Committed to connecting the world

Search
Girls in ICT

Signalling Security

​​​​505437_Signalling Security Landing page.jpg

​​​​BACKGROUND
Signalling protocols play a cornerstone role in providing different ICT services from the simple audio/video sessions to the complex digital financial services widely used over the globe. These protocols and telecommunication networks were designed without consideration for security and privacy. It enables attacks on ICT infrastructure including exploiting signalling protocols used for different ICT services.

While many different domains are using the Internet to build trustable connection among their customers, (for instance, most of the financial institutions are widely using the Internet to give their customers more effective tools to control and manage their finances), the lack of security and privacy in existing ICT infrastructure does not enable such trustable connections. Furthermore, in developing countries, where access to financial services is limited only to legacy ICT infrastructure via over-the-top (OTT) applications, there is an ever growing increase of illegal usage of customers’ applications, thus resulting in the unlawful take-over of their assets.

Additionally, many people all over the globe experience the irritating phone calls or calls from parties pretending to be legitimate business ventures (e.g., representatives of banks, health insurance companies, etc.). Technically, these calling parties use the so-called spoofing number – which in essence is the manner in which the calling party number can be replaced with the number of an official enterprise or anyone of trust. As a result, the spoofing numbers as well as robocalls, along with other similar attacks make lives of the customers uncomfortable and unsecure to say the least.

In summary, the signalling exchange level of security and privacy must match the level provided by the Internet to mitigate attacks on ICT infrastructure, which breaks signalling protocols used for establishing different ICT services. Amongst the well-known attacks are telephone spam, spoofing numbers, location tracking, subscriber fraud, intercept calls and messages, DoS, infiltration attacks, routing attacks, etc. These attacks have become a major priority for different stakeholders, in particular the financial institutions and telecom operators.​​

POTENTIAL SOLUTIONS

Different security measures and relevant solutions can be put in place in order to cope with such vulnerabilities.
The ITU-T Study Group 11, which is the lead group on signalling, has been working on these issues since 2016.
With regard to the spoofing of calling party number, which is considered one of the major issues, ITU-T SG11 has revised Recommendations ITU-T Q.731.3, Q.731.4, Q.731.5 and Q.731.6, in order to specify an exceptional procedure for transit exchange connected to CPE (Customer Premises Equipment) with the aim of providing predefined calling party number by the originating operator.

Also, in order to cope with issues related to intercepting messages and calls, including One-Time-Password which is widely used in the financial institutions, SG11 had developed new Recommendation ITU T Q.3057, which defines the signalling architecture and requirements for interconnection between trustable network entities in support of existing and emerging networks. This Recommendation describes the use of digital signature (digital certificates) in the signalling exchange which may guarantee the trustworthiness of the sender.

THE WAY FORWARD

SG11 develop​ed the extension of the Recommendation ITU-T Q.3057 by defining algorithms for checking certificates for different protocols using Signalling Security Gateway (SSGW), which validates the signatures of other operator's certificates in order to allow or block the signalling packets (ITU-T Q.3062).

In addition, SG11 developed standard ITU-T Q.3063 which identifies the signalling requirements of calling line identification authentication including codes and signalling procedure based on the mechanism defined in the ITU-T Q.3057. Also, SG11 developed the amendments to SS7 and BICC related standards, which define the extensions for the support for the calling line identi​fication authentication (Amd.2 to ITU-T Q.931, Amd.6 to ITU-T Q.1902.3, Amd.7 to ITU-T Q.763).

The requirements for Trusted Signalling Certification Authority (TSCA) and the framework on issuing and distribution of certificates among different operators need to be standardized.

Based on the key takeaways of the ​Workshop on “Improving the security of signalling protocols” (2021):
    • “The trust anchor needs to be a globally trusted SDO, preferably one already in charge of numbering and this anchor must interoperate with existing repositories (such as the ones in the US and Canada).
    • We will need to formulate a way to standardize these local/regional certification processes in order to keep the bad actors out. This standardization process should involve as many countries as possible in order to improve its applicability on the global scale.”
In May 2023, ITU-T SG11 started development a new draft Recommendation ITU-T Q.TSCA "Requirements for issuing digital certificates for signalling security".

ITU-T SG11 is collaborating with ITU-T SG2, SG17 and other SDOs on this subject matter.



DELIVERABLES AND ONGOING ACTIVITIES

    • ​Revised ITU-T Q.731.3 (plus Q.731.4 – Q.731.6) (2019): Stage 3 Description for number identification supplementary services using Signalling System no.7 - Calling Line Identification Presentation
    • ITU-T QSTR-SS7-DFS (2019): SS7 vulnerabilities and mitigation measures for digital financial services transactions
    • ITU-T Q.3057 (2020): Signalling requirements and architecture for interconnection between trustable network entities
    • ITU-T QSTR-USSD (2021)​: Low resource requirement, quantum resistant, encryption of USSD messages for use in financial services
    • ITU-T Q.3062 (2022): Signalling procedures and protocols for enabling interconnection between trustable network entities in support of existing and emerging networks
    • ITU-T Q.3063 (2022)​: Signalling procedures of calling line identification authentication​
    • Amd.2 to ​ITU-T Q.931 (2023):
      ISDN user-network interface layer 3 specific​ation for basic call control.
      Amendment 2: Extensions for the support for the cal      ling line identification authentication
    • Amd.6 to ITU-T Q.1902.3 (2023):
      Bearer Independent Call Control protocol (Capability Set 2) and Signalling System No. 7 ISDN User Part: Formats and codes. ​Amendment 6: Extensions for the support for the calling line identification authentication
    • Amd.7 to ITU-T Q.763 (2023)​:
      Signalling System No. 7 – ISDN User Part form​ats and codes.​ Amendment 7: Extensions for the support for the calling line identi​fication authentication

    • Draft Q.TSCA: Requirements for issuing digital certificates for signalling security ongoing
    • Draft Q.DMSA​: Principles for detection and mitigation of signalling attacks in security signalling gateways ongoing

RELATED LINKS

CONTACTS

​TSB Secretariat of ITU-T SG11
tsbsg11[at]itu.int​

© ITU All Rights Reserved

Back to top