One of the oddities of the long campaign against Chinese network equipment is that it assumes that the gear itself is more dangerous than those using it.

Even the super-paranoid Chinese themselves don't believe this.

They aren't especially concerned about foreign network kit but are very careful to ensure that all China's networks are owned and managed by government interests.

Only in the last couple of years have US agencies pushed back against China's state-owned operators. Right now, the FCC wants to shut down all China Telecom operations in the US.

But security flaws in mobile networks around the world may pose an even more pressing danger.

China, Russia and other states are taking advantage of 3G and 4G vulnerabilities to track US mobile users, according to mobile security firm Exigent Media.

"Telecommunications is a rich and expansive attack surface for organized crime and nation states," Exigent says.

It points out that 3G and 4G networks suffer two kinds of security weaknesses.

One is the nature of global roaming. The "inherent vulnerabilities" of operators are exposed through "the patchwork of trusted international roaming agreements, essentially allowing surveillance attack messages to flow freely."

This is exacerbated by the practice of operators in some smaller nations of selling access to its network through the lease of a network address, known as an SS7 Global Title (GT).

"Through the use of a network connection and a foreign operator's GT address, the threat actor can access any network to which that operator has a roaming agreement."

The other weakness is technical. Amazingly, despite years of alarms, the security flaws in 3G SS7 signaling are still there.

Want to know more about 5G? Check out our dedicated 5G content channel here on Light Reading.

Even two years ago, most attacks were launched through SS7, usually to identify user locations.

But this year the majority were carried out via 4G, mostly likely because of stronger 3G counter-measures, making 4G networks more attractive targets.

The Diameter signaling protocol used in 4G has its own vulnerabilities, such as network address, application ID, command code and AVP, Exigent said.

LTE networks also support a diverse range of devices specific to enterprise verticals and are weak at detecting fake registrations, one of the most common attacks in 2020.

This is where the phone of a user landing in a foreign country is intercepted and falsely registered to the attacker's network in a third country, ensuring all communications are routed through that network.

Last year Exigent measured more than 100 million attacks from more than 100 networks in 65 countries.

The numbers fell in 2020 due to the much smaller number of roaming users, with 20 million attacks carried out over 85 networks in 65 countries in the first seven months.

The report notes that this year many of the attacks were sourced from new sources, including networks in small Caribbean, African and eastern European countries, a likely sign of attackers having bought access to these networks for the purpose of "surveillance by proxy."

Exigent said while China operators and in particular China Unicom were the source of more than 80% of all attacks in 2018, direct surveillance attacks from China were rarely seen in 2020, most likely because they were diverted to other operators.

— Robert Clark, contributing editor, special to Light Reading