Alan Murphy, AdaptiveMobile Security, on Lessons from SS7 & Diameter that can prepare us for 5G SA

In May 2021 ROCCO Research’s Jason Bryan spoke with Alan Murphy, Head of Product and Engineering at AdaptiveMobile Security, about the company’s recent success in ROCCO’s Signalling Firewall Vendor Benchmarking research, about signalling attacks in 2020, what impacts 5G will bring, and AdaptiveMobile Security’s plans for 2021.

Jason: This is awesome. So great to catch up with you again, Alan, from a similar, but somewhat different, perspective to last time. We’ve done interviews with you in the past, but a lot has changed since then, so let’s start with something simple: what is your role in AdaptiveMobile Security?

Alan: Well, I’m head of product and engineering. So, I’m in charge of building all the products. I have a great team split across Dublin, Brno in the Czech Republic and Hyderabad in India. We work with the engine of the company: we take in all the input, we discuss developments with customers, and we produce the platforms and intelligence products, and yeah, it’s fantastic.

I’m also on the executive management team. So, I help to steer the company as well, and I participate in the GSMA and other industry discussions. Not as much as I used to, because we have other internal industry experts, like Cathal and Silke, which allows me to concentrate more on the engineering side. As we have discussed before, I’m very much an engineer at heart; I love solving all the problems and getting deep into the technical stuff.

Jason: One question we had is about how you and the team work together, with a view to innovation, to capture ideas and solutions.

Alan: Yeah, this is something I’ve got experience with. In previous places, it has been more of a team on site. So, it’s easier to get those ideas. Working in Adaptive, well, it’s more of a remote team and, with the pandemic, everyone’s working from home, so collaboration tools are very important to us. When we went into lockdown last year, and everybody started working from home, it was quite a surprise to see that productivity jumped. So, as with any company, we’ve had challenges in communication, but not anymore. We’ve set up frequent product planning meetings, bringing not just our team but also other departments within the company together to discuss the products. So, we bring all kinds of ideas together and mix them up, and then see how it evolves for the product. We do frequent demos and get everybody involved as much as we can, having cross-departmental collaboration across all regions, and it has worked out extremely well and been a very productive period for us.

Jason: And so, Alan, can you tell us a little something about how you got into this industry?

Alan: Yeah. Well, it’s a similar story to, I think, a lot of people in our industry; we kind of just fell into it, right? I think it was about 20 years ago. I had worked in a bank and for an internet consulting company back in the boom times; you know, this was first-class tickets to London, and training, and all sorts of fun. So, when the bust hit, I was working with a couple of guys just doing bits and pieces, websites, that type of thing. Then I got involved in SMS marketing, building all the technology from scratch; it was exciting times, working with national marketing campaigns for Coca-Cola and McDonald’s and all those tier-one brands. This work evolved in a more technology-based direction and eventually developed into an SMS firewall.

Jason: So, what brought you to AdaptiveMobile Security?

Alan: So, about two and a half years ago, when I joined, I obviously knew Adaptive from the industry; they’re more heavily focused on the cybersecurity aspect and the intelligence side of things. It was quite an eye-opener when I joined to see just how tricky it is to do this type of analysis when you’re facing threats that are very well-resourced private surveillance companies or nation states. You know, previously, it was more about the technology. Now, it’s more about the intelligence, really, and seeing what actually is happening out there, just how sophisticated the attackers are. So, it’s been exciting for the last couple of years here, trying to build not just the tools to stop the attackers, but also the tools to analyse and find out where the attackers are doing those things. It’s one of those things that I enjoy every day, to be honest.

Jason: So, based on 2020, have you seen any specific change in terms of SS7 or Diameter attacks due to the rise of cybercrime?

Alan: Yes. In discussions with our intelligence team, and based on what we’ve seen more broadly across the market, we have seen a rise in signalling attacks, especially in certain jurisdictions, certain high-risk markets for cybercrime. But more generally, in comparison to the volume of attacks that we see from surveillance companies, it’s still relatively low. We know from our analysis and our research that direct signalling attacks, for example interception of two-factor authentication or one-time password messages, are happening, but not at the same scale as we would see other types of signalling attacks. What we’ve seen is not just an increase in the volume of those interception attacks, but the sophistication of those attacks has increased too. I think, from an MNO perspective, we encourage mobile operators to protect their networks, and there’s been a huge, concerted effort over the years by us through the GSMA. We are seeing that with firewalls being installed, this influences the attackers, because we also see attackers trying new things to bypass protections.

Jason: Yes, interesting. Let’s talk about phishing for a moment. What’s happening with phishing attacks in the UK right now is all over the news, where people, vulnerable or otherwise, are receiving many instances of phishing; it almost feels like the attackers are trying to take advantage of the fact that people are not necessarily in the same communities that they were before. They are unable to get advice from each other. Do you think there’s any validity in that?

Alan: We have huge coverage in the US, and we’ve identified that when particular events occur, there are changes in how these attacks are happening; you have to give them huge respect for their ingenuity at times.

From our perspective, looking at these attacks that are coming in, they’ll try a certain technique, they will see the metrics of how successful it is, and they will immediately change how they’re doing the attack and optimise it so quickly. I’ll give an example: Simjacker. So, we saw the Simjacker attack occurring, and we put in protections against it.

We saw the modification of the actual attack message occurring at times that indicate these people run eight-hour days; we knew when they took their lunch, because of the types of attacks that were occurring: they took a bit of a break, and then they started again.

I mean, these people are making a lot of money from this. The attacker only cares about getting the attack through. So, they don’t care what applications they use to do that; you must be aware of the entire ecosystem.

Jason: So, what would you say is the most common type of signalling attack on a network these days?

Alan: Generally, it would be IRSF. There’s just such a low barrier to entry to messaging, specifically in certain markets, that it’s much easier for them to do that and then send it directly to people’s mobiles; they open a link, or there’s a call to action there. And then they can measure to see how well it has worked or not; they can cycle through millions of source numbers, modify the text of the message, and try to get past any sort of filtering. And a lot of MNOs only really use some very basic filtering, and if they do that, they’re not at the races; these guys are so sophisticated.

The fraud on signalling, as I mentioned, the one-time password and two-factor authentication interception, that will be the most common one, because if you can get access to that, you can take over somebody’s account, and then you can just impersonate them, transfer money out of their bank, log in to their Facebook, blackmail them, whatever you want to do. And ultimately, that is the most dangerous form, and that’s really difficult to protect against; you need to have sophisticated systems in place to help prevent that.

SS7 networks and the people who built them: they didn’t think of security at the time, and those people, these days, are entering a phase of their life where they’re all retiring. So, the expertise and the historical context of how the network was built is being lost, and this is being exploited.

On Diameter, we see that after some SS7 protection goes in, some of these attacks move over to Diameter. This time we naturally expected it, but still the sophistication and the changes in how they must have done the attacks are profound. So even just in recent months, we’ve seen a large increase in the number of attacks coming in, but also in the sources where they’re coming from. Fraud in general is mostly related to things that are much easier for people to access, like being able to initiate phone calls, and being able to send text messages or MMS or RCS messages. Again, from our perspective, we have our threat intelligence unit, which analyses both signalling and messaging capabilities there. We can often relate some messaging attacks to people who are also active on signalling, and being able to look across that entire domain and see this is useful for our customers in being able to protect their subscribers.

Jason: In terms of the network, we think about points of entry for attackers; what have you seen so far from the IoT world, from the machine-to-machine traffic?

Alan: At the beginning, IoT-based attacks were not really attacks; they were mostly malfunctioning or badly implemented IoT devices that would inadvertently overload the network. So, I guess it’s still an attack if it affects the network, but it wasn’t always malicious. In terms of the attacks, we saw that the IP side of a device was open. So, it was not very well secured, like the old-style routers used to have in the 90s on the internet, and they’d be able to log in, and they’d be able to use the actual device to initiate sending SMS messages, and that was common a few years ago.

In terms of looking now at the way IoT devices work, obviously, most of them now are internet-based. They have a network IP connection, so you would need to look at the volume of traffic coming to and from them. On the signalling side, you will be able to see them, because of the vast array of IoT devices out there: something connects maybe once a day to upload its data; some of them still use SMS, some of them still use USSD-type techniques to send data back. But the majority nowadays would be connecting over the IP network. So, firstly we would see them on the signalling side, and we could tell whether they are permanently connected or dial in once a day, but then with what you see on the IP side, you can detect whether, for example, there’s exfiltration of data.

So, let’s say I took the SIM card out of your IoT device that’s connected to your node, so it’s kind of a VPN all the way back to your core enterprise network: I can take that SIM card out, stick it into my own device, and now suddenly I’m on your internal network. Using that, I can download all the data, because you may not have the protections internally that you would have publicly. Most issues are misconfigurations or bad devices. Targeted attacks will be tricky enough, but possible. One of the big issues with IoT is that the more these devices become embedded into society, the more brands start to become aware of security. What happens if attackers target your connected kettle and make it boil over and over until the water has boiled off, then it catches fire and burns your house down? Attackers could target traffic lights, agricultural sensors, these types of things; we must be very careful.

It’s not just about securing individual subscribers anymore; it’s about securing your infrastructure, power plants, electricity meters. It’s very, very important for a nation to be protected, and the mobile networks have a huge role to play there.

Jason: Yeah, I saw recently on LinkedIn a person talking about their connected coffee machine; they didn’t actually get any benefit from having this connected coffee machine, it was connected for the purpose of showing how often the water filter was filled. But in the end, if that’s connected to the internet, it’s a point of entry into the network?

Alan: The quote I love about this is that the “S” in IoT stands for “Security”. So, the real thing here is not so much that somebody creates a coffee machine that’s IoT-enabled or whatever, “connected”, but the fact that they don’t have the expertise in security. So, you know, somebody’s building a washing machine. How do they know about security? I’m going to stick a chip in here and connect it up and build a crappy interface or whatever. I mean, it’s kind of cool. Sometimes these things can be useful. The problem is things like pacemakers, medical devices, and other things like that truly need to be secured. But conversely, if there’s no security and there’s no way to protect this, then you stifle the innovation.

If I make a connected pacemaker, with an alert when things are malfunctioning, I could save somebody’s life. But then I might not make one, because of the possibility that somebody could hack into the pacemaker and kill somebody! So, security is absolutely a huge part of the innovation, especially in this industry going forward. With 5G, everything’s going to be connected. So, we’ve done a lot of research and development on 5G as a transport, because with 5G we will have everything connected. The signalling is now starting to look a little bit more like traditional IP; it’s not like the archaic SS7. The complexity is huge. We’re talking about cloud infrastructure, we’re talking about HTTP interfaces. So, the attack vector and the attack surface are huge. Everything’s going to be connected. Then we have slicing, which is going to be the main benefit, right? Now everybody has 5G radio, but still a 4G core. When you’re slicing, a car company might take a slice, and they organise that with a Mobile Network Operator, so their 5G core is now shared with other people; suddenly, if you have direct internal access to this, it just becomes a lot easier to perpetrate these types of attacks, and that’s what we’re preparing for.

Looking at security for 5G in the context of all the connections, all the IoT devices, slices, everything like that, is just a massive undertaking that we must do now and prepare for, because we can’t allow what has happened in the past to repeat itself, like those SS7 engineers who didn’t imagine the future of cybersecurity.

I think 5G will see a huge increase in security teams within mobile operators, because they’ll have to do it. And then on the actual infrastructure side, what we see from 3GPP won’t be enough; we know that because of SS7 and Diameter. You need that, unless you have a brand new 5G SA network that’s disconnected from everything and has some external connection security. Most operators won’t have that: they’ll have slicing, they’ll have 2G, 3G, 4G still integrated with it, and they’re going to need a very comprehensive solution to ensure that the entire network is secure, including 5G.

Jason: Yeah, it’s interesting, isn’t it? Because, you know, you’ve got this perception that, okay, 5G is going to be more secure by design. But, of course, 5G is not going to be ubiquitous, coverage-wise, and there will be situations where devices will fall back on to less secure networks.

Alan: We do correlation across all the protocols; we look at SS7, everything. So, we get a view of a handset and what it’s doing across these protocols. So, if there are any anomalies, we’ll know. When we move to 5G, it’ll be the same, with a need to know those things, especially when the devices can fall back. If you look at MAP versus the new 5G protocols, even going through the 5G protocols takes a lot of time.

I don’t really believe we’ll know what those full threats will be until they start getting deployed, until these 5G core networks start coming out, until we see this interaction. The platform that we’re building is making sure that we can slot our system in anywhere to do that protection. I think that will be very much required. Of course, you can’t just put it anywhere and expect it to work; you need the intelligence, you need the research, and you need to put that at the heart of your security platform. That is something that we do very well.

Jason: When I think about 5G, we haven’t really seen exactly its use cases played out yet. We haven’t really seen what’s going to be invented on top of that, you know, once it’s available. So how can we possibly consider the security that we will need?

Alan: I agree, but that’s okay. The most important thing with security is to ensure that you have visibility, you can see what’s going on, you know what’s happening, so that when something does happen, you can react as quickly as possible to close that gap. We do a lot of research, and we close a lot of holes. But, you know, the attackers are well financed, well resourced; there’s a huge, huge amount of money riding on their getting in and attacking and being successful. It’s about constant vigilance: you need expertise, you need a team of people to look at it, both within your organisation and then externally; you need a lot of expertise and analysis, especially on the cybersecurity side of things.

Jason: Speaking of expertise, you talked before about how the 5G network is more like a traditional IT network and how that’s going to develop from an education perspective. Where do you think the experts are coming together to discuss signalling, firewalls, etc., that are needed?

Alan: I would say the first and most important thing that has come out so far is that the industry is taking security more seriously in the 5G world. The improvements to the protocols themselves have been taken seriously. I do believe that people have a different mentality, and our customers who have more cloud-based deployments are much more aware of having to be on top of these types of security issues. Having said that, though, they are still not aware of the signalling security aspect of it. I mean, just put “5G security” and “SS7 security” into Google and you’ll see a difference in the number of documents returned.

Jason: So, recently, we did the Vendor Benchmarking for Signalling Firewall, like we do every year at ROCCO, and it’s great to see Adaptive in Tier One again. What was the reaction like to this in the company?

Alan: I’m very familiar with the report, the evaluations, the feedback from customers, and more than other types of awards, where it’s maybe judged in a different way, the fact that this comes from our customers is key for me. I would say that we have a lot of customers, both messaging and signalling. So, it’s quite a diverse range, from MNOs to CPaaS providers. On the signalling side, I think we are very well respected in the industry, especially the intelligence part; we know a lot about what these very serious actors are doing, and how to protect against it. On top of that, we have the technologies and the abilities to block and to protect and analyse. We have our SIGIL product, which a lot of our customers rely on each day just to get a context of when the attack happened and what it means. I mean, is it an attack or a misconfiguration? What’s the firewall really trying to tell me? On the SIGIL platform we have our analysts who are feeding intelligence into it. So, you can just go there and understand if it’s a serious attack, if the attacker is being tracked, and how to shut it down. We get a lot of great feedback from customers. To see that now in the report is fantastic. I want to say well done to the team as well. They’ve really done a hugely important and great job, both on the analysis side and on the technology side. So, it’s great, really positive to see that.

Jason: So, what about the future? What are the plans for AdaptiveMobile Security this year?

Alan: My top goal this year is to get our customers onto a new release of the platform. It’s exciting work the team have done to bring together this intelligence as a central part of our product; it’s really got to be embedded throughout our product set. Ultimately, as we see the sophistication of the attacks increase, we need better tools to not just protect, but also analyse and see those anomalous and suspicious things happen. And, you know, we’re doing that with machine learning, with a huge amount of analysis, especially on site. The goal is to make sure our customers are protected, and therefore to see these new attacks happening as quickly as possible. On 5G, the amount of resources and effort we’re putting into that is huge, even though it has slowed down in deployments because of the pandemic. I know the radio side of it has pushed ahead a lot, and when we see operators put in their cores to take advantage of slicing, it will be interesting to see all the benefits that brings. We must be prepared, because if a 5G Core gets hacked within a couple of weeks or months, you know, at that moment, that’ll damage the industry big time. With everything we’ve put together, we’re certain we can help to ensure that never happens for our customers.