Just when telcos were hoping for a hassle-free end to 2021... A new security threat has emerged for network operators that has a respected Chief Information Security Officer (CISO) concerned.

Przemysław Dęba, security chief at Orange Poland, has taken to Twitter to highlight a security warning to telcos from P1 Security, a telecoms security software and services specialist. The company’s R&D unit, P1 Labs, today warned of Log4Shell, “a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution.”

Essentially, it exploits a vulnerability in signalling messages, and that puts telco core network systems at risk from attack. The Apache Software Foundation, of which Log4j is a project, has given Log4Shell a “CVSS [Common Vulnerability Scoring System] severity rating of 10, the highest available score. It is estimated that the exploit affects hundreds of millions of devices,” according to P1. P1 Labs has published a full explanation.

Dęba, in his tweet, noted that if the information about Log4Shell is correct, “we have a new amazing attack vector... Telco operators should be concerned.”

And as he is well placed to determine what’s worth worrying about, this does seem like something that should be checked out, and sooner rather than later...

- Ray Le Maistre, Editorial Director, TelecomTV