{"id":42031,"date":"2021-07-29T00:00:00","date_gmt":"2021-07-29T00:00:00","guid":{"rendered":"https:\/\/www.trendmicro.com\/en_us\/research\/21\/g\/risks-in-telecommunications-IT.html"},"modified":"2021-07-29T00:00:00","modified_gmt":"2021-07-29T00:00:00","slug":"risks-in-telecommunications-it-sr-threat-researcher-sr-threat-researcher-sr-threat-researcher-manager-threat-research","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/risks-in-telecommunications-it-sr-threat-researcher-sr-threat-researcher-sr-threat-researcher-manager-threat-research\/","title":{"rendered":"Risks in Telecommunications IT Sr. Threat Researcher Sr. Threat Researcher Sr. Threat Researcher Manager, Threat Research"},"content":{"rendered":"

<\/p>\n

<\/div>\n

Telecommunications is just one aspect of a 200-year-old field of research in IT. In our latest report, \u201cIslands of Telecoms: Risks in IT<\/a>,\u201d we liken this field to what seems to be separate islands that are in fact connected by a larger landmass underneath an ocean of IT. Indeed, the features of telecommunications might seem different from each other, but they all come together as the foundation of the entire field.<\/p>\n

In this research, we summarize the characteristics, potential threats, and recommendations to improve the security posture of enterprises and telecommunications companies. The following are some areas of concern that we feature in the analysis.<\/p>\n

Voice interception<\/span><\/p>\n

Voice calls remain as one of the most trusted types of communication. Still, attackers can take advantage of the trusted environment, infrastructure, and interconnection between operators by exploiting inter-carrier trust to implement remote attack scenarios. Access to telecom infrastructure in a foreign country is also enough to conduct voice call redirection and interception. Attack scenarios can include abusing a legitimate indoor small cell legitimately installed in private spaces such as bars, using a war box, or intercepting data and voice calls with a rogue base station, among other possible scenarios.<\/p>\n

Given the level of presumed trust, voice call interception attacks (or wiretapping) often target high-value targets such as C-level executives, key political figures, lawyers, journalists, and activists, to name a few. Attacks of this type not only bypass information security but also gain access to high-value information that can be used, for example, to influence the outcome of negotiations and trading. Our research features some high-profile examples of this kind of attack, such as those in Italy<\/a> and Uganda<\/a>.<\/p>\n

Recommendation:<\/b> If available, algorithms that are used in the financial sector can be federated with telecom logs such as Benford\u2019s Law for anti-fraud detection triggers. Incident response (IR) teams can monitor and track when abuse and fraud occur, allowing alertable and predictable patterns for criminal behaviors. Users are also encouraged to use point-to-point encryption in their voice applications and advised to disable GSM on their phones if possible.<\/p>\n

SMS interception<\/span><\/p>\n

More frequently, developers include SMS-authentication for their projects as a reliable option for logging and processing transactions such as one-time passwords (OTP). However, as SMS is exchanged in cleartext within the telecom network, it is still prone to interception and downgrade attacks.<\/p>\n

A telecom core network can be considered \u201cprotected\u201d depending on how a telco perceives the term \u201csecurity domain.\u201d In reality, however, since a telecom core network is usually only one domain, the data within it is only protected from the outside and not the inside. Therefore, a hacker or insider can intercept the SMS or downgrade a 4G\/5G service area to a less secure network, such as GSM.<\/p>\n

SMS is also the backup channel that is used for remote operational technology (OT) systems, such as industrial routers and cellular OT devices, which support commands over the air (OTA). These systems are more susceptible to interception due to the coverage of GSM, which is wider compared to newer generations of telecommunications technology.<\/p>\n

Through social engineering, SIM swapping has also been used by malicious actors who pretend to be users in distress. Usually, a malicious actor calls a telecom service center pretending to be a user who has lost their device or SIM. In response, the service center then transfers the subscriber\u2019s account and phone number to the attacker, after which all text messages are then sent to the malicious actor instead of to the unwitting legitimate subscriber. Previously documented cases of this include malware impersonating Android tools<\/a> to steal authentication codes, not to mention the \u201cMessageTap\u201d<\/a> malware used to hack SMS centers in telecoms.<\/p>\n

Recommendation:<\/b> Instead of SMS, users should consider other means for authentication, such as mobile app authenticators or a mobile phone push-notice.<\/p>\n

Calling line ID spoofing<\/span><\/h2>\n

Calling line ID spoofing (CLID) is a legitimate standards-based activity used for legitimate purposes, including masking call centers behind 1-800 hotline numbers. It can also be abused by criminals for attacks on individuals, such as malicious actors impersonating organizations like banks and government agencies. Attack scenarios like these abuse the trust established with well-known numbers of organizations.<\/p>\n

One scenario can involve a customer getting a call or a text message from their bank. This transmission can include a request for action due to a \u201creason\u201d with which a customer is lured into unintentionally sharing their credentials or other sensitive information with an attacker via a phishing site. Other attack scenarios also include:<\/p>\n