Security Risks Hidden in Telecom IT Infrastructure in the 5G Era

Trend Micro researchers summarize characteristics, threats, and recommendations for improving the security posture of enterprise and telco IT infrastructures.

Voice call interception

Voice calls remain one of the most trusted forms of communication; however, the trust placed between operators can still be abused by attackers, who exploit the trusted environment, infrastructure, and interconnections between carriers in remote attack scenarios. Access to telecommunications infrastructure abroad is also sufficient for voice call redirection and interception. Attack scenarios include the misuse of legal indoor small cells installed in private spaces such as bars, the use of a so-called “Warbox”, or the use of rogue base stations to intercept data and voice calls, among other possibilities.

Given this presumed level of trust, voice call interception (wiretapping) attacks often target high-value individuals such as top executives, key political figures, lawyers, journalists, and activists. Such an attack not only bypasses information security controls but also yields high-value information that can be used to influence the outcome of negotiations and transactions. Trend Micro research highlights some high-profile examples of such attacks, such as those in Italy and Uganda.

Security advice: Where feasible, apply anti-fraud detection algorithms used in the financial sector, such as Benford’s Law, to telecommunication logs as detection triggers. Incident response (IR) teams can then monitor and track occurrences of abuse and fraud, generating alerts on predictable patterns of criminal behavior. Users are also encouraged to use peer-to-peer encryption in their voice applications and are advised to disable GSM on their phones when possible.
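As an added example (not code from the Trend Micro research or from this article), the following Python applies the Benford’s Law trigger just mentioned to two constructed batches of per-account monthly billing values. The first batch grows geometrically, as natural billing data tends to, and conforms to Benford; the second is a scripted burst where every value sits in one narrow band, which is the kind of machine-generated activity an IR team would want flagged. The chi-square threshold and the sample values are assumptions chosen for illustration.

```python
import math
from collections import Counter

# Benford's Law: in many naturally occurring numeric datasets (call durations, billed
# amounts, calls per subscriber) the leading digit d appears with probability log10(1 + 1/d).
# Scripted or fabricated activity (bulk fake calls, fraud automation) often breaks this shape.
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value for 8 degrees of freedom at p = 0.01 (assumed alerting threshold).
CHI2_CRITICAL_8DF_P01 = 20.09


def leading_digit(value):
    """Return the first significant digit of a non-zero number, or None for zero."""
    value = abs(value)
    if value == 0:
        return None
    while value >= 10:
        value /= 10
    while value < 1:
        value *= 10
    return int(value)


def benford_chi_square(values):
    """Chi-square distance between observed leading-digit counts and Benford's expected counts."""
    digits = [d for d in (leading_digit(v) for v in values) if d is not None]
    n = len(digits)
    if n == 0:
        raise ValueError("no usable values in batch")
    observed = Counter(digits)
    return sum((observed.get(d, 0) - n * p) ** 2 / (n * p) for d, p in BENFORD.items())


def is_anomalous(values, threshold=CHI2_CRITICAL_8DF_P01):
    """Detection trigger: True when the batch deviates from Benford beyond the threshold."""
    return benford_chi_square(values) > threshold


# Constructed sample 1: monthly billed amounts in cents for 150 accounts, growing geometrically
# (roughly five decades of values), which is Benford-conforming.
NATURAL_AMOUNTS = [round(3 * 1.08 ** i) for i in range(150)]

# Constructed sample 2: a scripted burst where every amount falls in the 500-699 cent band.
SCRIPTED_AMOUNTS = [500 + i for i in range(200)]

if __name__ == "__main__":
    for name, batch in (("natural", NATURAL_AMOUNTS), ("scripted", SCRIPTED_AMOUNTS)):
        stat = benford_chi_square(batch)
        print(f"{name:9s} chi2={stat:8.2f} anomalous={is_anomalous(batch)}")
```

In practice the batch would be one day or one billing cycle of records per trunk, per reseller, or per originating network, so that a fraud source stands out against the rest of the traffic rather than being averaged away.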

SMS interception

More commonly, developers include SMS authentication in their projects as a supposedly reliable option for logging in and handling transactions, for example one-time passwords (OTPs). However, since SMS messages are exchanged in clear text within telecom networks, they remain vulnerable to interception and downgrade attacks.

A telecom core network can be considered “protected” depending on how the telecom company defines its “secure domain”. In practice, because the core network usually has only one domain, the data in it is protected only from the outside, not internally. Hackers or insiders can therefore intercept text messages or downgrade 4G/5G coverage to less secure networks such as GSM.

SMS is also a backup channel for operational technology (OT) systems such as over-the-air (OTA)-enabled industrial routers and cellular OT devices. Because GSM has wider coverage than newer telecommunications technologies, these systems are more susceptible to interception.

SIM swapping can also be carried out by attackers who use social engineering to pose as users in distress. Typically, the attacker calls a telecom service center claiming to be a user who has lost their device or SIM card. The service center then transfers the user’s account and phone number to the attacker, after which all text messages are delivered to the attacker instead of the unwitting legitimate user. Previously documented cases include malware impersonating an Android tool to steal authentication codes, as well as the “MESSAGETAP” malware used to compromise telecom text messaging centers. MESSAGETAP, first discovered in early 2019, is a hacking tool programmed to target specific individuals and to look for certain text strings and keywords appearing in intercepted text messages.
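The SIM swap described above leaves a trace that defenders can correlate: a SIM change on a number, followed shortly by OTP requests or password resets that rely on that number. The following Python is an added example (not from the article or from any telco’s tooling) that runs such a correlation over a constructed event stream mixing telco SIM-provisioning events with a service’s authentication events, and also shows the policy check a relying party can apply before it sends an SMS code. The log format, field names, and time windows are assumptions.

```python
from datetime import datetime, timedelta

# Constructed event stream (not real logs): "<ISO time> <event type> <MSISDN> key=value ..."
EVENT_LOG = """\
2024-05-01T09:12:00+00:00 sim_change +15550001111 channel=callcenter
2024-05-01T09:40:00+00:00 otp_request +15550001111 service=bank
2024-05-01T09:41:00+00:00 password_reset +15550001111 service=bank
2024-05-01T10:00:00+00:00 otp_request +15550003333 service=bank
2024-05-02T14:00:00+00:00 sim_change +15550002222 channel=retail_store
2024-05-05T08:00:00+00:00 otp_request +15550002222 service=email
"""

# Authentication events that become dangerous right after a SIM change.
SENSITIVE_EVENTS = {"otp_request", "password_reset"}


def parse_events(text):
    """Parse the constructed log format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, kind, msisdn, *attrs = line.split()
        events.append({
            "time": datetime.fromisoformat(timestamp),
            "type": kind,
            "msisdn": msisdn,
            "attrs": dict(a.split("=", 1) for a in attrs),
        })
    return sorted(events, key=lambda e: e["time"])


def correlate_sim_swaps(events, window=timedelta(hours=24)):
    """Alert on every SIM change that is followed by sensitive auth events within the window."""
    by_number = {}
    for event in events:
        by_number.setdefault(event["msisdn"], []).append(event)

    alerts = []
    for msisdn, number_events in by_number.items():
        for change in number_events:
            if change["type"] != "sim_change":
                continue
            followed = [
                e for e in number_events
                if e["type"] in SENSITIVE_EVENTS
                and change["time"] <= e["time"] <= change["time"] + window
            ]
            if followed:
                alerts.append({
                    "msisdn": msisdn,
                    "sim_change": change["time"],
                    "channel": change["attrs"].get("channel"),
                    "events": [(e["type"], e["attrs"].get("service")) for e in followed],
                })
    return alerts


def sms_factor_allowed(msisdn, events, now, cooldown=timedelta(hours=72)):
    """Relying-party policy: refuse the SMS factor if the number changed SIM during the cooldown,
    forcing a step-up to a non-SMS factor instead."""
    return not any(
        e["type"] == "sim_change" and e["msisdn"] == msisdn
        and now - cooldown <= e["time"] <= now
        for e in events
    )


if __name__ == "__main__":
    parsed = parse_events(EVENT_LOG)
    for alert in correlate_sim_swaps(parsed):
        print("ALERT", alert["msisdn"], "SIM changed via", alert["channel"],
              "at", alert["sim_change"].isoformat(), "then", alert["events"])
    check_time = datetime.fromisoformat("2024-05-02T09:00:00+00:00")
    print("SMS OTP allowed for +15550001111:", sms_factor_allowed("+15550001111", parsed, check_time))
```

The correlation needs the SIM-change feed from the operator, which is exactly the kind of telecommunications log data the article recommends folding into existing fraud processes; without it, the service only sees a normal-looking OTP request.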

Security advice: Users should consider means of authentication other than text messages, such as an authenticator mobile app or mobile phone push notifications.

Caller ID Spoofing

Calling Line ID (CLID) spoofing is a legitimate, standards-based capability used for legitimate purposes, including masking call centers behind 1-800 hotline numbers. It can also be abused by attackers to target individuals, for example by posing as organizations such as banks and government agencies; such an attack abuses the trust established with an organization’s known number.

In one scenario, a customer receives a phone call or text message apparently from their bank that includes a request for action, and the customer inadvertently shares their credentials or other sensitive information with the attacker via a phishing site. Other attack scenarios include:

Attackers impersonating law enforcement agencies and government authorities;

Senior officials receiving calls from numbers they believe belong to other officials but which actually belong to the attacker.

Notably, attacks like this were observed in both Australia and Singapore in 2020. In both cases, scammers posed as government agencies or officials to buy or receive specific items.

Security recommendation: As part of a multi-layered defense strategy, users and organizations should scrutinize the origin of incoming calls and text messages, and augment existing processes with data such as telecommunications logs relating to text message or call origins.

TDoS ransomware

In 2016, American researchers reported that they could easily disable the 911 system for a considerable period of time by exploiting vulnerabilities and technical means. The attack method is called TDoS, a “telephony denial-of-service attack.” It involves using ordinary users’ mobile phones to place a large number of bogus 911 calls, causing line congestion and interference so that those who genuinely need emergency help cannot get through.

Telephony Denial of Service (TDoS) is a qualitative model of DoS in which service is “turned off” for a targeted legitimate user, as opposed to the quantitative model of Denial of Service (DoS) in which a system is overloaded with traffic. Attackers abuse telcos’ existing business processes for managing fraud to create a scenario that portrays the target victim’s phone number and SIM card as belonging to a fraudster. The telco then blocks the victim’s number and SIM card, which is now tracked as a source of detected fraud. Victims will most likely need to visit a telecommunications office in person to restore their services.

This DoS method can be thought of as a “black flag” operation in which fraud is carried out solely so that the victim (an individual or a company) is caught and cut off. One such scenario has the attacker operating within range of the victim’s SIM card and phone number so that the telco tracks it as a source of fraud and treats the victim as highly suspicious. Attackers can also prolong outages of data connections and phone calls by making multiple calls to the telco to restore service, making it difficult for the telco to distinguish real victims from fake ones.

It must be remembered that the victim may have neither a data connection nor the ability to make a phone call, and an outage like this may require the victim to travel a long distance just to appear in person at the telecommunications office. Attackers can further abuse this situation for extortion by contacting victims and claiming to be able to restore services in exchange for specific demands.

Security advice: Organizations and users, as customers, can build strong relationships with their respective sales account representatives or supervisors to work around gaps in the process and restore connectivity and phone service. For the same reason, alternative means of communicating with such contacts are also recommended.

Whaling by SIM-jacking

SIM card hijacking (SIM-jacking) means that criminals obtain a person’s phone number and personal information, impersonate the mobile phone user to telecom service staff, apply for a new SIM card, and then gain access to the user’s account information through text messages, even draining electronic wallets. Whaling derives from the term “phishing” and is a fraudulent type of attack in which phishers find the names and email addresses of a company’s top management or executive team (such information is often freely available on web pages) and write emails tailored to these individuals and their positions in the company. These emails attempt to trick executives, journalists, politicians, CEOs, celebrities, and athletes alike into clicking a link and visiting a website that downloads malware to their computer to record keystrokes or search for sensitive information or company secrets. SIM hijacking, also known as SIM swapping, is an attack that redirects a targeted “whale’s” cell phone traffic to the attacker. This allows attackers to initiate voice calls or messages to other employees for business email compromise (BEC), for example to intercept SMS-based multi-factor authentication (MFA) codes or to authorize corporate bank transfers.

One of the easiest ways to do this is social engineering using multiple points of attack and multiple people, specifically targeting points or individuals within a telco. What’s more, with just one valid point of access, an attacker can control not just one VIP account but an entire customer base.

Security recommendation: Use a non-SMS-based method for authentication, such as an authenticator app. VIPs can also use federated identity and access management (IAM) systems and reconsider which IAM controls are handled by telcos.

Authenticator is a security assistant app officially produced by Microsoft to protect the security of Microsoft accounts. You only need your mobile phone (not a password) to log in to your Microsoft account: after entering your username, you approve a notification sent to your phone and provide a fingerprint, Face ID, or PIN, among other security measures, giving users a safer service experience.


Telecom infrastructure integration in key verticals appears to be an ongoing trend that is likely to continue as 5G and 6G present new opportunities in terms of technology, capabilities, finances, and attack surfaces. As a result, IT and security teams need to be aware of the changing risks to IT assets and of the differences in concepts, equipment, skills, and training required to deal with those risks. When choosing tools to improve visibility and security baselines, the new dependencies, network relationships, and vulnerabilities created by these technologies and developments must be considered.
