20.5k unique visitors in the last 3 days

Top Security Researcher Explains How to Crash Telco Networks in the Cloud

Karsten Nohl showed how cloud vulnerabilities could let hackers progress from spying on messages to taking down entire networks.

Karsten Nohl is the world’s best known white hat hacker of telecoms systems, having identified numerous weaknesses in GSM mobile networks and then served as the CISO of two large telcos. So we should listen when Nohl says he and his team have found ways to penetrate telco networks operating in the cloud, giving them the ability to:

  • spy on communications,
  • extract customer data, and
  • bring down a network.

Nohl’s presentation at the recent May Contain Hackers conference in Netherlands (pictured above) was called “OpenRAN – 5G hacking just got a lot more interesting” but this title was somewhat misleading. The content of the presentation focused on vulnerabilities that more generally apply to the use of the cloud by telecoms networks, with a particular interest in vulnerabilities for Docker containers that run on Kubernetes, the open source system for automating the management of containerized applications. Open RAN is relevant as a driver for increased adoption of the cloud, and a German study has already argued that Open RAN is not secure by design, but Nohl highlighted how hackers could break out of an insecure cloud container and use that as the starting point for compromising functions in other containers. As is often the case, some of the risk stems from social manipulation as well as exploiting technical vulnerabilities.

There is too much detail to cover here, but we can summarize the risks Nohl identified using the following categories.

  • Some likely configuration choices would allow a hacker to undermine a component not considered critical to security in order to attack other components where security is critical. Nohl said each of these methods had been executed by his team on real-life networks, proving the risks are genuine.
  • Greater automation of systems combined with a vast rise in the number of developers employed to manage common systems multiples the risk of being hacked. Every additional person is another target for social engineering and just one person can jeopardize security by carelessly revealing information. Nohl said his team had found sensitive information on a web forum and discovered old development sites left online.
  • Nohl and his colleagues found a way to compromise the RAN Intelligent Controller, software that is replicated in hundreds of containers, allowing them to exploit an insecure Docker configuration to take down an entire mobile network.

Nohl also warned that telecoms providers have yet to enshrine the concept of security by design in the way they work. He contrasted the approach of telcos and most other businesses with that of Netflix, which destroys and rebuilds Docker containers in a 72-hour cycle to ensure they never fall behind with patching.

The methods used by Nohl suggest the transition to the cloud leads to a significant change in a telcos’ risk profile. Whilst the latest generation of networks are generally more secure than their predecessors, the shift towards a generalized, commoditized technology architecture also shifts the balance in where risk lays. There are many examples of hackers breaching customer data from telcos but few examples of networks being taken down by attackers. One reason for that is network equipment has historically been specialized and the design emphasized resilience over other goals like privacy. So a bad actor would need a more unusual skill set and greater resources to bring down a network than to steal data. Nohl’s presentation shows why the transition to telco clouds also offers bad actors a more straightforward progression from stealing data to disrupting services.

Rightly or wrongly, the telecoms industry and its regulators have tended to care more about service disruption than privacy breaches. Prolonged interruptions to telecoms services also have a profound impact on the public consciousness, as demonstrated by the recent nationwide outage at Rogers. The appropriate response to Nohl’s research would see telcos tightening security for data as a byproduct of mitigating the risk of deliberate network disruption.

You can replay Nohl’s presentation below or obtain it from here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email