5G Networks Are Worryingly Hackable

Prominent tech firms like Microsoft and NEC have recently expressed concerns over the security and perhaps too-rapid adoption, respectively, of critical 5G technologies. Now German security researchers have given some substance to the industry’s fears and unease.

At a hacker conference held in the Netherlands last month, Karsten Nohl, founder of Berlin-based Security Research Labs, outlined how his team had breached live 5G networks in a series of “red teaming” exercises—where hackers are hired by a company to test their defenses. In most cases they were able to take control of the network, he says, potentially allowing them to steal customer data or disrupt operations.

The hacks, revealed at the May Contain Hackers 2022 event (a.k.a. MCH2022), were made possible thanks to poorly configured cloud technology, which is playing an increasingly important role in 5G networks. Nohl says many telcos are inexperienced in how to protect such systems, and his team found that operators had failed to apply basic cloud security techniques that could help mitigate hacks.

The push toward Open RAN, virtualization, and “cloudification” unlocks more choice and functionality for 5G operators. It has also thrust them into the unfamiliar role of system integrator, suddenly responsible for securing the entire supply chain.

“5G has swept over telcos with all its implications, and nobody seems well prepared,” says Nohl. “We are introducing new technology into mobile networks, and those technologies can greatly enhance the security of our mobile networks. Or they can basically destroy any hacking resistance we’ve built up over the years. People are not aware of those choices.”

Mobile operators have traditionally relied on proprietary hardware from vendors like Ericsson, Nokia, and Huawei to build their networks. But in recent years, there has been a major push to “virtualize” network functions, which involves replicating key components in software so they can run on generic hardware, or even in the cloud. And the advent of 5G has only heightened the demand for virtualization, in particular when it comes to radio access networks (RANs)—the part of the network involved in connecting end-user devices like cellphones to the network core.

Virtualization has a host of benefits, including the ability to deploy networks faster and more cheaply, to quickly upgrade networks, and even to dynamically reconfigure them in response to changing situations on the ground. The decoupling of hardware and software also prevents vendor lock-in and allows network operators to mix and match components from different companies, something advocated for by the Open RAN movement.

But these new capabilities are also making 5G networks more complex, says Nohl, which in turn necessitates the increasing use of automation to manage networks. And the ability to mix and match software and services from different companies means far more people are involved in the development pipeline. “The more stuff you have and the more moving parts, the more opportunities for mistakes, little misconfigurations,” says Nohl.

This makes it much easier to break into such virtualized networks than was previously possible. The entry points the team discovered included a backdoor-revealing API that had been posted publicly to the Internet, as well as an old development site that had accidentally been left online. But the increased ease with which attackers can penetrate the networks is not in and of itself the main problem. “The really critical question is how difficult it is to break through from your initial foothold to something actually valuable within the network,” says Nohl.

His team found it was worryingly easy to move deeper into the networks they tested, thanks primarily to poorly configured “containers.” These are self-contained packages of software that bundle up an application and everything needed to run it—code, software libraries, and configuration files—so that it can be run on any hardware. Containers are a critical part of the cloud, because they allow different applications from different companies or departments to run alongside one another on the same servers. Containers are supposed to be isolated from one another, but if they are poorly configured it’s possible to break out and gain access to other containers or even to take control of the host system. In multiple instances Nohl and his team found misconfigured containers that allowed them to do just this.