Prominent tech firms like Microsoft and NEC have recently expressed concerns over the security and perhaps too-rapid adoption, respectively, of critical 5G technologies. Now German security researchers have given some substance to the industry’s fears and unease.
At a hacker conference held in the Netherlands last month, Karsten Nohl, founder of Berlin-based Security Research Labs, outlined how his team had breached live 5G networks in a series of “red teaming” exercises—where hackers are hired by a company to test their defenses. In most cases they were able to take control of the network, he says, potentially allowing them to steal customer data or disrupt operations.
The hacks, revealed at the May Contain Hackers 2022 event (a.k.a. MCH2022), were made possible thanks to poorly configured cloud technology, which is playing an increasingly important role in 5G networks. Nohl says many telcos are inexperienced in how to protect such systems, and his team found that operators had failed to apply basic cloud security techniques that could help mitigate hacks.
The push toward Open RAN, virtualization, and “cloudification” unlocks more choice and functionality for 5G operators. It has also thrust them into the unfamiliar role of system integrator, suddenly responsible for securing the entire supply chain.
“5G has swept over telcos with all its implications, and nobody seems well prepared,” says Nohl. “We are introducing new technology into mobile networks, and those technologies can greatly enhance the security of our mobile networks. Or they can basically destroy any hacking resistance we’ve built up over the years. People are not aware of those choices.”
Mobile operators have traditionally relied on proprietary hardware from vendors like Ericsson, Nokia, and Huawei to build their networks. But in recent years, there has been a major push to “virtualize” network functions, which involves replicating key components in software so they can run on generic hardware, or even in the cloud. And the advent of 5G has only heightened the demand for virtualization, in particular when it comes to radio access networks (RANs)—the part of the network involved in connecting end-user devices like cellphones to the network core.
Virtualization has a host of benefits, including the ability to deploy networks faster and more cheaply, to quickly upgrade networks, and even to dynamically reconfigure them in response to changing situations on the ground. The decoupling of hardware and software also prevents vendor lock-in and allows network operators to mix and match components from different companies, something advocated for by the Open RAN movement.
But these new capabilities are also making 5G networks more complex, says Nohl, which in turn necessitates the increasing use of automation to manage networks. And the ability to mix and match software and services from different companies means far more people are involved in the development pipeline. “The more stuff you have and the more moving parts, the more opportunities for mistakes, little misconfigurations,” says Nohl.
This makes it much easier to break into such virtualized networks than was previously possible. The entry points the team discovered included a backdoor-revealing API that had been posted publicly to the Internet as well as an old development site that had accidentally been left online. But the increased ease with which attackers can penetrate the networks is not in and of itself the main problem. “The really critical question is how difficult it is to break through from your initial foothold to something actually valuable within the network,” says Nohl.
His team found it was worryingly easy to move deeper into the networks they tested, thanks primarily to poorly configured “containers.” These are self-contained packages of software that bundle up an application and everything needed to run it—code, software libraries, and configuration files—so that it can be run on any hardware. Containers are a critical part of the cloud, because they allow different applications from different companies or departments to run alongside one another on the same servers. Containers are supposed to be isolated from one another, but if they are poorly configured it’s possible to break out and gain access to other containers or even to take control of the host system. In multiple instances Nohl and his team found misconfigured containers that allowed them to do just this.
Some of the above difficulties could be attributed to the fact that telcos are inexperienced when it comes to cloud security, says Nohl. But they also may be taking shortcuts. Often operators are “lifting and shifting” preexisting software components into containers, Nohl said, but many of the settings designed to isolate containers from one another prevent the software from working as it should. Rather than rewriting code, developers often simply remove these protections, says Nohl. “Those shortcuts we see everywhere now,” he says.
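What the removed protections can look like in a deployment manifest, as an added example that is not from the article or from Security Research Labs: a short audit that flags settings which weaken container isolation. It assumes the workloads run on Kubernetes, which the article does not state; `audit_pod`, the `legacy-nf` workload, the image reference, and both manifests are constructed for illustration.

```python
# Added example (constructed manifests): audit a pod spec for weakened isolation.
HOST_NAMESPACES = ("hostNetwork", "hostPID", "hostIPC")

def audit_pod(pod):
    """Return a sorted list of isolation findings for one pod manifest."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    # A shared host namespace exposes the node's network or process table.
    for key in HOST_NAMESPACES:
        if spec.get(key) is True:
            findings.append(f"pod: {key} enabled")
    # hostPath volumes mount the node's filesystem into the container.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"pod: hostPath volume {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        name = c.get("name", "?")
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged")
        # Unless explicitly false, a process may gain privileges beyond its parent.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        added = (sc.get("capabilities") or {}).get("add") or []
        if added:
            findings.append(f"{name}: added capabilities {sorted(added)}")
        # runAsNonRoot may be set per container or inherited from the pod.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: may run as root")
    return sorted(findings)

# Constructed: a "lifted and shifted" workload with protections removed.
LIFTED = {"metadata": {"name": "legacy-nf"}, "spec": {
    "hostNetwork": True, "hostPID": True,
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "nf", "image": "registry.example.invalid/nf:1",
                    "securityContext": {"privileged": True}}]}}

# Constructed: the same workload with isolation settings left in place.
HARDENED = {"metadata": {"name": "legacy-nf"}, "spec": {
    "containers": [{"name": "nf", "image": "registry.example.invalid/nf:1",
                    "securityContext": {"privileged": False,
                                        "allowPrivilegeEscalation": False,
                                        "runAsNonRoot": True,
                                        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    print("\n".join(audit_pod(LIFTED)))
```

Run as a gate in the deployment pipeline, a check like this surfaces the shortcut at review time instead of after the workload is live.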
“Network operators are having to move into a new operating model that’s significantly different than what they’ve done in the past,” says Eric Hanselman, chief analyst at 451 Research. “The reality is that telcos have never had to deal with these levels of software development or low-level infrastructure management before. They always rely on their suppliers for this.”
While the shift toward Open RAN and the growing virtualization and “cloudification” of networks is unlocking more choice and functionality for operators, says Hanselman, it has also thrust them into the unfamiliar role of system integrator, responsible for securing the entire supply chain.
Xavier Costa Pérez, head of 5G networks R&D at NEC Laboratories Europe, disputes that operators are behind the curve when it comes to 5G security. While he admits that the transition to more virtualized networks entails inevitable risks, he says major players are investing heavily in security and partnering with cloud providers to tap into their security expertise. “I think the telco industry is very much aware that this can be a big issue,” he says. “It’s critical for survival, so I don’t think it’s taken lightly at all.”
It’s also important to remember that these kinds of highly virtualized networks still represent only a small portion of the 5G infrastructure today, probably less than 10 percent, says Costa Pérez. And all operators have backup 4G networks that they can switch to in the event of any problems.
Network operators aren’t complacent, says Ian Smith, security operations director at the industry body GSMA. “We know that maintaining security, especially for new network technologies, is an ongoing and evolving effort, and one to which the mobile industry is wholeheartedly committed.”
However, that hasn’t been the experience of Dmitry Kurbatov, cofounder of telecom security startup SecurityGen. He has found that security often appears to be an afterthought, rather than being part of the development process from the start. “I saw it many times when security teams were invited to the party when all is done and almost finished,” he says. “The security guys have a very short time slot in order to fine-tune it—if they are actually allowed to touch it.”
Nonetheless, he’s optimistic about the shift to 5G. Previously, operators had little option but to trust vendors when it came to security, but now they will be able to take matters into their own hands. “You actually can have full visibility and control over [5G] systems and functions, which means now you have the chance as the network owner to be much more secure,” he says.
And even more important, the industry isn’t alone in going through the transition to the cloud, says John Carse, chief information security officer at the Japanese operator Rakuten Mobile, which has been a champion of Open RAN principles. “This is a good thing because it means telecom doesn’t have a special problem to solve,” he says. “Telecom can benefit from adoption of techniques happening in all the industries surrounding it versus trying to overcome proprietary challenges.”
Edd Gent is a freelance science and technology writer based in Bengaluru, India. His writing focuses on emerging technologies across computing, engineering, energy and bioscience. He's on Twitter at @EddytheGent and email at edd dot gent at outlook dot com. His PGP fingerprint is ABB8 6BB3 3E69 C4A7 EC91 611B 5C12 193D 5DFC C01B. DM for Signal info.