Many firms have strict international travel policies in relation to the use of technology. These policies tend to be more skewed towards countries with greater state control over communications networks and specifically the internet. However, the reality is that you are vulnerable whenever your device is roaming internationally. When roaming, local providers use a global interconnection network to get you back to your home provider. Most traffic on this network uses the SS7 protocol which is known to be vulnerable to location tracking, eavesdropping, SMS interception, etc. This is nothing particularly new or eye-opening for security experts.
What is somewhat new is the Long-Term Evolution (LTE) standard. The first commercial device that was LTE capable was introduced in 2011 but LTE did not become readily available until 2013-2014. With the adoption of the LTE standard, the global interconnection network traffic was supposed to switch to a new more secure protocol named Diameter. In theory, Diameter is more secure because it supports the use of Internet Protocol Security (IPsec) for IP traffic. IPsec authenticates and encrypts each packet of IP traffic. However, while the implementation of IPsec is mandatory with Diameter, its use is optional. This means that many of the vulnerabilities that were present previously under the SS7 protocol can still be leveraged today under Diameter.
Researches from Nokia Bell Labs and Aalto University in Finland ran several experiments to show the potential vulnerabilities still present under Diameter. They presented their finding recently at the Black Hat Europe security conference in London.
International Travel Policies, while often seen as inconvenient and overly precautious, are geared to help protect you and your firm from these technology short-comings. So the next time you are on an international business trip and missing your favorite firm connected device, blame the hackers, not your CSO.
Click here for additional information.