MDDI's response to PQ on Directives to Mobile Operators to Resolve Network Vulnerabilities
Parliament Sitting on 6 August 2024
QUESTION FOR WRITTEN ANSWER
36. Mr Gerald Giam Yean Song asked the Minister for Digital Development and Information whether IMDA has issued any directives to mobile operators to (i) remove the Signalling System 7 (SS7) and Diameter protocols from their networks to prevent cyber attackers from using SS7- and Diameter-based location and monitoring exploits and (ii) resolve vulnerabilities related to SS7- and Diameter-based location and monitoring exploits.
Answer:
The Signalling System 7 (SS7) and Diameter protocols are standard international telecommunication network signalling protocols used in 3G and 4G mobile networks respectively. They are used by mobile operators who connect to each other for functions such as the setting up of calls and the routing of SMSes. While there are known vulnerabilities with these protocols, there are no alternative protocols in 3G and 4G networks which are more secure and approved by international standards bodies, such as the 3rd Generation Partnership Project (3GPP) and the European Telecommunications Standards Institute (ETSI).
Mobile operators are required to put in place measures to secure their networks, including against vulnerabilities inherent in the SS7 and Diameter protocols. To address the vulnerabilities of these older protocols, mobile operators have implemented measures such as specialised firewalls and system safeguards to ensure early detection of suspicious network activities and the blocking of any unauthorised access detected. They have also implemented further control measures to secure their connections with other mobile networks, such as through the use of network encryption. These measures are aligned with international standards development organisations such as the Global System for Mobile Communications Association (GSMA).
These older protocols are no longer adopted in 5G mobile networks where more secure protocols have been implemented, which overcome the inherent vulnerabilities of older protocols by design.