The Diameter protocol, the 4G (LTE) telephony and data transfer standard, shares the same vulnerabilities as the older SS7 standard used in 3G and 2G networks. Security researchers from Positive Technologies have shown that poor configurations in 4G (LTE) systems are the main cause of these vulnerabilities.
4G operators misconfigure Diameter
The incorrect use of Diameter leads to the presence of several vulnerabilities in 4G networks, resembling the ones found in older networks that use SS7. These are vulnerabilities that the Diameter protocol is supposed to prevent.
4G operators rarely use important Diameter protocol features, leaving subscribers and providers exposed to several threats, including:
- Subscriber information disclosure
- Network information disclosure
- Subscriber traffic interception
- Denial of Service
“Sudden failures of ATMs, payment terminals and video surveillance” - Security experts, Positive Technologies
The risks of these misconfigurations “could lead to sudden failure of ATMs, payment terminals, utility meters, car alarms, and video surveillance”, the researchers state in their report. One of the reasons is the use of 4G SIM card modules that connect to servers when located in remote areas, where classic internet connections are unavailable.
Open door for hackers to target 4G enabled IoT-devices
Even tracking the location of users and intercepting SMS messages or phone calls is possible on Diameter due to these misconfigurations. With the rise of Internet of Things devices, Positive Technologies warns that such flaws pose major threats. As stated on Positive Technologies’ website, “in the case of many 4G-enabled devices—such as pipeline safety sensors and gas leak detectors—lack of connectivity can lead to major financial losses and life-threatening accidents.”
Diameter Signalling Controller routing and firewall solutions
To avoid exposure to SS7-like attacks or threats, operators need a correctly configured Diameter Signaling Controller, as well as intelligent routing and a Diameter firewall.
5 July 2018