How Penetration Testers Should Approach GT Leasing


TelcoSec News
Dec 2, 2024

The GSMA started work on its GT Leasing Code of Conduct (“CoC”) in 2021. I was asked to lead the Task Force and was pleased it adopted a different approach to all other GSMA specifications. Typically, GSMA specifications are recommendations to the industry. We wanted there to be scrutiny and accountability for compliance to the CoC, rather than a set of specifications that nobody much cared about. We wanted a regime that could monitor compliance with the CoC and have consequences if compliance was claimed, but not actually achieved. This site now provides full visibility of all operators who have signed up to or supported the CoC.

Whilst the rate of adoption is disappointing, I was pleased to receive positive feedback at the last GSMA Fraud and Security meeting. I conducted an informal poll during my presentation and was pleased that delegates were happy with our work to date. Details are in the pack referenced below, available to GSMA members only.[1]

The meeting had another highlight: catching up with Philippe Langlois, the founder and CEO of P1 Security, after a long time. P1 Security is a world-class provider of telecommunications offensive security, and Philippe explained the unique approach that P1 Security has taken to vulnerability assessments and penetration testing. I was pleasantly surprised by what I heard and immediately invited Philippe to write a post for the GSMA's series of blogs on GT leasing; he offered to return the favor. So here is my blog, written in a personal capacity.

We discussed the recent consultation on GT leasing by Ofcom (the UK telecommunications regulator)[2] and the submission P1 Security was making to that consultation. You can read it yourself here. When I read the Ofcom consultation, my single biggest concern was that it could inadvertently make penetration testing, as currently conducted, impossible. This seemed to be a good theme for this blog, which Philippe offered to host.

You might wonder why penetration testing would concern me so much. Having spent seven years working for the leading signaling firewall provider, I can tell you that I always told clients that the journey to signaling security starts with purchasing a firewall rather than ending there. Too many operators treated their firewalls as a box-ticking exercise. I made clear that a firewall must be implemented, maintained and subjected to regular external vulnerability assessments to ensure it is performing as expected.

Vulnerability assessments are a key component of protecting end subscribers. MNOs are struggling with poorly designed, legacy protocols that are stacked and intertwined, and which attackers exploit every day. Whilst it is fantastic that multiple bodies are considering GT leasing, we certainly don't want an inadvertent outcome to be placing obstacles in the path of offensive security providers.

So, back to Ofcom. Their approach to penetration testing reflects a different philosophy. Their arguments are reasonable, but P1 Security sits on the fence on this matter: P1 Security endorses Ofcom's approach and simultaneously rejects the totality of it too! Allow me to outline the various approaches to penetration testing and the rationale behind P1 Security's position:

GSMA’s Approach to Penetration Testing

The GSMA CoC makes no exception for penetration testing. Although the CoC notes that penetration testers may use leased GTs, the CoC also states that the “GSMA strongly advises that GT leasing should not be used” and that for a list of use cases that includes penetration testing, “solutions could have been deployed without the use of GT leasing”.[3]

In other words, the GSMA acknowledges the use of leased GTs for penetration testing but strongly advises that they should not be used, noting that alternative solutions exist. They do not see any role for GTs in penetration testing.

Ofcom’s Approach to Penetration Testing

Ofcom has taken a much clearer approach to penetration testing. In their impact assessment, they state the following:

"We have considered, in particular, whether to allow a limited exemption from our proposed ban on GT leasing for the use case of penetration testing. We are however mindful that there is a risk that any exemption that allows third parties to access GTs and send signaling to other networks (i.e. not the owner of the GT) could provide a loophole for bad actors to exploit and continue to engage in malicious signaling."[4]

Ofcom then continues by assessing the impact of their proposals[5]:

- Use Case: Penetration Testing

- Description of alternative: Remote access for the penetration tester to the target operator’s test network

and continues its analysis of penetration testing with:

“Penetration testing. We consider that the impact on these services is likely to be limited as we expect that the majority of penetration testing services could potentially be provided using alternative means that do not rely on GTs (e.g. via remote access to the target operator’s test network). Furthermore, penetration testing is designed to test 2G and 3G networks, which means that the potential adverse impact of our proposal should reduce over time as the ability of operators to generate revenue through these services will fall in line with 2G and 3G networks being withdrawn across the world.”[6]

So, to summarise Ofcom’s approach, they state that GTs are not required and that penetration testers should connect directly to the target operator’s test network. The implication is that penetration testing shouldn’t be conducted against the live network.

P1 Security’s Approach to Penetration Testing

P1 Security takes the GSMA and Ofcom approaches but goes further. Unlike all other penetration testers, P1 Security does not use leased GTs.[7] Their position is that the only appropriate way to launch penetration tests is to register as a mobile operator and use that operator's own GTs. That way they are fully accountable and responsible for traffic originating from their GTs. However, the challenge is that very few regulators are willing to issue GTs for penetration testing. They were fortunate that ARCEP, the French regulator, had the foresight to issue them a GT and, subsequently, their own Mobile Country Code and Mobile Network Code.

However, P1 Security does not align with Ofcom's approach of only testing test networks. Whilst that is a critical part of penetration testing, they believe it is equally critical to test live networks. The reality is that test networks are rarely configured identically to live networks and, typically, test networks are more secure than live networks (sometimes test networks suffer from the "perfect world" problem). Given that subscribers use live networks and not test networks, and that the objective is to ensure subscribers are protected, this is a sensible approach.

When Philippe shared this information with me, I found it hard to argue with. For me, the main takeaway is that regulators need to make it easier for bona fide security companies to obtain their own network resources so that they can fully conduct penetration testing. This is fully in line with the objectives of the CoC and will help ensure subscribers are better protected.

The P1 Security approach is clear and rational. They provide more details in their response to the Ofcom consultation, which you can read here. One simple fact is incredibly obvious: something feels very wrong when a security company might be leasing a GT from the same lessor as a bad actor, with the traffic from both visible to the same transit carriers. This places a huge emphasis on trust and, as all security professionals know, the only approach to trust is zero trust!

To conclude, the GSMA took the lead and set acceptable standards for GT leasing behavior. Ofcom then took those standards and proposed tightening them even further.[8] With respect to penetration testing, P1 Security encourages regulators to support the needs of the security industry and adopt the approach taken by ARCEP. The next task is to address Diameter: the GSMA Task Force is now reviewing Diameter End Point leasing and I'm always looking out for volunteers to help us with our work.

[1] FASG members can access document FASG30_21 here (slides 31-33)

[2] Ofcom Consultation: “Global Titles and Mobile Network Security - Proposals to address misuse of Global Titles”

[3] Section 3, GSMA PRD FS.52 – Global Title Leasing Code of Conduct

[4] Ofcom Consultation: Paragraph 4.27

[5] ibid. Table 4.1

[6] ibid. Paragraph 4.69

[7] I make this statement using the best information available to me, but would be happy to be corrected by other penetration testers

[8] Ofcom's proposals are currently under consultation, meaning that they are still subject to change
