When a network equipment vendor moves in the right direction for security in telecom and mobile, it’s rare enough to be worth mentioning. This time it’s NSN, who published their "Responsible disclosure | Nokia Siemens Networks" page on the corporate website. (Thanks to Martin Peylo from NSN for publicizing this.)
This is important because the telecom industry usually lags behind IP networks in terms of security maturity:
We’re still dealing with networks that consider SS7 a closed garden and assume that LTE EPC networks must be robust because they are designed for high availability. This stance very often denies the direct, repeatable results of our audits, which show crashes and remote vulnerabilities (for example in MME, eNodeB or HSS).
This is a strong signal:
- Yes, vulnerabilities and crashes are indeed found in current or upcoming products as much as in legacy ones.
- Yes, telecom vendors need to update and patch their systems (fast, everywhere, transparently) just as in the IP domain.
- IP adoption in Telecom and Mobile helps technology harmonization but also lowers the barrier to entry for potential attackers both on Infrastructure compromise (for example, intruding into an operator) and on Technology compromise (for example, finding a DoS attack or a remote code execution in some Network Element).
- Reaction time is as crucial in telecom and mobile networks as it is in the IP domain, in order to secure infrastructure before it is hit massively.
So let’s hope other vendors will follow the same path and provide a security contact for dealing with vulnerabilities. The same question also applies to operators, who need to be able to receive and quickly process any incoming disclosure about a newly discovered vulnerability. Failing to treat security researchers and disclosing parties in a courteous and professional manner risks having them not disclose information, thus favoring the other actors who deal with these vulnerabilities for a profit, i.e. exploit traders.