The persistent security crisis in mobile networks: old vulnerabilities keep haunting new generations

21.10.2025

This article is based on the research "Unveiling the Ghosts of Mobile Networks: When Will Old Bugs Die?" presented by Dr Altaf Shaik of the Technical University of Berlin, and on his talk published on the 44CON Information Security Conference YouTube channel (https://www.youtube.com/watch?v=364R1SoGGJ4). Special thanks to Dr Altaf Shaik for his scientific work.

Introduction

In a revealing presentation by Dr. Altaf Shaik, a senior researcher at the Technical University of Berlin and telecom security expert with over 12 years of experience, we're confronted with a troubling reality: mobile network security vulnerabilities that were discovered decades ago continue to persist across generations, from 2G to the latest 5G networks. This persistence reveals fundamental flaws in how security issues are addressed in the telecommunications industry.

The telecom security landscape suffers from a critical failure mode: vendors and organizations often apply quick patches to satisfy security researchers rather than addressing the underlying root causes. This approach leads to the same vulnerabilities reappearing in different products, different locations, or even in subsequent generations of technology.

Altaf Shaik explains: "You submit bugs or find vulnerabilities, report them to the respective organization, and expect they'll be fixed. You might get a bounty and everything looks cool, but after a while you see the same bug coming back again in another form or in a different product."

Classic telecom attack vectors that persist

1. IMSI catchers (false base stations)

  • Operation Modes: Passive, semi-passive, and active
  • Current Threat: Still operational in 5G networks with downgrade capabilities
  • Usage: Employed by criminal actors, state actors, and law enforcement agencies
  • Recent Developments: Used for SMS flooding attacks, with some perpetrators recently arrested in the UK

2. Signaling system exploits

  • SS7: The legacy telephony signaling protocol with vulnerabilities known for 20-25 years
  • Diameter: The LTE-era successor to SS7
  • SEPP: 5G's Security Edge Protection Proxy (an improvement on paper)
  • Capabilities: Location disclosure, phone call interception, SMS interception
  • Commercialization: Private companies offering SS7 services for fees that have become increasingly affordable

Generational analysis: security regression instead of progression

Authentication failures across generations

Mobile networks typically authenticate users only once per day or when moving significant distances, rather than generating fresh session keys regularly. This practice creates extended windows of vulnerability where the same cryptographic keys are reused.

Key finding: "Authentication happens just once when you connect your phone, and after that there's no authentication usually happening until you go back to your home location. Networks don't try to reauthenticate you again as long as you're in the same area."

Privacy protection deficiencies

The problem of attacks via the SS7 protocol remains relevant. Silent SMS messages continue to pose a major threat to privacy.

Temporary identifiers (TMSI) designed to protect user privacy often lack proper randomness, making tracking possible across sessions.

Altaf Shaik's research shows concerning patterns in European networks:

  • 2015: Poor randomness in temporary identifiers in 4G LTE networks
  • 2021: Some improvement in 5G NSA networks
  • 2024: The same poor patterns from 2015 repeating in 5G SA networks
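The weak-randomness pattern described above can be checked from the operator side without any protocol knowledge: collect the sequence of temporary identifiers a network hands out and look for bits that never change, small differences between consecutive allocations (a counter), and values handed out twice. The following Python is an added example written for this article, not code from Dr Shaik's research or from any vendor; the 32-bit identifier width matches a TMSI, the two sample sequences are constructed (a counter with a fixed prefix, and seeded PRNG output standing in for a properly randomised allocator), and the thresholds MAX_FIXED_BITS and MIN_MEAN_HAMMING are heuristic assumptions of the example.

```python
import random
from collections import Counter

TMSI_BITS = 32

# Heuristic thresholds (assumptions for this example, not values from the talk):
MAX_FIXED_BITS = 8      # more than this many never-changing bits is a red flag
MIN_MEAN_HAMMING = 8    # random 32-bit values differ in ~16 bits on average


def fixed_bits(tmsis):
    """Bit positions whose value is identical in every allocation."""
    if not tmsis:
        return []
    all_and = tmsis[0]
    all_or = tmsis[0]
    for t in tmsis[1:]:
        all_and &= t
        all_or |= t
    # A bit is fixed if it is 1 in every value (AND) or 0 in every value (NOT OR).
    mask = (1 << TMSI_BITS) - 1
    stuck = all_and | (~all_or & mask)
    return [b for b in range(TMSI_BITS) if (stuck >> b) & 1]


def mean_hamming(tmsis):
    """Average Hamming distance between consecutive allocations."""
    if len(tmsis) < 2:
        return 0.0
    total = sum(bin(a ^ b).count("1") for a, b in zip(tmsis, tmsis[1:]))
    return total / (len(tmsis) - 1)


def repeated_values(tmsis):
    """Number of distinct identifier values that were handed out more than once."""
    return sum(1 for c in Counter(tmsis).values() if c > 1)


def assess(tmsis):
    """Summarise the three checks and give a coarse verdict."""
    fb = fixed_bits(tmsis)
    mh = mean_hamming(tmsis)
    rep = repeated_values(tmsis)
    weak = len(fb) > MAX_FIXED_BITS or mh < MIN_MEAN_HAMMING or rep > 0
    return {
        "fixed_bit_count": len(fb),
        "fixed_bits": fb,
        "mean_hamming": round(mh, 2),
        "repeated_values": rep,
        "verdict": "weak" if weak else "acceptable",
    }


# Constructed sample 1: a counter-style allocator with a fixed prefix, the kind of
# pattern that makes a subscriber trackable across reallocations.
PREDICTABLE = [0xC0000000 | ((4 * n) & 0xFFFF) for n in range(200)]

# Constructed sample 2: 32-bit values from a seeded PRNG, standing in for a
# CSPRNG-backed allocator (seeded only so the example is reproducible).
_rng = random.Random(1234)
RANDOMISED = [_rng.getrandbits(TMSI_BITS) for _ in range(200)]

if __name__ == "__main__":
    for name, sample in (("predictable", PREDICTABLE), ("randomised", RANDOMISED)):
        print(name, assess(sample))
```

On the counter-style sample the check reports 24 never-changing bits and consecutive values that differ in only about two bits, which is exactly what lets an observer link one temporary identity to the next; the randomised sample reports no fixed bits and roughly 16 differing bits per reallocation. A real audit would feed in identifiers captured from the operator's own signalling, but the statistics are the same.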

Determining a user's location by sending messages to the phone also remains possible in insecure 2G networks.

Encryption downgrade attacks

  • 2G: Networks still support weak algorithms (A5/0, A5/1) that should have been deprecated
  • 4G/5G: Null encryption still possible in some implementations
  • User Awareness: Modern smartphones don't indicate encryption status, unlike older Nokia devices that showed when calls weren't encrypted
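Because the handset no longer tells the user when a call or session is unprotected, the only place left to notice null encryption or a forced drop to 2G is the operator's own records. The following Python is an added example for this article, not code from the talk or from any operator; it runs a simple audit over a constructed log format (one line per security-mode event with a pseudonymous subscriber id, the radio technology and the negotiated cipher), flagging null ciphers (A5/0, EEA0, NEA0), the broken GSM ciphers A5/1 and A5/2, and any subscriber who drops to GSM after having been served on 4G or 5G. The log lines and the field names are constructed for the example; the algorithm names are the 3GPP ones.

```python
import re
from collections import defaultdict

# Cipher grouping used by this example (3GPP algorithm names).
NULL_CIPHERS = {"A5/0", "EEA0", "NEA0"}   # no confidentiality at all
WEAK_CIPHERS = {"A5/1", "A5/2"}           # GSM ciphers with known practical breaks
RAT_GENERATION = {"GSM": 2, "UMTS": 3, "LTE": 4, "NR": 5}

# Constructed log format (an assumption of this example, not a vendor format):
#   <ISO timestamp> sub=<pseudonymous subscriber id> rat=<GSM|UMTS|LTE|NR> cipher=<algorithm>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+sub=(?P<sub>\S+)\s+rat=(?P<rat>GSM|UMTS|LTE|NR)\s+cipher=(?P<cipher>\S+)"
)

# Constructed sample log: five security-mode events plus one malformed line.
SAMPLE_LOG = """\
2025-10-21T10:00:01Z sub=u1 rat=NR cipher=NEA2
2025-10-21T10:05:10Z sub=u2 rat=LTE cipher=EEA0
2025-10-21T10:07:30Z sub=u1 rat=GSM cipher=A5/1
2025-10-21T10:09:00Z sub=u3 rat=LTE cipher=EEA2
2025-10-21T10:12:45Z sub=u3 rat=NR cipher=NEA0
this line is malformed and must be skipped
"""


def parse(lines):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def audit(lines):
    """Return (timestamp, subscriber, kind, detail) findings in log order."""
    findings = []
    best_gen = defaultdict(int)   # highest generation each subscriber has been seen on
    for ev in parse(lines):
        sub = ev["sub"]
        gen = RAT_GENERATION[ev["rat"]]
        # A drop to GSM after 4G/5G service is the downgrade case worth a closer look.
        if best_gen[sub] >= 4 and gen == 2:
            findings.append((ev["ts"], sub, "rat-downgrade", f"{ev['rat']} after 4G/5G service"))
        best_gen[sub] = max(best_gen[sub], gen)
        if ev["cipher"] in NULL_CIPHERS:
            findings.append((ev["ts"], sub, "null-cipher", ev["cipher"]))
        elif ev["cipher"] in WEAK_CIPHERS:
            findings.append((ev["ts"], sub, "weak-cipher", ev["cipher"]))
    return findings


if __name__ == "__main__":
    for ts, sub, kind, detail in audit(SAMPLE_LOG.splitlines()):
        print(f"{ts} {sub}: {kind} ({detail})")
```

On the sample log the audit reports four findings: null ciphering for u2 (EEA0) and u3 (NEA0), and for u1 both a downgrade from NR to GSM and the weak A5/1 cipher that came with it. A subscriber who is only ever seen on GSM is not reported as a downgrade, since there is nothing to compare against; whether a 2G-only session is acceptable is a policy decision the operator has to make separately.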

Integrity protection bypasses

While 3G introduced integrity protection and 4G expanded it, networks can be manipulated to bypass these protections by claiming lack of support for security features.

5G: New technology, old problems

Despite being marketed as a security revolution, 5G inherits many legacy vulnerabilities:

  • Authentication Bypasses: Possible on handsets from some popular manufacturers
  • Security Mode Command Bypasses: Critical security features can be circumvented
  • Location Tracking: Still possible through various techniques
  • Network Downgrade: 5G devices can be forced to 2G connectivity
  • SMS Vulnerabilities: All existing SMS attack vectors remain viable

The IoT platform threat expansion

5G introduces new attack surfaces through IoT platforms that provide direct API access to mobile core networks. These platforms have shown critical vulnerabilities including:

  • OWASP Top 10 vulnerabilities
  • Authorization bypass issues
  • Weak password policies
  • Inadequate access controls

Root causes: why security fails in telecom

Technical challenges

  • Lack of 3GPP Specification Depth: Complex specifications with potential ambiguities
  • Insufficient Security Testing: Limited fuzzing and advanced security testing
  • Skill Shortages: Lack of cross-domain expertise between telecom and IT security
  • Vendor Control Limitations: Operators often lack security controls from equipment vendors

Political and regulatory factors

  • Internal Policies: Country-specific decisions on security feature implementation
  • Legal Restrictions: Some carriers can't inspect SMS content due to privacy regulations
  • Lawful Interception Requirements: Deliberate security weaknesses for surveillance capabilities

Other factors

  • Implicit Trust Model: Networks built on operator-to-operator trust without verification

The path forward: actionable recommendations

For network operators and vendors

  • Supply Chain Security: Comprehensive testing of telecom equipment
  • Security Customization: Vendor-provided security controls for different use cases
  • Automated Monitoring: Continuous security monitoring, including SMS content analysis
  • Comprehensive Testing: End-to-end security testing across handset, core, RAN, and interconnect

For regulators and standards bodies

  • Zero Trust Adoption: Move away from implicit trust models
  • Penalty Enforcement: Financial penalties for security negligence
  • Standardized Security Requirements: Clear, enforceable security benchmarks

Conclusion

The persistence of decades-old vulnerabilities in modern mobile networks represents a systemic failure in the telecommunications security ecosystem. As we move toward 6G and increasingly connected critical infrastructure, the industry must transition from reactive patching to proactive, root-cause security engineering. The convergence of telecom and IT worlds in 5G provides an opportunity to leverage proven security practices from the internet world, but this requires fundamental changes in how security is prioritized, implemented, and maintained across the mobile ecosystem.

The research clearly shows that without addressing these foundational issues, each new generation of mobile technology will simply inherit the security failures of its predecessors, putting billions of users and critical infrastructure at continued risk.

Data transmission and voice calls over cellular networks remain exposed even in 5G networks.

We at Protelion take this seriously and recommend using secure data transmission channels (Protelion VPN with strong encryption) and making calls via the built-in Protelion ArmoredMobile messenger.
