Top Security Researcher Explains How to Crash Telco Networks in the Cloud

Karsten Nohl is the world’s best known white hat hacker of telecoms systems, having identified numerous weaknesses in GSM mobile networks and then served as the CISO of two large telcos. So we should listen when Nohl says he and his team have found ways to penetrate telco networks operating in the cloud, giving them the ability to:

  • spy on communications,
  • extract customer data, and
  • bring down a network.

Nohl’s presentation at the recent May Contain Hackers conference in Netherlands (pictured above) was called “OpenRAN – 5G hacking just got a lot more interesting” but this title was somewhat misleading. The content of the presentation focused on vulnerabilities that more generally apply to the use of the cloud by telecoms networks, with a particular interest in vulnerabilities for Docker containers that run on Kubernetes, the open source system for automating the management of containerized applications. Open RAN is relevant as a driver for increased adoption of the cloud, and a German study has already argued that Open RAN is not secure by design, but Nohl highlighted how hackers could break out of an insecure cloud container and use that as the starting point for compromising functions in other containers. As is often the case, some of the risk stems from social manipulation as well as exploiting technical vulnerabilities.

There is too much detail to cover here, but we can summarize the risks Nohl identified using the following categories.

  • Some likely configuration choices would allow a hacker to undermine a component not considered critical to security in order to attack other components where security is critical. Nohl said each of these methods had been executed by his team on real-life networks, proving the risks are genuine.
  • Greater automation of systems combined with a vast rise in the number of developers employed to manage common systems multiples the risk of being hacked. Every additional person is another target for social engineering and just one person can jeopardize security by carelessly revealing information. Nohl said his team had found sensitive information on a web forum and discovered old development sites left online.
  • Nohl and his colleagues found a way to compromise the RAN Intelligent Controller, software that is replicated in hundreds of containers, allowing them to exploit an insecure Docker configuration to take down an entire mobile network.

Nohl also warned that telecoms providers have yet to enshrine the concept of security by design in the way they work. He contrasted the approach of telcos and most other businesses with that of Netflix, which destroys and rebuilds Docker containers in a 72-hour cycle to ensure they never fall behind with patching.

The methods used by Nohl suggest the transition to the cloud leads to a significant change in a telcos’ risk profile. Whilst the latest generation of networks are generally more secure than their predecessors, the shift towards a generalized, commoditized technology architecture also shifts the balance in where risk lays. There are many examples of hackers breaching customer data from telcos but few examples of networks being taken down by attackers. One reason for that is network equipment has historically been specialized and the design emphasized resilience over other goals like privacy. So a bad actor would need a more unusual skill set and greater resources to bring down a network than to steal data. Nohl’s presentation shows why the transition to telco clouds also offers bad actors a more straightforward progression from stealing data to disrupting services.

Rightly or wrongly, the telecoms industry and its regulators have tended to care more about service disruption than privacy breaches. Prolonged interruptions to telecoms services also have a profound impact on the public consciousness, as demonstrated by the recent nationwide outage at Rogers. The appropriate response to Nohl’s research would see telcos tightening security for data as a byproduct of mitigating the risk of deliberate network disruption.

You can replay Nohl’s presentation below or obtain it from here.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.