My dear readers, today is the day when we spend some leisure time exploring a truly exciting topic. The topic becomes even more thrilling when we apply it to telecommunication and 5G. Of course, I am talking about the security of the supply chain. So shall we start?
Many critical IT systems handling essential services like emergency services, healthcare, energy production and distribution, and telecommunication present lucrative targets to hackers. But let's not forget: critical national infrastructure (CNI), by definition, is, well, critical, so typically it is sufficiently protected. Cybercriminals, of course, do not want to waste their valuable time on exploitation where the probability of success is questionable. They are, however, very happy to target CNI indirectly, and that can be done through compromised supply chains. Hackers have tons of good reasons for that:
Leverage of trust: victims are likely to implicitly trust routine updates/patches from their software vendors and install them without scrutiny. This human factor plays very well into the hands of attackers.
Amplified access: by compromising a single supplier, attackers can potentially gain indirect access to all of that supplier's customers simultaneously. This substantially increases the impact and number of potential victims.
Persistence: once embedded in a supplier's update mechanisms, the attacker's malicious code can persist hidden across numerous networks for a long time before detection.
Self-propagation of attacks: compromised updates infect new victims automatically as they are installed, requiring little effort from the attacker to spread widely.
Diversion of blame, as I call it: the convoluted path makes incidents much harder to trace back to the original intruder and diverts suspicion to other entities.
High level of disruption: affected critical infrastructure components can induce serious economic and operational damage across entire sectors.
So, in short, supply chain attacks offer enough advantages to make them very tempting from an attacker's standpoint. Maybe that's why we have plenty of such attacks already. And, surely, there will be even more in the near future.
One of the prominent recent examples that is still fresh in everyone's memory is, of course, the SolarWinds breach. It perfectly demonstrated how compromising a supplier can enable broad access to downstream customers through tainted software updates. The incident began with malicious actors gaining unauthorised access to the SolarWinds internal systems where the Orion monitoring platform was developed. From this compromised infrastructure, the attackers were able to generate and disseminate "tweaked" software updates containing hidden malicious code. SolarWinds' customers, expecting nothing bad, applied these tainted patches in their environments and, as you can guess, were promptly compromised and subsequently infiltrated, with the hackers using those footholds to pivot deeper into organisational networks and systems. By targeting the supplier first, the attackers gained near-perfect, widespread and passive access across SolarWinds' vast customer base, whose users routinely installed the benign-looking yet very much malicious platform updates.
Surely, the story is well-known, but there is one important detail here. The timeline of events shows that the attack did not happen overnight. It took the hackers a good few years to prepare, compromise the supplier, retain access, slowly infiltrate and modify the software development lifecycle and finally enjoy the results when the malware was up and running on hundreds of customers' systems. So now close your eyes and think about what measures your company should have in place to be able to identify and prevent such attacks.
It looks pretty bad already, right? Alfred Hitchcock once said: "Any good film should start with an earthquake and be followed by constantly rising tension". So now, shall we turn up the heat even further and think about what could happen if the same attack pattern is applied to telecommunication systems and, specifically, to the subject matter: our beloved 5G? You will immediately see that there are even more reasons why attacking the 5G telecommunication supply chain is a sweet dream for cyber attackers.
5G supply chain blues
I have touched on 5G security in the previous articles, so here let's just do a quick recap. 5G differs fundamentally from previous cellular architectures in several ways. Rather than being physical and monolithic, 5G leverages a fully virtualised model that is distributed across the network. Through network functions virtualisation, 5G enables the dynamic creation of virtual network functions (VNFs) independently of dedicated hardware. This allows agile deployment and extension of practically any functionality on demand, wherever and whenever needed. The network can also be partitioned into isolated "slices" optimised for diverse usage scenarios, allocating dedicated resources without interference (at least "by the book"). Finally, 5G does not rely solely on centralised base stations but utilises distributed user plane functions which swiftly route traffic with low latency. Needless to say, such an architecture, featuring hundreds of NFs from countless suppliers, "somehow" assembled by a mobile network operator, creates many exciting opportunities for attackers. But for now, let's focus on the supply chain problems only.
In the telecommunication world, common supply chain-related security targets include third-party suppliers of hardware and software, and all the communication and transit paths that software and hardware travel from suppliers to mobile network operators (MNOs). Telco supply chain attacks could bring even more joy to hackers for the following reasons (this is not a complete list):
Default weak security oversight: many suppliers of software or 5G NFs have "rather-not-perfect" security in their SDLC, to say the least. Therefore, this complex sector presents fantastic opportunities for determined attackers to gain footholds.
Mass disruption potential: telco networks are a part of CNI that support numerous other sectors. Disrupting these networks through a supply chain attack could cause a widespread damaging impact.
Access to sensitive data: by their nature, telco networks carry vast amounts of personal and corporate precious communications data. Implanted malware could steal this private information over time.
Exploit the Internet of Things: more and more devices are Internet-connected and many (especially lonely and remote ones) rely on telecommunication networks. Compromised updates could spread to IoT devices, which can then join botnets, suddenly become evil, etc.
Geopolitical leverage: many nation-state malicious actors could use telecommunication supply chain attacks to gain intelligence or sabotage capabilities against rival governments and/or industries.
Long-term persistence: telecommunication equipment is relied on for decades. Implanting malware guarantees long-lived backdoors in critical systems.
As each network slice and virtualised function can potentially become a target, a failure to properly isolate these elements through segmentation could enable compromises to cascade and potentially cripple the entire system. A successful infiltration of even a single virtual component could paralyse its operations. Further, without adequate countermeasures, an infected segment risks propagating the issue throughout the network, bringing down 5G core functionality.
The rollout of 5G promises many benefits; however, the new architecture of 5G networks also inevitably introduces unique security challenges that need to be addressed throughout the supply chain. Let's discuss some key strategies for preventing and mitigating supply chain risks in 5G (this is also not a complete list).
Thoroughly vet suppliers. With so many interconnected entities involved in the supply chain, the vulnerabilities of the weakest link become everyone's problem. It is advised to conduct regular risk assessments of third parties and audit their security practices. Only work with trusted partners who can demonstrate protections at least equivalent to your own, if not better.
Establish a root of trust. One of the important lines of defence is making sure there is a verified root of trust embedded in all mobile network components. This could involve technologies like hardware security modules that can attest to a device's integrity before it connects. Having a trusted identity will make it harder for compromised components to infiltrate the network and stay undetected.
Implement strong authentication. Within a 5G network, each VNF exposes its own attack surface. Strong authentication should be deployed across all layers to strictly control and monitor access. Encryption can also be applied to individual data flows between NFs and hardware to limit the "blast radius" in case of intrusion.
Continuously monitor for anomalies. As 5G networks grow more complex and decentralised, threats will become harder for humans to identify manually. Investing in network and user behaviour analytics solutions that leverage AI/ML can help automatically detect anomalies indicative of attacks or malfunctions. Continuous monitoring and logging are the key to rapid remediation. You can't manage what you can't measure.
Isolate and segment critical functions. Should threats be detected, there should be existing mechanisms that can automatically terminate affected credentials, isolate compromised network slices or NFs, and redistribute traffic. This "zero trust" approach limits lateral movement and prevents a single point of failure from cascading across the network. Granular access controls and micro-segmentation help contain incidents.
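As an added example (again not from the original article) tying the monitoring and containment points together, in Go: it baselines each NF's outbound destinations before a supplier update, then flags post-update destinations that are neither in that baseline nor declared by the supplier, returning the NFs that are candidates for automatic isolation. The flow log format, the timestamps, the host names, the 203.0.113.45 address and the declared allowlist are all constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Flow is one outbound connection from an NF host as a flow collector might export it. The line
// format "<epoch> <nf-instance> <dst host:port>" and every value below are constructed samples.
type Flow struct{ TS int64; NF, Dst string }
const SampleFlows = `
1700000000 amf-1 udm.core.local:8080
1700000200 smf-1 upf-1.core.local:8805
1700003600 amf-1 udm.core.local:8080
1700003700 amf-1 203.0.113.45:443
1700003800 smf-1 upf-1.core.local:8805
1700003900 amf-1 nrf.core.local:8080
`
// UpdateAt marks the rollout of a new AMF build; Declared lists the destinations the supplier's
// release notes say that build will newly contact, so they are not treated as anomalies.
const UpdateAt int64 = 1700003000
var Declared = map[string]bool{"nrf.core.local:8080": true}

func ParseFlows(log string) []Flow {
	var out []Flow
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		var f Flow
		if _, err := fmt.Sscanf(line, "%d %s %s", &f.TS, &f.NF, &f.Dst); err == nil {
			out = append(out, f)
		}
	}
	return out
}

// NewEgress learns each NF's destination set before updateTS, then reports destinations an NF
// contacts only after the update that are neither in its baseline nor declared by the supplier.
func NewEgress(flows []Flow, updateTS int64, declared map[string]bool) map[string][]string {
	baseline, seen, suspect := map[string]bool{}, map[string]bool{}, map[string][]string{}
	for _, f := range flows {
		if f.TS < updateTS {
			baseline[f.NF+"|"+f.Dst] = true
		}
	}
	for _, f := range flows {
		key := f.NF + "|" + f.Dst
		if f.TS >= updateTS && !baseline[key] && !declared[f.Dst] && !seen[key] {
			seen[key] = true
			suspect[f.NF] = append(suspect[f.NF], f.Dst) // NF to isolate while the update is re-verified
		}
	}
	return suspect
}
```

On the sample flows only amf-1 is flagged, for the undeclared external destination; its declared nrf.core.local traffic and smf-1's unchanged behaviour stay quiet.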
By taking a holistic, vigilant approach with people, processes and technologies working in tandem, 5G networks can achieve their transformative potential. When mitigating supply chain risks, no single control is enough: robust security demands continual vigilance across all domains. A layered defence strategy with verifiable device identities, adaptive access controls, real-time analytics and agile containment mechanisms can help mobile network operators navigate the 5G threat landscape. However, diligence must be an ongoing priority for all stakeholders.