Silent No More: Mobile Roamers Spur a Security Evolution

Were you a “silent roamer”?

If you used to travel internationally, turned off your cellular radio while searching desperately for an internet available café with Wi-Fi or purchased an in-country SIM, then you were a “silent roamer.” Today, with premium roaming charges significantly diminished by global mobile network operators, mobile subscribers don’t have to fear “bill shock,” change their usage patterns or avoid accessing their favorite services. International roaming has become part of the seamless mobile experience.

For mobile network operators, however, this step change in roaming has caused considerable change and exposed new vulnerabilities. Many network operators are still adjusting to the shift and are now re-examining security on the roaming network. Roaming traffic volumes, devices, and partners have all increased – exposing a broader attack surface for malicious actors and increasing the likelihood of unintentional events impacting network availability.

The Rise in Roaming Traffic

As a result of the EU commission ruling on “Roam Like at Home” as well as other tariff changes, traffic volume has shot up and revenue declined. Roaming traffic has grown exponentially in the last year. No longer afraid of the cost, the so-called “silent roamers” are adopting the same usage patterns that they have when they are not roaming. Seamless, transparent mobile access was the object of the Roam Like at Home initiative. That also means roaming traffic and subscribers are vulnerable to the same malicious threats as elsewhere in the network.

At one time, mobile roaming was relatively simple. A typical operator had a few key roaming agreements, and the volume of (mostly voice) traffic was small due to the high price. Now, Tier 1 operators offer hundreds of destinations and can have up to 100 roaming agreements per country, per network technology, including voice, data, video and text/SMS. The types and volume of devices roaming are of the same composition as the rest of the network and now include numerous IoT devices.

More MVNO models are also emerging. Traditional mobile virtual network operators offer lower prices to consumers and businesses and often include cheap international roaming as part of that package. With IoT expanding, some MVNOs have specialized on the IoT market.  With vLTE- or EPC-in-a-box, it is much less costly for IoT solution providers or large enterprises to provide more mobile core network elements themselves and control subscribers through their own network. Companies like Rakuten. an on-line market in Japan, can become MVNOs.  Electric utilities with SIM-enabled smart meters can now become MVNOs and gain better control and security over their IoT devices.

The Impact on Operators

What this means for operators is that a once relatively easy-to-manage part of their network has suddenly become much more complex and difficult to secure. This increase in roaming traffic will change the threat landscape. Those who want to damage the reputation of the operator now have a new point of attack. Service disruption to the roaming network could now impact a lot more customers and have greater implications.

As a result, more operators are re-examining their security approach in roaming. In our discussions with operators and in the trials we have conducted, we have also found that the threats found on the SGi are also found on roaming. We have observed ransomware, such as Locky, and cryptocurrency mining, such as Coinhive and CoinMiner, both of which  have severe impact on subscribers and have also been reported much in the news. In almost every single trial we have conducted, we have observed C2 traffic between devices and malicious sites known to be associated with botnet activity.

Roaming is also vulnerable to conditions and attacks that are unique to the GPRS Tunneling Protocols (GTP) used in roaming.

The mobile industry GSM Association (GSMA) published roaming guidelines for operators. The documents identify vulnerabilities found in the GTP protocol, the protocol used for roaming, and describe how they can be manipulated for a malicious action or be the result of an unintentional event, such as network element malfunction, natural disaster, or network outage,   all of which can cause message floods or network elements to malfunction or fail.

Many operators have not previously followed GSMA guidelines or updated their security infrastructure in this area of the network for years, if they have any at all. For the most part, operators are blind to what is now coming across their roaming interface. If you can’t see the threats, you can’t protect your network against them, and you also can’t offer a security answer for your important customers or maintain that level of trust that has been so important to building your business.

The Palo Alto Networks Security Operating Platform provides consistent, application-layer visibility and enforcement for the roaming interface and across all other mobile network peering points. The platform also provides a set of mobile network infrastructure features that provide protection against a number of signaling vulnerabilities and allow operators to easily see who and what is impacting the network. With this strong visibility and mobile infrastructure functionality, mobile network operators can be assured that their network will be protected against any roaming-initiated threats.