What do 5G, the US election infrastructure and the FireElement RAT from QUA R&D all have in common? The answer is that they are the focus of the latest monthly threat report from NTT Ltd's Global Threat Intelligence Center (GTIC). As expected, with the US 2020 elections getting ever closer, it is the election story that takes the lead. However, it is the 5G story that catches the eye, not least for the closing paragraph that seems to put the responsibility for security on mobile providers.
NTT has a significant stake in 5G. In November 2019, IPlytics ranked NTT as the 10th largest holder of patents around 5G. In January 2020, NTT declared ownership and licensing of over 1100 essential IP patent families around 5G. This matters when it comes to a call for mobile providers to require security to be built into the deployment process. NTT Ltd has a focus on Secure by Design, an approach that requires security to be built in from the design phase rather than engineered later and bolted on.
Can we solve 5G security?
5G, we are constantly being told, is the technology that will liberate the Internet. It is the technology that will enable everyone to get online. More importantly, it will free all those Internet of Things (IoT) devices and make possible smart cities, connected cars and much more. The idea of ubiquitous connectivity excites everyone from users to developers. But getting online is one thing; getting online securely and staying safe is a much trickier issue.
In 5G Faces Widely-Varied Threats, Jeremy Bender, Security Intelligence Writer at the Global Threat Intelligence Center, US, takes a brief look at the promise of 5G. Importantly, he does so from a network perspective. He calls out the reliance of 5G on software and virtualisation technologies and, in particular, on three of them: Software Defined Networking (SDN), Network Function Virtualisation (NFV) and multi-access edge computing (MEC).
According to Bender: “The expansion of MEC and the increasing number of devices joining the network means an increase in the overall attack surface. This leads to a greater number of entry points for attackers. Additionally, an increase in unsecured devices can lead to a heightened risk of denial-of-service attacks.” Bender goes on to identify the risks from complexity and an increase in vulnerabilities from poor software development practices.
To solve all of this, Bender believes that: “Mobile providers must require security to be built into the deployment process. A single, coherent security framework addressing the full range of security risks, accepted and universally applied, is required to ensure 5G systems can safely and reliably deliver on their promise.”
But is it fair to put this on the mobile operators? Bender admits that mobile operators will no longer be fully in control of the network or the systems that underpin the architecture.
Time to reassess levels of responsibility
The most interesting thing about Bender’s piece is that it raises the questions of responsibility and accountability. Who is responsible for connecting devices to the 5G network? Will all those IoT devices connect directly, or will they be assembled into systems that connect, rather like the corporate office and the Internet? How you look at this problem shifts both responsibility and network design.
Take the example of a car. The number of components in modern cars that are connected through sensors continues to grow, and with it the risk. Hacking into a car through a wireless network is no longer a maybe, it is a given. How do car manufacturers secure their vehicles? Many are trying hard, but as third-party and after-market components are fitted, it becomes harder. As we move towards connected cars, one of the poster-child use cases for 5G, the question is who secures that connection?
For example, should the entertainment unit connect directly to a mobile network to download updates and content? If so, should it have any connection, other than power, to other systems in the vehicle? Entertainment units have already been used to take over cars, so how can an attack through such a unit be stopped?
This is where a car becomes analogous to the office. There will be core systems and user-owned devices, and the layers of security and control between them must rest with the car manufacturer. Attacks that merely use 5G as a bearer cannot be the responsibility of the network operator, nor can operators create and enforce a security model that will be universally adopted, as Bender would like.
It’s not just about cars but history
Cars are just one example of the challenges for 5G. Another is the explosion of sensors in manufacturing and the use of digital twins. Smart cities are an even more complex problem, given the number of suppliers, network operators, devices and software involved.
“I think what strikes me about the piece is that we have learnt nothing from history, not the distant history, the very recent kind. We are blindly rushing to consume 5G, and all the advances it gives us, without actually addressing the underlying issues of baking in security from the outset (PLC/SCADA anyone?). It’s then hardly surprising that the efforts of security vendors and providers to make up for this lack of foresight are at best poorly implemented and at worst just a marketer’s wet dream to over-promise and under-deliver.
“MVP is a common term we hear for the Minimum Viable Product when launching. However, I prefer the Maximum Vulnerabilities Permitted use of this acronym. Shitty code is eating the world and the faster we develop without good practices, the less we should be surprised when the future self-driving car throws a wobbly because someone has hacked into it with their kid’s TI Speak & Spell toy (ET phone home?).
“My fear is that doing what we have always done and expecting a different outcome is not only the definition of insanity but a recipe for disaster. The future might be bright in terms of possibilities, but don’t expect any time soon for the security sphere to come up with some form of magic that makes such shitty practices ok for the common person.”
What about election hacking and that RAT?
The upcoming US 2020 election is going to be the most-watched in history. For some, it will be about politics. For others, it will be about how to run an election securely. Where are the weaknesses in the US election infrastructure? Which form of voting is most susceptible to attack and how? Is it possible to run a national election without accepting a degree of interference and, if not, what should be acceptable?
The GTIC article attempts to provide answers to some of these questions, and they show how error, whether accidental or deliberate, is a natural occurrence. One major threat, and one that refuses to go away, is ransomware. Will this be the first election in history where cybercriminals hold votes to ransom? Will that lead to the payment of ransoms to get results back? If so, can those results ever be trusted? If not, how do you re-run such a massive undertaking?
The technical analysis of the QUA R&D FireElement RAT looks at a campaign that is currently active. It also demonstrates how bad actors are targeting multiple operating systems to widen their pool of potential victims. This is becoming more common, and it is where myths such as “I use a Mac and am safe from attack” become dangerous.
The piece also shines a light on how an increasing amount of malware is developed not for use by its creator, but to be licensed to other cybercriminals. The malware industry not only emulates the legitimate software industry but has been faster to move to an as-a-service approach. QUA R&D runs an invite-only, subscription-based service. The subscription model ensures that the malware is constantly updated to incorporate anti-detection measures and new distribution channels.
Enterprise Times: What does this mean?
It is easy to gloss over the threats from 5G by focusing on the potential wider benefits and use cases. Equally, it is easy from a security perspective to despair about the failure to learn from past mistakes. Attacks will happen, and what is needed is a more open discussion about mitigation and secure deployment. One thing that Bender didn’t mention is the ability for 5G operators to use network slicing. Slicing has the potential to limit the damage from an attack by isolating use cases from each other on separate logical networks, so that a compromise in one slice does not automatically reach the others. That only holds if the isolation between slices is itself enforced and monitored, but at the very least it offers smart cities a way to avoid a single incident turning into a complete network failure.
The real question for the US 2020 election is not about which voting system will be hacked and how, but what can reasonably be done to minimise the impact. November will show how many of the warnings were ignored and what actions were most effective.
Stopping malspam campaigns that spread malware such as the FireElement RAT is not simple. It requires constant updating of tools and continuous education of users. It also means that IT has to improve the way it identifies and detects such attacks. From a cybersecurity perspective, this case also shows how quickly a bad actor can evolve to evade detection.
This is one of the more interesting GTIC reports in a while and well worth a read.