Committed to connecting the world

Signalling Security

BACKGROUND
Signalling protocols play a cornerstone role in providing different ICT services from the simple audio/video sessions to the complex digital financial services widely used over the globe. These protocols and telecommunication networks were designed without consideration for security and privacy. It enables attacks on ICT infrastructure including exploiting signalling protocols used for different ICT services.

While many different domains are using the Internet to build trustable connection among their customers, (for instance, most of the financial institutions are widely using the Internet to give their customers more effective tools to control and manage their finances), the lack of security and privacy in existing ICT infrastructure does not enable such trustable connections. Furthermore, in developing countries, where access to financial services is limited only to legacy ICT infrastructure via over-the-top (OTT) applications, there is an ever growing increase of illegal usage of customers’ applications, thus resulting in the unlawful take-over of their assets.

Additionally, many people all over the globe experience the irritating phone calls or calls from parties pretending to be legitimate business ventures (e.g., representatives of banks, health insurance companies, etc.). Technically, these calling parties use the so-called spoofing number – which in essence is the manner in which the calling party number can be replaced with the number of an official enterprise or anyone of trust. As a result, the spoofing numbers as well as robocalls, along with other similar attacks make lives of the customers uncomfortable and unsecure to say the least.

In summary, the signalling exchange level of security and privacy must match the level provided by the Internet to mitigate attacks on ICT infrastructure, which breaks signalling protocols used for establishing different ICT services. Amongst the well-known attacks are telephone spam, spoofing numbers, location tracking, subscriber fraud, intercept calls and messages, DoS, infiltration attacks, routing attacks, etc. These attacks have become a major priority for different stakeholders, in particular the financial institutions and telecom operators.

POTENTIAL SOLUTIONS

Different security measures and relevant solutions can be put in place in order to cope with such vulnerabilities.
The ITU-T Study Group 11, which is the lead group on signalling, has been working on these issues since 2016.

With regard to the spoofing of calling party number, which is considered one of the major issues, ITU-T SG11 has revised Recommendations ITU-T Q.731.3, Q.731.4, Q.731.5 and Q.731.6, in order to specify an exceptional procedure for transit exchange connected to CPE (Customer Premises Equipment) with the aim of providing predefined calling party number by the originating operator.

Also, in order to cope with issues related to intercepting messages and calls, including One-Time-Password which is widely used in the financial institutions, SG11 had developed new Recommendation ITU T Q.3057, which defines the signalling architecture and requirements for interconnection between trustable network entities in support of existing and emerging networks. This Recommendation describes the use of digital signature (digital certificates) in the signalling exchange which may guarantee the trustworthiness of the sender.

THE WAY FORWARD

SG11 developed the extension of the Recommendation ITU-T Q.3057 by defining algorithms for checking certificates for different protocols using Signalling Security Gateway (SSGW), which validates the signatures of other operator's certificates in order to allow or block the signalling packets (ITU-T Q.3062).

In addition, SG11 developed standard ITU-T Q.3063 which identifies the signalling requirements of calling line identification authentication including codes and signalling procedure based on the mechanism defined in the ITU-T Q.3057. Also, SG11 developed the amendments to SS7 and BICC related standards, which define the extensions for the support for the calling line identification authentication (Amd.2 to ITU-T Q.931, Amd.6 to ITU-T Q.1902.3, Amd.7 to ITU-T Q.763).

The requirements for Trusted Signalling Certification Authority (TSCA) and the framework on issuing and distribution of certificates among different operators need to be standardized.

Based on the key takeaways of the Workshop on “Improving the security of signalling protocols” (2021):

“The trust anchor needs to be a globally trusted SDO, preferably one already in charge of numbering and this anchor must interoperate with existing repositories (such as the ones in the US and Canada).
We will need to formulate a way to standardize these local/regional certification processes in order to keep the bad actors out. This standardization process should involve as many countries as possible in order to improve its applicability on the global scale.”

In May 2023, ITU-T SG11 initiated the development of the draft Recommendation ITU-T Q.TSCA "Requirements for issuing End-Entity and Certification Authority certificates for enabling trustable signalling interconnection between network entities".

In June 2024, ITU-T SG2 initiated the development of the draft Recommendation ITU-T E.RAA4Q.TSCA "Registration authority assignment criteria to issue digital public certificates for use by Q.TSCA".

ITU-T SG11 is collaborating with ITU-T SG2, SG17 and other SDOs on this subject matter.

Workshops, webinars and other related events

Demo: SMS OTP Intercept
Demo: SS7 call interception

2016: Workshop on “SS7 Security”

DELIVERABLES AND ONGOING ACTIVITIES

Revised ITU-T Q.731.3 (plus Q.731.4 – Q.731.6) (2019): Stage 3 Description for number identification supplementary services using Signalling System no.7 - Calling Line Identification Presentation
ITU-T QSTR-SS7-DFS (2019): SS7 vulnerabilities and mitigation measures for digital financial services transactions
ITU-T Q.3057 (2020): Signalling requirements and architecture for interconnection between trustable network entities
ITU-T QSTR-USSD (2021): Low resource requirement, quantum resistant, encryption of USSD messages for use in financial services
ITU-T Q.3062 (2022): Signalling procedures and protocols for enabling interconnection between trustable network entities in support of existing and emerging networks
ITU-T Q.3063 (2022): Signalling procedures of calling line identification authentication
Amd.2 to ITU-T Q.931 (2023):
ISDN user-network interface layer 3 specification for basic call control.
Amendment 2: Extensions for the support for the calling line identification authentication
Amd.6 to ITU-T Q.1902.3 (2023):
Bearer Independent Call Control protocol (Capability Set 2) and Signalling System No. 7 ISDN User Part: Formats and codes. Amendment 6: Extensions for the support for the calling line identification authentication
Amd.7 to ITU-T Q.763 (2023):
Signalling System No. 7 – ISDN User Part formats and codes. Amendment 7: Extensions for the support for the calling line identification authentication

Draft Q.TSCA (SG11): Requirements for issuing End-Entity and Certification Authority certificates for enabling trustable signalling interconnection between network entities ^ongoing
Draft E.RAA4Q.TSCA (SG2): Registration authority assignment criteria to issue digital public certificates for use by Q.TSCA ^ongoing
Draft Q.DMSA (SG11): Principles for detection and mitigation of signalling attacks in security signalling gateways ^ongoing

CONTACTS

TSB Secretariat of ITU-T SG11
tsbsg11[at]itu.int