A security researcher who previously exposed GSM and SS7 security issues has warned that telco’s adoption of cloud-based operations for IT and network functions makes them open to a wide range of New security holes.
Karsten Nohl of the Security Research Lab, speaking at the May Hackers conference, said that his team of researchers had found a way to move from the initial penetration of a cloud instance, which has enough credentials to track user communications, extract user data, capture the system. administrative status and finally network removal.
Although Nohl’s speech was titled exposing Open RAN vulnerabilities, in reality Nohl’s own admission was not really about telecommunications protocols, still less about Open RAN itself. There was nothing specific about the Open RAN architecture, the protocols or the interfaces his researchers called. Instead, Nohl focuses more on the general vulnerabilities that the increasing use of cloud software and automated processes can expose in any environment and as such, the vulnerabilities found see will apply to other versions of the private cloud, he added.
However, with telecom companies increasingly adopting container functionalities deployed on Kubernetes and automating processes via APIs, the attack surface arising from cloud adoption is increasing and needs to be addressed, Nohl said. Open RAN, as it plays a role, for example, does so because it is another driver of cloud adoption and of automated processes. He also describes a potential exploit that could target the Radio Smart Controller, through its cloud server platform.
Nohl described how his “red team” hackers were able to find credentials to gain access to part of the network cloud, and thereby expand their position of control in the cloud. network.
Mining presents a security risk from moving to cloud operations, the CI/CD pipeline is social and technical.
One of them is implementing container configurations that do not separate physical resources between functional components. That means if something deemed less secure is hacked, a hacker can get out of that environment and affect something underneath them (Kubernetes) or into neighboring containers. other.
“It turns out there are many avenues to doing this kind of container breakout,” said Nohl.
Most commonly, these involve configuring assigning Privilege or sys_admin capabilities to a container that is not considered security-critical, but can then be exploited to gain access to other containers. another container or a Kubernetes server.
Another vector is to exploit the host_PID namespace access that has been set for the container and use that access to kill processes on the server. “If you combine it with another capability, ptrace, you can also include code in the process,” says Nohl. “It’s basically root-level access where two benign looking things are combined for full exploitation.”
One final hack is to use network access so that guests can access the local server. “At least with a shared interface between the guest and the server, the guest can tcpdump everything from the localhost, unless they use SSL. But Kubernetes clusters are built so that everything in a cluster is trusted, so administrators assume they don’t need SSL: giving network-level access to guests often means the server is under attack. “
All of these, says Nohl, are exploits his team has seen in real-world assessments, and not just theoretical ones.
The second risk for telecommunications companies moving to cloud operations occurs due to the nature of the people and processes involved. There is simply “more developers involved,” and with increased use of automation and software pushed through CI/CD tools, some threats are amplified.
“Instead of five Linux system administrators, you can now scam hundreds of people at various companies, all contributing code somehow, and if you get any of them them, there will be a good change that you can eventually affect the mobile network. There’s an ecosystem of software development tools that are now part of the network’s growth: someone commits something to Github, that thing gets packaged somewhere, takes a picture and deploys the image. – if any part of that chain is hacked, you are at risk. “
Nohl described how his team discovered that sensitive code was posted in a developer query to Stackoverflow, that old crackable passwords were left discoverable, that old development sites were left untouched. online.
A journey involved finding an old development site that was segregated from the production network. But it’s running in a Docker container on Kubernetes and those accesses have been assigned to the container. “So we broke out of the container on Kubernetes, and now we’re not bound.”
In this case, Nohl’s team “very slowly” started looking for new work internally, scouring hundreds of services and APIs that connect micronetwork services. “Then if you send ‘wrong stuff’ on an API, you’ll get the debug info back and there is the credit of one of the developers. That then allows us to access the data lake systems and in which we find the text messages of the customers. It was a weeklong hacking journey to do what took us a minute in 2G, but now we have the text messages of an entire country.”
“It is a journey and it is not aimed at telecommunications standards. The important thing is that this is a virtualized network with lots of automated pieces floating around. “
The third hack has seen researchers break into the telecommunications sector, particularly the RAN Smart Controller. “RIC is an optimization in every one of the hundreds of dockers in the hundreds of Kubernetes and sure enough, again, they didn’t configure Docker enough – so we could break into all those environments the field can be hundreds of these K8s and remove the network. I said:
Nohl said his team’s findings show that security has yet to be implemented “by design” in telecom groups. Patching and hardening should be done to an absolute minimum on a near-constant basis. Netflix, he said, has 72 hours of self-destruct on its Docker containers, after which it is rebuilt from the CI/CD pipeline with all the new patches built in.
He also asked hackers to also take telecom security seriously, as networks move into the cloud. “We invite you to consider that. We rely on them [telco networks] And it’s important to keep them safe. “