Enterprise security professionals have been lax in our demands for visibility into how cellular networks put our organizations at risk. The closed nature of these networks, with absolutely zero transparency about vulnerabilities and attacks, has facilitated several high-impact incidents over the last several years. This report will provide an overview of cellular network vulnerabilities and detail new technologies like 5G that are on the horizon to help enterprises drive security into these networks, particularly in high-risk countries around the world.
To understand the full extent of the security problems in the global cellular ecosystem, it is important to have some insights into its architecture. From a traditional cybersecurity perspective, it will be easiest to draw some analogies. From a handset perspective, each device can talk to an infinite number of towers through a wide array of wireless protocols and frequencies. There are base stations (a.k.a. towers) which serve as transceivers for those protocols and frequencies which then convert all communications to terrestrial formats (usually fiber optics as the physical layer and TCP/IP as the protocol). All of those terrestrial connections link at the network operator's core, and the SS7 network provides the ability for inter-operator communications.
Every single component of the cellular ecosystem has significant and fundamental vulnerabilities which have not been addressed and which can be attacked at micro or macro scale, enabling either targeted or large-scale surveillance of mobile users. In many geographies, cellular technologies are compromised by separate actors through different means simultaneously, without the user having any notice or awareness of the compromises.
This report will cover an introduction of vulnerabilities that impact the following components of the cellular ecosystem:
- SS7 Network Vulnerabilities
- Handset Baseband Vulnerabilities
- Cellular Base Station Vulnerabilities
SS7 Vulnerabilities
The SS7 network is a combination of systems which has been in operations since the mid-20th century. Originally developed for long-distance telephone call billing, it was repurposed at the beginning of the cell network era to serve as the interconnect for all roaming functions between networks. For a network which was originally designed for billing and payment purposes, it has woefully inadequate security controls.
SS7 technologies are obscure, outdated, and full of potential protocol and application layer security problems. Because of the way all carriers have implemented their SS7 interconnects, it is very easy for attackers to move from one SS7 node to another. This results in attacks that can target a lowly Nigerian telco at the start, but then end up gaining access to Vodafone infrastructure through the inter-network trusts that exist between operators.
To see the full extent of what the SS7 vulnerabilities mean for enterprises, one only need look at the recent disclosure by Germany's O2 Telefonica group that many banking customers have had their accounts drained of funds. In those cases, the attackers used SS7 vulnerabilities to intercept one-time-use codes delivered through SMS to the legitimate users[i]. Combined with standard botnet keystroke logging tools, the attackers could obtain the usernames, passwords, and the SMS-delivered one-time-use codes. It is with good reason that NIST published the 800-63b bulletin notifying US government organizations that SMS does not have sufficient integrity and confidentiality to serve as a one-time-password delivery channel[ii].
In addition to intercepting SMS messages, SS7 vulnerabilities can be leveraged by attackers for real-time tracking of individuals, interception of voice calls, voice mail system manipulation, and in some cases, TCP/IP routing path manipulation.
While SS7 vulnerabilities can manipulate TCP/IP routing paths, those SS7 vulnerabilities do not extend onto the handset itself. If enterprises wish to manage the risks associated with SS7 vulnerabilities, using high-integrity Over-the-Top (OTT) messaging systems is the best path. Free solutions from Signal, WhatsApp, and Telegram exist. Enterprise solutions from KoolSpan and Silent Circle are available with features not provided by the free applications.
Handset Baseband Vulnerabilities
Within every cell phone, regardless of whether it is an old-fashioned flip phone or the latest iPhone, there is a combination of technology that most in the mobile industry refer to as the baseband processor. The baseband processor is a bunch of silicon optimized to perform all the functions that a phone needs. These chips are built by the likes of Qualcomm and Samsung and are essentially a conglomeration of CPU, memory, network interface, and media processor. These baseband processors were designed according to network operator specifications and include operator interfaces to control certain aspects of the device, including software update functions and network interface operation.
As with any complex system, these baseband processors rely on a combination of hardware and software that oftentimes is not properly tested for security problems before widespread deployment. Beginning in 2012, researchers began to explore the full breadth of security problems that exist at the baseband processor layer[iii]. Among the impacts that were identified were the ability of attackers to use nearly any cellular radio interface to attempt to run injection attacks against a handset's cellular network interface. These attacks were successful in achieving persistent changes in the target device, arbitrary code execution, and denial of service outcomes. Researchers have also outlined a wide range of other outcomes that can include persistent tracking, battery manipulation with the intent to cause physical damage/harm, and device destruction[iv].
The best bet for enterprises to best protect themselves from baseband vulnerabilities is to avoid purchasing handsets from network operators, and only purchase handsets directly from OEM's that have a proven track record for maintaining their baseband software up-to-date through updates. At present, the only two options with such a history of baseband maintenance are Apple's iPhones and Google's Nexus/Pixel devices.
At the operating system layer of the handset, there are another set of vulnerabilities which contribute to the potential for mobile devices to be used as surveillance tools. Within each operating system, the cryptographic architecture requires that a set of root certificate authorities (CA's) be pre-installed. With both Apple and Google devices, there are hundreds of pre-installed CA's. Most-worrisome are the root CA's from countries with a proven history of abusing their technological capabilities to intercept communications and track individuals. Probably the best example is the TurkTrust CA installed on both Apple and Google devices. Why is every consumer-ready smartphone on planet earth pre-compromised for the benefit of an authoritarian regime? The short answer is that both Apple and Google want to have a streamlined supply chain for the manufacturing of their devices, so whichever country requires that its CA's be pre-installed for "lawful" intercept purposes, Apple and Google install them all. Apple provides a full listing of the root-of-trust CA's on its support site. With the latest release of Android, Google has at least limited the number of CA's that could be trusted by an application, but the pre-installed root CA's are still loaded with a number of questionable organizations, certificate issuers with a spotty track record for operational integrity, and overall the topic has been obfuscated from users for far too long. Android's developer Best Practices for Security & Privacy portal details information on the changes to Android for CA trust.
What is the net impact for users when it comes to these CA risks? The best case study is what happened to TurkTrust[v]. In 2013, TurkTrust lost control of its CA issuance and root integrity, with the result being that anyone could spoof any website on any host which trusted the TurkTrust root. With the advent of the Sauron PKI incident last year[vi], there are many, many wildcard certificates on the loose in the digital underground. The inability of consumers (and enterprise users) to remove compromised roots of trust from their mobile devices is a critical vulnerability. Organizations should be demanding the ability to uninstall these pre-compromised CA's in order to better protect themselves from both nation-state surveillance as well as from sophisticated criminal organizations. Until that becomes a feature in Android and iOS, organizations only have one real alternative, and that is to build their own customized Android ROM's using tools like Lineage OS and deploying those software images to commodity Android devices without those compromised CA's.
Cellular Base Station Vulnerabilities
Sometimes it is difficult to visualize the different layers of technologies that the cellular ecosystem relies on to deliver the services we've come to expect from modern smartphones operating on advanced cellular networks (what we may call 4G or LTE). The first layer that is important to understand is the "physical" layer. Unlike with Ethernet or fiber optics, there is no physical media that we can touch or feel when it comes to cellular. The corollary in the mobile world is the radio traffic carried on a particular frequency and organized as a specific protocol. Just like we could crimp two sets of CAT V cables into a single RJ45 jack to perform a physical wiretap on Ethernet connections, the physical radio frequencies that mobile devices rely on can be compromised to provide attackers with opportunities to intercept, manipulate, and otherwise interrupt the radio signals that carry all of the information to and from mobile devices.
While there are some security controls that can protect mobile communications, they all have been compromised due to the network being designed for availability-at-all-costs. For example, none of the mobile operators would ever want to deny someone the opportunity to dial 911, regardless of where they are and what device they own. Therefore, the operators have enabled all of their base stations to interoperate with any type of cellular protocol, even ones which have primitive protection mechanisms. This availability-at-all-costs approach has made it so that even advanced security features of the latest LTE protocol can be rolled back with relative ease.
Through purpose-built cellular intercept equipment, attackers can perform localized interception, manipulation, and targeted denial-of-service on targeted individuals within a given operational area. In most cases, the operational area will be approximately the same size as the area covered by the legitimately-deployed cellular base station installed by the network operator. But, in certain high-density urban environments and wide-open rural ones, the operating area can be extended immensely through the use of high-gain antennas.
The way that these unauthorized base stations work is that they send a high-powered signal on the same frequency as the targeted device's preferred network, but without the appropriate encryption wrapper and with instructions to spoof the legitimate base station. As long as the targeted individual is within a few miles of the unauthorized base station, the device owner's communications can be intercepted.
Enterprises have three options to consider when it comes to protecting themselves from unauthorized base stations:
- Deploy a dynamic distributed cellular antenna service inside facilities
- Utilize baseband firewall technologies to be aware of unauthorized base stations and create alerting processes
- Utilize OTT technologies designed to defeat unauthorized base stations
A distributed antenna service is essentially a large grouping of small base stations within the physical facilities of the area which needs to be protected. This approach requires the facility owner to have staff who are properly trained in the detection of unauthorized base stations and the active response of the team to combat the signals emanating from the unauthorized base station. These systems start at hundreds of thousands of dollars, and can be expensive to maintain and operate.
Baseband firewall technologies such as those provided in the Cryptophone can provide real-time awareness of unauthorized base stations at a granular level with the baseband firewall display on the Cryptophone device. For larger-scale monitoring, ESD America has developed a platform called Overwatch, which is essentially a grouping of baseband firewalls that share their telemetry and log data amongst themselves. Previously, Overwatch was only available to government customers, but recently it has become available for any enterprise; the cost is at least as much as a basic distributed antenna service.
Which brings us to OTT technologies. If they can help with the first set of SS7 vulnerabilities, they can definitely help with the localized base station problem. The only issue with OTT technologies is that if a device has baseband or other operating system vulnerabilities, then OTT technologies can be compromised relatively easily. Therefore, the best option for most enterprises is to run iPhones or Pixels, purchased directly from Apple or Google, assure that those devices are always up-to-date, and then implement a high-integrity OTT system like KoolSpan or Silent Circle.
The last option, which was mentioned as a potential path to solve the pre-compromised CA problems, is to begin building a purpose-built Android ROM to be deployed on commodity hardware that the enterprise can control from the very beginning of the handset lifecycle until it is retired. Previously, this was not a cost-effective approach, but, with the commoditization of high-powered handsets, it is now possible to purchase commodity handsets, develop a purpose-built Android ROM, deploy it en masse to the devices, and then maintain it over its lifecycle. If this sounds familiar, it's because it is. We did this for laptops in the late 1990's, when enterprises demanded that they have full control to implement the operating system and security controls on enterprise laptops. I find it frustrating that most enterprises have not reverted to this model for mobile devices as this approach would have significant security benefits.
One important aspect that should be noted, all of these vulnerabilities described are especially attractive to government-run network operators in countries without privacy protections or rule-of-law. It is extremely important that international travelers prepare to protect themselves from these types of vulnerabilities while they are working or vacationing in high-risk geographies.
[i] https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/
[ii] https://pages.nist.gov/800-63-3/sp800-63b.html
[iii] https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf
[iv] https://smartech.gatech.edu/bitstream/handle/1853/43766/davis_andrew_t_201205_ro.pdf
[v] https://threatpost.com/turktrust-incident-raises-renewed-questions-about-ca-system-010413/77366/
[vi] https://arstechnica.com/security/2016/08/researchers-crack-open-unusually-advanced-malware-that-hid-for-5-years/