Fighting back against the abuse of Global Title Leasing
Do you remember when making an international call didn’t involve just dialling the person you wanted to speak to and connecting shortly afterwards? Perhaps you are old enough to remember calling an operator and asking for the call to be connected. Nowadays, the simplicity of instant global communication is taken for granted and has evolved to include Calling Line Identity (CLI) display on most calls, mobile calling, messaging between mobiles and from enterprises, as well as the ability to use your phone abroad. In fact, a new term was created just for it, “roaming”. Device usage has evolved from voice centric services to data consumption, exploiting the capabilities of 4G and 5G networks, which is a remarkable change over just the last two decades.
Quite rightly, we all take these innovations, and their impact upon society, for granted. Long gone is the need to call an operator to connect a call, the telegram is consigned to history and faxes are virtually extinct. In fact, I still have some babygrams at home that were sent when I was born in the 1970s – a telegram that was delivered in the form of a greeting card. How times have changed!
Whilst we take ubiquitous connectivity for granted, behind the scenes an enormous amount of effort is placed into ensuring that interoperability works as simply as “a, b, c”. From standards bodies such as the International Telecommunications Union (ITU), Third Generation Partnership Project (3GPP) and the European Telecommunications Standards Institute (ETSI), telecommunication regulators, through to the GSM Association, these organisations and others have had a critical role in delivering the global telecommunications systems and services we have today. Careful planning, coordination, discussion, debate, design, management and enforcement result in clear standards, specifications, guidance, best practice and regulation. Together these ensure that low cost, high availability, interoperable and competitive global communications networks are built and maintained for the benefit of all of us.
An Evolving Situation
However, sometimes the carefully managed process to launch new services and standards isn’t quite enabling, innovative and fast moving enough to meet market needs. There may be entrepreneurs who spot a gap in the market and an innovative way to deliver services to meet emerging needs. A widely known and legitimate example of this was “steering of roaming” – the ability for a mobile operator to influence which network their subscribers connect to whilst roaming. This was never standardised or coordinated and was the result of entrepreneurial engineers identifying a problem and an appropriate solution. Whilst this was not a standardised solution, it was built upon existing standards and, as such, was welcomed and enabled a functioning competitive market and the GSMA issue guidance on this[1]. In fact, it was so successful that it was eventually standardised[2].
Sometimes the market may produce solutions and/or practices that may have once seemed legitimate but turned out to have questionable consequences and legitimacy. Those solutions may now, in some cases, enable fraud or even endanger life. One such practice has proven to be Global Title “GT” Leasing.
What is GT Leasing?
So, what is a GT and what is GT Leasing? Simply put, a GT looks like a phone number and is used to identify and communicate with certain nodes within a telecommunications network – much like the use of IP addresses within an IT network. In the context of mobile networks, a GT is used, among other things, to support the exchange of SMS and to enable 2G, 3G and even 4G[3] roaming – still a considerable proportion of roaming today.
Operators wanting to enable messaging and roaming implement connectivity between each other, based upon a protocol known as SS7. SS7 was created in the 1970s and was never designed with security in mind, therefore trust was implicit. The protocol contains no protection of the integrity of the data, so it can be modified by any party and there is no way of validating whether messages are authentic. Whilst this is far from ideal, it was seen as acceptable in the era in which it was designed when connectivity was only ever established between known and trusted (mostly nationalised, state owned) operators, subject to specific contractual terms. The consequence of this is that each operator has access to information required to make roaming and messaging services work – the subscriber’s status, capabilities and identifiers.
Where roaming is established, it may be between large operators, small operators, or a mixture of both. Some years ago, some operators identified that the access that they had to SS7 connectivity was an asset in itself, over and above the actual roaming and messaging services it supports. Often, these operators were based in small island locations where there was limited opportunity to grow. Seeking new revenue streams, they sought to monetise their SS7 connectivity by extending access to SS7 connectivity to third parties. This is where GT leasing came to fruition.
The desire to monetise one’s network is legitimate. Some early use cases revolved around value added services such as enabling new mobile operators to rapidly expand their roaming footprint. However, other use cases were a lot more problematic. For these problematic use cases, was appropriate due diligence and a full security review ever conducted? Whatever the case, Operators provided third parties access to their GT assets, and by extension to the SS7 network, usually without the ability to control or supervise the third parties’ activities. All of this was done without the agreement of their roaming partners whose networks were being remotely accessed. This meant that unknown and untrusted parties were able to access some sensitive subscriber information held by mobile operators. Very quickly abusive behaviour was identified and shared within industry fora.
The problems initially focussed on SMS traffic – a mix of legitimate traffic being fraudulently delivered or, even worse, SMS spam. Whilst this is extremely serious, worse was still to come. From around 2014, researchers revealed serious vulnerabilities in the SS7 protocol being used between roaming partners[4]. The consequence of this was that phone calls and SMSs could be intercepted, subscribers could be geolocated anywhere in the world and they could be the subject of denial-of-service attacks. We now know from the Snowden leaks that this became a tool for nation states that morphed into commercially available spyware. From allegations of attacks on politicians such as Angela Merkel[5], diplomats, to less known dissidents and journalists, there has long been a multitude of press articles about this issue. For a long time, most mobile operators in the world have suffered attacks that have been enabled by the GT Leasing activities of a minority of mobile operators. Whilst those operators were long suspected of this activity, the very mutual dependency of roaming agreements and lack of a clear framework meant it was unclear what action could be taken.
Addressing the root causes
Whilst operators have spent millions of dollars improving their network security, just over two years ago operators decided to tackle one of the root causes of the problem – GT Leasing. Within the GSM Association, a group of operators and other industry stakeholders gathered to produce a GT Leasing Code of Conduct “CoC”. The CoC sets out best practice behaviour, prohibits unjustifiable behaviour and sets the clear expectation that alternative solutions should be used to replace GT Leasing. Certain well defined use cases are out of scope of the CoC to avoid unexpected damaging service consequences for consumers (e.g. losing roaming services).
For the remaining GT Leasing activities, the CoC goes as far as to state unambiguously, that the “GSMA strongly advises that GT leasing should not be used” and further states “all other options/architectures should be explored first before using GT Leasing”. For as long as GT Leasing continues, all lessors of GTs are expected to declare compliance with the CoC to their industry partners and adhere to its requirements. Operators and carriers that do not lease GTs are also encouraged to publicly declare their support for the CoC. The hope is that this is the next step on the journey to protecting mobile networks and subscribers worldwide.
Operators and international transit carriers that wish to declare compliance with the CoC must ensure that their GT leasing activities satisfy its requirements by 31 December 2023.
[1] IR.73 Steering of Roaming Implementation Guidelines
[2] 3GPP TS 29.550 5G System; Steering of roaming application function services; Stage 3
[3] Even in 4G, where VoLTE roaming is not available, voice calling is supported through circuit switched fallback
[4] How to Intercept a Conversation Held on the Other Side of the Planet, 27 May 2014; Worldwide attacks on SS7 network, 26 April 2014; SS7: Locate. Track. Manipulate – You have a tracking device in your pocket, 27 December 2014; Mobile self-defense; 27 December 2014