Open RAN so easy to hack it’s ‘scary,’ says top security boffin
Karsten Nohl has the unusual job of hacking into companies at their behest. Known as “red teaming,” the process is the IT world’s equivalent of driving crash test dummies into brick walls or firing dead chickens into a grounded plane’s jet engines.
The basic idea is to expose the vulnerabilities safely (this, remember, is how Nohl makes a living) and then patch them up before there is any real-world damage. But what Nohl and Security Research Labs (SRL), his Berlin-based firm, found in the 5G networks they examined was “very scary,” he told MCH2022, a hacker camp in the Netherlands this week.
On aggregate, the handful of 5G networks SRL was invited to hack were almost boringly easy to penetrate. In one case, an isolated website created by a company developer provided a point of entry to IT systems.
While it might have seemed like a dead end, that website also ran in Docker, a software-management tool used across operations. Thanks to weaknesses in the Docker setup, SRL was able to “break out” of it and infiltrate Kubernetes, an underlying platform responsible for managing cloud applications.
From there, it was not long before the good-guy hackers were rummaging through customer information like a burglar through a jewellery drawer.
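The Docker breakout described above is the kind of foothold that falls out of a container setup that is more permissive than the workload needs. As an added illustration (not code from SRL or from the article), the following Python audit flags pod settings that commonly weaken the container-to-node boundary in Kubernetes. The two manifests are constructed for the example, and the article does not say which specific weakness SRL used, so the checks are assumptions about typical misconfigurations, not a description of that engagement.

```python
"""Flag Kubernetes pod settings that commonly let a container break out to the node.

Added example. The two manifests below are constructed for illustration; the
checks are assumed typical misconfigurations, not the weakness SRL found.
"""
from typing import Dict, List

# Constructed: a developer's throwaway website pod, the way such things often
# end up when nobody has written a policy for them.
WEAK_POD: Dict = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "dev-website"},
    "spec": {
        "hostPID": True,
        "hostNetwork": True,
        "containers": [
            {
                "name": "web",
                "image": "example/dev-website:latest",
                "securityContext": {"privileged": True, "runAsUser": 0},
                "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
            }
        ],
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}

# Constructed: the same workload with the settings a hardened baseline would require.
HARDENED_POD: Dict = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "dev-website-hardened"},
    "spec": {
        "containers": [
            {
                "name": "web",
                "image": "example/dev-website:1.4.2",
                "securityContext": {
                    "privileged": False,
                    "allowPrivilegeEscalation": False,
                    "runAsNonRoot": True,
                    "runAsUser": 10001,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]},
                },
                "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
            }
        ],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

RUNTIME_SOCKETS = ("docker.sock", "containerd.sock", "crio.sock")
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def audit_pod(pod: Dict) -> List[str]:
    """Return one finding per setting that weakens the container boundary."""
    findings: List[str] = []
    spec = pod.get("spec", {})

    # Sharing a host namespace lets a process see or join what runs on the node.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod shares the node's {flag[4:].lower()} namespace ({flag}: true)")

    # hostPath exposes the node filesystem; the runtime socket is effectively root on the node.
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath")
        if host_path:
            path = host_path.get("path", "")
            what = "the container runtime socket" if path.endswith(RUNTIME_SOCKETS) else "the node filesystem"
            findings.append(f"volume '{vol.get('name')}' mounts {what} via hostPath {path}")

    for container in spec.get("containers", []) + spec.get("initContainers", []):
        name = container.get("name")
        sc = container.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container '{name}' is privileged (all capabilities, device access)")
        # Kubernetes defaults allowPrivilegeEscalation to true unless it is explicitly disabled.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"container '{name}' does not set allowPrivilegeEscalation: false")
        if sc.get("runAsUser") == 0 or not sc.get("runAsNonRoot"):
            findings.append(f"container '{name}' may run as root (runAsNonRoot not enforced)")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"container '{name}' does not drop all Linux capabilities")
        added = DANGEROUS_CAPS.intersection(caps.get("add", []))
        if added:
            findings.append(f"container '{name}' adds breakout-relevant capabilities: {sorted(added)}")
    return findings


def is_breakout_resistant(pod: Dict) -> bool:
    """True when the manifest passes every check above."""
    return not audit_pod(pod)


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], "->", audit_pod(pod) or ["no findings"])
```

Run as-is it prints seven findings for the constructed weak pod and none for the hardened one. In practice the same checks are enforced cluster-wide with Pod Security Admission or an admission policy engine rather than a script, but the script makes visible exactly which settings turn a stray developer website into a path onto the node.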
Old security threats have been amplified. Phishing, whereby hackers trick people into revealing sensitive data, would previously have targeted a few system administrators.
But the adoption of Docker and Kubernetes, both open-source platforms, means hundreds of people across various companies might be writing code for the configuration of a mobile network.
“If you can phish any one of them, there is a good chance you can adversely affect the mobile network,” said Nohl.
Essentially, this community-based approach has multiplied the opportunities for the criminally minded. If any part of the chain is hacked, the mobile network is at risk, says Nohl, questioning some of the familiar, no-security-in-obscurity claims about open-source code.
“I’m not so sure this many-eyes-make-bugs-go-away argument applies to software that is used in only one or two companies,” he said.
“You post it on the Internet and people don’t start looking for bugs in it. The hacker will use that information. Some level of obscurity sometimes helps in protecting APIs [application programming interfaces].”
The rush to cloudify
In Nohl’s assessment, much of the blame for this mess lies not with anything telco-, network- or 5G-specific but with a rush to virtualize and cloudify operations.
Theoretically, operators should be able to segregate resources more easily with virtualization to mitigate risk. But this rarely happens, according to Nohl.
To read the complete article, visit Light Reading.