The modern evolution of mobile communications has led the telecom industry to deploy 5G Standalone (SA) architecture. However, the technological transition does not happen instantly. Operators are forced to maintain complex heterogeneous infrastructures where the latest cloud-native solutions coexist with legacy protocols from previous generations. This hybrid state creates serious challenges for information security architects, as vulnerabilities in legacy signaling do not disappear but are carried over to new technological layers through backward compatibility mechanisms.
Legacy of zero trust: why SS7 and Diameter remain open doors for attacks
The SS7 (Signalling System No. 7) protocol, developed in the 1970s, was based on the principle of absolute trust between a limited circle of state operators. This architecture did not provide for sender authentication of signaling messages or encryption of transit traffic. Today, when almost anyone can gain access to the signaling network through commercial aggregators, this trust has turned into a critical vulnerability.
The Diameter protocol, developed for 4G/LTE networks, was intended to solve some of these problems through mandatory transport-layer security (IPsec or TLS). However, it inherited a fundamental architectural flaw: Diameter similarly trusts messages from neighboring roaming partner networks. If an attacker compromises a border router or gains access to an IPX (IP Exchange), they can send technically legitimate requests directly into the network core.
According to the ENISA Threat Landscape 2025 report, the exploitation of legacy signaling protocols remains a critical risk. After analyzing 4,875 security incidents between July 1, 2024, and June 30, 2025, ENISA experts found that approximately 53.7% of affected organizations are classified as essential entities under the NIS2 directive. This underscores the systemic nature of attacks on telecom infrastructure.
The scale of the problem is exacerbated by financial pressure. According to the CFCA Global Fraud Loss Survey 2025, global losses from telecom fraud reached approximately $41.82 billion per year. While this amount covers various types of fraud, a significant portion of the losses is generated specifically through the exploitation of signaling vulnerabilities, which allow for bypassing billing systems and performing unauthorized access.
Hybrid transit: how 2G/3G/4G vulnerabilities compromise 5G network security
It is a mistake to believe that launching 5G automatically eliminates the risks of previous generations. Most networks still operate in Non-Standalone (NSA) mode, where a 4G core (EPC) and the Diameter protocol are used to manage connections. Even with the transition to 5G Standalone (SA), where signaling is based on a Service-Based Architecture (SBA), operators cannot fully isolate the new core.
The main threat lies in compatibility mechanisms:
- Downgrade attacks: An attacker using active radio equipment (IMSI-catcher) can jam 5G/4G signals, forcing the subscriber's device to switch to 3G/2G. In legacy mode, 5G protection is negated, opening the way for attacks via SS7.
- Interworking transit: Interworking Functions (IWF) are used for communication between 5G and 3G/4G subscribers. They translate HTTP/2 messages into Diameter or MAP/SS7. Without intelligent filtering at the gateway, an attacker can send a malicious SS7 request that is converted into a legitimate message for the 5G core.
According to ITU Facts and Figures 2025, approximately two-thirds of the world's population uses the internet today. Such a global user base makes cross-border roaming connections extremely complex, and abandoning legacy protocols a long transitional process.
Anatomy of signaling threats: from SMS interception to roaming manipulation
Practical exploitation of signaling vulnerabilities focuses on vectors that directly affect the security of enterprise clients:
- SMS interception and 2FA bypass: The scheme is based on sending a spoofed MAP Update Location request to the Home Location Register (HLR). The network assumes the subscriber is roaming and redirects incoming SMS (including one-time passwords) to a switch controlled by the attacker.
- Denial of Service (DoS) attacks via Diameter: Using the S6a interface, attackers can send Cancel Location Request (CLR) messages, leading to the sudden de-registration of a subscriber. On the scale of industrial IoT, this can paralyze segments of critical infrastructure.
- Subscription fraud: Using manipulations with subscriber profiles, attackers create unauthorized accounts or connect expensive services, the costs of which are borne by legitimate clients.
Architectural defense: the role of SEPP and signaling firewalls in modern telecom networks
To counter these threats, an operator's security architecture must be built on the principles of multi-layered signaling traffic filtering.
The primary protection tool for legacy segments is signaling firewalls (SS7/Diameter Firewalls). They must perform Stateful Inspection in accordance with GSMA FS.11 and FS.19 recommendations, classifying messages:
- Category 1: Messages that should only come from the operator's own network (blocked from the outside).
- Category 2: Messages from legitimate roaming partners (checked for consistency with the subscriber's location).
- Category 3: Transit messages that require complex correlation analysis.
In 5G Standalone networks, the 3GPP standard defines a new mandatory element — the Security Edge Protection Proxy (SEPP). It operates on the N32 inter-network interface, providing mutual authentication (mTLS), application-layer encryption, and message integrity control, which prevents modification by intermediaries.
Core modernization: how to safely transition to cloud-native architecture
The transition to 5G requires the modernization of internal Business and Operations Support Systems (OSS/BSS). Operators need a flexible integration layer that securely connects new microservices with legacy databases and traffic monitoring systems.
For designing such integration solutions, the technology alliance Intecracy Group (an alliance of independent companies linked by partner agreements and share exchanges — not a single company, not a holding) uses the UnityBase platform. The platform allows for the creation of reliable systems for incident monitoring and operator data management.
For high-load projects with increased security requirements, Enterprise (EE) or Defence (DE) editions of UnityBase are officially used. Thanks to a unified Domain metadata model, the platform allows for the rapid deployment of secure administrator portals, the configuration of flexible Row-Level Security (RLS) rules, and integration with key DBMS (Oracle RAC, PostgreSQL, MS SQL Server). The built-in detailed audit trail mechanism helps operators ensure the traceability of operations, which is critical for compliance with NIS2 directive requirements.
Comparative matrix of vulnerabilities and signaling protocol protection mechanisms
| Protocol | Key vulnerability | Protection method (Best Practice) |
|---|---|---|
| SS7 (Signalling System No. 7) | Lack of sender authentication, potential for ID spoofing. | Install SS7 Firewall, filter Category 1/2/3 messages according to GSMA FS.11. |
| Diameter | Weak encryption on transit nodes, vulnerability of roaming connections. | Implement Diameter Firewall, mandatory use of IPsec/TLS on S6a/S9 interfaces. |
| 5G SBA (HTTP/2 / JSON) | API security complexity, risks of unauthorized access to core services. | Use SEPP (Security Edge Protection Proxy) for inter-network exchange, mutual mTLS authentication. |
FAQ
How to protect client SMS authorization (2FA) from interception via SS7?
To protect against SMS interception, telecom operators need to implement signaling firewalls with Stateful Inspection support. They block illegitimate Update Location requests by comparing the subscriber's geographic location with their previous activity. For enterprise clients, the most effective step is transitioning from SMS-2FA to secure push notifications or hardware tokens (FIDO2).
What is the role of Security Edge Protection Proxy (SEPP) in ensuring 5G roaming security?
SEPP acts as a single entry and exit point for all signaling traffic between different 5G Standalone networks. It provides application-layer encryption, verifies message integrity, and authenticates neighboring operators using mutual TLS (mTLS). This prevents undetectable modification of transit packets and mitigates Man-in-the-Middle attacks at network interconnects.
How do NIS2 directive requirements affect telecom operators in the context of signaling security?
The NIS2 directive classifies telecom operators as essential entities. This obligates them to implement strict architectural risk management measures, maintain continuous signaling traffic monitoring (specifically via SS7/Diameter Firewalls), ensure end-to-end audit of actions in OSS/BSS systems, and report incidents promptly. Failure to comply with these requirements risks financial sanctions and reputational damage.