Don’t let software chew a dangerous hole in next generation networks and the IoT
Once deployed, the business of managing mobile networks used to be relatively straightforward. Voice and text had a certain predictability. Special events aside, usage of these two services would take place within a set of parameters that the forward-looking network ops team could estimate with sufficient accuracy to stop problems occurring.
Enter the brave new world of mobile internet, and with it a whole new set of variables. Operators found (sometimes to their cost) that users would find a way of surprising them, be it with data heavy applications, tethering or any number of unexpected internet connected uses. The knee jerk reaction was throttling of certain services, additional costs to use the mobile web in certain ways or sometimes outright blocking, says Dmitry Kurbatov, Telecommunications Security lead at Positive Technologies.
The emergence of the data thirsty world of the IoT moves this issue into a whole new world. Not only will there be the same unexpected surprises, but the promise of 5G has been heavily sold as a universal connector. Once inanimate objects now consume bandwidth, often inefficiently.
Thankfully, digital Darwinism works both ways. Into the space has evolved the shiny new world of NFV and SDN. Need capacity quickly, or want to provision a new service? Simple, click this, drag it there and it’s problem solved, right?
Not exactly. Whilst the development of such software undoubtedly makes things easier for operators, it also does what those in the cyber security industry fear the most, centralising control of something very important and connecting it to the internet. This is a practice that creates a bulls-eye for a hacker, an asset which, given enough time and resource by a creative and well-resourced team, could be exploited. This is something that companies with large customer or financial databases have been learning to their peril over the last few years. Putting the king’s jewels in a single chest makes it a target.
Understanding this mindset is the first crucial step in securing any network. Second, and just as important, is actually doing something about it. This sounds obvious, but network security and operations teams are bombarded with a million and one tasks as they prepare to transition to their newly virtualised network, each one a priority and sucking up limited resource as deadlines rush past at terrifying speed.
Getting an external view on security is vital here. Those who have been involved in their planning and deployment are innately biased. This is not a criticism, any team in the middle of a complex technological deployment is not going to be able to see the wood for the trees. Giving someone outside this the remit to break things can be a valuable learning. As previously mentioned, knowledge of the hacker mindset is a valuable defensive tool – so employing a team with the specific remit to find problems can be an eye-opener.
This team should be given the freedom to audit everything from the code being used in critical areas of your deployment to assessing what visibility your network has from ‘the outside’. Many operators assume they have zero visibility to the broader internet, but this is not always the case in our experience. Just one visible access point or incorrectly configured connection is sometimes all it takes to create an attack profile. Think of it as a chink in your armour.
This goes for all network interconnects. The underlying mobile infrastructure, based on either outdated SS7 protocols or its newer predecessor Diametre, is increasingly being found wanting. The technical vulnerabilities in the underlying infrastructure gives attackers an open door through which to walk. Once inside, it is not a huge number of sideways steps for an attacker to have access to crucial central control points.
The supposed difficulty for an attacker gaining physical access to these points has previously been used to diffuse the spectre of this particular risk. However, gaining access to a gateway is increasingly easy through the black market, or it can even be achieved direct through hacked carrier equipment or femtocells.
Not being one for fear, uncertainty and doubt, I will refrain from outlining the doomsday scenarios that such weaknesses can cause in a world where everything is connected. I won’t even pretend to be able to guess the multiples. Suffice to say, one just has to walk around Mobile World Congress to see the plethora of very important devices that will ultimately rely on mobile connectivity in some shape or form. Now imagine someone maliciously overloading critical areas, or diverting capacity elsewhere, and the impact speaks for itself.
Software and virtualisation is a good thing for the mobile industry, broadly. It helps operators be more efficient and embrace innovation, all whilst reducing OPEX. However, I would urge mobile networks not to rush headlong into this Utopian world without considering the security implications. Taking a few relatively straightforward steps before deployment and maintaining ongoing monitoring, can be the difference between a building something special, and just creating another risk point.
The author of this blog is Dmitry Kurbatov, Telecommunications Security lead at Positive Technologies