Network-Centric Security Threats

Security Threat Landscape

Traditional network environments are characterized by well-defined perimeters and trusted domains. Networks have been initially designed to create internal segments separated from the external world by using a fixed perimeter. The internal network was deemed trustworthy, whereas the external was considered potentially hostile. Perimeter devices, such as firewalls and intrusion detection systems, have been the traditional technologies used to secure the network.

Threats

In this section, we discuss the threats that can be mapped to the network asset taxonomy. The threats reported here are not exhaustive but representative of the matters covered. Most of them are related to mobile network considering the network evolution toward 5G and the fixed-mobile network convergence. This section provides an overview of the main relevant security issues. Most of them are already known and under the attention of different standardization bodies, security working groups, and an alliance that is working on them by providing guidelines and countermeasures as well as configurations hardening. However, despite such actions, some of these attacks are still ongoing. This is in part motivated by the availability of open-source attack tools.

For several years now, vulnerable network assets have been exploited as preferred targets. Malicious cyber actors often target network devices, and, once on the device, they can remain there undetected for long periods. After an incident, where administrators and security professionals perform forensic analysis and recover control, a malicious cyber actor with persistent access on network devices can reattack the recently cleaned hosts. The adoption of a Security Assurance process that covers the entire life cycle management starting from secure design, secure development, secure deployment, security monitoring, and security management is necessary to counteract these attacks. There are also cases where attackers do not need to compromise their intended target directly but can achieve their aim by compromising the supply chain where it is least secure. In the last years, there was, in fact, an increase in breaches caused by vulnerable software. Any given software stack can contain many sources of components and libraries in differing versions, increasing the need to assess, test, and patch carefully. This potential threat highlights the importance of managing the supply chain.
Another source of well-known network breaches is the use of legacy protocols. Signaling exchange is required to establish and maintain a communication channel or session on telecommunication networks as well as allocate resources and manage networks. For example, a 2/3G network uses SS7 (Signalling System 7) and SIGTRAN (SIGnalling Transport) while 4G relies on Diameter; all generations use SIP (Session IP) and GTP (GPRS Tunnel Protocol). Many fundamental services, such as short messaging service (SMS), are managed by these protocols. Many of these signaling protocols are outdated and have been implemented under a trust model that assumed well-behaved mobile operators without the need to deploy strong security controls.
In addition, another type of attack vector comes from a flaw in the specifications. The paper in [1] is just an example of vulnerabilities discovered during a careful analysis of LTE access network protocol specifications and a demonstration of how those vulnerabilities can be exploited using open-source LTE software stack and low-cost hardware. The paper in [2] demonstrates instead the usefulness of adopting a formal verification tool to automatically check whether the desired security properties are satisfied or if instead the defined protocols/procedures suffer from ambiguity or under-specification.
To complete the overview of the attack scenario, another vector comes from the poor configuration of network nodes as highlighted in [3].
In the following section, the most relevant known network threats are reported according to the following categories.[4][5]

  • TG2.1: Unintentional damage/loss of information on IT assets: this group includes all threats causing unintentional information leakage or sharing due to human errors.
  • TG2.2: Interception and unauthorized acquisition: this group includes any attack, passive or active, where the attacker attempts to listen, intercept, or re-route traffic/data. An example of this would be man-in-the-middle attacks. This group also includes manipulation attacks where the attacker attempts to alter or interfere with data in transit, in particular with signaling messages and routing information.
  • TG2.3: Nefarious activity/abuse: this group includes threats coming from nefarious activities. It requires active attacks targeting the network infrastructure of the victim.
  • TG2.4: Organisational threats: this group includes threats to the organizational sphere.

Threat Group TG2.1: Unintentional damage/loss of information on IT assets

Threat T2.1.1: Erroneous use or administration of devices and systems

Attacks or human-errors are exploited to gain unauthorized privileged access to a system, which can lead to the installation of other malicious content or backdoors or even physical access to the devices. It is used as part of an attack, regardless of whether the target is a single system/asset or a whole network or facility.

Assets: “Core Network”, “Access Network”, “Infrastructure Network/Area Network”, “Peering Points”.

Related Attack


Threat Group TG2.2: Interception and unauthorized acquisition

Threat T2.2.1: Signaling traffic interception

Most of the signaling protocols are dated and implemented in an insecure way. Most of them have not been designed with security features. SS7 (Signaling System 7) and Diameter are signaling protocols used in mobile networks. It is widely known that these signaling protocols have no security defenses built-in and have several severe security weaknesses, which can be exploited by attackers in many ways. SS7 is used to exchange information among different elements of the same network or between roaming partner networks (e.g., call routing, roaming information, features available to the subscriber). Diameter is the replacement of SS7 in the 4G mobile generation. An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker’s control.

Assets: “Core Network”, “Peering Points”. The exploitation of SS7 design weaknesses to obtain a victim’s location, harvest their messages, and listen in on calls was demonstrated in 2014.[6] Other examples are the demonstration in [7] and [8]. O2 in Germany confirmed that some customers in Germany have had their accounts drained by attackers that used SS7 to intercept and redirect mTANs to their own phones.[9] In [10], and attempted Data interception attacks using SS7 was reported.

Related Attack

Threat T2.2.2: Data session hijacking

Session hijacking is an attack that is basically used to gain unauthorized access between an authorized session connection. For example, the GPRS Tunnelling Protocol (GTP) allows mobile subscribers to maintain a data connection for Internet access while on the move. GTP manages tunnels for transporting IP packets throughout the core network to the internet. GTP comprises three parts—control plane (GTP-C), user plane (GTP-U), and charging (GTP-C). Since there is no authentication and encryption supported in GTP-U messages themselves, several attacks to GTP-U might be possible. An attack via the GRX global roaming exchange network can be conducted by employees of almost any mobile operator as well as by external attackers who have access to the operator’s infrastructure. Such an attacker might be able to craft GTP-U messages and send them to the network to trigger answer messages and thus get information (e.g. about network topology), or just send malicious messages to the network. This may involve guessing a valid TEID (Tunnel Endpoint Identifiers), hijacking a TEID, unless the endpoints use non-predictable TEIDs. Other common hijacking attacks exploited the vulnerabilities of Border Gateway Protocol (BGP). They are documented for instance in IETF’s RFC 4272 “BGP Security Vulnerabilities Analysis”, which was published in 2006. BGP fundamental vulnerabilities related to the lack of a mechanism to protect the integrity and authenticity of messages in peer-to-peer communications. Also, the lack of a mechanism to validate the authority of an AS (Autonomous System) to announce prefixes or relay route information. Finally, BGP has no mechanism to validate the authenticity of the path attributes in prefix announcements. These security vulnerabilities can be exploited by an adversary to perform BGP hijacking when the adversary claims to be the origin of prefixes of another network. The result of this attack is that the traffic is forwarded to the wrong destination. This attack can be used to intercept, alter, or disrupt Internet traffic.

Assets: “Core Network”, “Peering Points”.

Related Attack

Threat T2.2.3: Traffic eavesdropping

An eavesdropping attack is possible if the traffic is not protected, e.g. user-plane traffic is not encrypted at the radio access level or if vulnerable/weak crypto algorithms are used. Eavesdropping is also possible by exploiting a lack of protection on the backhaul link that connects the radio access network to the core network. In 4G network the backhaul is composed of IP-based control elements and interfaces, making it vulnerable to IP-based attacks. In addition, eavesdropping can be possible also by exploiting the lack of mutual authentication between the radio access node and the core network, or the lack of prevention against IP-based attacks, or the lack of encryption of data and signaling traffic. If the backhauling link is not encrypted, then user security context information such as part of the currently used keying material will be revealed to an eavesdropper. Also, the user plane traffic would be available to eavesdroppers in the clear. The impact of eavesdropping depends on what traffic is affected. Eavesdropping control plane traffic can be more critical as it may reveal information to the attacker that allows him to mount further attacks.

Assets: “Radio Access Network”, “Infrastructure Network/Area Network”.

Related Attack

Threat T2.2.4: Traffic redirection

The redirection of data can be accomplished at different levels. On local networks, IPv4 ARP spoofing, ipv6 router advertisement or automatic proxy discovery can be exploited. At the internet level, DNS spoofing is widely used to point legitimate hostnames to fake servers. Ultimately, redirection of data can be possible by data manipulation that can be specially performed if data is not integrity protected.

Assets: “Access Network”, “Core Network”.

Related Attack


Threat Group TG2.3: Nefarious activity/abuse

Threat T2.3.1: The exploitation of software bug

The more the network environment will be softwarized, virtualized, and transferred on general commodity hardware equipment, the more such environment could be exposed to vulnerabilities due to software bugs and poor configuration. Already today every year thousands [11] of software bugs impact network devices such as routers, servers, databases, or other functional elements of the networks. This type of threat also includes network failures when several systems fail to connect or to work together.

Through software bugs, it is possible to attack the vulnerable device or the entire infrastructure causing, for instance, DoS, frauds, and other issues. To help customer to manage such situations, many network manufacturers such as Cisco, Juniper, Ericsson, Huawei set up specific PSIRT (Product Security Incident Response Team) Services, aimed to collect, analyze, and provide patches related to their products and finally to help their customers to address the possible issues suggesting related solutions.

Assets: “Access Network”, “Core Network”, “Infrastructure Network/Area Network”, “Endpoint Network”.

Related Attack

Threat T2.3.2: Manipulation of hardware and firmware

Attacks against hardware and firmware are especially appealing to attackers. Once they have compromised the firmware, they can safely persist on the device and evade the security measures applied at OS, application or software levels. Since the malicious code lives within the firmware of physical components, the threat can easily survive a complete reimaging of the system or even replacement of the hard drive(s). This sort of persistent attack would typically occur as the second stage of malware infection. Once a system is initially compromised, malware could then look for vulnerabilities in the firmware and missing device protections that could allow malicious code to be implanted in the firmware itself. This threat clearly points also to Device/ IoT-centric security.

Assets: “Core Network”, “Infrastructure Network/Area Network”, “Endpoint Network”.

Related Attack

Threat T2.3.3: Malicious code/software/activity

Malware is any piece of software written with the intent of damaging devices, stealing data, or causing damage. Viruses, Trojans, and recently crypto-miners and ransomware are among the different kinds of malware. Although the primary target for malware is traditionally to “infect” a device (fixed or mobile), malware is one of the main threats against network infrastructures (e.g. the control plane), and it will be even more dangerous with the emerging networks softwarization. When devices are considered, this threat is strongly connected to threat T1.4.3 in Device/IoT-centric security.

Assets: “Core Network”, “Endpoint Network”.

Related Attack

Threat T2.3.4: Remote activities (execution)

Remote activities can take a variety of forms, but in general refer to the process by which an agent can exploit a network vulnerability to run, for example, arbitrary code on a targeted machine or system.

Assets: “Core Network”.

Related Attack

Threat T2.3.5: Malicious code – Signaling amplification attacks

Mobile networks do not have enough radio resources to provide service to every single customer at the same time. The scarcity of bandwidth requires advanced techniques to reuse idle resources in an efficient manner. The RRC protocol stack reassigns radio resources from a given user when the connection goes idle for a few seconds. When an inactivity timer expires, the radio bearer between the mobile device and the core network is closed and those resources become available to be reassigned to another UE. At this stage, the UE moves from connected to the idle state. Each instance of bearer disconnection and setup involves a significant number of control messages exchanged among nodes within the EPC (Evolved Packet Core). DNS amplification is another example of an attack that massively exploit open recursive DNS servers mainly for performing bandwidth consumption (DDoS attacks). The amplification effect lies in the fact that DNS response messages may be substantially larger than DNS query messages.

Assets: “Access Network”, “Radio Access Network“, “Core Network”.

Related Attack


Threat Group TG2.4: Organization (failure malfunction)

Threat T2.4.1: Failures of devices or systems

System failures include the incidents caused by failures of a system, for example, hardware failures, software failures or errors in procedures or policies. An example is a software bug in a system like an HLR that suddenly stops its operation and consequently prevents al subscribers from connecting. This threat clearly points also to Device/IoT.

Assets: “Access Network”, “Core Network”, “Infrastructure Network/Area Network”.

Related Attack

Threat T2.4.2: Supply chain

A supply chain threat refers to the compromise of an asset, for instance, a software provider’s infrastructure and commercial software, with the aim to indirectly damage a certain target (e.g., the software provider’s clients). This type of attack is typically used as a first step out of a series of attacks. More concisely, it is used as a stepping stone for further exploitation, once a foothold is gained to the target system or systems. Attackers do not need to compromise their intended target directly but, in many cases, can achieve their aim by compromising the supply chain where it is least secure. This potential threat highlights the importance of managing the supply chain holistically and driving out or mitigating insecure elements.

Assets: “Infrastructure Network”.

Related Attack

Threat T2.4.3: Software bug

A security bug is a software bug that can be exploited to gain unauthorized access or privileges on a computer system. Software bugs could have an impact on ICT systems, such as routers, servers, databases, and in this way impact networks or services. This type of threat also includes complex failures like network failures when several systems fail to connect or otherwise work together.

Assets: “Access Network”, “Core Network”, “Infrastructure Network/Area Network”.

Related Attack


[1] M. Armbrust, A. Fox, R. Griffith, A. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica e M. Zaharia, «Above the Clouds: A Berkeley View of Cloud Computing,» University of California at Berkeley UCB/EECS-2009-28, February, vol. 28, February 2009.

[2] P. Mell e T. Grance, «The NIST definition of cloud computting,» 2019.

[3] S. Chandna, R. Singh e F. Akhtar, «Data Scavenging Threat in Cloud Computing,» International Journal of Advances In Computer Science and Cloud Computing, 2014.

[4] Mobile Telecommunications Security Threat Landscape, GSMA, January 2019https://www.gsma.com/aboutus/resources/mobile-telecommunications-security-threat-landscape

[5] Threat Landscape 2018, ENISAhttps://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape

[6] White hats do an NSA, figure out LIVE PHONE TRACKING via protocol vuln https://www.theregister.co.uk/2014/12/26/ss7_attacks/

[7] Tobias Engel, “SS7: Locate. Track. Manipulate”, 2014, https://imsicatcher.info/article/ss7-locate-track-manipulate/

[8] “SS7 Attack Discovery” , Positive Technologies, 2016 https://www.ptsecurity.com/upload/corporate/ww-en/products/documents/ss7/PT-TAD-Product-Brief-eng.pdf

[9] Schwachstelle im Mobilfunknetz: Kriminelle Hacker räumen Konten leer https://www.sueddeutsche.de/digital/it-sicherheit-schwachstelle-im-mobilfunknetz-kriminelle-hacker-raeumen-konten-leer-1.3486504

[10] Tunnel Vision : Malicious data interception via SS7 https://www.adaptivemobile.com/blog/malicious-data-interception-via-ss7

[11] Seehttps://www.cvedetails.com/vulnerabilities-by-types.php