Silent Failures – Backdoors in OSS/BSS Systems

Introduction: The Overlooked Core of Network Security

When telecom security is discussed, the conversation tends to revolve around radio access networks, core switching, encryption, and traffic routing. Rarely do executives or even regulators dwell on what lies behind the scenes: the operational and business systems that keep networks alive.

Operational Support Systems (OSS) and Business Support Systems (BSS) are the silent backbone of every telecom operator. They manage:

• Customer onboarding and provisioning

• Network configuration and diagnostics

• Fault and performance monitoring

• Billing and revenue management

• Product catalogues and CRM systems

• SIM registration and identity databases

These systems don’t transmit voice or data—but they control who does, when, and how much they pay. They are the invisible hands behind the visible network. And they are a prime target for sophisticated attackers.

What Are OSS and BSS – And Why Are They Critical?

OSS – Operational Support Systems

These systems are responsible for keeping the network operational. Key functions include:

• Network inventory management

• Service provisioning and activation

• Performance monitoring and alarms

• Configuration and change control

• Fault resolution workflows

BSS – Business Support Systems

These systems handle the commercial side of operations:

• Billing and charging

• Customer relationship management (CRM)

• Order management

• Revenue assurance and fraud detection

• Product and service catalogues

Together, OSS and BSS form the digital command centre of a telecom business. If attackers gain access, they can manipulate services, steal revenue, or compromise user identities—often without generating traditional intrusion alerts.

Why OSS/BSS Are Ripe for Exploitation

1. Legacy and Patchwork ArchitectureMany OSS/BSS platforms are built on top of decades-old legacy code, integrated over time through M&A, outsourcing, and patch-fixes. This creates a complex environment with poor visibility and outdated security models.

2. Privileged AccessThese systems require broad administrative rights to manage subscribers, services, and devices—making them highly attractive to attackers seeking escalated privileges.

3. Third-Party IntegrationsNumerous vendors, subcontractors, and outsourced developers often have access to OSS/BSS environments, expanding the attack surface.

4. Low Security AwarenessSecurity efforts tend to prioritise RAN, core, and transport layers. OSS/BSS teams are often under-resourced, under-audited, and off the radar of CISOs.

5. Customisation and ComplexityEvery operator has a unique OSS/BSS stack, often heavily customised—meaning vulnerabilities are harder to detect, and standard security tools often fail to apply.

Backdoors in OSS/BSS – What Do They Look Like?

Examples of OSS/BSS backdoors and vulnerabilities include:

• Undocumented Admin AccountsVendor-installed credentials for remote support that are never deactivated.

• Default Passwords on Web PortalsPublic-facing portals with predictable login credentials.

• Hardcoded API TokensLeft in code or config files by developers—often overlooked in audits.

• Remote Procedure Calls (RPCs)Enabled for automation and integration, but without proper access controls or encryption.

• Debug Ports Left OpenEspecially in test or staging environments that become production.

• Manipulable Rate Plans or QuotasAllowing fraudulent usage by insiders or hackers who can alter billing logic.

• Poor Input SanitisationEnabling SQL injection or cross-site scripting in CRM and billing portals.

Real-World Incidents: Silent but Costly

While telecoms rarely disclose OSS/BSS-specific breaches, several cases highlight the risk:

• Billing Fraud in Emerging MarketsFraud rings have gained access to BSS systems to inflate usage metrics, generate fake invoices, or bypass charges—particularly in regions where subscriber identity systems are weak.

• Provisioning ExploitsHackers have manipulated OSS to silently activate or de-activate SIM cards, assign premium services, or reassign phone numbers—enabling identity theft and man-in-the-middle attacks.

• Data Exfiltration via CRMAccess to CRM systems enables attackers to pull subscriber personal data (KYC, CDRs, payment history) without ever touching the core network.

• Zero-Day Exploits in Vendor PlatformsA leading telecom OSS vendor was found in 2022 to have multiple zero-day vulnerabilities in its orchestration platform, used by Tier 1 operators worldwide. The flaw allowed unauthenticated access to network configuration APIs.

Insider Threats – The Human Backdoor

Perhaps the most insidious threat to OSS/BSS comes from within. Staff with access to these systems can:

• Change subscriber profiles

• Allocate free or premium services

• Delete logs and audit trails

• Grant themselves super-admin privileges

• Sell access to criminal or intelligence actors

Because OSS/BSS actions often appear routine—"provisioned user", "updated billing tier", "reset password"—they rarely trigger alerts. It’s the perfect cover for persistent abuse.

The Business Impact of OSS/BSS Compromise

• Revenue Loss: Fraudulent service provisioning, usage manipulation, and billing evasion can bleed millions in untraceable revenue leakage.

• Regulatory Sanctions: GDPR, CCPA, and other frameworks mandate secure handling of subscriber data—OSS/BSS breaches are compliance time bombs.

• Customer Churn: Breaches affecting billing or service continuity can destroy customer trust.

• Operational Chaos: Manipulation of OSS can disrupt services, reroute traffic, or take down critical alarms.

• Reputational Damage: Even if the network is fine, public exposure of BSS fraud or insider abuse damages credibility—especially with enterprise clients.

How to Harden OSS/BSS Systems

1. Audit Access and Privileges

• Review all admin accounts, access logs, and change histories.

• Enforce least-privilege policies with role-based access control (RBAC).

2. Segment the Network

• Isolate OSS/BSS systems from internet-facing components and production networks.

• Use firewalls, VLANs, and secure VPN access for remote management.

3. Enforce Secure Development Practices

• Vet third-party code, plug-ins, and integrations.

• Conduct regular code reviews and static/dynamic application testing.

4. Monitor for Anomalous Activity

• Deploy SIEM or UEBA tools to detect unusual usage patterns in OSS/BSS environments.

5. Encrypt Internal APIs and Data at Rest

• Use strong encryption standards for inter-process communication and stored customer data.

6. Implement Real-Time Audit Trails

• All provisioning, billing, and admin actions must be logged, timestamped, and monitored in near-real time.

7. Train Staff on Security Hygiene

• Engineers and support teams must be aware that they are targets, and trained accordingly.

A Board-Level Concern, Not a Backroom Issue

It’s easy for executives to dismiss OSS/BSS as a back-office function. But when these systems are compromised, frontline services fail—and so does trust.

Boards should request periodic independent security audits of OSS/BSS, mandate incident reporting, and ensure vendors are contractually obligated to disclose known vulnerabilities.

Just as important: boards must support funding for OSS/BSS hardening, even if there is no customer-visible ROI. Prevention is cheaper than breach response.

Conclusion: The Most Dangerous Backdoor Is the One Nobody’s Watching

OSS and BSS systems are the central nervous system of every telecom operator. But too often, they are treated as afterthoughts—operational overhead rather than strategic infrastructure.

Attackers know this. They don’t need to attack your 5G core or decrypt your payloads. If they can get into your OSS/BSS, they can control your services, your customers, your revenue—and you may never know.

In telecoms security, we often ask the wrong question: “Is the network secure?”The better question is: “Who controls the systems that control the network?”