Showing posts with label SS7.

Tuesday, 20 January 2026

Telecom Security Realities from 2025 and Lessons for 2026

Telecom security rarely stands still. Each year brings new technologies, new attack paths, and new operational realities. Yet 2025 was not defined by dramatic new exploits or spectacular network failures. Instead, it became a year that highlighted how persistent, patient and methodical modern telecom attackers have become.

The recent SecurityGen Year-End Telecom Security Webinar offered a detailed look back at what the industry experienced during 2025. The session pulled together research findings, real world incidents and practical lessons from across multiple domains, including legacy signalling, eSIM ecosystems, VoLTE vulnerabilities and the emerging world of satellite-based mobile connectivity.

For anyone working in mobile networks, the message was clear. The threats are evolving, but many of the core problems remain stubbornly familiar.

A Year of Stealth Rather Than Spectacle

One of the most important themes from the webinar was that 2025 did not bring a wave of highly visible, disruptive telecom attacks. Instead, it was characterised by quiet, low-profile intrusions that often went undetected for long periods.

Operators around the world reported that attackers increasingly favoured living-off-the-land techniques. Rather than deploying noisy malware, intruders looked for ways to gain legitimate access to core systems and remain hidden. Lawful interception platforms, subscriber databases such as HLR and HSS, and internal management platforms were all targeted.

The primary objective in many cases was intelligence collection. Attackers were interested in call data, subscriber information and network topology rather than immediate disruption. This shift in motivation makes detection far more difficult, as there are often few obvious signs of compromise.

At the same time, automation has become a defining feature on both sides of the security battle. Operators are investing heavily in AI and machine learning to identify abnormal behaviour. Attackers are doing exactly the same, using automation to scale phishing campaigns and to accelerate exploit development.

Despite all this technology, basic security discipline continues to be a major challenge. A significant proportion of incidents still originate from human error, poor operational practices or simple failure to apply patches. The industry continues to invest billions in cybersecurity, but much of that effort is consumed by reporting and compliance activities rather than direct threat mitigation.

eSIM Security Comes into Sharp Focus

The transition from physical SIM cards to eSIM and remote provisioning is one of the most significant structural changes in the mobile industry. It offers clear benefits in terms of flexibility and user experience. However, the webinar highlighted that it also introduces entirely new security concerns.

Traditional SIM security models relied heavily on physical control. Fraudsters needed access to large numbers of real SIM cards to operate at scale. With eSIM, many of those physical constraints disappear. Remote provisioning expands the number of parties involved in the connectivity chain, including resellers and intermediaries who may not always operate under strict regulatory oversight.

During 2025, several major SIM farm operations were dismantled by law enforcement. These infrastructures contained tens of thousands of active SIM cards and were used for large-scale fraud, smishing campaigns and automated account creation. While such operations existed long before eSIM, the technology has the potential to make them even easier to deploy and manage.

Research discussed in the session pointed to additional concerns. Analysis of travel eSIM services revealed issues such as cross-border routing of management traffic, excessive levels of control granted to resellers, and lifecycle management weaknesses that could potentially be abused by attackers. In some cases, resellers were found to have capabilities similar to full mobile operators, but without equivalent governance or transparency.

The conclusion was not that eSIM is inherently insecure. The technology itself uses strong encryption and robust mechanisms. The problem lies in the wider ecosystem of trust boundaries, partners and processes that surround it. Securing eSIM therefore requires cooperation between operators, vendors, regulators and service providers.

SS7 Remains a Persistent Weak Point

Few topics in telecom security generate as much ongoing concern as SS7. Despite being a technology from a previous era, it remains deeply embedded in global mobile infrastructure. The webinar dedicated significant attention to why SS7 continues to be exploited in 2025 and why it is likely to remain a problem for many years to come.

Throughout the year, media reports and research papers continued to demonstrate practical abuses of SS7 signalling. Attackers probed networks, attempted to bypass signalling firewalls and looked for new ways to manipulate protocol behaviour. Techniques such as parameter manipulation and protocol parsing tricks were highlighted as methods that can sometimes evade existing protections.

One particularly interesting demonstration showed how SS7 messages could be used as a covert channel for data exfiltration. By embedding information inside otherwise legitimate signalling transactions, attackers can potentially move data across networks without triggering traditional security alarms.

Perhaps the most striking point raised was how little progress has been made in eliminating SS7 dependencies. Analysis of global network deployments showed that only a handful of countries operate mobile networks entirely without SS7. Everywhere else, the protocol remains a foundational element of roaming and interconnect.

As a result, even operators that have invested heavily in 4G and 5G security can still be undermined by weaknesses in this legacy layer. The uncomfortable reality is that SS7 vulnerabilities will continue to be exploited well into 2026 and beyond.

VoLTE and Modern Core Network Risks

While legacy protocols remain a problem, modern technologies are not immune. VoLTE infrastructure in particular was identified as an increasingly attractive target.

VoLTE relies on complex interactions between signalling systems, IP multimedia subsystems and subscriber databases. Weaknesses in configuration or interconnection can open the door to call interception, fraud or denial of service. Several real world incidents during 2025 demonstrated that attackers are actively exploring these paths.

The move toward fully virtualised and cloud-native mobile cores also introduces new operational challenges. Telecom networks now resemble large IT environments, complete with the same risks around misconfiguration, insecure APIs and exposed management interfaces.

The Emerging Security Challenge of 5G Satellites

One of the most forward-looking parts of the webinar focused on non-terrestrial networks and direct-to-device satellite connectivity. What was once a concept for the distant future is rapidly becoming a commercial reality.

Satellite integration promises to extend 5G coverage to remote areas, oceans and disaster zones. However, it also changes the security model in fundamental ways. Satellites can act either as simple relay systems or as active components of the mobile radio access network. In both cases, new threat vectors emerge.

Potential issues discussed included the risk of denial of service against shared satellite resources, difficulties in applying traditional radio security controls in space-based equipment, and the possibility of more precise user tracking due to the way satellite systems handle location information.

Experts from the space cybersecurity community explained how vulnerabilities in mission control software and ground segment infrastructure could be exploited. Much of this software was originally designed for isolated environments and is only now being connected to wider networks and the internet.

As telecom networks expand beyond the boundaries of the Earth, security responsibilities extend with them. Operators will need to think not only about terrestrial threats but also about risks originating from space-based components.

The Human Factor and the Skills Gap

Technology was only part of the story. Another recurring theme was the global shortage of skilled telecom cybersecurity professionals.

Studies referenced in the session suggested that millions of additional specialists are needed worldwide, yet only a fraction of that demand can currently be filled. Many security teams are overwhelmed by the sheer volume of alerts and data they must process.

This shortage has real consequences. When teams are stretched thin, patching is delayed, anomalies are missed and complex investigations become difficult to sustain. The panel emphasised that throwing more tools at the problem is not enough. Organisations must focus on training, automation and smarter operational processes.

Automation and AI-driven analysis were presented as essential enablers. Given the scale of modern mobile networks, it is simply not feasible for human analysts to monitor every signalling protocol, every core interface and every emerging technology manually.

Preparing for 2026

Looking ahead, the experts agreed on several broad trends. Attacks on legacy systems such as SS7 will continue. Fraudsters will increasingly target eSIM provisioning processes. VoLTE and 5G core components will face growing scrutiny. Satellite-based connectivity will introduce new and unfamiliar security questions.

Perhaps most importantly, the line between traditional telecom security and general cybersecurity will continue to blur. Mobile networks are now large, distributed IT platforms, and they inherit all the complexities that come with that transformation.

Operators, regulators and vendors must therefore adopt a holistic view. Investment must go beyond compliance reporting and focus on practical defences, real time monitoring and collaborative intelligence sharing.

Final Reflections

The SecurityGen webinar provided a valuable snapshot of an industry at a crossroads. Telecom networks are becoming more advanced and more capable, but also more complex and interconnected than ever before.

2025 demonstrated that attackers do not always need new vulnerabilities. Often they succeed simply by exploiting old weaknesses in smarter ways. The challenge for 2026 is to close those gaps while also preparing for the technologies that are only just beginning to emerge.

For those involved in telecom security, the full discussion is well worth watching. The complete webinar recording can be viewed below:


Sunday, 9 August 2015

Diameter Security is worse than SS7 Security?


Back in December last year, there was a flurry of news about an SS7 security flaw that allowed hackers to snoop on unsuspecting users' calls and SMS. Blog readers will also be aware that SS7 is being replaced by the Diameter protocol, the main reason being to simplify roaming while at the same time managing the signalling storm in the networks.


The bad news is that while in the case of SS7 the security issues are due to network implementation and configuration (above picture), the security issues in Diameter seem to be due to the protocol and architecture themselves (below picture).


Diameter is very important for the LTE network architecture and will possibly continue in future networks too. It is very important to identify all such issues and iron them out before hackers start exploiting the network vulnerabilities, causing problems for everyone.

The presentation by Cédric Bonnet, Roaming Technical Domain Manager, Orange at Signalling Focus Day of LTE World Summit 2015 is embedded below:


From SS7 to Diameter Security from Zahid Ghadialy

Some important information from this post has been removed due to a valid complaint.

Monday, 29 December 2014

The SS7 flaws that allow hackers to snoop on your calls and SMS

By now I am aware that most people have heard of the flaws in SS7 networks that allow hackers to snoop on and re-route calls and read text messages. Anyone who is not aware of these can read some excellent news articles here:

Our trusted security expert, Ravi Borgaonkar, informs us that all these flaws have already been discussed back in May, as part of Positive Hack Days (PHDays).

The presentation is embedded below and can be downloaded from Slideshare:



Added this new information on the 4th Jan 2015:

The following is the presentation and video by Tobias Engel from the 31st Chaos Communication Congress:



Thursday, 7 June 2012

On Signalling Storm... #LTEWS


The Signalling Storm is coming; it's not a question of 'if' but 'when'. This was the unanimous message from the Signalling Focus Day of the 8th LTE World Summit 2012. Several high-profile outages have been associated with the signalling storm, NTT Docomo and Verizon being the main ones. Luckily the Telenor outage was due to software issues.

The problem is divided into two parts: the access network part, where the air interface is the bottleneck, and the core network part, which can easily be swamped by the overwhelming amount of signalling generated by more intelligent billing systems and always-on devices with background applications, which produce far more traffic than an older system would have. Let's look at them in turn.

Core Network Signalling Storm:

As I reported earlier, Diameter has been highlighted as a way of salvation for operators, with dozens of use cases, but due to its immaturity it has caused outages and has been given a bad name. As Connected Planet mentions, "According to one signaling expert, launching the iPhone's browser, for example, instantly sets off about fifteen individual network signaling requests. Beyond that, 4G network software elements supporting increasingly sophisticated mobile service scenarios 'talk' to each other at rates that traditional TDM/SS7-based networks never had to deal with." Hopefully a stable implementation of the Diameter protocol will not only help solve the signalling storm but will also help generate new models for charging and revenue generation.

A presentation by Ed Gubbins of Current Analysis, comparing the big vendors of Diameter Signalling is available here.

Access Network Signalling Storm:

My thinking is that the core network signalling problem will become an issue some years down the road, whereas the access network signalling problem will be seen sooner rather than later. In fact, for 3G/HSPA the problem is becoming more visible as the market has matured and more and more users are moving towards smartphones. Since LTE rollouts are in their infancy (in most markets), the problem there is still some way away.

One of the causes of a signalling storm is an incorrect APN name. I reported earlier about Telefonica's approach to solving this problem by using a 'Parking APN'; see here.

Also embedded below are a couple of presentations from the Signalling Focus Day that look at the problem from the access network point of view:



Other Interesting Reading Material

Finally, there is an excellent whitepaper from Heavy Reading titled "The Evolution of the Signalling Challenge in 3G & 4G networks", available to download here.

Another excellent article summarising the problem is from Huawei magazine available here.

Wednesday, 23 May 2012

#LTEWS: Highlights and Pictures of Signalling day from 8th LTE World Summit



I got a chance to attend the 'Handling the Surge in Signalling Traffic Focus Day' at the LTE World Summit. In fact, I got this opportunity through Diametriq, who were the sponsors of this event and were kind enough to provide me with a free pass :) As a result, they get a little plug below.




We got off to a flying start with an introduction to the need for signalling, followed by a brilliant presentation by Martin Pineiro from Telecom Personal, Argentina.


This was the only presentation that looked at access network signalling. All other presentations focussed on Diameter signalling. Telecom Personal have 4 carriers: 1 is used for 3G and the other 3 for GSM.


Above is their revenue share for different services. Data services really took off for them when they offered a flat rate of 1 peso per day for unlimited data.


Their average dongle data consumption is 2GB/month and the average smartphone is 200MB/month.


They have a simple definition of a smartphone: a device that produces 10+ packet connections per day. The most popular device in their network is Motorola, and Apple devices produce the highest data load, but their comparison of devices from different manufacturers showed that they all produced similar signalling traffic.

One final point highlighted was that the OS and apps are not part of testing and certification, so a better understanding of them is needed to help avoid signalling overload in future.

Ron de Lange from Tekelec was up next:


Interesting to hear that they are a 40-year-old company with 300+ customers in 100+ countries.



There is a shift coming in usage plans with multi-access roaming. Some sessions will go over WiFi and some over the mobile network. Plans with an OTT allowance are already here and will become more common. There may be an opportunity for end users to earn allowance as part of a loyalty scheme. The main thing for the operator to think about is how to get a revenue share from advertising.



Diameter 2.0 is coming. Signalling storms can cause disruption (congestion) internationally if the interconnect is not handled properly.

Next up was Ben Volkow, F5 Traffix:

Today we use Diameter 1.0; tomorrow it will be Diameter 2.0. Diameter 2.0 is a "nervous system" approach.


Diameter is much less predictable than SS7, but this could be because of the immaturity of Diameter.


Real networks like the one above are out in the field. An example is a network with 140 point-to-point connections.


DRA (Diameter Routing Agent) is a new topology introduced by 3GPP and DEA (Diameter Edge Agent) was introduced by GSMA.


Operators do not want to spend millions of dollars in one go, so they start by deploying individual components first and then, depending on the use cases, scale up as they add more components.

Next up was the Panel Discussion:


Key points:
  • Diameter is the first protocol that has dedicated vendors offering monetisation of the protocol as well.
  • Early operators would have deployed Diameter 1.0, so they can evolve by putting in a DRA for one use case, and so on.
  • When operators want to monetise using Diameter, the signalling problems may become worse.
  • Adding VoLTE may increase Diameter signalling by 3 times.
  • What is meant by monetisation of Diameter is that in SS7 the focus was on reliability, etc., but in Diameter the operators can leverage the PCRF and, as a result, monetisation. A new use case can also be an OTT proxy that can leverage advertising revenue.
  • The forecast for Diameter is a couple of hundred million for this year and growing. There are many components, including routing, roaming, charging, security, interconnect capability, aggregating relationships with small carriers and OTT service providers, etc.


Next up was Marjan Mursec of Telecom Slovenia:

Some interesting facts from them are that they have a public WLAN network, GSM with EDGE as fallback, and have rolled out HD voice. Their data usage surpasses voice, and voice and SMS are still growing, as can be seen below.



Above shows the data usage increase after they rolled out an all-you-can-eat package. They were then forced to introduce a fair usage policy.

Their upgrade paths include RAN, Core, Backhaul.


They think they have a big signalling challenge over the S1-MME interface. One wrongly configured user sends 4 requests/second; 12,500 such users can be enough to reach congestion (ZG: Maybe they should look at PDP Context Parking). Over the S1-U interface, narrowband users can send 50 packets/sec; 40,000 users at 13.6 kbps can saturate the network and overload the routers.
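The two capacity figures above (4 requests/second per misbehaving user, 12,500 users to congestion; 13.6 kbps per narrowband user, 40,000 users to saturation) are the kind of arithmetic a monitoring job should do continuously rather than once in a slide. The following is an added example, not code from the blog, Telecom Slovenia or any vendor on this page: it runs a per-UE rate check over a constructed set of S1-MME request records, flags the one "wrongly configured" device (an incorrect-APN retry loop, as discussed earlier on this page, is one way such a device arises) and back-derives the talk's thresholds. The per-UE ids, the 60-second window, the 1 request/second alarm threshold, and the two budgets (50,000 req/s for S1-MME signalling and 544 Mbit/s for the S1-U link, chosen so that 12,500 x 4 and 40,000 x 13.6 kbps reproduce the quoted figures) are all assumptions for illustration.

```python
"""Signalling-storm triage over constructed S1-MME request records.

Added example; not the blog author's, Telecom Slovenia's or any vendor's
code. Budgets and thresholds below are assumed values for illustration.
"""
import math
from collections import defaultdict

# Constructed sample of S1-MME request records: (time_s, ue_id, procedure).
# UE ids are placeholders, not IMSIs. Three UEs behave normally; "ue-0004"
# is the misbehaving device from the talk, retrying a PDN connectivity
# request four times a second (an APN-misconfiguration loop is one cause).
def _build_sample(duration_s=60):
    events = []
    for t in range(0, duration_s, 15):          # normal UEs: one request per 15 s
        for ue in ("ue-0001", "ue-0002", "ue-0003"):
            events.append((float(t), ue, "SERVICE_REQUEST"))
    for i in range(4 * duration_s):              # misbehaving UE: 4 requests/s
        events.append((i / 4.0, "ue-0004", "PDN_CONNECTIVITY_REQUEST"))
    return sorted(events)

SAMPLE_EVENTS = _build_sample()


def requests_per_second(events, window_s):
    """Average sustained request rate per UE over the window [0, window_s)."""
    counts = defaultdict(int)
    for t, ue, _procedure in events:
        if 0.0 <= t < window_s:
            counts[ue] += 1
    return {ue: n / window_s for ue, n in counts.items()}


def flag_chatty_ues(rates, threshold_req_s):
    """UEs whose sustained rate exceeds the threshold, worst offender first."""
    offenders = [(ue, r) for ue, r in rates.items() if r > threshold_req_s]
    return sorted(offenders, key=lambda item: item[1], reverse=True)


def users_to_saturate(per_user_rate, capacity):
    """How many identical users exhaust the capacity (both in the same unit)."""
    return math.ceil(capacity / per_user_rate)


def headroom_used(rates, capacity_req_s):
    """Fraction of the signalling budget consumed by the observed UEs."""
    return sum(rates.values()) / capacity_req_s


if __name__ == "__main__":
    rates = requests_per_second(SAMPLE_EVENTS, window_s=60.0)
    print("chatty UEs:", flag_chatty_ues(rates, threshold_req_s=1.0))
    print("budget used by sample:", headroom_used(rates, 50_000))
    # Assumed budgets, chosen so the talk's figures fall out:
    # 12,500 users x 4 req/s = 50,000 req/s; 40,000 x 13.6 kbit/s = 544 Mbit/s.
    print("users at 4 req/s to congest S1-MME:", users_to_saturate(4, 50_000))
    print("narrowband users to fill 544 Mbit/s:",
          users_to_saturate(13_600, 544_000_000))
```

The point of running this per UE rather than only on the aggregate counter is that a single device at 4 requests/second is invisible in a 50,000 req/s budget (the sample uses under 0.01% of it), yet it is exactly the population that, once it grows to thousands of identically misconfigured handsets, tips the MME into congestion; catching it at one device is cheap, catching it at 12,500 is an outage.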

Next up was Ajay Joseph from iBasis:


Interesting to see that GRX is a service within IPX, above.


I think the main point of the above is that Diameter by itself is not enough, and a mechanism like IPX is required for the roaming scenario.


For LTE, a new service called LTE Signalling Exchange (LSX) can be created within IPX. iBasis has just launched a sandbox for testing roaming, charging, interoperability, etc.

Will LSX bring roaming costs down? It's the operators' call, but it does provide a foundation, and in the next 2-3 years data roaming costs should come down dramatically.

It should be noted that GRX is an IP network without QoS. It's a service within IPX. Security is also a service within IPX, and GSMA-based compliance should be there for proper and secure interoperability.

Voice over IPX is not of much interest, especially because there is no return on investment and HD voice can't be sent over IP.

Next up was Douglas Ranalli from NetNumber:

His slides are self-explanatory:




One question during the Q&A was why not put this functionality in the cloud and avoid the complexity of having another physical box in the system. The answer was that CDRB is implemented to be compliant with cloud deployment, but operators have not yet taken this step. Customers are deploying physical boxes, but shared infrastructure would be much more efficient.

Next up was Doug Alston from Sprint:



Next up was Anjan Ghosal from Diametriq:






Everyone is talking about LTE-LTE roaming, but there is a need for LTE-3G and LTE-2G too, so some translation may be required between Diameter and SS7.


Diametriq provides a single platform for signalling between any service (2G/3G/4G), with the possibility of enhancing it.

Next up was another Panel Discussion:


One observation made is that, compared to the ITM Optimisation event, where operators were more worried about OTT players eroding revenues, the focus here was on how Diameter can help monetise OTT services.

Next up was Edward Gubbins from Current Analysis:




The Final presentation was from Julius Mueller from Fraunhofer FOKUS:




As usual, Dimitris Mavrakis was up to the mark and chaired the whole day very well.

To end an enjoyable day even better, iBasis invited the attendees for drinks on the Hilton Terrace, which is next to the CCIB, and complemented the drinks with some delicious tapas, as can be seen below :)






E&OE. In case I have misheard, misquoted, etc., please feel free to correct me via the comments on this post.

For all the action from the LTE World Summit over the next 2 days, please follow the Twitter hashtag #LTEWS.

Please let me know by using the voting buttons below if you found it useful or not.