
Inside the Mobile Core – How Roaming Trust Opens Doors for Attackers

  • Writer: Bridge Connect
  • Aug 12

Introduction: The Soft Underbelly of Global Telecoms

Mobile operators like to speak of “seamless global roaming” as a triumph of industry cooperation. And in many ways, it is. Billions of users connect worldwide each year, with traffic and billing handled automatically between operators.

But the very mechanisms that make roaming possible are built on a foundation of inherited trust—trust that can be, and increasingly is, abused. Attackers exploit vulnerabilities in the mobile core and the signalling protocols that underpin roaming, such as SS7, Diameter, and GTP.

These attacks are often invisible to the subscriber, difficult for the operator to detect, and in some cases can be launched from thousands of kilometres away.


How Roaming Trust Works—and Why It’s Risky

The Trust Model

When two operators form a roaming agreement, they establish a trusted relationship:

  • Mutual acceptance of signalling messages from each other’s networks.

  • Routing privileges allowing one network to query and interact with another’s subscriber database.

  • Assumed legitimacy of the other party’s network traffic.

This trust is essential for enabling services, but it is also the core weakness. Once a malicious actor gains access to a trusted network—either by compromising it directly or by partnering with a rogue operator—they can send signalling messages that bypass normal safeguards.


The Protocols at the Centre of the Risk

SS7 (Signalling System No. 7)

  • Still used in legacy 2G/3G networks.

  • Weak authentication and encryption.

  • Vulnerable to location tracking, call interception, and SMS redirection.

Diameter

  • Successor to SS7 in 4G/LTE environments.

  • More secure in theory, but suffers from inconsistent firewalling and lack of validation.

  • Vulnerable to subscriber data extraction, session hijacking, and billing fraud.

GTP (GPRS Tunnelling Protocol)

  • Used for transporting user data in 3G, 4G, and 5G NSA.

  • Weaknesses in source validation allow malicious injection or redirection of traffic.


Real-World Exploitation Scenarios

Location Tracking

Attackers send queries to the Home Location Register (HLR) or Home Subscriber Server (HSS) to determine where a subscriber is currently registered—tracking them in real time.

Interception of Calls and SMS

By manipulating routing information, attackers can redirect calls or SMS (including two-factor authentication codes) to themselves.

Denial of Service

Malicious signalling floods can deregister subscribers, preventing them from making or receiving calls.

Data Theft and Fraud

GTP vulnerabilities can be exploited to inject or capture subscriber data streams.


Why Protections Often Fall Short

1. Incomplete Signalling Firewall Deployment

Some operators deploy SS7 or Diameter firewalls but configure them narrowly, blocking only known attack patterns rather than performing full validation.

2. Lack of End-to-End Governance

Even if an operator’s domestic signalling is secure, it remains exposed through its international partners. Weak security in a partner network can be used as a backdoor.

3. Protocol Complexity and Legacy Systems

Mixed deployments of 2G, 3G, 4G, and now 5G make consistent security policies difficult to enforce.

4. Limited Threat Intelligence Sharing

Operators may hesitate to share details of signalling attacks with peers or regulators, leaving the same attacks effective across multiple networks.


Mitigation Strategies for MNOs

1. Comprehensive Signalling Firewalls

Deploy SS7, Diameter, and GTP firewalls with:

  • Message validation against known protocol specifications

  • Anomaly detection and rate limiting

  • Behavioural analytics to identify suspicious traffic

2. Rigorous Roaming Partner Vetting

Incorporate security assessments into roaming agreements, with contractual obligations for:

  • Minimum signalling security standards

  • Real-time incident reporting

3. Active Monitoring and Threat Hunting

Integrate signalling security into the operator’s Security Operations Centre (SOC), with specialised analysts trained to interpret telecom-specific threats.

4. Segmentation of Network Functions

Limit exposure of critical functions (like HSS/HLR) to roaming interfaces and ensure strict access controls.

5. Industry and Regulator Cooperation

Engage in threat intelligence sharing via GSMA’s Fraud and Security Group (FASG) or equivalent national initiatives.
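
The gap between the narrow filtering described under "Why Protections Often Fall Short" and the validating, rate-limited firewall in mitigation 1, shown as an added example that is not Bridge Connect's code. The MAP operation names are real; the partner identifiers, allow-list, thresholds and records are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed policy for a hypothetical home network; every value is an assumption.
HOME_IMSI_PREFIX = "00101"                     # test PLMN (MCC 001, MNC 01)
PARTNERS = {"gt-partner-a", "gt-partner-b"}    # origins with a roaming agreement
ROAMING_OPS = {"updateLocation", "sendAuthenticationInfo"}  # allowed from partners
KNOWN_BAD = {"anyTimeInterrogation"}           # the narrow filter's only signature
RATE_LIMIT, WINDOW_S = 2, 10                   # messages per origin per window

def narrow_filter(msg):  # blocklist only: drops known patterns, passes the rest
    return "drop" if msg["op"] in KNOWN_BAD else "pass"

def make_validator():
    """Build a stateful screen that validates each message before passing it."""
    recent = defaultdict(deque)                # origin -> timestamps in window
    def screen(msg):
        if msg["origin"] not in PARTNERS:
            return "drop", "origin has no roaming agreement"
        if msg["op"] not in ROAMING_OPS:
            return "drop", "operation not allowed on roaming interface"
        if not msg["imsi"].startswith(HOME_IMSI_PREFIX):
            return "drop", "IMSI is not a home subscriber"
        q = recent[msg["origin"]]
        while q and msg["ts"] - q[0] >= WINDOW_S:
            q.popleft()                        # expire timestamps outside the window
        if len(q) >= RATE_LIMIT:
            return "drop", "rate limit exceeded"
        q.append(msg["ts"])
        return "pass", "validated"
    return screen

# Constructed records (ts, origin, op, imsi); not captured traffic.
ROWS = [
    (0, "gt-partner-a", "updateLocation", "001010000000001"),
    (1, "gt-partner-a", "anyTimeInterrogation", "001010000000001"),
    (2, "gt-unknown", "updateLocation", "001010000000002"),
    (3, "gt-partner-b", "provideSubscriberInfo", "001010000000003"),
    (4, "gt-partner-a", "updateLocation", "001010000000001"),
    (6, "gt-partner-a", "updateLocation", "001010000000005"),
    (20, "gt-partner-a", "updateLocation", "001010000000001"),
]
SAMPLE = [dict(zip(("ts", "origin", "op", "imsi"), r)) for r in ROWS]

def compare(records):  # returns (narrow verdicts, validated (verdict, reason) pairs)
    screen = make_validator()
    return [narrow_filter(m) for m in records], [screen(m) for m in records]

if __name__ == "__main__":
    print(*zip(SAMPLE, *compare(SAMPLE)), sep="\n")
```

The narrow filter passes the unknown origin, the unlisted operation and the burst; the validating screen drops all three and records why, which gives the SOC a reason to alert on.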


Strategic Implications for Boards and Regulators

Roaming exploitation is not simply a technical problem—it has business, legal, and geopolitical dimensions:

  • Customer Trust: Breaches affecting subscribers abroad can result in reputational damage that extends beyond national borders.

  • Revenue Impact: Fraudulent signalling activity can inflate costs or bypass billing.

  • National Security: State actors can exploit these vulnerabilities for surveillance or disruption of critical communications.

For boards, the key takeaway is that securing the mobile core requires more than internal controls. It demands active governance over the operator’s entire trust network.


Final Thoughts

The global nature of mobile networks means that security is only as strong as the weakest link in the chain. As long as trust between operators remains implicit rather than verified, attackers will continue to exploit it.

Bridge Connect works with operators, regulators, and infrastructure providers to:

  • Audit signalling security

  • Implement best-practice firewalls

  • Structure roaming agreements that enforce - not just assume - trust

A proactive stance today will protect both revenue and reputation tomorrow.

 
 
