Telcos are novices at this pace of change
Nohl, founder of Berlin-based Security Research Labs, recently breached live 5G networks in a series of “red teaming” exercises for companies, and in most cases his researchers took control of the network and could have stolen customer data or shut down operations. Recently MCH2022 hackers breezed through poorly configured clouds, which comprise much of today’s 5G networks. Nohl said operators failed to apply basic cloud security techniques that could help mitigate hacks.
Open RAN has created an open season for hackers and the first beneficiary is the potential hacker. The first parties to unlock value from the telco cloud are likely to be criminals and the treasure will be some 5G operators’ data, according to Nohl. The race for operators to ‘upscale’ has thrust them into too many unfamiliar roles, such as system integrator, and the entire supply chain is vulnerable, Eric Hanselman, chief analyst at 451 Research, has said. “Telcos have never had to deal with these levels of software development or infrastructure management before.”
Mobile operators have always relied on proprietary hardware from vendors like Ericsson, Nokia and Huawei to build their networks. But they’ve been pushed to virtualise network functions and replicate key software components on generic hardware or even in the cloud. While virtualisation has many virtues, such as speed and cheapness, the benefits of dynamic reconfiguration aren’t much compensation when the risks can prove to be fatal.
The decoupling of hardware and software may have prevented vendor lock-in, but it has also done away with what locked hackers out. The new attributes make 5G networks more complex to secure, said Nohl, which means automation is needed to manage networks. Mixing and matching software and services from different companies involves far more people. “The more stuff you have and the more moving parts, the more opportunities for mistakes, little misconfigurations,” said Nohl.
Among the entry points that Nohl’s team discovered were a backdoor-revealing API that had been posted publicly to the Internet and an old development site that had accidentally been left online. But the increased ease of penetration is not even the main problem. “The really critical question is how difficult it is to break through from your initial foothold to something actually valuable within the network,” said Nohl.
Containers have made that movement easier in many cases. Sometimes these self-contained packages of software ‘bungles’ actually exacerbate any problems in code, software libraries or configuration files. Containers are a critical part of the cloud, but that swings both ways. Different applications from different companies or departments can run alongside one another on the same servers, and the one thing they have in common is a fatal mistake.
Containers are supposed to be isolated from one another, but if they are poorly configured it’s possible to break out and gain access to other containers or even to take control of the host system. In multiple instances Nohl and his team found misconfigured containers that allowed them to do just this. The problem is that security officers are often left out until the last minute. Security teams are often invited in when the projects are almost finished and have a very short time slot in which to fine-tune them, if they are even allowed to intervene.
Some of the above difficulties could be attributed to the fact that telcos are inexperienced when it comes to cloud security, said Nohl. But they may also be taking dangerous shortcuts. Often operators are “lifting and shifting” pre-existing software components into containers, Nohl said, but many of the settings designed to isolate containers from one another prevent the software from working as it should. Rather than rewriting code, developers often simply remove these protections, said Nohl.
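The removed protections described above can be caught before deployment. This is an added example, not code from Nohl's team or any operator: it audits a workload for weakened isolation settings, assuming the containers run on Kubernetes (which the article does not name) and using two constructed manifests.

```python
# Added example: flag pod-spec settings that weaken container isolation.
# Field names are Kubernetes' own; both manifests below are constructed samples.
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN"}

def audit_pod(pod):
    """Return a sorted list of isolation findings for one pod manifest (dict)."""
    spec = pod.get("spec", {})
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} shares a host namespace")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"pod: hostPath volume {vol['hostPath'].get('path')}")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c.get("name", "?")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged")
        # When the field is unset, privilege escalation is not blocked.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        # A container-level value overrides the pod-level one.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: may run as root")
        added = set(sc.get("capabilities", {}).get("add", []))
        for cap in sorted(added & RISKY_CAPS):
            findings.append(f"{name}: adds capability {cap}")
    return sorted(findings)

# Constructed "lift and shift" workload: protections removed so legacy code runs.
LIFTED = {"spec": {
    "hostNetwork": True,
    "volumes": [{"name": "run", "hostPath": {"path": "/var/run"}}],
    "containers": [{"name": "nf", "image": "example.invalid/nf:1",
                    "securityContext": {"privileged": True,
                                        "capabilities": {"add": ["SYS_ADMIN"]}}}]}}

# Constructed hardened equivalent with isolation settings left in place.
HARDENED = {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "nf", "image": "example.invalid/nf:1",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("lifted", LIFTED), ("hardened", HARDENED)):
        print(label, audit_pod(pod) or "no findings")
```

Run as a gate in the deployment pipeline, a check like this gives the security team a say before a project is almost finished.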
“5G has swept over telcos and nobody seems well prepared,” said Nohl. “We are introducing new technology into mobile networks and they can destroy any hacking resistance we’ve built up over the years.”