Tony Friar is the editor and lead author of the GSMA Fraud and Security Group’s (FASG’s) new FS.38 “SIP Network Security” permanent reference document (PRD) available to GSMA members.
Why SIP needs governance when it comes to its security
We live in interesting and exciting times in the ever-changing world of telecoms security. Until recently, it could be argued that telecoms security has often been an afterthought. Build it. Launch it. If they like it, then maybe consider security. Even where security has been considered from the start for a particular network type, protocol or access type, the mechanisms defined were often not used in practice. In our industry we didn’t operate on a basis of zero trust; we operated on a basis of trust. We didn’t approach security using the concept of defence in depth; we worked on the basis that if a particular protocol was exposed to the outside world, then as long as it was protected by a firewall it was secure and we no longer needed to consider threats related to that protocol.
Nowadays we can access vast amounts of knowledge 24/7 with our smart phones and laptops. When SS7 was first launched it was very difficult to access information on the protocol. The Internet and especially the Darknet have changed this for all telecoms protocols. It is no coincidence that the attacks on telecoms networks have increased in volume and sophistication as the access to knowledge has become easier and faster on-line. This has made the work of the criminals easier.
Luckily, partly because of the focus being given to 5G security, we are at a stage where the need for a more sophisticated approach to security is now accepted. Governments and supra-national organisations such as the European Union have begun introducing guidelines and even specific legislation requiring certain approaches and levels of security. We still have a long way to go, but the culture and focus are changing.
One new area of focus within the GSMA Fraud and Security Group (FASG) has been the Session Initiation Protocol (SIP). SIP is now one of the most widely used and deployed telecoms signalling protocols in the world. It is used in mobile, fixed and enterprise networks for the establishment and management of voice and video calls, and for interconnection between networks, as well as providing instant messaging and presence functionality. Within mobile networks, SIP is used by VoLTE (voice over 4G), Vo5G (voice over 5G) and Rich Communication Services (RCS). It is used everywhere from the handset to the core IMS networks and onwards to the interconnects.
For a protocol with such widespread use, security is a major concern. There are a number of existing standards (IETF RFCs, 3GPP and ETSI standards) that cover aspects of SIP security, but there has not been an overarching, end to end, document covering real life attacks and countermeasures. The new GSMA ‘FS.38 SIP Network Security’ permanent reference document (PRD) aims to address this. FS.38 covers access, interconnects, and the core network itself, and takes a defence in depth approach.
Looking closer at defence in depth
One example of the approach to defence in depth concerns Session Border Controllers (SBCs). SBCs can be seen as firewalls for SIP and related media. There is currently still a view amongst some in the industry that SBCs are the only defence needed to protect against SIP-based attacks. While SBCs are a fundamental part of a core SIP network's defence against attacks, no single defence should be relied upon; instead a defence in depth approach is required. This existing reliance on SBCs is in many ways similar to what we saw with SS7 and the view that it was a closed network and therefore safe. FS.38 takes a defence in depth approach to SIP security and goes beyond reliance on SBCs. Also, FS.38 does not only cover those threats that directly involve SIP signalling, but also makes recommendations about related areas such as SIP endpoint provisioning servers, customer portals, and back-end databases that contain SIP usernames and passwords. All of this is part of the defence in depth approach taken by FS.38.
Thinking beyond risks to just Fraud
It is often believed that the only real threat related to SIP is fraud. Unfortunately, this is not the case as SIP can also be used to perform denial of service (DoS) and privacy attacks against both core networks and enterprises. One of the aims of FS.38 is to highlight such DoS and privacy attacks and to describe the countermeasures.
When we mention DoS attacks against SIP networks, we may think of volumetric DoS attacks in which large numbers of SIP messages are sent towards the attack target. Volumetric DoS attacks should not be ignored or discounted, but as processing power has improved, its cost has fallen, and more core network SBC deployments can now auto-scale based on load, susceptibility to volume-based attacks has declined (though most definitely not gone away). Volumetric DoS attacks are also generally easy to identify – an unexpectedly large amount of traffic is arriving. Conversely, attacks using malformed SIP messages generally require only small numbers of messages (sometimes only one), are difficult to detect, and, depending on the specific malformed message, may bypass defences such as SBCs.
Incomplete signalling attacks are attacks in which the attacker does not send an expected message in an attempt to cause a DoS attack against one or more targets. Such attacks, partly because of their many variants, can be difficult for an SBC to detect and stop. FS.38 proposes several long-term approaches to dealing with such attacks.
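The two detection problems described in the preceding paragraphs, malformed messages and incomplete signalling, can both be approached with cheap structural checks at a probe or SBC before any core node has to parse the traffic. The Python below is an added example and is not code from FS.38, the GSMA or Velona. It checks a request for the header fields RFC 3261 makes mandatory and for a Content-Length that disagrees with the actual body, and it tracks INVITE transactions by Call-ID so that INVITEs never completed with an ACK can be reported. The sample messages, the event stream and the 32-second timeout are all constructed for this example; the mandatory-header list is from RFC 3261 section 8.1.1.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# RFC 3261 section 8.1.1: header fields every SIP request must carry.
MANDATORY_REQUEST_HEADERS = ("To", "From", "CSeq", "Call-ID", "Max-Forwards", "Via")
# Assumed detection threshold: an INVITE still un-ACKed after this many seconds
# is reported. Tune it to the network's own transaction timers.
ACK_TIMEOUT_SECONDS = 32

START_LINE = re.compile(r"^[A-Z]+ \S+ SIP/2\.0$")


def parse_sip_request(raw: str) -> dict:
    """Split a SIP request into start line, headers and body.
    Header names are lower-cased for lookup; compact header forms (v, f, t, i)
    are not expanded in this example. Raises ValueError on broken framing."""
    if "\r\n\r\n" not in raw:
        raise ValueError("missing blank line between headers and body")
    head, body = raw.split("\r\n\r\n", 1)
    lines = head.split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"start": lines[0], "headers": headers, "body": body}


def malformed_reasons(raw: str) -> list[str]:
    """Return the reasons a request fails basic structural checks; an empty
    list means it passed."""
    try:
        msg = parse_sip_request(raw)
    except ValueError as exc:
        return [str(exc)]
    reasons: list[str] = []
    if not START_LINE.match(msg["start"]):
        reasons.append(f"bad request line: {msg['start']!r}")
    h = msg["headers"]
    for name in MANDATORY_REQUEST_HEADERS:
        if name.lower() not in h:
            reasons.append(f"missing mandatory header {name}")
    if "content-length" in h:
        declared = h["content-length"][0]
        if not declared.isdigit() or int(declared) != len(msg["body"].encode()):
            reasons.append("Content-Length does not match body length")
    return reasons


@dataclass
class InviteTracker:
    """Tracks INVITE transactions by Call-ID and reports those never completed
    with an ACK inside ACK_TIMEOUT_SECONDS: the incomplete-signalling pattern.
    Events are (timestamp, method, call_id); in production they would come
    from an SBC log or a passive probe rather than be constructed inline."""
    invites: dict[str, float] = field(default_factory=dict)
    acked: set[str] = field(default_factory=set)

    def observe(self, ts: float, method: str, call_id: str) -> None:
        if method == "INVITE":
            self.invites.setdefault(call_id, ts)
        elif method == "ACK":
            self.acked.add(call_id)
        elif method in ("CANCEL", "BYE"):
            # The dialog was torn down through normal signalling.
            self.invites.pop(call_id, None)
            self.acked.discard(call_id)

    def incomplete(self, now: float) -> list[str]:
        """Call-IDs whose INVITE is older than the timeout and was never ACKed."""
        return sorted(cid for cid, ts in self.invites.items()
                      if cid not in self.acked and now - ts > ACK_TIMEOUT_SECONDS)


# Constructed sample messages using documentation addresses, not real endpoints.
GOOD_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "To: Bob <sip:bob@example.net>\r\n"
    "From: Alice <sip:alice@example.net>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed: Via is missing and Content-Length disagrees with the 5-byte body.
BAD_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Max-Forwards: 70\r\n"
    "To: Bob <sip:bob@example.net>\r\n"
    "From: Alice <sip:alice@example.net>;tag=1928301774\r\n"
    "Call-ID: deadbeef@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 999\r\n\r\n"
    "v=0\r\n"
)


def demo() -> tuple[list[str], list[str], list[str]]:
    """Run both checks over the constructed samples."""
    tracker = InviteTracker()
    events = [
        (0.0, "INVITE", "call-1"), (0.5, "ACK", "call-1"),    # completed normally
        (1.0, "INVITE", "call-2"),                             # never ACKed
        (2.0, "INVITE", "call-3"), (3.0, "CANCEL", "call-3"),  # cancelled cleanly
    ]
    for ts, method, call_id in events:
        tracker.observe(ts, method, call_id)
    return (malformed_reasons(GOOD_INVITE), malformed_reasons(BAD_INVITE),
            tracker.incomplete(now=60.0))


if __name__ == "__main__":
    print(demo())
```

The structural checks deliberately stay shallow: they catch the framing errors that make a message unparseable or self-contradictory, which is the class an SBC can reject outright, while the transaction tracker works on method, Call-ID and time alone, so it can run on a mirrored feed without touching the live session. A real deployment would key incomplete transactions by originating network or subscriber as well, since the same Call-ID pattern scattered across many sources is what distinguishes an attack from an endpoint with a bad connection.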
Privacy attacks in SIP can be as simple as ‘man-in-the-middle’ (MiTM) type attacks or they can involve the use of specific SIP messages and parameters to cause SIP endpoints and media servers to establish or redirect a session to the attacker. Such attacks can be difficult for SBCs to detect and in some scenarios the attacks will cause the endpoints to establish sessions which bypass the SBC.
At this point I should make it clear that I am in no way disparaging SBCs. They form a key part of the defence in depth layering model, and SBCs protecting core networks provide extremely valuable security and often other key functionality such as the session management. They are generally very good at what they do. But we need to be more sophisticated in our approach to signalling security and we need to adopt a defence in depth approach in which the SBC, while playing an important part, is but one of several defences.
FS.38 recommends the use of encryption for SIP but is very clear that this does not make all problems go away. Attacks via tunnels and insider attacks are two examples against which encryption provides no protection and may even hinder detection. The additional network costs to support encryption are also described.
Going beyond Access into the Core
One of the other key areas covered by FS.38 is the core network behind the access and interconnect SBCs. There is often an assumption that the border protection (SBCs) will not be breached and, as such, little consideration is given to the security of the core network nodes behind the border protection. FS.38 addresses this and makes recommendations related to hardening and testing.
Approaching testing with FS.38 in mind
Penetration and performance testing together form a significant part of any approach to telecoms security. Unfortunately, both upfront and routine testing are often overlooked, perhaps due to budgetary considerations, or assumptions made about the ability of border protection nodes as previously described here, or a (correct or incorrect) assumption that the vendors have designed security in and have taken no short-cuts when the age-old security versus functionality debate was held. FS.38 contains a section on testing that makes recommendations about the testing of SIP endpoints, SBCs, core network nodes behind the SBCs, and non-SIP nodes such as SIP endpoint provisioning servers. When responding to tenders, vendors almost always answer 'Yes' to questions about security and performance. This is done in the knowledge that the service provider, probably, will not have the means to properly validate the paper-based claims of the vendor. The bottom line is that it will always pay to discover your vulnerabilities and weak points before the hackers and fraudsters do.
The release of FS.38 adds SIP to the existing GSMA FASG focus on SS7, Diameter, and the protocols used within 5G and this leads us nicely on to protocol correlation. Protocol correlation involves the comparison of related fields in two or more protocols involved in the same session. Discrepancies can be used to identify fraud, security, and privacy issues. The GSMA FS.21 PRD, ‘Interconnect Signalling Security Recommendations’, has been updated to provide coverage as to how SIP can be used as one of the protocols within a protocol correlation approach.
As signalling firewalls will already be handling one or more of SS7, Diameter and the GPRS Tunnelling Protocol (GTP), they are in a very good architectural and functional position to add SIP and to provide the protocol correlation piece. Given that they can also exercise control over a session, they can also terminate the session if their protocol correlation functionality detects anomalies.
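As an added illustration of the protocol correlation idea in the two paragraphs above (not code from FS.21, FS.38 or any signalling firewall product), the Python below compares what an interconnect INVITE claims about its caller with what Diameter has already told the firewall about the same subscriber, and maps any discrepancy to an allow, alert or reject decision. The correlated fields (the P-Asserted-Identity number against the MSISDN, and the claimed origin network against the subscriber's last registered network), the records and the decision thresholds are all assumptions constructed for this example; the PRDs define the actual correlation rules.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class DiameterView:
    """Subscriber state learned from Diameter, e.g. the last location update
    seen on the roaming interface. Constructed fields for this example."""
    msisdn: str
    visited_plmn: str        # network the subscriber last registered in


@dataclass(frozen=True)
class SipCall:
    """Fields extracted from an INVITE arriving over an interconnect."""
    call_id: str
    asserted_number: str     # caller number from P-Asserted-Identity
    origin_plmn: str         # network the interconnect partner says it comes from


def correlate(call: SipCall, views: dict[str, DiameterView]) -> list[str]:
    """Compare the SIP claim about the caller with what Diameter says about
    the same subscriber. Returns the discrepancies found (empty list if none)."""
    view = views.get(call.asserted_number)
    if view is None:
        return ["asserted caller is not a known subscriber in Diameter state"]
    findings: list[str] = []
    if view.visited_plmn != call.origin_plmn:
        findings.append(
            f"SIP origin {call.origin_plmn} disagrees with Diameter location "
            f"{view.visited_plmn}")
    return findings


def decide(findings: list[str]) -> str:
    """Map discrepancies to the firewall action: 'allow', 'alert' or 'reject'.
    The thresholds are an assumption; a real policy would also weigh the
    partner, the route and the subscriber's history."""
    if not findings:
        return "allow"
    if any("disagrees with Diameter location" in f for f in findings):
        return "reject"
    return "alert"


# Constructed sample data. 001-01 is the test PLMN; 001-02 stands in for a
# roaming partner. The numbers are in a fictional range.
HOME_PLMN = "001-01"
PARTNER_PLMN = "001-02"
VIEWS = {
    "+15550100001": DiameterView("+15550100001", PARTNER_PLMN),  # genuinely roaming
    "+15550100002": DiameterView("+15550100002", HOME_PLMN),     # registered at home
}
CALLS = [
    SipCall("c1", "+15550100001", PARTNER_PLMN),  # consistent with the roaming state
    SipCall("c2", "+15550100002", PARTNER_PLMN),  # home subscriber claimed as caller abroad
    SipCall("c3", "+15550100003", PARTNER_PLMN),  # number Diameter has never seen
]


def run(calls=CALLS, views=VIEWS) -> dict[str, str]:
    """Correlate every call and return the decision keyed by Call-ID."""
    return {c.call_id: decide(correlate(c, views)) for c in calls}


if __name__ == "__main__":
    for call_id, action in run().items():
        print(call_id, action)
```

The value of the check comes from the second protocol, not from SIP alone: the INVITE for c2 is perfectly well-formed, and an SBC looking only at SIP has no reason to doubt it. Two caveats a practitioner would add before enforcing rather than alerting: the Diameter view must be fresh (a stale location will produce false rejects for subscribers who have just moved), and legitimately forwarded or redirected calls can arrive from a network other than the one the caller is registered in, so those cases need their own handling in the policy.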
In summary: A lot done but more to do
The release of FS.38 was made possible by wonderful contributions from many service providers and vendors within our community all working together towards a common goal. It does not suddenly make the insecure secure. The recommendations and countermeasures within it need to be implemented, and the traditional thinking that an SBC is all that is needed has to be discounted. SIP needs to be seen as a significant threat vector (and not just for fraud) and be included within threat analysis for all relevant fixed and mobile networks, including 5G. As an industry, we need to value threat intelligence and regular penetration testing in the same way that the best practices of the Internet and IT worlds do. And we need to stop considering protocols in isolation and start, or increase, the use of protocol correlation.
SIP is part of an exciting future for telecoms. It is proof-positive of the ever-growing capability of our industry to innovate and offer clients, be they government, corporate, enterprise or consumer, choice regarding how they want to communicate and collaborate, freeing them up in their choice of where they want to live and work. But with this opportunity comes increased risk. The best time to fix the roof is on the sunny day.
To find out how FS.38 is already being applied in the real world
CSP Network Penetration testing + Impact of GSMA’s FS.38 [ Case Study]
Sign up here for Velona’s FREE Webinar.
Unlike cyber, penetration testing in telecommunications has never had proper standards-led governance, which means what passes for proper penetration testing varies widely.
Join us to see how FS.38 can provide a real framework for a thorough end-end test of both enterprise and consumer UC networks for CSPs.
We walk through the methodology and findings of a recent test run for an IMS-based network.
Time & Date: May 25, 2021 13:00 (GMT+01:00) London