1 00:00:01,280 --> 00:00:12,559 [Music] 2 00:00:16,480 --> 00:00:20,080 next session on open rand 5g hacking 3 00:00:20,080 --> 00:00:22,320 just got a lot more interesting by 4 00:00:22,320 --> 00:00:23,840 carson noll 5 00:00:23,840 --> 00:00:27,680 so 5g has seen quite some evolutions at 6 00:00:27,680 --> 00:00:29,279 least through telecom through every of 7 00:00:29,279 --> 00:00:32,079 the generations the 2g 8 00:00:32,079 --> 00:00:34,880 3g 4g and now 5g 9 00:00:34,880 --> 00:00:36,880 and it's changing from an old school 10 00:00:36,880 --> 00:00:39,920 monolithical system to a very open model 11 00:00:39,920 --> 00:00:41,440 and openness and open models is 12 00:00:41,440 --> 00:00:43,280 something that we dearly love at least i 13 00:00:43,280 --> 00:00:45,840 do and now the hacking potential and a 14 00:00:45,840 --> 00:00:48,480 lot more interfaces are coming about and 15 00:00:48,480 --> 00:00:50,559 we can actually have some quite new 16 00:00:50,559 --> 00:00:52,079 interactions with this 17 00:00:52,079 --> 00:00:53,760 and i know that from myself from a 18 00:00:53,760 --> 00:00:55,840 previous employer being a telecom 19 00:00:55,840 --> 00:00:58,079 company that it's very interesting to 20 00:00:58,079 --> 00:00:59,680 listen here and also see the new 21 00:00:59,680 --> 00:01:02,160 technology emerge now carson no we know 22 00:01:02,160 --> 00:01:04,959 from all kinds of ccc talks cool ones 23 00:01:04,959 --> 00:01:06,880 even and each 24 00:01:06,880 --> 00:01:09,040 every target was actually cool i call it 25 00:01:09,040 --> 00:01:11,280 education to myself 26 00:01:11,280 --> 00:01:12,880 and as a security researcher and 27 00:01:12,880 --> 00:01:15,360 cryptographer he's now also the chief 28 00:01:15,360 --> 00:01:18,560 scientist for sr labs in berlin 29 00:01:18,560 --> 00:01:19,360 and 30 00:01:19,360 --> 00:01:21,439 take it away please a big applause for 31 00:01:21,439 --> 00:01:24,839 customer knowledge 32 00:01:29,680 --> 00:01:31,840 thank you and thanks for entertaining 33 00:01:31,840 --> 00:01:33,920 everyone for 10 minutes i've never seen 34 00:01:33,920 --> 00:01:36,880 a herald work harder 35 00:01:36,880 --> 00:01:39,200 um good to see you all again uh three 36 00:01:39,200 --> 00:01:41,360 years of of everybody staying at home 37 00:01:41,360 --> 00:01:43,280 hacking on their own things it's about 38 00:01:43,280 --> 00:01:45,040 time to start sharing knowledge again 39 00:01:45,040 --> 00:01:47,600 that's what i'm here for today 40 00:01:47,600 --> 00:01:49,280 we'll be talking about 41 00:01:49,280 --> 00:01:51,040 hacking in and taking down critical 42 00:01:51,040 --> 00:01:53,119 infrastructure um 43 00:01:53,119 --> 00:01:55,280 the irony that this talk was delayed by 44 00:01:55,280 --> 00:01:57,119 10 minutes by the electricity going down 45 00:01:57,119 --> 00:01:59,439 isn't lost on me um we'll make the best 46 00:01:59,439 --> 00:02:01,119 out of the remaining time 47 00:02:01,119 --> 00:02:03,680 um we're talking about open rand today 48 00:02:03,680 --> 00:02:06,560 as a case study basically of technology 49 00:02:06,560 --> 00:02:08,479 developments are happening 50 00:02:08,479 --> 00:02:10,479 in basically every industry people are 51 00:02:10,479 --> 00:02:11,599 going into the cloud they're 52 00:02:11,599 --> 00:02:13,760 virtualizing things 53 00:02:13,760 --> 00:02:16,000 processes get more and more automated 54 00:02:16,000 --> 00:02:16,800 and 55 00:02:16,800 --> 00:02:18,959 nowhere is that shift clearer than in 56 00:02:18,959 --> 00:02:22,319 the telco industry and openran is a is a 57 00:02:22,319 --> 00:02:24,239 great example of that so we'll be 58 00:02:24,239 --> 00:02:26,160 touching on a lot of technology that you 59 00:02:26,160 --> 00:02:29,440 encounter in your industries as well um 60 00:02:29,440 --> 00:02:32,000 i'm just particularly fond of telco 61 00:02:32,000 --> 00:02:34,080 hacking so at the end of this 62 00:02:34,080 --> 00:02:36,000 presentation you'll know what open rain 63 00:02:36,000 --> 00:02:37,920 is and the technologies involved around 64 00:02:37,920 --> 00:02:39,920 virtualization and automation you'll 65 00:02:39,920 --> 00:02:42,160 know how to find security issues in them 66 00:02:42,160 --> 00:02:43,920 and if you happen to be in the business 67 00:02:43,920 --> 00:02:45,680 of building telco networks or for that 68 00:02:45,680 --> 00:02:48,239 matter any kind of cloud network 69 00:02:48,239 --> 00:02:50,800 you'll take away some advice on how to 70 00:02:50,800 --> 00:02:53,280 make those infrastructures more secure 71 00:02:53,280 --> 00:02:56,239 um why am i talking about this well i've 72 00:02:56,239 --> 00:02:58,159 i've experienced telco basically from 73 00:02:58,159 --> 00:03:00,560 from both sides i've been 74 00:03:00,560 --> 00:03:02,800 a hacker of critical infrastructures for 75 00:03:02,800 --> 00:03:04,400 well over a decade now 76 00:03:04,400 --> 00:03:08,640 and around halfway through that um 77 00:03:08,640 --> 00:03:11,120 that journey i've been asked to help 78 00:03:11,120 --> 00:03:13,120 secure telco network so i've seen both 79 00:03:13,120 --> 00:03:15,200 the attacking and the defending side of 80 00:03:15,200 --> 00:03:17,280 it and i can tell you well well hacking 81 00:03:17,280 --> 00:03:19,200 telco networks might seem difficult 82 00:03:19,200 --> 00:03:21,519 sometimes defending them is even harder 83 00:03:21,519 --> 00:03:23,599 so if you're up for challenge 84 00:03:23,599 --> 00:03:26,159 try that sometime 85 00:03:26,159 --> 00:03:28,080 but why anyway are we still talking 86 00:03:28,080 --> 00:03:30,480 about telco security 87 00:03:30,480 --> 00:03:31,680 it's been 88 00:03:31,680 --> 00:03:34,239 literally 13 years since i was standing 89 00:03:34,239 --> 00:03:36,560 here and um 90 00:03:36,560 --> 00:03:38,560 trying to get all of you to help me 91 00:03:38,560 --> 00:03:41,440 compute a51 rainbow tables anybody 92 00:03:41,440 --> 00:03:42,640 remember that 93 00:03:42,640 --> 00:03:45,120 okay yeah that's exactly 13 years ago 94 00:03:45,120 --> 00:03:46,640 this conference 95 00:03:46,640 --> 00:03:48,879 and then you all came together and we 96 00:03:48,879 --> 00:03:50,560 computed those tables we then released 97 00:03:50,560 --> 00:03:53,200 them that year in december at the chaos 98 00:03:53,200 --> 00:03:54,400 congress 99 00:03:54,400 --> 00:03:56,319 and ever since then people know that 2g 100 00:03:56,319 --> 00:03:57,920 is insecure 101 00:03:57,920 --> 00:03:59,360 and nobody has ever found similar 102 00:03:59,360 --> 00:04:02,080 weaknesses in in the other protocols so 103 00:04:02,080 --> 00:04:04,239 on are we done when we're done 13 years 104 00:04:04,239 --> 00:04:07,360 ago um well it turns out telco networks 105 00:04:07,360 --> 00:04:09,360 are more complex than just singular 106 00:04:09,360 --> 00:04:11,599 standards right the reality is always 107 00:04:11,599 --> 00:04:14,000 more complex than the standards written 108 00:04:14,000 --> 00:04:15,840 in theory but let's start at the 109 00:04:15,840 --> 00:04:18,238 positives let's see what has actually 110 00:04:18,238 --> 00:04:21,680 happened in in telco network evolution 111 00:04:21,680 --> 00:04:22,560 um 112 00:04:22,560 --> 00:04:24,639 so with the introduction of 5g pretty 113 00:04:24,639 --> 00:04:25,840 much all the 114 00:04:25,840 --> 00:04:26,960 um 115 00:04:26,960 --> 00:04:29,440 the hacking vectors that were identified 116 00:04:29,440 --> 00:04:31,280 in previous generations were closed and 117 00:04:31,280 --> 00:04:33,759 not just hacking then vectors also 118 00:04:33,759 --> 00:04:35,759 privacy features were added 119 00:04:35,759 --> 00:04:39,440 for instance 5g is the um 120 00:04:39,440 --> 00:04:42,160 the first standard where the mc 121 00:04:42,160 --> 00:04:44,400 basically your your identity isn't 122 00:04:44,400 --> 00:04:46,560 submitted in clear text over the air 123 00:04:46,560 --> 00:04:50,240 anymore right so it took almost 30 years 124 00:04:50,240 --> 00:04:52,479 of network standardization for people to 125 00:04:52,479 --> 00:04:54,639 understand that it's a bad idea to send 126 00:04:54,639 --> 00:04:56,880 identities in clear text right it will 127 00:04:56,880 --> 00:04:59,199 probably take another 30 years for all 128 00:04:59,199 --> 00:05:01,600 non-5g networks to die out and for us to 129 00:05:01,600 --> 00:05:04,160 finally benefit from this um progress 130 00:05:04,160 --> 00:05:05,840 but you know it's a step in the right 131 00:05:05,840 --> 00:05:07,759 direction and there's many others i 132 00:05:07,759 --> 00:05:09,840 won't go into the details here because 133 00:05:09,840 --> 00:05:12,240 of course you all are only interested in 134 00:05:12,240 --> 00:05:14,400 in how networks are broken not how they 135 00:05:14,400 --> 00:05:16,240 have been fixed but 136 00:05:16,240 --> 00:05:18,639 overall of course we have made good 137 00:05:18,639 --> 00:05:20,800 progress or the people writing these 138 00:05:20,800 --> 00:05:22,560 standards i should say have made good 139 00:05:22,560 --> 00:05:25,919 progress um so that today we couldn't 140 00:05:25,919 --> 00:05:28,800 just stick up an antenna and intercept a 141 00:05:28,800 --> 00:05:32,320 5g conversation like we did 13 years ago 142 00:05:32,320 --> 00:05:33,440 at the 143 00:05:33,440 --> 00:05:36,080 chaos congress um 144 00:05:36,080 --> 00:05:38,560 against 2g right um 145 00:05:38,560 --> 00:05:39,680 but even though these network 146 00:05:39,680 --> 00:05:41,759 generations have gotten more and more 147 00:05:41,759 --> 00:05:45,520 secure on paper um we anyway or other 148 00:05:45,520 --> 00:05:47,039 researchers have been able to find 149 00:05:47,039 --> 00:05:49,520 vulnerabilities in each of those uh 150 00:05:49,520 --> 00:05:52,240 standards usually digging a little bit 151 00:05:52,240 --> 00:05:54,000 deeper going to 152 00:05:54,000 --> 00:05:56,720 less obvious places and we want to 153 00:05:56,720 --> 00:06:00,000 continue that today with 5g and again 154 00:06:00,000 --> 00:06:03,039 using openran as a case study 155 00:06:03,039 --> 00:06:03,919 um 156 00:06:03,919 --> 00:06:05,919 what i'll show you now over over the 157 00:06:05,919 --> 00:06:06,960 next 158 00:06:06,960 --> 00:06:10,080 20 25 minutes uh um 159 00:06:10,080 --> 00:06:12,720 kind of the building blocks towards four 160 00:06:12,720 --> 00:06:16,560 hacks that that are a little straight um 161 00:06:16,560 --> 00:06:17,919 spying on 162 00:06:17,919 --> 00:06:20,880 people's communication 163 00:06:20,880 --> 00:06:22,720 extracting their private data from a 164 00:06:22,720 --> 00:06:24,400 mobile network 165 00:06:24,400 --> 00:06:26,720 becoming an admin in that mobile network 166 00:06:26,720 --> 00:06:28,400 controlling all the infrastructure and 167 00:06:28,400 --> 00:06:31,120 ultimately taking down a mobile network 168 00:06:31,120 --> 00:06:33,440 right um these are not singular hex 169 00:06:33,440 --> 00:06:35,440 anymore uh like what we discussed let's 170 00:06:35,440 --> 00:06:38,560 say around 2g um but draws a series of 171 00:06:38,560 --> 00:06:40,800 of building blocks so i'll have to do a 172 00:06:40,800 --> 00:06:44,639 little bit of a build up towards that um 173 00:06:44,639 --> 00:06:47,280 they are also not easily done within 174 00:06:47,280 --> 00:06:49,039 what is what was it less than one minute 175 00:06:49,039 --> 00:06:50,639 for the 2g stuff right we're talking 176 00:06:50,639 --> 00:06:52,240 about weeks here weeks of somebody 177 00:06:52,240 --> 00:06:54,240 penetrating a network and and moving 178 00:06:54,240 --> 00:06:55,520 deeper and deeper and deeper until they 179 00:06:55,520 --> 00:06:57,440 can finally take down the network 180 00:06:57,440 --> 00:06:59,759 um but i'm sure you can imagine many 181 00:06:59,759 --> 00:07:01,360 organizations that would be willing to 182 00:07:01,360 --> 00:07:03,759 spend several weeks to then either 183 00:07:03,759 --> 00:07:06,639 ransom um somebody or do other criminal 184 00:07:06,639 --> 00:07:08,319 activities or for purely strategic 185 00:07:08,319 --> 00:07:10,400 purposes we're talking state sponsored 186 00:07:10,400 --> 00:07:12,240 actors right so it takes weeks to break 187 00:07:12,240 --> 00:07:14,720 into a 5g network and while that might 188 00:07:14,720 --> 00:07:17,680 seem like a long time compared to uh 189 00:07:17,680 --> 00:07:19,280 what what hackers usually show at 190 00:07:19,280 --> 00:07:21,680 conferences like this it's definitely 191 00:07:21,680 --> 00:07:24,400 worth uh worthwhile for um too many 192 00:07:24,400 --> 00:07:25,680 people in the world for this to be 193 00:07:25,680 --> 00:07:26,800 ignored 194 00:07:26,800 --> 00:07:27,599 so 195 00:07:27,599 --> 00:07:30,400 why are networks still vulnerable 196 00:07:30,400 --> 00:07:31,360 of course 197 00:07:31,360 --> 00:07:32,639 they are built from many different 198 00:07:32,639 --> 00:07:35,120 technologies some of them newer like 199 00:07:35,120 --> 00:07:37,039 let's say the 5g standards some of them 200 00:07:37,039 --> 00:07:38,960 older but still mandatory if you're 201 00:07:38,960 --> 00:07:42,960 building a 5g network from scratch today 202 00:07:42,960 --> 00:07:44,879 you would still have to connect it to an 203 00:07:44,879 --> 00:07:46,879 engine technology called ss7 for 204 00:07:46,879 --> 00:07:48,879 instance right won't be talking much 205 00:07:48,879 --> 00:07:51,440 about ss7 today um but there's of course 206 00:07:51,440 --> 00:07:53,440 previous research from years ago that 207 00:07:53,440 --> 00:07:56,319 still to today applies to virtually all 208 00:07:56,319 --> 00:07:57,919 networks in the world because of the 209 00:07:57,919 --> 00:07:59,680 network effect if you want to be part of 210 00:07:59,680 --> 00:08:01,280 this global community if you want to 211 00:08:01,280 --> 00:08:03,440 exchange text messages if you want to 212 00:08:03,440 --> 00:08:05,199 support global roaming you have to 213 00:08:05,199 --> 00:08:07,840 support ss7 or maybe a little bit more 214 00:08:07,840 --> 00:08:10,319 avant-garde supporting diameter well 215 00:08:10,319 --> 00:08:11,919 tough luck it has the same security 216 00:08:11,919 --> 00:08:13,759 vulnerability so 217 00:08:13,759 --> 00:08:16,800 mobile networks are just complex beasts 218 00:08:16,800 --> 00:08:18,879 and today we're going to talk about none 219 00:08:18,879 --> 00:08:20,240 of this stuff 220 00:08:20,240 --> 00:08:23,039 but look one level below to the it 221 00:08:23,039 --> 00:08:25,440 infrastructure 222 00:08:25,440 --> 00:08:27,120 every telco network of course needs to 223 00:08:27,120 --> 00:08:28,800 be built on something right it's not 224 00:08:28,800 --> 00:08:30,800 just software and this used to be 225 00:08:30,800 --> 00:08:33,120 proprietary boxes that you would source 226 00:08:33,120 --> 00:08:34,958 from some scandinavian vendor or let's 227 00:08:34,958 --> 00:08:36,479 say from china 228 00:08:36,479 --> 00:08:38,799 um there was 4g 229 00:08:38,799 --> 00:08:42,000 this moved all onto linux um everything 230 00:08:42,000 --> 00:08:45,200 became ip in in mobile networks so it 231 00:08:45,200 --> 00:08:47,200 already felt a lot more familiar to a 232 00:08:47,200 --> 00:08:49,760 pen tester or red teamer 233 00:08:49,760 --> 00:08:53,440 testing mobile networks and with 5g now 234 00:08:53,440 --> 00:08:55,680 we're going even further down to to get 235 00:08:55,680 --> 00:08:58,160 basically cloudify these networks um and 236 00:08:58,160 --> 00:09:00,720 today we're going to talk about um about 237 00:09:00,720 --> 00:09:03,200 exactly that development um where 238 00:09:03,200 --> 00:09:06,080 networks become much more virtualized 239 00:09:06,080 --> 00:09:09,200 and much more automated okay 240 00:09:09,200 --> 00:09:11,760 so all the hacking i'll be talking about 241 00:09:11,760 --> 00:09:15,200 today is going to be from the it domain 242 00:09:15,200 --> 00:09:17,279 that mobile networks are built on right 243 00:09:17,279 --> 00:09:18,959 very important we're not going to 244 00:09:18,959 --> 00:09:20,640 mess with any of these standards because 245 00:09:20,640 --> 00:09:22,560 they're not the weakest link of mobile 246 00:09:22,560 --> 00:09:24,560 networks anymore as far as i can tell 247 00:09:24,560 --> 00:09:26,080 okay 248 00:09:26,080 --> 00:09:27,040 um 249 00:09:27,040 --> 00:09:28,800 a bit of nomenclature to get that out of 250 00:09:28,800 --> 00:09:30,480 the way so today we're talking about 251 00:09:30,480 --> 00:09:32,320 open rain what's open range first of all 252 00:09:32,320 --> 00:09:35,519 ran what's ram radio access network is 253 00:09:35,519 --> 00:09:37,600 one of three parts that make up a mobile 254 00:09:37,600 --> 00:09:39,760 network does the radio access network 255 00:09:39,760 --> 00:09:41,680 which is basically 90 of the mobile 256 00:09:41,680 --> 00:09:44,000 network actually it's the antenna it's a 257 00:09:44,000 --> 00:09:45,839 cable that connects antenna to some 258 00:09:45,839 --> 00:09:48,399 local switching center another cable to 259 00:09:48,399 --> 00:09:50,480 something more regional another cable to 260 00:09:50,480 --> 00:09:53,120 connect us to a big central data center 261 00:09:53,120 --> 00:09:54,640 and that central data center is then 262 00:09:54,640 --> 00:09:56,800 considered the network core so that's 263 00:09:56,800 --> 00:09:58,480 separate and then different network 264 00:09:58,480 --> 00:10:00,800 cores are connected through interconnect 265 00:10:00,800 --> 00:10:02,240 um for instance to connect different 266 00:10:02,240 --> 00:10:04,000 companies or different countries right 267 00:10:04,000 --> 00:10:05,920 but almost everything that you consider 268 00:10:05,920 --> 00:10:08,320 as a mobile network is the radio access 269 00:10:08,320 --> 00:10:10,079 network part basically the country-wide 270 00:10:10,079 --> 00:10:12,079 infrastructure right 271 00:10:12,079 --> 00:10:13,920 and even though it's 90 of a mobile 272 00:10:13,920 --> 00:10:16,399 network at least it hasn't received much 273 00:10:16,399 --> 00:10:18,240 attention so i certainly haven't looked 274 00:10:18,240 --> 00:10:20,640 at anything ran related since 13 years 275 00:10:20,640 --> 00:10:23,279 ago the 2g stuff because i considered 276 00:10:23,279 --> 00:10:25,600 it's secure and it's basically just 277 00:10:25,600 --> 00:10:28,000 cables right and that was true for most 278 00:10:28,000 --> 00:10:30,839 of these 13 years up until now 279 00:10:30,839 --> 00:10:34,240 was 5g and open ram 280 00:10:34,240 --> 00:10:36,399 there's big changes underway where uh 281 00:10:36,399 --> 00:10:38,560 the radio access network gets a lot i 282 00:10:38,560 --> 00:10:40,720 guess people call it smarter right so a 283 00:10:40,720 --> 00:10:42,320 lot more complex there's much more 284 00:10:42,320 --> 00:10:44,480 technology put into the ran and that's 285 00:10:44,480 --> 00:10:47,040 why after many years of neglecting it uh 286 00:10:47,040 --> 00:10:50,160 we revisited it and um found really 287 00:10:50,160 --> 00:10:53,440 interesting stuff right um so that's ran 288 00:10:53,440 --> 00:10:55,519 so what is open ran open ran is 289 00:10:55,519 --> 00:10:58,480 basically a movement you could say um 290 00:10:58,480 --> 00:11:01,360 loosely defined as as combining three 291 00:11:01,360 --> 00:11:03,120 things only two of which are really 292 00:11:03,120 --> 00:11:05,279 relevant for our discussion today the 293 00:11:05,279 --> 00:11:07,279 third thing is that mobile networks are 294 00:11:07,279 --> 00:11:09,600 now built on commodity hardware to make 295 00:11:09,600 --> 00:11:11,519 them cheaper right so instead of getting 296 00:11:11,519 --> 00:11:13,680 a box from scandinavia or china that 297 00:11:13,680 --> 00:11:15,839 combines hardware and software you get 298 00:11:15,839 --> 00:11:17,519 your own hardware 299 00:11:17,519 --> 00:11:18,880 and then you put whatever vendor 300 00:11:18,880 --> 00:11:21,120 software on it right not so relevant for 301 00:11:21,120 --> 00:11:22,399 us 302 00:11:22,399 --> 00:11:24,880 what's more relevant for the security 303 00:11:24,880 --> 00:11:27,200 discussion is that 304 00:11:27,200 --> 00:11:30,079 everything is virtualized or i guess 305 00:11:30,079 --> 00:11:31,680 containerized is the more appropriate 306 00:11:31,680 --> 00:11:33,519 term we're talking kubernetes here most 307 00:11:33,519 --> 00:11:35,839 of the time um and processes are 308 00:11:35,839 --> 00:11:38,720 automated to a very high in fact scary 309 00:11:38,720 --> 00:11:41,600 degree right um so that's open ram 310 00:11:41,600 --> 00:11:42,880 basically these three things put 311 00:11:42,880 --> 00:11:45,839 together and it's extremely popular um 312 00:11:45,839 --> 00:11:47,839 among telcos right now because it's 313 00:11:47,839 --> 00:11:49,760 cheaper the commodity hardware part is 314 00:11:49,760 --> 00:11:51,760 what they find interesting of course we 315 00:11:51,760 --> 00:11:53,680 find the other two are a lot more 316 00:11:53,680 --> 00:11:55,519 interesting 317 00:11:55,519 --> 00:11:57,519 so in in summary the changes between 318 00:11:57,519 --> 00:11:59,120 kind of how mobile networks used to be 319 00:11:59,120 --> 00:12:00,480 built and how they're being built right 320 00:12:00,480 --> 00:12:02,800 now um a mobile network used to be built 321 00:12:02,800 --> 00:12:04,959 okay you start with an antenna that part 322 00:12:04,959 --> 00:12:06,480 hasn't changed the future will still 323 00:12:06,480 --> 00:12:08,160 have antennas in mobile network just 324 00:12:08,160 --> 00:12:10,160 everything after that changes so it used 325 00:12:10,160 --> 00:12:12,240 to be you connect this antenna to one of 326 00:12:12,240 --> 00:12:14,959 those proprietary boxes appliances you 327 00:12:14,959 --> 00:12:16,800 could say that you get from let's say 328 00:12:16,800 --> 00:12:18,240 scandinavia 329 00:12:18,240 --> 00:12:20,720 and um you you you connect them 330 00:12:20,720 --> 00:12:22,720 throughout the entire country somebody 331 00:12:22,720 --> 00:12:25,120 manually looks locks into each of these 332 00:12:25,120 --> 00:12:27,200 boxes configures them and then basically 333 00:12:27,200 --> 00:12:28,880 you have your network that will stay 334 00:12:28,880 --> 00:12:31,360 virtually the same for the next say 15 335 00:12:31,360 --> 00:12:33,200 to 20 years until it's replaced by 336 00:12:33,200 --> 00:12:35,440 another network generation right there's 337 00:12:35,440 --> 00:12:37,680 sometimes upgrades that the vendor will 338 00:12:37,680 --> 00:12:40,000 ship to you maybe once a year at most 339 00:12:40,000 --> 00:12:42,000 twice a year um 340 00:12:42,000 --> 00:12:43,920 and then you manually install these 341 00:12:43,920 --> 00:12:45,839 upgrades on each of the boxes and that's 342 00:12:45,839 --> 00:12:48,320 it it's very static networks with very 343 00:12:48,320 --> 00:12:50,160 little interference 344 00:12:50,160 --> 00:12:52,880 right now switch over to openran or 345 00:12:52,880 --> 00:12:55,279 really any future mobile network i i 346 00:12:55,279 --> 00:12:57,680 would imagine um instead of getting 347 00:12:57,680 --> 00:12:59,839 appliances you get shipments of software 348 00:12:59,839 --> 00:13:01,600 and you have to install them in your own 349 00:13:01,600 --> 00:13:03,120 cloud environment 350 00:13:03,120 --> 00:13:04,560 and it's not going to be just a few 351 00:13:04,560 --> 00:13:06,959 cloud environments because of 5g's 352 00:13:06,959 --> 00:13:08,959 latency requirements they'll be in a 353 00:13:08,959 --> 00:13:11,519 country like germany several hundred 354 00:13:11,519 --> 00:13:14,240 data centers okay so in several hundred 355 00:13:14,240 --> 00:13:17,440 places you install kubernetes clouds and 356 00:13:17,440 --> 00:13:19,360 then on each of those kubernetes clouds 357 00:13:19,360 --> 00:13:21,519 you have to put dozens of docker 358 00:13:21,519 --> 00:13:24,959 containers right just the complexity of 359 00:13:24,959 --> 00:13:27,360 that the sheer numbers involved do not 360 00:13:27,360 --> 00:13:29,200 allow for anybody to do this manually 361 00:13:29,200 --> 00:13:31,519 one by one anymore right it needs to be 362 00:13:31,519 --> 00:13:34,160 automated uh the whole deployment and 363 00:13:34,160 --> 00:13:37,040 once it's automated um people think of 364 00:13:37,040 --> 00:13:38,800 this as a great benefit because now we 365 00:13:38,800 --> 00:13:40,720 can keep changing the network pretty 366 00:13:40,720 --> 00:13:43,519 dynamically so instead of having people 367 00:13:43,519 --> 00:13:46,160 lock into boxes once once a year and 368 00:13:46,160 --> 00:13:48,639 changing a little bit now you have 369 00:13:48,639 --> 00:13:50,560 scripts running all the time that try to 370 00:13:50,560 --> 00:13:52,240 optimize the network that keep 371 00:13:52,240 --> 00:13:54,240 reconfiguring everything so it's kind of 372 00:13:54,240 --> 00:13:57,440 a living organism almost style network 373 00:13:57,440 --> 00:14:00,639 that is self-optimizing and to me that's 374 00:14:00,639 --> 00:14:02,240 very scary right knowing that it 375 00:14:02,240 --> 00:14:04,000 continuously changes how are you going 376 00:14:04,000 --> 00:14:06,240 to test it and say okay for the next few 377 00:14:06,240 --> 00:14:08,240 years i know it's secure i mean you test 378 00:14:08,240 --> 00:14:10,399 it and even five minutes later it has a 379 00:14:10,399 --> 00:14:12,720 different state so security testing 380 00:14:12,720 --> 00:14:14,959 becomes a lot more complex right now 381 00:14:14,959 --> 00:14:16,800 maybe silver lining 382 00:14:16,800 --> 00:14:18,720 at least we remove the the human error 383 00:14:18,720 --> 00:14:20,160 source from operations right if 384 00:14:20,160 --> 00:14:21,920 everything is software nobody can fat 385 00:14:21,920 --> 00:14:24,000 finger or get fished anymore but of 386 00:14:24,000 --> 00:14:27,120 course we introduced another um maybe 387 00:14:27,120 --> 00:14:29,600 more serious human error source in that 388 00:14:29,600 --> 00:14:31,440 many developers are now involved that 389 00:14:31,440 --> 00:14:34,079 through some magical cicd pipelines 390 00:14:34,079 --> 00:14:36,160 create and push down these scripts and 391 00:14:36,160 --> 00:14:38,160 that's what we want to focus on today 392 00:14:38,160 --> 00:14:39,920 these two developments that everything 393 00:14:39,920 --> 00:14:41,600 gets virtualized 394 00:14:41,600 --> 00:14:44,480 and that everything gets automated okay 395 00:14:44,480 --> 00:14:46,560 and again i'm using this as a case study 396 00:14:46,560 --> 00:14:48,320 to illustrate developments that you 397 00:14:48,320 --> 00:14:50,560 encounter in other industries as well 398 00:14:50,560 --> 00:14:53,440 just nowhere else as as quickly as a 399 00:14:53,440 --> 00:14:55,519 step function as in the telco industry 400 00:14:55,519 --> 00:14:57,279 right because any kind of cloud 401 00:14:57,279 --> 00:14:59,440 environment would be built 402 00:14:59,440 --> 00:15:01,199 similarly so let's start with 403 00:15:01,199 --> 00:15:03,360 virtualization hacking or again to be 404 00:15:03,360 --> 00:15:05,839 more specific containerization hacking 405 00:15:05,839 --> 00:15:07,600 i'm not talking about vmware virtual 406 00:15:07,600 --> 00:15:09,920 machines i'm talking about very scalable 407 00:15:09,920 --> 00:15:12,480 cloud scale virtualization 408 00:15:12,480 --> 00:15:15,199 and as i said telcos have several 409 00:15:15,199 --> 00:15:17,199 hundred 410 00:15:17,199 --> 00:15:19,120 clouds distributed throughout the 411 00:15:19,120 --> 00:15:20,160 country 412 00:15:20,160 --> 00:15:23,519 to host all kinds of functionality and 413 00:15:23,519 --> 00:15:25,600 in theory because all of everything is 414 00:15:25,600 --> 00:15:27,279 virtualized 415 00:15:27,279 --> 00:15:29,040 you actually have a possible security 416 00:15:29,040 --> 00:15:30,079 upside 417 00:15:30,079 --> 00:15:32,079 because once everything is the the 418 00:15:32,079 --> 00:15:33,839 software is virtualized it's nicely 419 00:15:33,839 --> 00:15:36,720 segregated the networks become software 420 00:15:36,720 --> 00:15:38,639 defined so you can basically through 421 00:15:38,639 --> 00:15:40,880 configuration settings create any kind 422 00:15:40,880 --> 00:15:42,560 of segregation that you want on the 423 00:15:42,560 --> 00:15:44,560 network level on the on the hardware 424 00:15:44,560 --> 00:15:46,160 level 425 00:15:46,160 --> 00:15:48,000 most deployments that we have seen do 426 00:15:48,000 --> 00:15:50,000 not make much use of this very fine 427 00:15:50,000 --> 00:15:52,720 grained uh configurability and in fact 428 00:15:52,720 --> 00:15:55,759 go the opposite way creating new areas 429 00:15:55,759 --> 00:15:56,959 in which 430 00:15:56,959 --> 00:15:59,040 devices share resources right and in 431 00:15:59,040 --> 00:16:00,959 mobile networks of course availability 432 00:16:00,959 --> 00:16:02,639 is very important you need your network 433 00:16:02,639 --> 00:16:05,360 to be to be up right and if you have 434 00:16:05,360 --> 00:16:07,680 different different 435 00:16:07,680 --> 00:16:09,120 functional components share the same 436 00:16:09,120 --> 00:16:11,040 hardware if one of them 437 00:16:11,040 --> 00:16:12,880 overloads the system so to speak the 438 00:16:12,880 --> 00:16:15,120 others can suffer as well right so with 439 00:16:15,120 --> 00:16:16,720 virtualization the jury is a little bit 440 00:16:16,720 --> 00:16:19,040 out this is security gain or loss but 441 00:16:19,040 --> 00:16:21,040 certainly if you configure it badly it's 442 00:16:21,040 --> 00:16:22,880 definitely a loss and now we're going to 443 00:16:22,880 --> 00:16:25,759 look at the cases in which we find 444 00:16:25,759 --> 00:16:27,440 these environments to be badly 445 00:16:27,440 --> 00:16:28,959 configured 446 00:16:28,959 --> 00:16:31,759 so the the assumption is that there are 447 00:16:31,759 --> 00:16:33,360 different pieces of software all running 448 00:16:33,360 --> 00:16:35,759 in the same cloud right it could be an 449 00:16:35,759 --> 00:16:37,360 amazon cloud could be google cloud or in 450 00:16:37,360 --> 00:16:39,440 our case a telco cloud 451 00:16:39,440 --> 00:16:41,199 and some of them are trusted and really 452 00:16:41,199 --> 00:16:43,839 secure and very critical other ones uh 453 00:16:43,839 --> 00:16:45,600 maybe test instance somebody trying 454 00:16:45,600 --> 00:16:47,279 something out something unimportant 455 00:16:47,279 --> 00:16:50,000 different security levels okay now the 456 00:16:50,000 --> 00:16:52,800 big question is if something less secure 457 00:16:52,800 --> 00:16:54,160 gets hacked 458 00:16:54,160 --> 00:16:55,759 can a heck a break out of that 459 00:16:55,759 --> 00:16:57,759 environment and influence something more 460 00:16:57,759 --> 00:16:59,759 secure so can either hack the kubernetes 461 00:16:59,759 --> 00:17:02,320 underneath or influence some neighboring 462 00:17:02,320 --> 00:17:04,959 docker containers um and it turns out 463 00:17:04,959 --> 00:17:07,280 that there's multiple paths for doing 464 00:17:07,280 --> 00:17:10,160 this kind of container break out and uh 465 00:17:10,160 --> 00:17:12,160 here i'm listing the ones that we find 466 00:17:12,160 --> 00:17:14,240 most commonly in telco environments 467 00:17:14,240 --> 00:17:16,799 right there's probably other ones but um 468 00:17:16,799 --> 00:17:18,640 these are the ones that we do encounter 469 00:17:18,640 --> 00:17:21,119 and actual assessments so the way to 470 00:17:21,119 --> 00:17:22,959 read this is on the left you have a 471 00:17:22,959 --> 00:17:25,439 property a capability basically that you 472 00:17:25,439 --> 00:17:29,520 can assign to kubernetes as a pot or um 473 00:17:29,520 --> 00:17:32,799 or docker container um and if and the 474 00:17:32,799 --> 00:17:34,720 the the dark red ones are the ones that 475 00:17:34,720 --> 00:17:36,400 we find all the time 476 00:17:36,400 --> 00:17:38,240 they're kind of pseudo defaults not 477 00:17:38,240 --> 00:17:39,919 really defaults where people love to set 478 00:17:39,919 --> 00:17:42,160 those settings and then the lighter 479 00:17:42,160 --> 00:17:44,400 shaded ones um we don't find them quite 480 00:17:44,400 --> 00:17:46,880 as often but but still 481 00:17:46,880 --> 00:17:49,280 enough to be concerned right and so you 482 00:17:49,280 --> 00:17:51,039 start from one of these capabilities the 483 00:17:51,039 --> 00:17:52,640 middle then says how the hacker would 484 00:17:52,640 --> 00:17:55,120 abuse it on the right hand side uh says 485 00:17:55,120 --> 00:17:56,720 the outcome could be in a mobile network 486 00:17:56,720 --> 00:17:59,120 anything from running your own code kind 487 00:17:59,120 --> 00:18:01,200 of crypto miner style it's probably the 488 00:18:01,200 --> 00:18:04,720 least concern to accessing data so 489 00:18:04,720 --> 00:18:06,320 ransomware of course 490 00:18:06,320 --> 00:18:07,679 would be 491 00:18:07,679 --> 00:18:09,760 a relevant threat here two ultimately 492 00:18:09,760 --> 00:18:11,280 this is uh certainly the worst for 493 00:18:11,280 --> 00:18:13,200 mobile networks taking down the systems 494 00:18:13,200 --> 00:18:15,120 right basically disconnecting people 495 00:18:15,120 --> 00:18:17,440 from their critical infrastructure 496 00:18:17,440 --> 00:18:19,280 and just to take the first two perhaps 497 00:18:19,280 --> 00:18:21,360 as an example um so if those 498 00:18:21,360 --> 00:18:23,679 capabilities are set how does a hacker 499 00:18:23,679 --> 00:18:25,200 do this so the first two here privilege 500 00:18:25,200 --> 00:18:28,480 container and sysadmin so if 501 00:18:28,480 --> 00:18:30,320 if either of those capabilities are 502 00:18:30,320 --> 00:18:32,559 assigned to the docker container that 503 00:18:32,559 --> 00:18:34,400 basically means that from inside the 504 00:18:34,400 --> 00:18:36,240 docker you can communicate with the 505 00:18:36,240 --> 00:18:38,480 linux kernel of the host machine right 506 00:18:38,480 --> 00:18:40,480 in less constrained ways than a 507 00:18:40,480 --> 00:18:43,280 non-privileged container and 508 00:18:43,280 --> 00:18:45,440 i mean the linux hackers in the room of 509 00:18:45,440 --> 00:18:47,600 course already have 100 ideas um how to 510 00:18:47,600 --> 00:18:49,520 abuse this right and and it's a long 511 00:18:49,520 --> 00:18:51,039 list i'll just give you two examples 512 00:18:51,039 --> 00:18:55,440 here um you can um abuse a kernel 513 00:18:55,440 --> 00:18:57,200 feature around c groups c group is 514 00:18:57,200 --> 00:19:00,160 basically a way to handle processors you 515 00:19:00,160 --> 00:19:03,280 don't have to use it it's just easier um 516 00:19:03,280 --> 00:19:05,280 if you if you execute multiple processes 517 00:19:05,280 --> 00:19:07,039 basically as one batch 518 00:19:07,039 --> 00:19:09,440 kubernetes door definitely uses this so 519 00:19:09,440 --> 00:19:11,360 if you're inside a 520 00:19:11,360 --> 00:19:13,200 a docker container on kubernetes you 521 00:19:13,200 --> 00:19:15,440 know that the host machine uses c groups 522 00:19:15,440 --> 00:19:18,400 right that's important to know and 523 00:19:18,400 --> 00:19:20,080 basically there's a kernel feature where 524 00:19:20,080 --> 00:19:22,880 you can tell the kernel please 525 00:19:22,880 --> 00:19:25,600 let me know when uh when a c group com 526 00:19:25,600 --> 00:19:27,520 completes and i want to execute a little 527 00:19:27,520 --> 00:19:29,120 bit of code at the end 528 00:19:29,120 --> 00:19:31,840 right with root level uh permissions and 529 00:19:31,840 --> 00:19:33,280 basically you see it here this is 530 00:19:33,280 --> 00:19:36,000 basically a ps with root privileges you 531 00:19:36,000 --> 00:19:38,080 can execute any code you want right so 532 00:19:38,080 --> 00:19:39,039 you just 533 00:19:39,039 --> 00:19:41,679 notify the kernel to please um execute 534 00:19:41,679 --> 00:19:44,400 this snippet of code um at the end of a 535 00:19:44,400 --> 00:19:46,320 c group and you you basically have root 536 00:19:46,320 --> 00:19:48,880 level access right very straightforward 537 00:19:48,880 --> 00:19:51,360 and yeah no surprise right however 538 00:19:51,360 --> 00:19:53,440 people don't think about it like this 539 00:19:53,440 --> 00:19:54,880 when they assign this privilege to 540 00:19:54,880 --> 00:19:56,720 attribute to their containers most of 541 00:19:56,720 --> 00:19:57,840 the time 542 00:19:57,840 --> 00:19:59,600 another way is if you have access to the 543 00:19:59,600 --> 00:20:01,840 host pid namespace again that's that's 544 00:20:01,840 --> 00:20:03,440 given if either of those properties is 545 00:20:03,440 --> 00:20:06,880 set you can basically just just enter um 546 00:20:06,880 --> 00:20:08,159 the part of the name space that gives 547 00:20:08,159 --> 00:20:09,840 you the equivalent to root shell right 548 00:20:09,840 --> 00:20:12,880 so um really very straightforward 549 00:20:12,880 --> 00:20:14,880 exploits and these are just two of the 550 00:20:14,880 --> 00:20:16,720 examples the the other ones on the list 551 00:20:16,720 --> 00:20:18,240 are maybe a little bit more interesting 552 00:20:18,240 --> 00:20:20,799 because they're less intuitive so if you 553 00:20:20,799 --> 00:20:22,559 don't have a privileged container but 554 00:20:22,559 --> 00:20:24,559 still this host pid 555 00:20:24,559 --> 00:20:26,720 namespace access this is very commonly 556 00:20:26,720 --> 00:20:27,919 found 557 00:20:27,919 --> 00:20:30,240 you can't really access those processes 558 00:20:30,240 --> 00:20:31,600 running on the host machine but you can 559 00:20:31,600 --> 00:20:32,720 kill them 560 00:20:32,720 --> 00:20:34,000 and if you can kill everything that's 561 00:20:34,000 --> 00:20:36,080 running in the kubernetes on top of you 562 00:20:36,080 --> 00:20:37,760 you can take down the mobile network of 563 00:20:37,760 --> 00:20:41,520 course right um obvious right so um if 564 00:20:41,520 --> 00:20:44,080 you're building kubernetes environments 565 00:20:44,080 --> 00:20:46,320 look how often the host pid is set for 566 00:20:46,320 --> 00:20:48,640 your containers you'd be surprised right 567 00:20:48,640 --> 00:20:50,559 and then if you combine the host pid 568 00:20:50,559 --> 00:20:53,440 with another benign looking capability 569 00:20:53,440 --> 00:20:55,440 this is p trace you cannot just see 570 00:20:55,440 --> 00:20:57,200 those processes but you can inject code 571 00:20:57,200 --> 00:20:59,280 into the process in any process running 572 00:20:59,280 --> 00:21:01,440 on your host again that's root level 573 00:21:01,440 --> 00:21:03,120 access right that's basically root cell 574 00:21:03,120 --> 00:21:06,640 equivalent two benign looking things um 575 00:21:06,640 --> 00:21:09,200 are combined to basically full exploit 576 00:21:09,200 --> 00:21:10,400 um 577 00:21:10,400 --> 00:21:12,400 access to the file system is uh pretty 578 00:21:12,400 --> 00:21:14,400 dangerous as well i mean obviously if 579 00:21:14,400 --> 00:21:16,159 you have right access to the file system 580 00:21:16,159 --> 00:21:17,760 you can just overwrite configuration 581 00:21:17,760 --> 00:21:20,240 files you can add your ssh key what not 582 00:21:20,240 --> 00:21:22,320 but even read only access to the host's 583 00:21:22,320 --> 00:21:24,080 file system 584 00:21:24,080 --> 00:21:26,240 virtually always when we encounter this 585 00:21:26,240 --> 00:21:29,520 game over because you can find tokens so 586 00:21:29,520 --> 00:21:31,520 tokens are yeah as the name would 587 00:21:31,520 --> 00:21:33,039 suggest just strings 588 00:21:33,039 --> 00:21:34,480 that are used to access kubernetes 589 00:21:34,480 --> 00:21:35,919 infrastructure they're found in all 590 00:21:35,919 --> 00:21:38,000 kinds of configuration files so reading 591 00:21:38,000 --> 00:21:40,240 them is enough to then access kubernetes 592 00:21:40,240 --> 00:21:42,000 infrastructure 593 00:21:42,000 --> 00:21:44,720 also very popular finding passwords um a 594 00:21:44,720 --> 00:21:46,720 bunch of the utilities that you use to 595 00:21:46,720 --> 00:21:48,640 administer environments like this that 596 00:21:48,640 --> 00:21:50,480 take a username and a password as 597 00:21:50,480 --> 00:21:52,320 command line arguments 598 00:21:52,320 --> 00:21:54,240 so where do you find it in bash history 599 00:21:54,240 --> 00:21:56,240 right so if you have read only access to 600 00:21:56,240 --> 00:21:58,159 the file system often there's the 601 00:21:58,159 --> 00:22:00,559 password that you need to to go forward 602 00:22:00,559 --> 00:22:01,360 right 603 00:22:01,360 --> 00:22:03,039 the last one is the one that surprised 604 00:22:03,039 --> 00:22:04,559 me the most i don't know if everybody 605 00:22:04,559 --> 00:22:05,840 can see it from here it's basically 606 00:22:05,840 --> 00:22:08,720 network um network access right 607 00:22:08,720 --> 00:22:10,720 the reason it surprised me the most is 608 00:22:10,720 --> 00:22:12,400 of course i'm old school i know virtual 609 00:22:12,400 --> 00:22:14,080 machines more than docker containers 610 00:22:14,080 --> 00:22:16,400 right and if in a virtual machine if you 611 00:22:16,400 --> 00:22:18,240 give it network access that's not 612 00:22:18,240 --> 00:22:20,400 usually considered a security risk right 613 00:22:20,400 --> 00:22:21,760 i mean how could you run a virtual 614 00:22:21,760 --> 00:22:24,240 machine without network access 615 00:22:24,240 --> 00:22:26,000 it's basically a separate computer 616 00:22:26,000 --> 00:22:28,640 popping up on the same network right 617 00:22:28,640 --> 00:22:30,559 in docker it's not like that if you if 618 00:22:30,559 --> 00:22:32,559 you design a host network attribute it's 619 00:22:32,559 --> 00:22:35,120 sharing the same network interface right 620 00:22:35,120 --> 00:22:37,120 so imagine you have some services tied 621 00:22:37,120 --> 00:22:39,600 to localhost and localhost only right if 622 00:22:39,600 --> 00:22:41,840 you're sharing a network interface the 623 00:22:41,840 --> 00:22:45,039 guest can now access your localhost and 624 00:22:45,039 --> 00:22:47,600 it used to be that even the 625 00:22:47,600 --> 00:22:50,240 kubernetes api the api to basically 626 00:22:50,240 --> 00:22:52,320 configure anything in kubernetes was 627 00:22:52,320 --> 00:22:54,000 often bound to localhost and didn't have 628 00:22:54,000 --> 00:22:56,000 authentication switched on right so 629 00:22:56,000 --> 00:22:57,679 that's game over right there at least 630 00:22:57,679 --> 00:23:00,240 the authentication is now switched on um 631 00:23:00,240 --> 00:23:02,400 in more recent versions but depending on 632 00:23:02,400 --> 00:23:04,320 how how old your kubernetes environment 633 00:23:04,320 --> 00:23:07,120 is this is a big concern but at the very 634 00:23:07,120 --> 00:23:09,200 least i mean given that that this this 635 00:23:09,200 --> 00:23:10,880 interface is shared between host and 636 00:23:10,880 --> 00:23:14,000 guest now um that the gas can tcp dump 637 00:23:14,000 --> 00:23:15,520 everything that's coming in and out of 638 00:23:15,520 --> 00:23:18,000 the host right so that by itself is 639 00:23:18,000 --> 00:23:20,799 already a problem unless they use ssl 640 00:23:20,799 --> 00:23:22,400 for everything 641 00:23:22,400 --> 00:23:24,240 but now guess how they build kubernetes 642 00:23:24,240 --> 00:23:25,919 classes right they say oh everything 643 00:23:25,919 --> 00:23:27,840 that happens within a kubernetes cluster 644 00:23:27,840 --> 00:23:29,919 is trusted it never goes over physical 645 00:23:29,919 --> 00:23:32,480 cable we don't need ssl right everything 646 00:23:32,480 --> 00:23:34,480 unencrypted so 647 00:23:34,480 --> 00:23:38,159 giving network level access to a guest 648 00:23:38,159 --> 00:23:40,400 usually means the host gets hacked right 649 00:23:40,400 --> 00:23:41,440 so just 650 00:23:41,440 --> 00:23:43,600 a whole collection of things that can go 651 00:23:43,600 --> 00:23:45,200 go wrong and again this is just the 652 00:23:45,200 --> 00:23:46,880 stuff that we see in real assessments 653 00:23:46,880 --> 00:23:49,679 there's more stuff that can go wrong 654 00:23:49,679 --> 00:23:51,360 in theory 655 00:23:51,360 --> 00:23:52,960 so um 656 00:23:52,960 --> 00:23:54,000 that was that was a part on 657 00:23:54,000 --> 00:23:56,400 virtualization hacking um let's talk 658 00:23:56,400 --> 00:23:59,120 about automation and the 659 00:23:59,120 --> 00:24:01,440 the implications of of basically this 660 00:24:01,440 --> 00:24:03,360 development 661 00:24:03,360 --> 00:24:05,840 um that instead of having 662 00:24:05,840 --> 00:24:06,960 people 663 00:24:06,960 --> 00:24:09,679 typing in configuration like old school 664 00:24:09,679 --> 00:24:13,120 linus admin type right um you have some 665 00:24:13,120 --> 00:24:15,279 um you have some scripts and an 666 00:24:15,279 --> 00:24:18,480 uncountable number of scripts that are 667 00:24:18,480 --> 00:24:20,880 that are created by all kinds of uh 668 00:24:20,880 --> 00:24:22,320 developers that are pushed through all 669 00:24:22,320 --> 00:24:24,720 kinds of crcd tools right so what's the 670 00:24:24,720 --> 00:24:27,760 implication of that for security um well 671 00:24:27,760 --> 00:24:30,480 of course that um some threads that we 672 00:24:30,480 --> 00:24:32,400 had before amplified some new threats 673 00:24:32,400 --> 00:24:34,000 are introduced and then i guess the 674 00:24:34,000 --> 00:24:35,520 third category would be stuff that 675 00:24:35,520 --> 00:24:37,760 should never uh happen happens anyway 676 00:24:37,760 --> 00:24:39,440 because it's becoming so complex now let 677 00:24:39,440 --> 00:24:41,200 me give you one example of each of those 678 00:24:41,200 --> 00:24:42,400 categories 679 00:24:42,400 --> 00:24:43,919 the threat that was already there that's 680 00:24:43,919 --> 00:24:46,480 being amplified is phishing on or social 681 00:24:46,480 --> 00:24:48,559 engineering in general right so instead 682 00:24:48,559 --> 00:24:52,480 of five linux sys admin types 683 00:24:52,480 --> 00:24:54,159 you now can fish 684 00:24:54,159 --> 00:24:56,240 hundreds of people across various 685 00:24:56,240 --> 00:24:58,240 companies that are all somehow 686 00:24:58,240 --> 00:25:00,799 contributing code into the configuration 687 00:25:00,799 --> 00:25:03,279 of this mobile network right um if you 688 00:25:03,279 --> 00:25:05,120 get to fish any one of them 689 00:25:05,120 --> 00:25:06,000 um 690 00:25:06,000 --> 00:25:07,840 there's a good chance that ultimately 691 00:25:07,840 --> 00:25:09,279 you can adversely affect the mobile 692 00:25:09,279 --> 00:25:10,720 network right so that threat is 693 00:25:10,720 --> 00:25:12,400 amplified threats that are completely 694 00:25:12,400 --> 00:25:15,200 new it's a whole ecosystem of basically 695 00:25:15,200 --> 00:25:18,000 software development tools that are now 696 00:25:18,000 --> 00:25:19,679 part of the operation of your mobile 697 00:25:19,679 --> 00:25:22,240 network right somebody somewhere commits 698 00:25:22,240 --> 00:25:23,919 something to github 699 00:25:23,919 --> 00:25:26,159 it goes through all kinds of ci cd it 700 00:25:26,159 --> 00:25:28,159 becomes packaged somewhere it gets 701 00:25:28,159 --> 00:25:30,240 downloaded into an image that image gets 702 00:25:30,240 --> 00:25:32,400 deployed through another csd 703 00:25:32,400 --> 00:25:35,200 any part of that chain gets hacked your 704 00:25:35,200 --> 00:25:37,120 mobile network is at risk 705 00:25:37,120 --> 00:25:38,640 right and then there's stuff that should 706 00:25:38,640 --> 00:25:40,320 never happen but of course you know you 707 00:25:40,320 --> 00:25:41,679 have hundreds of people working on this 708 00:25:41,679 --> 00:25:42,480 stuff 709 00:25:42,480 --> 00:25:44,960 people posting questions on let's say 710 00:25:44,960 --> 00:25:46,799 stack overflow saying oh can you look at 711 00:25:46,799 --> 00:25:48,480 this piece of code what am i doing wrong 712 00:25:48,480 --> 00:25:50,400 and they're leaking internal secrets 713 00:25:50,400 --> 00:25:52,159 right hundreds of people are involved 714 00:25:52,159 --> 00:25:55,679 one of them will do that for sure right 715 00:25:55,679 --> 00:25:57,919 but you see how the attack service now 716 00:25:57,919 --> 00:25:59,840 becomes really hard to capture right 717 00:25:59,840 --> 00:26:01,360 like there's hundreds of people across 718 00:26:01,360 --> 00:26:02,960 different companies using all of these 719 00:26:02,960 --> 00:26:05,039 tools all of this in theory would need 720 00:26:05,039 --> 00:26:07,039 to be tested now to know whether or not 721 00:26:07,039 --> 00:26:09,120 your network is secure so kind of the 722 00:26:09,120 --> 00:26:11,120 pen testing that we used to do doesn't 723 00:26:11,120 --> 00:26:12,640 apply anymore you don't even know what 724 00:26:12,640 --> 00:26:15,200 the scope is right so instead of course 725 00:26:15,200 --> 00:26:16,559 this needs to be tested through red 726 00:26:16,559 --> 00:26:18,720 teaming everybody knows what red teaming 727 00:26:18,720 --> 00:26:20,799 is right yeah so basically an open 728 00:26:20,799 --> 00:26:23,440 invitation to to hack a company any way 729 00:26:23,440 --> 00:26:25,520 you want and then explain them how he 730 00:26:25,520 --> 00:26:27,120 did it so they can learn from it and 731 00:26:27,120 --> 00:26:29,120 then there's iterations where based on 732 00:26:29,120 --> 00:26:30,960 what you find they get better and then 733 00:26:30,960 --> 00:26:32,640 it's a little bit harder next time or a 734 00:26:32,640 --> 00:26:34,799 little bit more fun if you ask my team 735 00:26:34,799 --> 00:26:36,960 and then you know it's these iterations 736 00:26:36,960 --> 00:26:39,200 right and what i'll show you next is 737 00:26:39,200 --> 00:26:40,880 kind of the best off of the red teaming 738 00:26:40,880 --> 00:26:42,640 that we've done so we do dozens of red 739 00:26:42,640 --> 00:26:45,120 teams but um a handful of them against 740 00:26:45,120 --> 00:26:47,600 5g telcos so what have we found in 741 00:26:47,600 --> 00:26:49,919 actual 5g telcos that allowed us to 742 00:26:49,919 --> 00:26:51,840 achieve all of these hacking goals that 743 00:26:51,840 --> 00:26:53,919 i listed in the beginning and i should 744 00:26:53,919 --> 00:26:55,679 say this is the best of kind of a mashup 745 00:26:55,679 --> 00:26:56,880 of different so 746 00:26:56,880 --> 00:26:58,559 it's not one network that's affected by 747 00:26:58,559 --> 00:27:01,120 all of these i wouldn't disclose uh 748 00:27:01,120 --> 00:27:03,039 client information like this but it's 749 00:27:03,039 --> 00:27:05,039 kind of a yeah 750 00:27:05,039 --> 00:27:06,799 a collage 751 00:27:06,799 --> 00:27:07,919 um 752 00:27:07,919 --> 00:27:10,640 so their first hacking journey um 753 00:27:10,640 --> 00:27:13,840 starts from the internet and we find 754 00:27:13,840 --> 00:27:17,120 some developer put up a website 755 00:27:17,120 --> 00:27:18,799 something unauthenticated they're just 756 00:27:18,799 --> 00:27:20,559 playing around with something that they 757 00:27:20,559 --> 00:27:22,399 probably mean to take it down a day or 758 00:27:22,399 --> 00:27:24,720 so later they know it's probably not 759 00:27:24,720 --> 00:27:27,440 secure which is why it's completely 760 00:27:27,440 --> 00:27:29,919 isolated in their network okay we get to 761 00:27:29,919 --> 00:27:32,320 hack it and it's basically that end 762 00:27:32,320 --> 00:27:34,159 right this has no access to anything on 763 00:27:34,159 --> 00:27:35,440 the internal network it's just some 764 00:27:35,440 --> 00:27:37,760 boring website however 765 00:27:37,760 --> 00:27:39,919 it's running in a docker container on 766 00:27:39,919 --> 00:27:41,679 the kubernetes so if any of those 767 00:27:41,679 --> 00:27:44,480 capabilities we looked at earlier is set 768 00:27:44,480 --> 00:27:46,880 we break out of the docker container and 769 00:27:46,880 --> 00:27:49,039 now we're on the kubernetes layer right 770 00:27:49,039 --> 00:27:50,399 and sure enough of course one of these 771 00:27:50,399 --> 00:27:53,360 capabilities was set so we did break out 772 00:27:53,360 --> 00:27:54,880 and now in the kubernetes layer which 773 00:27:54,880 --> 00:27:56,480 means we're not constrained anymore the 774 00:27:56,480 --> 00:27:59,760 kubernetes has access to everything that 775 00:27:59,760 --> 00:28:01,840 any of the container needs access to 776 00:28:01,840 --> 00:28:03,919 right so these combinators environment 777 00:28:03,919 --> 00:28:06,240 it's very hard to kind of dm set them 778 00:28:06,240 --> 00:28:09,520 away right um so we can 779 00:28:09,520 --> 00:28:11,120 we we start looking on the internal 780 00:28:11,120 --> 00:28:13,440 network third step um 781 00:28:13,440 --> 00:28:15,120 very slowly right there's always a blue 782 00:28:15,120 --> 00:28:17,039 team that's looking on what's happening 783 00:28:17,039 --> 00:28:19,360 on the network so you do this space out 784 00:28:19,360 --> 00:28:21,440 over days if not weeks you find 785 00:28:21,440 --> 00:28:22,720 different servers you find different 786 00:28:22,720 --> 00:28:24,640 apis in fact you'll find hundreds of 787 00:28:24,640 --> 00:28:27,760 apis mobile networks today a lot of 788 00:28:27,760 --> 00:28:29,840 a lot of what i do is microservice based 789 00:28:29,840 --> 00:28:32,080 right so just apis everywhere and you 790 00:28:32,080 --> 00:28:34,720 know mistakes are being made so um 791 00:28:34,720 --> 00:28:37,360 completely by accident i believe um one 792 00:28:37,360 --> 00:28:39,760 of these apis if you send wrong stuff to 793 00:28:39,760 --> 00:28:41,840 them it sends you back debug information 794 00:28:41,840 --> 00:28:43,600 and in the debug information that's the 795 00:28:43,600 --> 00:28:45,760 credentials of one of the developers who 796 00:28:45,760 --> 00:28:48,080 knows right mistakes are being made 797 00:28:48,080 --> 00:28:50,399 those credentials they allow us to to 798 00:28:50,399 --> 00:28:52,399 access some systems not necessarily 799 00:28:52,399 --> 00:28:54,320 production system in the sense of mobile 800 00:28:54,320 --> 00:28:56,399 network we're still on the i.t side 801 00:28:56,399 --> 00:28:58,480 right where the websites live but 802 00:28:58,480 --> 00:29:00,240 there's kind of a data lake 803 00:29:00,240 --> 00:29:01,919 equivalent right an elastic search that 804 00:29:01,919 --> 00:29:03,760 includes a lot of information to do 805 00:29:03,760 --> 00:29:06,480 statistical analysis and so enough we 806 00:29:06,480 --> 00:29:08,640 find the customer text messages in there 807 00:29:08,640 --> 00:29:09,520 right 808 00:29:09,520 --> 00:29:12,240 so this is a multi-week hacking journey 809 00:29:12,240 --> 00:29:13,600 to basically 810 00:29:13,600 --> 00:29:15,760 achieve the equivalent that in 2g took 811 00:29:15,760 --> 00:29:17,919 one minute right sticking up an antenna 812 00:29:17,919 --> 00:29:18,720 um 813 00:29:18,720 --> 00:29:21,120 capturing the text messages around 814 00:29:21,120 --> 00:29:23,279 you however now we get the text messages 815 00:29:23,279 --> 00:29:25,760 of an entire country right so maybe it's 816 00:29:25,760 --> 00:29:27,279 worth spending a few weeks on this 817 00:29:27,279 --> 00:29:29,039 certainly for somebody who wants to 818 00:29:29,039 --> 00:29:31,360 break two-factor authentication or any 819 00:29:31,360 --> 00:29:33,760 of the things that are attached to text 820 00:29:33,760 --> 00:29:36,399 messaging today right 821 00:29:36,399 --> 00:29:38,480 so that that's one hacking journey and 822 00:29:38,480 --> 00:29:40,399 you see how none of this actually 823 00:29:40,399 --> 00:29:42,159 targeted telco 824 00:29:42,159 --> 00:29:44,480 standards right it 825 00:29:44,480 --> 00:29:46,159 doesn't even matter that this is a 5g 826 00:29:46,159 --> 00:29:47,840 network what matters is that this is a 827 00:29:47,840 --> 00:29:49,520 highly virtualized 828 00:29:49,520 --> 00:29:51,520 network with lots of automation 829 00:29:51,520 --> 00:29:53,600 fragments floating around and the same 830 00:29:53,600 --> 00:29:55,360 will be true for for the other hacking 831 00:29:55,360 --> 00:29:58,159 journeys so second one um 832 00:29:58,159 --> 00:30:00,240 so it shares some of the same steps so 833 00:30:00,240 --> 00:30:02,000 i'm not going to repeat those uh but 834 00:30:02,000 --> 00:30:04,080 then basically once we're on in internal 835 00:30:04,080 --> 00:30:05,600 network we look around more and more and 836 00:30:05,600 --> 00:30:08,480 more of course we find development um 837 00:30:08,480 --> 00:30:11,360 fragments right in this case a gitlab um 838 00:30:11,360 --> 00:30:13,679 somebody has um basically shadowfile 839 00:30:13,679 --> 00:30:16,240 equivalent so um 840 00:30:16,240 --> 00:30:18,640 hash passwords that they deploy as part 841 00:30:18,640 --> 00:30:20,640 of some configuration update who knows 842 00:30:20,640 --> 00:30:23,120 right um one of these passwords is 843 00:30:23,120 --> 00:30:25,200 crackable we crack it and that password 844 00:30:25,200 --> 00:30:27,760 now gives us access to wherever this 845 00:30:27,760 --> 00:30:29,600 configuration shadow file was deployed 846 00:30:29,600 --> 00:30:31,039 to right i mean it's the whole point 847 00:30:31,039 --> 00:30:34,799 right um including um the the database 848 00:30:34,799 --> 00:30:36,320 that has all the registration 849 00:30:36,320 --> 00:30:38,320 information of all of the customers of 850 00:30:38,320 --> 00:30:40,240 this telco right so bank accounts 851 00:30:40,240 --> 00:30:42,880 addresses and whatnot right again we we 852 00:30:42,880 --> 00:30:45,360 didn't touch anything telco specific to 853 00:30:45,360 --> 00:30:49,039 be able to break in very very thoroughly 854 00:30:49,039 --> 00:30:51,279 third and last hacking journey um this 855 00:30:51,279 --> 00:30:53,600 one is is uh finally getting into the 856 00:30:53,600 --> 00:30:56,240 telco domain so again we reused some of 857 00:30:56,240 --> 00:30:58,320 the building blocks especially uh this 858 00:30:58,320 --> 00:31:00,880 credential um we found earlier but we 859 00:31:00,880 --> 00:31:02,559 also need one one other bit of 860 00:31:02,559 --> 00:31:04,960 information and that is a description of 861 00:31:04,960 --> 00:31:07,600 of an internal api which you know 862 00:31:07,600 --> 00:31:10,080 usually an api isn't self-explanatory 863 00:31:10,080 --> 00:31:12,399 right so you somehow need to understand 864 00:31:12,399 --> 00:31:15,039 how to communicate with these apis and 865 00:31:15,039 --> 00:31:16,960 in this particular case this was shared 866 00:31:16,960 --> 00:31:19,200 on the internet and you can argue 867 00:31:19,200 --> 00:31:21,600 whether this is a security issue because 868 00:31:21,600 --> 00:31:22,960 you know believers in open source 869 00:31:22,960 --> 00:31:24,480 software of course say the source code 870 00:31:24,480 --> 00:31:26,480 can be open that's not a security issue 871 00:31:26,480 --> 00:31:29,120 as long as your credentials are uh 872 00:31:29,120 --> 00:31:30,320 protected 873 00:31:30,320 --> 00:31:32,720 i'm not sure if that's if there's you 874 00:31:32,720 --> 00:31:35,039 know many eyes make bugs go away 875 00:31:35,039 --> 00:31:37,279 argument uh applies to software that's 876 00:31:37,279 --> 00:31:39,279 really only used in one or two companies 877 00:31:39,279 --> 00:31:41,120 because you post it on internet people 878 00:31:41,120 --> 00:31:42,880 don't start looking for bugs in it it's 879 00:31:42,880 --> 00:31:44,720 just the hacker will use that 880 00:31:44,720 --> 00:31:47,120 information so some level of obscurity 881 00:31:47,120 --> 00:31:50,159 sometimes helps in and protecting apis 882 00:31:50,159 --> 00:31:52,880 in an event this was uh on the internet 883 00:31:52,880 --> 00:31:55,360 leaked we already have the access so we 884 00:31:55,360 --> 00:31:57,279 can finally access something in the 885 00:31:57,279 --> 00:31:59,840 telco network in the rand network right 886 00:31:59,840 --> 00:32:02,640 um in fact not just one this intelligent 887 00:32:02,640 --> 00:32:04,399 controller is kind of an optimization 888 00:32:04,399 --> 00:32:06,399 piece of software that's deployed in 889 00:32:06,399 --> 00:32:08,000 each one of these hundreds of data 890 00:32:08,000 --> 00:32:11,039 centers okay so we can access a software 891 00:32:11,039 --> 00:32:13,679 component in hundreds of different 892 00:32:13,679 --> 00:32:15,279 dockers deployed on hundreds of 893 00:32:15,279 --> 00:32:17,200 different kubernetes 894 00:32:17,200 --> 00:32:19,600 and sure enough again 895 00:32:19,600 --> 00:32:22,559 they didn't configure the docker 896 00:32:22,559 --> 00:32:24,720 sufficiently so we can break out into 897 00:32:24,720 --> 00:32:26,720 all of these hundreds of kubernetes 898 00:32:26,720 --> 00:32:28,480 environments and basically take down the 899 00:32:28,480 --> 00:32:30,240 entire mobile network 900 00:32:30,240 --> 00:32:32,320 right so you see how few steps are 901 00:32:32,320 --> 00:32:35,600 actually required um to take control of 902 00:32:35,600 --> 00:32:38,159 an entire network or then take it down 903 00:32:38,159 --> 00:32:41,519 the os to the whole network 904 00:32:41,519 --> 00:32:42,399 and again 905 00:32:42,399 --> 00:32:44,799 none of this is telco specific and in 906 00:32:44,799 --> 00:32:47,279 fact if this went a presentation on 907 00:32:47,279 --> 00:32:49,600 telco networks you could explain 908 00:32:49,600 --> 00:32:52,240 something very similar about most of the 909 00:32:52,240 --> 00:32:53,679 private cloud environments that 910 00:32:53,679 --> 00:32:55,600 companies are building basically 911 00:32:55,600 --> 00:32:57,760 everybody is working on something 912 00:32:57,760 --> 00:32:59,760 similar right now 913 00:32:59,760 --> 00:33:01,840 so let's talk a little bit about uh how 914 00:33:01,840 --> 00:33:04,159 to build those infrastructures better 915 00:33:04,159 --> 00:33:07,120 telco open ran whatever infrastructure 916 00:33:07,120 --> 00:33:08,840 you have right 917 00:33:08,840 --> 00:33:11,279 um obviously you know configure your 918 00:33:11,279 --> 00:33:13,200 kubernetes better or not the kubernetes 919 00:33:13,200 --> 00:33:15,440 itself the pods and the docker 920 00:33:15,440 --> 00:33:17,120 containers running in your kubernetes 921 00:33:17,120 --> 00:33:18,640 kubernetes gives you all of these 922 00:33:18,640 --> 00:33:20,480 different configuration settings make 923 00:33:20,480 --> 00:33:22,960 good use of them and and be considerate 924 00:33:22,960 --> 00:33:23,840 and be 925 00:33:23,840 --> 00:33:25,360 and acknowledge that it's not virtual 926 00:33:25,360 --> 00:33:27,519 machines running in vmware anymore that 927 00:33:27,519 --> 00:33:29,679 uh that um 928 00:33:29,679 --> 00:33:31,760 that are much tighter mesh together 929 00:33:31,760 --> 00:33:33,360 we're gonna go go through this in detail 930 00:33:33,360 --> 00:33:34,640 this is more a 931 00:33:34,640 --> 00:33:37,039 take home list in case you are working 932 00:33:37,039 --> 00:33:39,519 on any technology like this now for 933 00:33:39,519 --> 00:33:41,279 mobile networks more generally we've 934 00:33:41,279 --> 00:33:43,840 been giving um kind of these generic 935 00:33:43,840 --> 00:33:46,240 pieces of advice for years now and again 936 00:33:46,240 --> 00:33:47,279 it just 937 00:33:47,279 --> 00:33:48,880 traverses 938 00:33:48,880 --> 00:33:50,720 telco networks 939 00:33:50,720 --> 00:33:53,360 all of these are easily set and in fact 940 00:33:53,360 --> 00:33:55,200 um you know in our community here we 941 00:33:55,200 --> 00:33:57,679 always wonder why do networks 942 00:33:57,679 --> 00:33:59,840 not do this by default right the whole 943 00:33:59,840 --> 00:34:01,360 security by design i mean i don't know 944 00:34:01,360 --> 00:34:03,120 who coined that term but it's definitely 945 00:34:03,120 --> 00:34:05,120 older than my interest in security so 946 00:34:05,120 --> 00:34:07,279 people 20 30 years ago would have used 947 00:34:07,279 --> 00:34:09,918 that concept and yet today it's not yet 948 00:34:09,918 --> 00:34:12,800 found everywhere and uh i wanted to just 949 00:34:12,800 --> 00:34:15,199 alert you to the complexity of acting 950 00:34:15,199 --> 00:34:18,000 even on simple advice um with two 951 00:34:18,000 --> 00:34:19,918 examples to to conclude what i'm 952 00:34:19,918 --> 00:34:21,359 presenting today 953 00:34:21,359 --> 00:34:22,399 um 954 00:34:22,399 --> 00:34:24,639 the first example of where 955 00:34:24,639 --> 00:34:25,599 um 956 00:34:25,599 --> 00:34:26,960 the reality is just much more 957 00:34:26,960 --> 00:34:29,599 complicated uh than you would imagine is 958 00:34:29,599 --> 00:34:31,679 patching on hardening right come to base 959 00:34:31,679 --> 00:34:33,440 security processes if you don't patch 960 00:34:33,440 --> 00:34:35,119 yourself you don't you don't harden your 961 00:34:35,119 --> 00:34:37,040 stuff you might just as well not do any 962 00:34:37,040 --> 00:34:38,800 security at all it's really absolute 963 00:34:38,800 --> 00:34:42,239 baseline and why do mobile networks not 964 00:34:42,239 --> 00:34:43,679 get hardened i mean for different 965 00:34:43,679 --> 00:34:45,040 reasons in kind of the closed 966 00:34:45,040 --> 00:34:46,719 architectures that were deployed up 967 00:34:46,719 --> 00:34:49,280 until today and is open including open 968 00:34:49,280 --> 00:34:51,119 ran architectures that are running on 969 00:34:51,119 --> 00:34:53,520 clouds so traditionally i mean there's 970 00:34:53,520 --> 00:34:55,839 really no excuse why they don't patch 971 00:34:55,839 --> 00:34:56,960 other than 972 00:34:56,960 --> 00:34:58,560 the way they deploy these networks where 973 00:34:58,560 --> 00:35:00,079 they say once we deploy it we don't 974 00:35:00,079 --> 00:35:02,880 touch it anymore the vendor in china in 975 00:35:02,880 --> 00:35:04,720 sweden wherever they first have to go 976 00:35:04,720 --> 00:35:05,760 through 977 00:35:05,760 --> 00:35:08,000 months long test procedures before they 978 00:35:08,000 --> 00:35:09,839 can say that a new release is ready and 979 00:35:09,839 --> 00:35:11,440 can be deployed i mean if the test 980 00:35:11,440 --> 00:35:13,040 procedure takes several months and then 981 00:35:13,040 --> 00:35:14,800 deployment takes several months you 982 00:35:14,800 --> 00:35:16,400 might just as well not be patching i 983 00:35:16,400 --> 00:35:18,480 mean you're months behind on the 984 00:35:18,480 --> 00:35:20,079 patching right so usually you get 985 00:35:20,079 --> 00:35:22,720 security patches about once a year these 986 00:35:22,720 --> 00:35:24,720 are standard linux boxes that are one 987 00:35:24,720 --> 00:35:27,119 year outdated every cve in the world 988 00:35:27,119 --> 00:35:30,079 applies to them right so it's just an 989 00:35:30,079 --> 00:35:31,760 ecosystem breakdown the way that these 990 00:35:31,760 --> 00:35:33,680 things are procured uh just doesn't 991 00:35:33,680 --> 00:35:36,240 allow for patching that excuse goes away 992 00:35:36,240 --> 00:35:38,960 in these cloud environments right um 993 00:35:38,960 --> 00:35:41,359 in a cloud you control everything you uh 994 00:35:41,359 --> 00:35:43,599 you in fact you're changing stuff so 995 00:35:43,599 --> 00:35:46,160 often you might just as well 996 00:35:46,160 --> 00:35:48,480 redeploy it with new patches 997 00:35:48,480 --> 00:35:50,320 netflix had an interesting strategy 998 00:35:50,320 --> 00:35:52,400 around it netflix had basically in each 999 00:35:52,400 --> 00:35:53,920 of their virtual machines or docker 1000 00:35:53,920 --> 00:35:55,599 containers they have a 1001 00:35:55,599 --> 00:35:58,400 self-destruct timer that runs out at 72 1002 00:35:58,400 --> 00:36:00,400 hours so each each docker destroys 1003 00:36:00,400 --> 00:36:02,800 itself after 72 hours then it's rebuilt 1004 00:36:02,800 --> 00:36:05,040 from a cicd pipeline and the clcd 1005 00:36:05,040 --> 00:36:06,480 pipeline of course has all the latest 1006 00:36:06,480 --> 00:36:08,240 patches built in so 1007 00:36:08,240 --> 00:36:10,000 netflix doesn't have patch management 1008 00:36:10,000 --> 00:36:12,880 they only have basically suicide of 1009 00:36:12,880 --> 00:36:15,920 virtual machines right um 1010 00:36:15,920 --> 00:36:17,040 but 1011 00:36:17,040 --> 00:36:18,800 now the complication in mobile networks 1012 00:36:18,800 --> 00:36:21,440 is who would be able to pull together 1013 00:36:21,440 --> 00:36:23,119 your patches because each of those 1014 00:36:23,119 --> 00:36:25,599 dockers is a in an individual an 1015 00:36:25,599 --> 00:36:27,680 individually stripped down version of 1016 00:36:27,680 --> 00:36:31,440 linux so nobody even knows what uh what 1017 00:36:31,440 --> 00:36:33,359 packages you would have to apply and how 1018 00:36:33,359 --> 00:36:35,119 this is not coming from red ted or 1019 00:36:35,119 --> 00:36:38,160 debian this is just a custom linux and 1020 00:36:38,160 --> 00:36:39,920 if you run your own custom linux you are 1021 00:36:39,920 --> 00:36:41,920 responsible for patch management and 1022 00:36:41,920 --> 00:36:43,599 there's dozens of vendors involved and 1023 00:36:43,599 --> 00:36:44,640 of course 1024 00:36:44,640 --> 00:36:46,960 they don't run linux distros for 1025 00:36:46,960 --> 00:36:49,680 business so patching is just so hard in 1026 00:36:49,680 --> 00:36:52,160 telcos and i mean it breaks my heart 1027 00:36:52,160 --> 00:36:54,400 right years later still very little 1028 00:36:54,400 --> 00:36:56,560 progress similar and this is the final 1029 00:36:56,560 --> 00:36:58,880 example that i'll leave you with um 1030 00:36:58,880 --> 00:37:00,880 standard security tools like an edr 1031 00:37:00,880 --> 00:37:02,800 system right we do a lot of red teaming 1032 00:37:02,800 --> 00:37:04,800 and when we encounter an edr it usually 1033 00:37:04,800 --> 00:37:06,880 sets us back by about a week takes like 1034 00:37:06,880 --> 00:37:08,720 a week to find a way to circumvent it 1035 00:37:08,720 --> 00:37:10,640 it's you know a good slowdown measure 1036 00:37:10,640 --> 00:37:12,880 for hackers right do we encounter them 1037 00:37:12,880 --> 00:37:14,880 in mobile networks no 1038 00:37:14,880 --> 00:37:16,880 well for basically the same reasons 1039 00:37:16,880 --> 00:37:17,760 because 1040 00:37:17,760 --> 00:37:21,760 um the the old-school network vendors do 1041 00:37:21,760 --> 00:37:24,160 not really allow uh you to deploy 1042 00:37:24,160 --> 00:37:26,320 anything on the linux boxes and they 1043 00:37:26,320 --> 00:37:27,760 don't come with an edr so there is no 1044 00:37:27,760 --> 00:37:29,760 idea sometimes you can force us onto 1045 00:37:29,760 --> 00:37:32,079 there if you you know sign it if the edr 1046 00:37:32,079 --> 00:37:34,000 breaks the availability of the network 1047 00:37:34,000 --> 00:37:35,839 you're actually responsible so we have 1048 00:37:35,839 --> 00:37:37,520 seen cases where this is done but only 1049 00:37:37,520 --> 00:37:39,760 ever was false against the vendor 1050 00:37:39,760 --> 00:37:41,520 in the kubernetes docker environment 1051 00:37:41,520 --> 00:37:42,800 again same question these are 1052 00:37:42,800 --> 00:37:45,680 stripped-down versions of linux no edr 1053 00:37:45,680 --> 00:37:47,680 system will work on this out of the box 1054 00:37:47,680 --> 00:37:50,480 these are basically uh embedded linux 1055 00:37:50,480 --> 00:37:52,560 you could call it right ida just isn't 1056 00:37:52,560 --> 00:37:55,119 made for that right so we're basically 1057 00:37:55,119 --> 00:37:57,599 in a situation now where telco networks 1058 00:37:57,599 --> 00:37:59,680 have become cloud environments but where 1059 00:37:59,680 --> 00:38:01,760 the standard security process is like 1060 00:38:01,760 --> 00:38:03,440 patching hardening and the standard 1061 00:38:03,440 --> 00:38:06,400 security tools like edr do not readily 1062 00:38:06,400 --> 00:38:09,520 apply them right big protection gap and 1063 00:38:09,520 --> 00:38:10,400 um 1064 00:38:10,400 --> 00:38:11,839 i i hope you all 1065 00:38:11,839 --> 00:38:13,920 consider this a challenge right either 1066 00:38:13,920 --> 00:38:16,480 to to become more of a telco hacker no 1067 00:38:16,480 --> 00:38:17,920 matter what part of hacking you're 1068 00:38:17,920 --> 00:38:19,920 coming from i'm sure you saw some 1069 00:38:19,920 --> 00:38:22,000 commonality today where basically 1070 00:38:22,000 --> 00:38:24,640 hackers uh telco networks have grown 1071 00:38:24,640 --> 00:38:27,280 into your area of expertise but also if 1072 00:38:27,280 --> 00:38:29,040 you're building uh networks and if 1073 00:38:29,040 --> 00:38:31,920 you're securing networks um i'd really 1074 00:38:31,920 --> 00:38:34,800 like to invite you to to uh consider 1075 00:38:34,800 --> 00:38:36,640 securing telco networks in the future we 1076 00:38:36,640 --> 00:38:38,160 all rely on them for our digital 1077 00:38:38,160 --> 00:38:40,160 lifestyles right so it's important to 1078 00:38:40,160 --> 00:38:42,320 keep those networks secure like we're 1079 00:38:42,320 --> 00:38:44,000 already keeping cloud infrastructure 1080 00:38:44,000 --> 00:38:47,040 secure right um yeah and with that i'm 1081 00:38:47,040 --> 00:38:49,040 i'm at the end all this left to me is 1082 00:38:49,040 --> 00:38:50,720 thank you for for sitting here in this 1083 00:38:50,720 --> 00:38:52,800 hot tent with me and and bringing back 1084 00:38:52,800 --> 00:38:54,640 so many good memories to to the series 1085 00:38:54,640 --> 00:38:56,720 of conferences um i'll be around if you 1086 00:38:56,720 --> 00:38:59,359 have any questions on telco on cloud on 1087 00:38:59,359 --> 00:39:01,760 red teaming already missing berlin so if 1088 00:39:01,760 --> 00:39:03,839 you ever want to do some project with us 1089 00:39:03,839 --> 00:39:06,240 i love to do that and yeah now over to 1090 00:39:06,240 --> 00:39:08,720 your questions please thank you 1091 00:39:08,720 --> 00:39:11,959 [Music] 1092 00:39:16,560 --> 00:39:19,440 thank you carson um we we have a few 1093 00:39:19,440 --> 00:39:21,520 minutes for 1094 00:39:21,520 --> 00:39:24,320 questions if you have a question please 1095 00:39:24,320 --> 00:39:26,240 walk over to the microphone in the 1096 00:39:26,240 --> 00:39:27,839 middle there are two microphones in the 1097 00:39:27,839 --> 00:39:29,050 middle please line up 1098 00:39:29,050 --> 00:39:30,480 [Music] 1099 00:39:30,480 --> 00:39:33,040 first question here you go 1100 00:39:33,040 --> 00:39:35,680 hey first of all thanks a lot um we've 1101 00:39:35,680 --> 00:39:38,000 had similar situations with industrial 1102 00:39:38,000 --> 00:39:40,400 devices with medical devices and 1103 00:39:40,400 --> 00:39:42,160 stuff that should be expected like fact 1104 00:39:42,160 --> 00:39:44,079 management and everything that was 1105 00:39:44,079 --> 00:39:46,240 clearly not a given and we've seen some 1106 00:39:46,240 --> 00:39:47,839 certification efforts and some 1107 00:39:47,839 --> 00:39:49,440 initiatives that were going to the right 1108 00:39:49,440 --> 00:39:51,599 direction so i guess my question boils 1109 00:39:51,599 --> 00:39:52,720 down to 1110 00:39:52,720 --> 00:39:55,520 do you see a way out whether through 1111 00:39:55,520 --> 00:39:57,760 incentives or just we're waiting for a 1112 00:39:57,760 --> 00:40:00,000 doomsday scenario how do you see things 1113 00:40:00,000 --> 00:40:01,359 evolving 1114 00:40:01,359 --> 00:40:03,440 uh very good question so 1115 00:40:03,440 --> 00:40:04,720 certainly the 1116 00:40:04,720 --> 00:40:05,920 both the industry and different 1117 00:40:05,920 --> 00:40:08,079 governments are pushing towards more uh 1118 00:40:08,079 --> 00:40:10,960 security um the government's more than 1119 00:40:10,960 --> 00:40:12,400 the industry very much based on the 1120 00:40:12,400 --> 00:40:14,240 checklist approach where they say we 1121 00:40:14,240 --> 00:40:16,000 want to we want you to prove that your 1122 00:40:16,000 --> 00:40:18,640 network is secure at one point in time 1123 00:40:18,640 --> 00:40:20,480 what happens after that we're not so 1124 00:40:20,480 --> 00:40:23,839 concerned with so um certification is is 1125 00:40:23,839 --> 00:40:25,920 good and meaningful to to introduce a 1126 00:40:25,920 --> 00:40:28,240 guideline or baseline rather i just 1127 00:40:28,240 --> 00:40:30,400 haven't seen the one certification that 1128 00:40:30,400 --> 00:40:32,480 would address problems like these right 1129 00:40:32,480 --> 00:40:35,040 i'm seeing certifications more around 1130 00:40:35,040 --> 00:40:36,319 you know you have to prove that you're 1131 00:40:36,319 --> 00:40:38,000 not from china that's basically a big 1132 00:40:38,000 --> 00:40:39,599 part of the certification now basically 1133 00:40:39,599 --> 00:40:41,119 protecting yourself from political 1134 00:40:41,119 --> 00:40:42,960 influence i mean yeah that might be 1135 00:40:42,960 --> 00:40:44,480 important i don't care i mean i wanted 1136 00:40:44,480 --> 00:40:46,800 this to to to be secure from hackers 1137 00:40:46,800 --> 00:40:48,240 from anywhere in the world not just from 1138 00:40:48,240 --> 00:40:50,640 china right um other parts of the 1139 00:40:50,640 --> 00:40:53,119 certification lets you uh prove that 1140 00:40:53,119 --> 00:40:54,880 your cryptography is configured 1141 00:40:54,880 --> 00:40:56,720 correctly those things great but 1142 00:40:56,720 --> 00:40:58,240 cryptography hasn't been a problem 1143 00:40:58,240 --> 00:41:00,319 basically since 3g people haven't broken 1144 00:41:00,319 --> 00:41:02,319 the cryptography anymore so 1145 00:41:02,319 --> 00:41:04,640 um yeah i wouldn't hold my breath for 1146 00:41:04,640 --> 00:41:06,640 certification to solve this i think that 1147 00:41:06,640 --> 00:41:08,560 it'd be individual companies going 1148 00:41:08,560 --> 00:41:11,839 forward saying you know um we are we we 1149 00:41:11,839 --> 00:41:14,560 have an i.t history and we we make uh 1150 00:41:14,560 --> 00:41:16,480 our telco networks secures our t 1151 00:41:16,480 --> 00:41:18,880 networks all big telcos have cloud 1152 00:41:18,880 --> 00:41:20,560 environments and they make their cloud 1153 00:41:20,560 --> 00:41:22,160 environments more secure than the telco 1154 00:41:22,160 --> 00:41:24,319 environment and that to me is a weird 1155 00:41:24,319 --> 00:41:25,839 situation 1156 00:41:25,839 --> 00:41:29,200 next question please thank you 1157 00:41:29,200 --> 00:41:30,720 hello 1158 00:41:30,720 --> 00:41:32,960 i may have slightly misunderstood this 1159 00:41:32,960 --> 00:41:34,960 but is the 1160 00:41:34,960 --> 00:41:38,079 what does open ran in what's the open 1161 00:41:38,079 --> 00:41:39,839 mean are there 1162 00:41:39,839 --> 00:41:41,839 open source platforms or freely 1163 00:41:41,839 --> 00:41:44,160 available platforms that we can 1164 00:41:44,160 --> 00:41:46,720 run ourselves if we want to experiment 1165 00:41:46,720 --> 00:41:48,480 with this kind of things yeah no that's 1166 00:41:48,480 --> 00:41:51,040 an excellent question and um i think 1167 00:41:51,040 --> 00:41:53,119 that the naming is very unfortunate in 1168 00:41:53,119 --> 00:41:55,200 open ran so um 1169 00:41:55,200 --> 00:41:58,000 basically what summarizes openran is a 1170 00:41:58,000 --> 00:41:59,920 push from the telcos against to tell the 1171 00:41:59,920 --> 00:42:01,599 vendors to say we're not going to buy 1172 00:42:01,599 --> 00:42:03,599 your hardware anymore we install our own 1173 00:42:03,599 --> 00:42:05,680 hardware and you need to ship a software 1174 00:42:05,680 --> 00:42:08,800 that's an umbrella the open comes from 1175 00:42:08,800 --> 00:42:10,880 the the interfaces between hardware and 1176 00:42:10,880 --> 00:42:12,480 software need to be open so that 1177 00:42:12,480 --> 00:42:14,000 different pieces of software fit on 1178 00:42:14,000 --> 00:42:15,839 different different vendors hardware in 1179 00:42:15,839 --> 00:42:18,560 its openness it does not include open 1180 00:42:18,560 --> 00:42:20,800 source it does not even include open 1181 00:42:20,800 --> 00:42:23,040 standards you have to pay to access 1182 00:42:23,040 --> 00:42:25,520 those open standards so it's very 1183 00:42:25,520 --> 00:42:27,280 different from what this community would 1184 00:42:27,280 --> 00:42:30,000 call open but you know baby steps in the 1185 00:42:30,000 --> 00:42:31,680 right direction yeah 1186 00:42:31,680 --> 00:42:33,599 thank you good question 1187 00:42:33,599 --> 00:42:35,599 uh thank you for your talk uh so quick 1188 00:42:35,599 --> 00:42:38,800 question so does the law um 1189 00:42:38,800 --> 00:42:41,040 lawful intercept components also run in 1190 00:42:41,040 --> 00:42:42,319 kubernetes 1191 00:42:42,319 --> 00:42:44,880 oh that's a very good question so um no 1192 00:42:44,880 --> 00:42:48,079 um so far not um 1193 00:42:48,079 --> 00:42:50,079 but that's just because those vendors 1194 00:42:50,079 --> 00:42:51,599 they're they're behind the curve i'm 1195 00:42:51,599 --> 00:42:53,520 sure you know the few vendors i'm not 1196 00:42:53,520 --> 00:42:54,720 gonna name them but it's basically 1197 00:42:54,720 --> 00:42:56,960 monopolies per country uh that just say 1198 00:42:56,960 --> 00:42:59,200 you know why why do we need to change we 1199 00:42:59,200 --> 00:43:01,599 have a monopoly market you build our 1200 00:43:01,599 --> 00:43:03,680 appliance into your uh network no matter 1201 00:43:03,680 --> 00:43:06,319 how and they might use just ss7 for that 1202 00:43:06,319 --> 00:43:08,319 uh yeah a quick other yes or no question 1203 00:43:08,319 --> 00:43:10,079 sorry next question because we have 1204 00:43:10,079 --> 00:43:12,319 really no time i'll be around later just 1205 00:43:12,319 --> 00:43:13,839 find me later so i 1206 00:43:13,839 --> 00:43:16,000 i just wanted to understand how it is 1207 00:43:16,000 --> 00:43:18,079 moving to cloud infrastructure that 1208 00:43:18,079 --> 00:43:20,560 mobile telecom infrastructure 1209 00:43:20,560 --> 00:43:22,319 yeah i mean 1210 00:43:22,319 --> 00:43:23,520 if if 1211 00:43:23,520 --> 00:43:26,240 if you have to deploy stuff in hundreds 1212 00:43:26,240 --> 00:43:28,000 of places around the country and you 1213 00:43:28,000 --> 00:43:29,440 already know that it's going to change 1214 00:43:29,440 --> 00:43:32,240 every week cloud is the only answer 1215 00:43:32,240 --> 00:43:34,880 logical answer so basically 1216 00:43:34,880 --> 00:43:36,400 cloudifying telco networks is a 1217 00:43:36,400 --> 00:43:38,960 consequence of 5g's desire to have low 1218 00:43:38,960 --> 00:43:41,040 latency let's say your car wants to 1219 00:43:41,040 --> 00:43:42,960 signal to the car behind you that you're 1220 00:43:42,960 --> 00:43:45,119 braking you don't have time to send that 1221 00:43:45,119 --> 00:43:47,200 signal off to telco network send it to 1222 00:43:47,200 --> 00:43:48,880 some central location get the signal 1223 00:43:48,880 --> 00:43:50,720 back get it sent to that other car the 1224 00:43:50,720 --> 00:43:52,160 crash will have happened right we're 1225 00:43:52,160 --> 00:43:54,640 looking at single-digit milliseconds 1226 00:43:54,640 --> 00:43:56,960 delays from car to car and that only 1227 00:43:56,960 --> 00:43:59,839 happens if each little region each city 1228 00:43:59,839 --> 00:44:01,200 basically has their own cloud 1229 00:44:01,200 --> 00:44:03,440 environment um that's why everything 1230 00:44:03,440 --> 00:44:05,280 intelligence in the future will be cloud 1231 00:44:05,280 --> 00:44:06,800 and i hope that answers your question 1232 00:44:06,800 --> 00:44:10,240 yeah and we're out of time no 1233 00:44:10,240 --> 00:44:13,280 sorry it's actually exactly 10 4 so we 1234 00:44:13,280 --> 00:44:15,920 have to move over and make space for the 1235 00:44:15,920 --> 00:44:18,079 next talk which is also a very 1236 00:44:18,079 --> 00:44:20,160 interesting talk about how we moved out 1237 00:44:20,160 --> 00:44:22,960 of the pandemic but first yeah please 1238 00:44:22,960 --> 00:44:27,560 have a great thanks for carsten 1239 00:44:30,610 --> 00:44:34,320 [Applause] 1240 00:44:37,280 --> 00:44:39,359 you