Famous white hat telecoms hacker Karsten Nohl is our guest for an episode that focuses on the security risks created by migrating telcos and many other businesses on to the cloud. The use of standard cloud technologies like containers can deliver great efficiency and cost savings but they also mean that a hacker who discovers one vulnerability may be able to cause far more harm as a consequence.
Karsten has a track record of discovering and demonstrating unexpected vulnerabilities in GSM and RFID systems. He is the Managing Director and Chief Scientist of his Berlin-based consultancy and think tank, Security Research Labs. Karsten also has experience working as a telecoms CISO for leading Asian operators Jio and Axiata.
Topical news items are also debated by the show’s three regular presenters, industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.
Transcript (auto-generated)
Hello, this is episode 10 of the Communications Risk Show, and I'm your host, Eric Priezkalns. Every Wednesday, we talk to risk experts from around the world of electronic communications streaming live, so you can also join the conversation submitting questions and observations as we go along. Now asking the question is super simple. Just type your message into the window immediately beneath the streaming window on our website at tv.commsrisk.com. Messages are anonymous, so include your name if you want me to read it out. The show is also streamed live on LinkedIn. A member of our team is keeping an eye on comments posted over there, so we'll try to respond to those too. We'll read out as many of your questions and observations as time permits. Today, we're going to be talking about security and the cloud with Karsten Nohl. He's the founder and chief scientist at Security Research Labs, sometime interim CCO at CISO at such telcos as Axiata and Jio. And a lot of you will remember him from such white hat hacking exploits as showing how to crack GSM encryption in 20 seconds and using SMS messages to crack SIM cards. We'll be talking to Karsten about the vulnerabilities he's found in cloud containers and what this means for telcos and for other businesses who run their operations in the cloud. But first, allow me to introduce my co-presenters, Ed Finegold and Lee Scargall. Ed joins us from Chicago. He's an author, analyst and strategic advisor to tech and telecoms businesses. Lee joins us from Bahrain. His career has seen him switch between executive management and consulting for a wide variety of coms providers around the Middle East, Europe, Caribbean and Asia. Good day to you both, Ed and Lee. Today's first topical topic to pick into your brains and see how you respond. I think I'm really controversial on this. I'm looking for lots of comments from the audience on this too, because I know some people get very wound up by this topic. Malaysia, again, we talked about Malaysia last week. We're going to talk about Malaysia again this week. Malaysian banks are now stopping the use of SMS for two-factor authentication for financial transactions. Following from last week, last week we talked about Malaysian telcos blocking any SMS with a URL in it. Now let's talk about Bank Negara Malaysia, the country's central bank, ordering all the banks to stop authenticating users using one-time passwords by SMS. Now this slipped a little bit under our radar because the governor of the central bank, Shamsaia Maud Younis, announced this change back in September 2022. This is before the big fuss when Elon Musk was saying that he was going to stop using two-factor authentication via SMS, and we saw what a response that generator would run. So actually, the Malaysian central bank was ahead of the game on this particular point of switching off SMS, but they allowed the banks quite a lot of time to exercise the change. But now banks like Standard Chartered have stopped supporting SMS for two-factor authentication. They're forcing their users to use token-based authentication via apps on the customer's phone. The new policy also sets a strict limit where only one mobile phone or other device can be used for authenticating each user. So to you, Lee, straightforward question. Do you agree with the policy of the central bank of Malaysia? Yeah, I do agree with it, Eric. Right. It'd be difficult for me not to, because I've been saying for a long time now that OTPs via SMS, it's just unsafe, right? They're prone to all kinds of exploits, right, such as social engineering, SIM swaps, IMSI catches, and then you've got all the vulnerabilities in SS7. So I hope that banks and regulators are taking note of this, and they do the same, because, you know, this has been a long time coming. But at last, we finally got some leadership from Malaysia. Well, it causes a lot of controversy, this topic, so it's interesting that you and I are in complete agreement on this one. I'll just play devil's advocate a little bit. What about the people who don't have a smartphone, Lee? Well, maybe online banking isn't for them. All right, Ed, I'll bring you in on this one. Smartphone penetration in Malaysia is 95% per stats from Malaysia's comms regulator. That contrasts with 85% for smartphone penetration in the USA per Pew Research. Yes, I'm sorry. I'm making another point about America again. I'm sorry. Are countries who leapt ahead from landline infrastructure to mobile infrastructure, are they the ones now driving forward the comms security debate? Because they're able to do things that countries like the USA with more people relying upon landlines, more reliance upon traditional banking services, are they now effectively falling behind because they can't make changes like this because it will affect too many people? You changed the question on me, which is totally fine because I can think on my feet a little bit. It's the same question just phrased differently. So, no, I think you make a good point that you have a situation here with, especially the US banking system, US banks, telecoms, bearing a lot of legacy, and also I think tending to bend to political will, where if a very small percentage of users might be marginalized as a result of a move like that, it becomes the center of the debate. That's kind of a separate discussion. I just think that's kind of a silly way that the US tends to react to things. So, I think that's part of why you're maybe seeing someone like a country like Malaysia able to take such decisive action on this. But I'm going to push back at you a little bit on some of your assumption here, because I think some of the numbers might be incorrect. And I think that what I took away from the question was the idea that the US is somehow behind and I don't want you to divide us because we are all in this problem together. And I'm going to explain why. So, folks, I took some notes here because I knew that this was a tough one coming up and I have some data to share. So, first of all, your data from Pew, I think was wrong. That looks like a postpaid stat to me. And I have other data from a study I've worked on recently that looked at 14,000 people around the world, a thousand people in the US. And the numbers that we're getting back are more like 92% of Americans with a mobile device, because that can include prepaid as well. So, Pew's numbers are a little bit off. But it was smartphone. It was simply smartphones, specifically smartphones. Well, Malaysia is 94% versus 92%. So, they're pretty close from a mobility perspective. However, if we talk about banking, we're talking about two very different environments. Let's talk about credit cards. USA, 76%. Malaysia, 54%. So, to me, that speaks to the difference in maturity and the difference in the progress that you're talking about. And I think it actually speaks to the leapfrog effect that you're talking about a little bit, that you have a market that didn't get quite as deeply entrenched in something as credit cards and was able to leap forward to digital perhaps a little bit more quickly. So, that works. Bank accounts, USA, 91%. Malaysia, 87%. Personal bank accounts, pretty similar. Savings accounts, this one I found comical. This is funny. Malaysia, 86%. USA, 69%. Suggesting the Malaysians are a little bit more savings conscious, perhaps. And they have fewer credit cards. So, perhaps they're a little more conscious of these issues. Now, here's ones that really pay off. Real-time payments. In Malaysia, 92% of people in Malaysia have sent a real-time payment via something like, I'm not sure if they are in Malaysia in the US, it would be something like Zelle or Cash App or Venmo, something along those lines. In the USA, it's 81%. So, there's a pretty big gap from a digital adoption point of view. But interestingly, when asked about how many of them experienced in our real-time payment scam, 19% Malaysia, 17% USA, pretty similar. So, after going through this whole rigmarole, my point is that regardless, we're all suffering the same problem. We're all suffering the same root problem, going back to what Lee was saying was, a lot of the root of this is SMS. A lot of the root of this is phone numbers. So, even though we have these differences in the markets and these differences in maturity, it still comes back to basically about 20% of people suffering these scams. The end result is kind of the same. Okay. I'll ask a different question now. USA isn't any worse or better. There you go. I'll ask a different question now. Now that you're blowing my hypothesis out, we'll water with your stats. All right. I'll ask a different question now. My impression, and I don't think my impression is wrong here, is that Asian countries like Malaysia are way ahead on being able to adopt and implement policies like this. And that these policies are not even up for debate in countries like the USA and the UK. Let's throw them into... It's not even up for debate. You wouldn't even be able to start the conversation to adopt that policy. So whereas you've got somebody who is a top banker, great experience, the governor of the Central Bank of Malaysia forging ahead, it's impossible to imagine the equivalent in the USA, the UK, a lot of Western countries doing something like this because of the backlash. Oh my gosh, we won't be able to cope. How could we possibly cope if we don't have messages sent by SMS? Why? Why is there a difference then? And I'll ask Lee first to let him have a go, see if there is a reason, an explanation, because he might say it's because we're rubbish in the West. I don't know. What do you think, Lee? You've been all over the world. Why are countries like Asia so far ahead? I honestly don't know, Eric. I really don't know the answer to that. All right, fair answer. Ed, why is the West so far behind? So again, this is probably coming from some ignorance and people will disagree with me, but I think that in my experience, at least in the US, the political type discussions tend to get taken over by the extreme. And the extreme in this case is we have to defend the fuzzy wuzzy, right? So we saw it in the robocalling argument. And so I'm agreeing with you here, Eric, that I think if we were going to see regulatory action of the type we saw in Malaysia and the US, you would have seen it around robocalling. But instead, what we saw around robocalling was, well, wait, we have to protect all of these potentially legitimate uses of robocalling. And let's parse out all those little minority instances and use that as a reason not to take action against the big bad wolf, so to speak. And it's just that attitude. And I don't know why it's different in Malaysia, but I see that attitude in the US and I don't think it's productive. Also a comment here from one day, Oluwatomi. He says, who looks after the seniors that are not technologically savvy, a very American way of putting it, seniors, the frustration of lost devices. I personally think this will not be a reality anytime soon. Some good percentage of folks would be cut off from service. I don't really agree. I don't really agree with you one day. I have to say, I think when you force change to happen, people adapt quickly. And there's no reason why all the people can't adapt to. I actually think if you put all the people in an environment where they get access to information, they're called the silver surfers in certain parts of the world. Actually, when you look at the data, the silver surfers, the older people, they can very quickly adopt all sorts of advanced services delivered online if they're given access and they're given some information resources about them. It's as simple as that. Give them access, give them information resources, make it cost effective to do it. That's a big factor. People don't want to change if they can keep on doing the same thing in the same way, or if change is going to cost them money. If you make it cheaper to change, they'll change. So I think there will be resistance to moving away from SMS for two-factor authentication because people are used to it. And there's a little bit of inconvenience in downloading an app on your phone. But if there was some financial backing behind it, if, say, you started charging people for receiving those SMSs, they'd change pretty quick, sharp towards using an app. You'd have like a year at most where people would be downloading the app and then everybody would be fine. So that's my point of view. But we have to move forward in the debate. Sorry, guys, I know there's plenty more we can say about this. Keep on sending your comments. Now, here's a message from our serious sponsors, Blue Jump. When thinking about testing calls and other needs on networks, it's worth keeping in mind the sheer variety of objectives to be fulfilled using testing. You could have Blue Jump perform a thorough audit of the roaming service provided by partner networks in key locations. Auditing your roaming partners means you're not just trusting that your customers be able to connect to services whilst away from home. You could obtain a fresh perspective on how your services are perceived by customers. That means using Blue Jump's facilities to conduct tests to reflect what real people do when they use their phones. Or if you're worried about the various forms of bypass fraud including SIM boxes, refiling, low TT bypass, then you can use Blue Jump's extensive international deployment of devices to originate test events on the networks and observe they're routed around the world in a manner you expected before it terminates on your network. Popularity of why means telcos need to do more than ever to ensure traffic is routed correctly and termination fees have been levied as they should. Blue Jump can execute a risk based testing program where you are focusing on the routes and countries when there's the greatest risk your telco will be exploited. Now buying your own equipment and setting your locations in the country is not cheap. It's much more cost effective to have Blue Jump use their test anywhere crowd to have test conduction on their behalf using their automated equipment. Their test infrastructure includes the latest Android test devices deployed globally. Blue Jump works on behalf of telcos, governments, software businesses, all sorts of companies, harnessing the power of real phone devices that can make calls, send messages, transfer data, stream entertainment, any of the things that real people do with phones every day and thus perfectly emulate the customer's journey. They also support the latest innovations like eSIMs and satellite connections. So in summary, the automation of testing by Blue Jump spares your staff the laborious effort of manual tests. It also means you get results more quickly, which can be especially important when seeking to identify where frauds occur. And because of the way Blue Jump's technology works, you will be aware of the fraudsters, but they won't be aware of your anti-fraud testing until you decide to take action. So whether your focus is the customer's network experience, roaming costs, or the assurance of interconnect routing, then you should call upon the experts at Blue Jump, the URL, blugem.com, Blue Jump. So continuing the topical chat, French President Emmanuel Macron promises an anti-scam block, a nationwide anti-scam block that's going to filter malicious links from SMS messages and emails. In a message posted to LinkedIn from the French President's official LinkedIn account last Wednesday at 7 a.m. French time, Macron made the following promise and I apologize in advance for my terrible accent. For those of you who don't speak French, that translates as we will build a barrier against fraudulent SMS and email campaigns by preemptively filtering malicious links with a bill that aims to secure and regulate the digital space. Ed, to you, do you believe the French government knows something about blocking malicious links that the rest of the world doesn't? If anybody was going to implement a filter to remove malicious links from emails, wouldn't Google have done it by now already? You know, Monsieur Macron, Mr. President, I love the idea. Please elaborate. I'd like to know more. I don't think the French government knows anything special about this. And I did find your reaction to it, just the way that you answered the question, to be funny because yeah, if this was so easily solved, it would have been solved and it would have been solved by the folks that know it best, like Google. I agree with you. But I thought about our discussion last week about this idea of just not permitting any SMS links. And I'm not even sure what my position was on it last week because I disagree with myself. I've come around to it because I thought about what you said. And I thought about the idea that, for example, if you put it in the physical world, you walk out to the mailbox to go pick up your snail mail and how many times in my life if I wish the junk mail would just vanish, all the junk mail that you don't want would just go away. I don't want to deal with it. And it also creates risks of identity theft and all that sort of thing. So I'm taking that same idea and putting it here. Yeah. And I think we should, Mr. President, let's block them all. Block them all, Mr. President, please. Thank you. Okay. So there's a vote from a crumb there, if you could vote in France. Lee, I got to ask you this question. Of course, you've got connections to France. You've got family members, French family members. This is another example. Is this another example of a politician promising to do something about scams spread via SMS? Why are we getting all of these examples of politicians cracking down, showing lots of leadership now? The first SMS was in 1992. Why hasn't that happened earlier? Well, I think it's down, Eric, to the sheer scale of fraud being committed online right now. I was actually reading on the UK government's website that online fraud now accounts for 40% of all reported crime in the UK, and it costs seven billion pound a year. Now, as for politicians, it seems like Macron and Rishi Sunak, they've both been singing from the same song sheet because they've both just announced new anti-fraud initiatives. So I went on the UK's government website just to have a look at what some of these new measures were. And they're talking about banning SIM farms, stopping CLI spoofing. So I guess that means we're going to be getting stairs shaken soon at some point. And they also mentioned, this is quite interesting. Hey, hey, hey, there's a public consultation first. Don't be joining the party that's announcing this before it's actually decided yet. Sure. We have to follow due process, of course, right? Now, the interesting thing here is they also say they're going to use UK's intelligence agencies to disrupt fraudsters from overseas. Now, I don't know what they mean by disrupt, but that's quite an interesting remark to make. And they were also going to say that they're going to work with tech companies to allow people to report scams more easily. So it all sounds good on paper, but there's no real mention of what they're going to do. I think it's a load of talk. And I would back your assertion that it's big now. Yeah, well, it didn't just suddenly get big. It wasn't like there was no fraud last year. And then suddenly this year, all the frauds happened. The reason why fraud is massive is because no one's been doing anything about it for a long time. So really the question is about why are the politicians now thinking, I mean, yes, you could always make the argument because it's big now, but why didn't they think it was big enough before? Is this just a little bit of cheap window dressing? Look at me, says President Macron, my pension reforms aren't going too well in France. Everything else is going very badly for me. I'm doing terribly in the polls. I can't spend any money. I tell you what, I'll just talk about fraud. Because if I talk about fraud, people won't notice that previously the amount of money that was spent on fighting fraud was nothing. And now these enormous reforms will mean the government will now spend next to nothing on fighting fraud. It's a great way of making you sound yourself as though you're beefing yourself up because the plateau you started with is so low, you need to spend hardly anything to do better. Isn't that the problem Lee? But basically we're getting all excited because we go, whoa, like in the UK, 30 million pounds is going to be spent on the successor to action fraud, the National Fraud Intelligence Gathering Service where everybody dials in, well, 30 million pounds might sound like a lot of money, except it's not. And also they're spending 30 million pounds on essentially replacing the people who used to receive phone calls about fraud and then would take the written transcript of what was said and scrunch it up in the bowl and throw it into the bin because they were so useless. So 30 million pounds and improving on that, it's not much of an improvement really. Is that not the problem? Ed, I'll come back to you on this one. Is this not just cheap politics? Cheap politics, everybody says they're going to do something as long as somebody else is paying the cost, the taxpayer isn't paying the cost, the government's not taking it seriously, but politicians want to get a few votes cheaply. Yeah, it's become part of the news cycle now. If you think of like, what are the topics that are always in the cycle as if it's a big lazy season that you're spinning around, coming to topic to topic and it's on there now firmly. And every once in a while, we're going to come back to these fraud topics and we're going to talk about them and we're going to act like we're doing something about them. And if I'm going to take any positive away from it, it's like, hey, we're talking about it. People that can do something about it have some awareness now that there's something to be done. And that's the best positive I can take. But yeah, I mean, the cynic in me says, yeah, there's going to be a lot of talk. And again, you come back to what we've been talking about with stir shaken, you know, and you're going to spend a lot of money to come up with a solution that doesn't solve the problem. Like is that to me, that's yeah, that's kind of what politicians are doing here historically. Well, this this case of Macron, they're going to have a special filter. Just do what the Malaysians have just done. The Malaysians already told if you wanted to take dramatic action, you want to do radical action. Boom. We're just not going to have any SMS messages with Lincoln. Overnight, the problem is solved a little inconvenience. But if you're going to say it's a huge problem, then why is the reaction to the huge problem always so modest in comparison, it gets described as a crackdown. But there are countries that prepare to do things and the Malaysians are showing us the example late, I pushed this back to you. Are we not again in the West, a lot of talk, not a lot of trousers when it comes to taking action. But this this is difficult, because in the same press release, they did say to be fair, they did say they were going to create 400 new jobs under the NCA. Right. So I think they are, they're trying to do something. But I'm the same as with you, Eric, it's just it's just here, right? I want to see I want, you know, let's sit down in six months or next year. And let's review it. Has it got better? Yes or no? My personal opinion is I don't think it will. All right, thank you for that. We'll move keep moving forward. Let me take this opportunity now for another one of our weekly features, the symmetry fact of the week and interesting facts supplied by the team at symmetry solutions. Over the years, many professionals working for comms fighters and the suppliers have approached me for advice about where to obtain high quality training on revenue assurance and fraud management. I'm glad that they do because I hate to see people wasting money on training provided by flim flam agents. And so for many years, I've kept my recommendation simple, go to the most experienced practitioners of revenue assurance and fraud management in real life, get your training from them. That's why I've long recommended the services of Jeff Ebert for revenue assurance training, and Colin Yates for anyone wanting a better understanding of fraud management. So it's a funny coincidence that both men now work for symmetry solutions, as symmetry is head of business assurance and head of fraud management respectively. Between them, they provide the training to over 750 telecom professionals. Now they work together at symmetry, they have a comprehensive syllabus which covers revenue assurance and fraud management at the introductory intermediate and senior levels. That means they can easily tailor a training program that focuses on your particular needs, no matter how specific or extensive they may be. Colin and Jeff even provide mentoring to leaders of our FM teams who want a trusted counselor who can give them independent advice. So wherever your training needs, turn to symmetry, and they're uniquely experienced trainers at symmetry solutions.co.uk. There's so much we have to fit in the show, we never find time, we've got to get past Nolan in a bit. So we're not going to spend too long on the next segment, guys. But Lee, you identified a really fascinating news story about a new iPhone feature that caused your concern. Do you want to tell us some more? Yeah, so this is something we spoke about on the show the other week, and this was concerning voice authentication and synthetic cloning. Now, today, I was reading an article that Apple, they're going to bring out a new feature in iOS 17, that actually allows voice cloning in as little as 15 minutes, just by reading back some text prompts, right. So this live speech feature is actually designed for people who have difficulty speaking, right. So they just type in the words, and then it converts it to speech. And it's in the identical sound to their voice now. So if you imagine this now, right, having a live speech feature on a phone, right, of somebody's clone voice, it's just going to take fraud to a whole new level. And you know, you want to have people included, you want to see technology, get people included and do things they can't do before. But for me, this is symptomatic of, we don't deal with the risks, we don't anticipate risks until they've hit home. Ed, am I right? Am I wrong? What's your feeling on this in terms of where are we always leaving it too late to react to the risks? Shouldn't we be anticipating the danger of giving people on their phone the ability to clone voices in just 15 minutes? Yeah, absolutely. And, you know, I noted that the CEO, I guess, of OpenAI was in front of the US Congress talking about, you know, what are potentially smart ways to regulate the technology and what have you. And that's all well and good. But to your point, it's like, or is it already too late? It might be too late. How long is that process going to take? Two years? And then the cat's already out of the bag. So I think, yeah. And the last thing too, you and I have talked about this a hundred times, the 737 MAX always comes to mind as the ultimate example of like, when you rush these things without asking the right questions and with political or economic pressure behind them, what happens? Things blow up, you know, quite literally. So, yeah, I mean, it's... I'm pro-business. I don't want to put barriers. I want governments putting barriers in the way of doing business. Okay. I don't want everybody to have to like go to a committee to get every new technology innovation approved, but Apple's got a track record here. And Apple is obviously a more responsible business than many other smaller businesses that are out there. Okay. We've seen it with the Apple tab already. Seemed like a good idea. You attach this device, you touch this little thing to your objects, to your computer, whatever. So if your computer's stolen, you know where it is. You know, if something else is stolen, you know what it is. You can track it down. What happened? The creepiest people in the world start attaching them to the bags of women that they want to stop, start attaching it to cars and use it as a tracking device. And yes, Apple put in some, some countermeasures to prevent it being abused. But nevertheless, there was a lot of abuse of these things and very dangerous abuse. There could be people's lives at stake in terms of the misuse of the Apple tab. Again, there seems to be... I don't want to put barriers in the way of business, but there seems to be a reluctance to accept our society may lose more overall than sometimes we're gaining with some of these technologies. What can we do now? There may be a good reason for that barrier, right? In the sense that you're, if you look at it from the perspective of, are we weaponizing everyone's phones? Lee, is that what this is? From what you were saying, does that in a sense kind of weaponize everyone's phone? And then isn't that a reason to what Eric was saying, to put a barrier in the way? I feel like it is. I agree, Ed. I think the way they're talking about within 15 minutes, just by saying a couple of text prompts, and you can feed in anybody's voice into that, then within 15 minutes, that's it, you've cloned somebody's voice. And you've got a phone, it's on the phone, you can contact anybody, you can impersonate anybody. And I think some of these risks have just not really been thought through properly. Yeah, look, nobody wants to see somebody who loses their voice, not have the ability to communicate to their friends, their family, their loved ones, okay? But even for them, there's a risk. You've lost your voice, there's now a clone of your voice on the phone. Well, still, if somebody gets access to that phone, if somebody gets control of that phone, now somebody can impersonate you. And you may not be in a position to fight back against that abuse against you, because you are disadvantaged in being able to identify and speak and do something about getting your right over your voice, which is now an electronic thing, back again. So I do think we tend to rush ahead with these things. Anyway, quick comment here from Hervé Andure. Malaysia's choice to block URLs is not optimal as they're pushing legitimate use cases to other unregulated forms of communication. This is like the kind of argument if you do something with SMS, ends up being with WhatsApp and the rest of them should we treat WhatsApp. And we'll come back to that in a future episode. We've got to keep moving on. I've got to keep moving on, guys. Before we bring on today's guest cast. And oh, here's another one of our regular weekly features. Each week, Jeffery Ross of Core Authentication, Fraud Prevention and Geolocation Specialists, One Root, takes us on a tour of the world as we overcome the barriers to communicating with each other. This week's destination is England, oddly enough, the place where I am. And having seen the video, it's obvious that Jeffery's opinion of England has been badly influenced by one of our own team. Producer James, please roll the VT. Hey, everyone, from One Round, I'm Jeffery Ross, and this is The World in Your Phone. Let's talk about England. A few countries have an unforgettable impact on the world's history, but England is definitely one of them. The largest of the four nations under the United Kingdom, England is known in popular culture for many things from the royal family, William Shakespeare, Isaac Newton, to some of the world's most famous musicians, red double decker buses, red phone boxes or phone booths, Harry Potter and the ever popular show Bridgerton. But did you know that in 2022, some of the iconic red phone boxes were retrofitted by Vodafone with updated technology to increase 4G coverage on busy urban streets? This was done to improve both 4G and 5G coverage while the old 3G networks begin to be retired this summer. One of the more unknown yet interesting facts about England is that from 1066 to 1362, French was the official language of England. Désolées englétaires. Stamps were invented in England, and due to an old law that has never been updated, it's technically considered treason to stick a stamp upside down. And six ravens must be kept in the Tower of London due to an old tradition and superstition. Be sure to subscribe to the One Route YouTube channel, where you can catch up and watch the One Route Roundup, a show that spotlights individuals and companies making a positive difference in the telecom industry. One more fun fact is the town of Cleethorpes. In the 1820s, Cleethorpes was a must-go-to destination as a health holiday resort with sea bathing and the taking of medicinal waters. At one time, Cleethorpes was described as a bathing place for which it is highly eligible. The air is pure and the scenery amazing with extensive views of the sea. I know if Cleethorpes most definitely tops the bucket list of places to go for Eric. And now that Eric's fallen out of his chair, I will say, Lee, back to you and more of this great communications risk show. Cheers. Do not believe a word that Jeffrey says. Do not believe a word that Jeffrey says. I know you want to say something about Cleethorpes to defend its honor, Lee. What I like about Cleethorpes, Eric, is it's full of ordinary people and we live in ordinary houses and we just go day-to-day doing our ordinary things. We're not trying to be some kind of Ponzi, southern cut-type village down south. You talk about your servants now, not you, Lee, but never mind. We'll move forward. We'll move forward by introducing today's guest. We're so glad to have him here with us. Karsten Nohl. He's the founder and chief scientist at Security Research Labs. He served as chief information security officer at a whole bunch of businesses around the world, including Axiata in Malaysia and Jio in India. And the security findings he's had, he's reached over the years, extraordinary, the ones that he's shared at Chaos Communication Congress and Black Hat Conferences. We could go on and on and on listing what Karsten's done for this industry. Tremendous, amazing contribution to this industry. We're so grateful for it. Now, the subject of today's interview stems from a presentation Karsten gave last year entitled Open RAN. 5G hacking just got a lot more interesting. The connection to telecom is very obvious there, but the risks extend to other sectors too, because they concern the use of cloud containers. Hello, Karsten. Thanks for joining us on the show today. Hi, Eric. Good to be here today. So I referred to the presentation you gave last year that was about the way you found vulnerabilities associated with the virtualization of networks. So just to recap for the less technical members of the audience, the telecoms industry is going through a process of replacing proprietary telecoms equipment with functions that run on cloud servers on commodity hardware. It's an attractive proposition for telcos because of the enormous cost savings. But you, Karsten, you showed how a hacker could find a route to progressively subvert those functions on the cloud, leading to a series of ills like reading private SMS messages, reaching all the telcos customer data, and even tearing the network down. We can't go into too much detail, but for the audience who are not aware of the research you did in that arena, can you succinctly explain how a hacker would be able to get unauthorized access to these functions on the cloud? Sure. Maybe before going into the insecurities, let's remind ourselves why certain changes are afoot in the telecom industry. You already mentioned one of the two imperatives, which is cost saving. There's certain technologies that if you introduce them, you save costs. So it's inevitable that these technologies will be introduced just through market forces. The other motivator are new use cases. Just with our 40 networks, we can't support use cases like car to car communication, for instance. We need more distributed mobile networks, lower latency, so we need to be present with core networks in more places. So both of these imperatives lead to the adoption of generally two streams of technology. One is hardcore virtualization. So not the virtualization of your good old days where you ran two or three things as virtual machines on a few core networks. We're talking about for a country like Germany, where I'm right now talking about 500 core networks for 5G, every single one of them having multiple functional units so that you can have these very low latencies within each region. If you have to administer thousands of functional units now in terms of Docker containers, you need a very high level of virtualization. You also need a very high level of automation. That's the second technology trend. So basically to save costs and enable new use cases, you need virtualization and automation. Now for the hacker, that's a field day because both of these introduce new attack surface and new vulnerabilities often found in other industries already just new to telco. And so to your question, what's the typical journey of a hacker into one of these more modern, cheaper to operate, enabling new use cases, a mobile network, it's usually four steps that the hacker follows. First, I identify some insecure part of infrastructure, like a test server or something forgotten and those existed before. They usually locked away in what we call the demilitarized zone, a DMZ. And these DMZs still exist today, but instead of having hardware firewalls, because of that high level of virtualization, we're talking about software firewalls. Everything lives in kind of the same Kubernetes environment. So there's a good chance that after you break into one of these unimportant servers, you can escape from them and take over the Kubernetes environment. So not necessarily the entire telco at this step, but you break out of your little sandbox that the developer cuffed out for themselves. That first step is enabled by the virtualization trend that we can't stop anymore. So we have to learn to live with it. You're then in some kind of a development zone where different test systems are all coexisting and you'll find a lot of what we call a CICD infrastructure, basically the infrastructure that allows you to have automation. Instead of humans in the loop, you have all kinds of scripts and they need to be changed all the time. So software trickles down through these systems and mistakes are being made in all industries, but this being a new trend in telco, of course, many more mistakes are made in telcos as new adopters. So you find these entry points in these CICD pipelines, be it exposed source code repositories on the internal network, weak credentials, APIs are probably the biggest problem, hundreds of APIs, some of them tests, some of them production, but all of them reachable from that little foothold. So the second trend, the automation allows hackers to go their second step. So now we're somewhere in a more interesting place in a mobile network and still not in a production network, not in a telco network, but we're somewhere where we can influence software that eventually trickles down into the telco network. And that's the third step, basically just wait for your changes to be propagated into the telco network. Now we're sitting in the telco network. Chances are, once again, you're kind of a boring part, right? You don't always get lucky. You don't always get to hack the domain controller. You're in some software that does something in a telco network. And once again, you're breaking out of your virtualization, you're taking over this time the real telco network. So really four steps that are all enabled by these trends, virtualization, automation, and every single one of them, hard to prevent unless we want to stop the trends of building cheaper networks and more automated networks, really hard to prevent mistakes from being made, right? So the pressure really is on to detect these mistakes before the hackers do and firefight all the time. That's why telco hacking has gotten a lot more interesting. It's much more dynamic. It's much more tactical these days. You say that with a little smile on your face because you're the guy who gets to play a game. I'm finding the flaws in these cloud containers. You mentioned Kubernetes. So specifically you identified some issues in terms of hackers being able to infiltrate Kubernetes containers. They're one of the most popular form of container technology for the cloud. Yeah, 100 percent. The scale of what can go wrong is very big. I'm an old school risk manager. I like to think in terms of the scale and the probability of what's happening here. And to some extent, you pointed out in your presentation that it actually took you a lot longer to work through, to find and to identify some of the vulnerabilities that you found. It took more work in practice, OK? So on the one hand, it could be that there's more effort involved. And so the probability of being hacked may be, and this is what I'll leave you to decide, maybe lower. But the scale, the potential impact is higher. How do you put into words, it's very hard to put into words, but how do you put into words the sense of the scale of the risk we're taking on and how much is it to do with the probability versus the scale of what will happen when hackers, if hackers get access to the cloud systems that are telcos running? So telco networks have always had security issues. That's known hopefully. But by and large, telco networks, when considered hacked infrastructures, we rarely hear that telcos go down or go black because of hacking. With 5G, that is becoming more likely because there's just many more moving paths where something can go wrong. So the surface of attack is increasing dramatically and intentionally so. Like I said, in Germany, we're deploying 5G networks in 500 locations. So as compared to the maybe three or four core locations we had for 4G, more than 100 times the attack surface, logically speaking. Networks, on the other hand, maybe to say something positive for a change from hacker, networks become a lot more resilient. So those 500 copies of the core, they're not being configured manually. Just deployment scripts that can create as many as you want. So for instance, somewhere is no concern at all for 5G network, at least not on a long-term basis. If somebody encrypts your files, just rebuild everything from scratch. So we're becoming more resilient, but we'll have to expect more short-lived outages. That's fascinating. Next week's guest will be Patrick Donovan. He's a different kind of security research to you. He spends his time analysing the security products on the market and the businesses that supplies them and the factors that drive demand for those products. He's going to be talking about one of the most important factors that's driving demand, the threat posed by nation state actors. If we were to suppose a nation state with effectively limitless resources decided to exploit the vulnerabilities you identified, what objectives do you think that they would realistically set for themselves? What would be the consequences? Would it be of a type that might be very sensitive in a country like Germany, nationwide surveillance effectively? Or would it be the case that they'll be looking to shut down communications? And as you say, maybe communications networks may be resilient, but maybe shut down all communications at a certain point in time? What would you, if let's put it another way, you were in charge of one of these nation state actors, what do you think you could realistically achieve in terms of attacking a country's networks? State sponsored criminals, they're certainly interested in two very different goals. One is stealthy spying, so trying not to be detected and collect as much data as possible about individuals or industry secrets. The other strategic objective is to take down critical infrastructure. So be very loud and be very noticeable for as long as possible. With future mobile networks, both of these change in nature, they don't necessarily become more likely, at least not the spying. But we do put more X into the same basket by using these highly automated infrastructures. So maybe let's start with the spying. I think what we basically settled on as the message you will state after the Snowden revelations is still true. Spy agencies can spy on everyone, just not at the same time. So with enough resources deployed, a state will be able to spy on every individual through mobile networks, but not all individuals in a mobile network all at the same time, because that would be too noticeable. And I think that is still true in 5G. No matter how much insecurities we add, we also add great opportunities for telemetry and security monitoring. So any wholesale abuse would be noticed. And as a society and even as users, I think we can live in a world where states can break into anybody's one account or 100, say, as long as it's not millions, because those people likely to land on those lists that state-sponsored criminals want to hack into, they hopefully know that, and they don't likely rely on the security of a mobile network. Whereas the average user who does rely on the mobile network security, they don't land on those lists. So we're in an OK equilibrium. That leaves the second hacking objective, which of course is availability. And I, for one, I'm surprised how the cat and mouse game pans out in Ukraine, for instance, where obviously there is a very capable cyber actor trying to take down the mobile networks and other critical infrastructure. They sometimes succeed, but mostly not. So if you deploy enough of the defense resources, cyber-wise, apparently the battlefield is relatively equal. So while mobile networks are insecure, by default, abuse can be detected relatively quickly when deploying enough resources. And because we're worried about this availability issue more in geopolitical tense situations, as long as we create these opportunities to collect telemetry and respond to abuse, I think that too we are in an OK equilibrium. So I wouldn't worry too much about state-sponsored spying. It's possible, we're never completely prevented, but states have limited resources too. So are you more worried about criminal activity from organized crime then? Do you think that's a more serious threat than the nation-state threat? Yes, I am more concerned that ordinary citizens rely on mobile networks. For instance, for the authentication to online services. So criminals are not really interested in what you talk on the phone or what you write in text messages, that which you could hack in the telco. They're interested in that one SMS that gives you access to your Google account. When you say, I forgot my password, OK, please verify that it's really you. We sent you a text message. Now the criminal has access to interesting information, Gmail, all the other services. And as we've seen, telcos struggle a lot with SIM swapping. And whenever there's any electronic means to get that same information without having to walk into a local telephony shop, that's just prime target for abuse. So it's mostly the weaker members of society that get victimized and not by governments, but by ordinary criminals. Is this an area where if communications was encrypted end to end, that would address some of these some of these risks for the ordinary user? Yeah, I'm not going to advertise using, for instance, WhatsApp as a second factor authentication, but I've seen it done. And I believe a company like Facebook can certainly deploy more security resources into their ecosystem than the weakest out of how many? A thousand telcos. So on balance, I feel like going with these hyperscalers for security is a better bet than to to guesstimate what protection you can expect from the local network you're either a customer of or you're currently roaming in. Right. So a lot of this is outside of your own control. Interesting stuff. Ed, I want to bring you in on this now. The commercial realities here, I wanted to ask you about that. Is it inevitable virtualization because of the cost savings and therefore we're going to have to pump up and put in the appropriate level of security resources to do it? Or might some businesses be resistant to virtualization because of the risks being posed? I mean, I think Carson makes a really good point that from an economics perspective, the virtualization aspect of it seems inevitable. And it's one of those things where it's kind of like with cars, where like, well, you can hold onto your gas car as long as you want, but eventually you won't be able to get them anymore because you're only going to be able to get electrics. And I think there's some market effect like that that'll end up occurring. The sorry though, I've probably lost my train of thought now, Rick. So if you have to apologize. Well, I'm just keen to get your feeling here on terms of the economics, you know, whether we end up having to, whether we have to keep on moving forward, like sharks that have to keep swimming going forward, or is there a possibility sometimes you freeze technology rather than always doing the next thing you could do? The question, here's what I see actually is now it's not so much whether virtualization is happening, but where's it going to live, right? And so you're seeing a lot of these questions and forgive me everyone for losing this thought a moment ago, but what I'm seeing a lot of now, right, are these questions and a lot of practitioners writing articles about the cost we thought we'd get about moving to the cloud really didn't happen that way. We had these cost explosions. These are the steps we're taking to bring some stuff back in house or to simplify some of our architectures, you know, to bring those costs down. So that's where I tend to see, you know, a lot of those discussions. This is like out of house or in-house and how are we architecting it? And are we using serverless or not? And there's our microservices environment becoming too big so that the traffic is too hard to manage as to those kinds of things. Interestingly, a lot of those add up to what Carson was talking about though, right? Is that all those exposures, right? All the discrete microservices, all the APIs. And one thing that also he made me thought of as we were going, talking about the 5G spec, you're looking at the 5G standalone spec. There's a really interesting thing in it called network exposure function, right? NEF. And what network exposure function in concept does is basically take anything in the network, anything the network can do, and you could define it, you know, individual as a service and expose it via an API. That doesn't mean that you should do that with every single service in a 5G network, but you know, the spec is made up so that you can. And so I think one of the questions that comes up in Carson, I would hope that this is something you could probably consult the folks on is look, when you go on implement this, how do you implement NEF in a secure way? Even before you even implement it, how do you define what you're even going to expose in a way that ended up being secure before we throw this out there? Right? So I mean, I think there's a lot of yet unanswered questions around 5G security still to come, you know, on this virtualization tree, right? It goes on and on and on like that. Again, forgive me for losing that midway. Hopefully I got it back. Just to add to that, this is the false mobile network generation. I don't know what happened to 1G, but somehow is the false iteration that people are implementing over 30 years. So that almost a decade goes into every single generation. And yet every single time it feels rushed, every single time people put themselves under pressure to roll it out without spending that six months time window to architect it well. And with 5G is no exception. That's a great point. That's absolutely a great point. I want to bring you in here, Lee as well here, because I don't know how much you can talk about the work you've done, but you have done work of the type where you have advised nation states on the business parameters, the reasons to move things to the cloud, the extent to which the country might be rejuvenated and generate income for itself by seeking to be the host of clouds of cloud service for other countries as well as itself. Is security a big topic that comes up in that kind of cost benefit analysis or is it something that is treated as something that they'll deal with when they need to deal with it? So this is quite an interesting question, Eric. So usually I've been a big promoter of the cloud and over here I can talk about Bahrain in particular. There's not many hyperscalers over here right now. There is a big push to try and get more and more here. But we've actually done the cost benefit analysis we've done is to put some bits of the IT domain within the cloud is it's actually cheaper just to buy a server, put it in our own rack and to manage it ourselves. Right. So I think over time that price per unit is going to come down as more and more hyperscalers come here. I mean, Bahrain tends to be quite an expensive market anyway. I know when you try and buy something from suppliers, they tend to pump the price up quite a bit. So Bahrain is quite unique in that way if you compare it to other countries around the world. One of the other factors, so apart from the cost and benefit analysis, one of the one of the primary things around which is a main concern for other countries is that transported data or having that data being sent overseas and is and is held within within another country. Lots of concern about that and the security around that. Absolutely. Can't agree more about that. Karsten, let's bring it back to you here now. So we've talked quite a bit here about telcos, which is great because a lot of people who watch the show are interested in telcos and work for them. But this isn't just about telcos, these problems you've identified. They're actually they really extend a lot into into many other aspects of many of the critical businesses, many of the functions of society that we need, including utilities, for example. What's your appraisal of the extent to which the vulnerabilities you've identified could cause harm in other parts of society and other sectors too? Are there critical utilities that come to the front of your mind where you worry that maybe cloud security is inadequate? Yes, spot on. Telco isn't the only industry where people like to enable future business cases and save money. Turns out everybody wants that. Now, what puts telcos apart, I think, is that in the telco world, we think in step changes from 3G to 4G to 5G. So there's certain technology changes that are forced onto telcos. And like I said, it always feels rushed. You have to be part of 5G if you want to stay relevant. You have very little time to prepare. Certainly 4G didn't prepare you for that change. In all those industries that I'm aware of, this is more a smooth transition where people say, let's let's dabble into cloud, let's move some non-critical applications into cloud, let's learn, let's make mistakes, low risk, possible high reward, and gain confidence, gain operational experience, find the right partners, and then move more and more. There's never a step change. So the same problems exist everywhere else, but the effect is much muted through the opportunities to explore and gradually change. Now, having said that, of course, most of the large data leaks of the last years were based on people using cloud technology wrong, like that level of inexperience that everybody starts with. Whenever there's data sets, millions of health records or financial records accidentally posted on the internet, it's always some kind of a cloud environment. But that seems a tiny fraction of the data that is being moved into the cloud. So most people seem to get it right most of the time. What of course also helps is being able to use standardized services from Google, Amazon, and Microsoft, which is provide infrastructure will provide most of the operating system and thereby solve many of the security and security operations problems. You'd be hard pressed to find a provider, not just in Bahrain, but in most places in the world, would be able to help you provide your telco cloud infrastructure. So there you're becoming the Google or Amazon equivalent, but they have 20 years experience in that and you don't. So it's a step change that is multiplied by you going deeper into this stack. So yes, other industries share the same problems, but not to the same extent. That's a great way of looking at it. I've got a comment here from one of the viewers, Claudia Durkin, lovely to have you watching the show, Claudia. She says planting the fuse. Great overview, Karsten. Inspecting virtualized containers is often ignored because it's not on the asset inventory. So she's basically agreeing with you there. It's great to have that. One thought that came to my mind during our conversation just then was the generations. You talked about the gap between the generations and the things being rushed in terms of moving forwards in the telecoms industry. It's not clear to me whether the gaps will start to slow down a little bit now and whether there might be a slowing down because telcos have been resisting a transition towards a valuation, which looks more like a utility company than a tech company. So one could argue the need for always delivering something new is because over all those decades we've been talking about, telco started off with valuations much more like tech companies with a high PE ratio, the belief that it's going to be worth a lot of money in future. We're going to onboard a lot of new customers. And so it didn't matter if you were generating revenue now, whereas these days it's all about dividend yield. You'd be paying out some dividends and generating lots of positive cash flow. And in that kind of environment, it might lead to a slowing down more like businesses, like utilities, because there's not the expectation from investors that there will always be something sexy and new each year. Or it could be budgets will get slashed because it's all about cost control and security could be put at risk. Karsten, how much is there any truth in what I'm saying here as a guy who's been at C-level in some big telcos and where would you say the balance lies? Is it that we might slow down and be a bit safer or might we just be cutting more corners in future? Providing just connectivity services certainly has become a commodity and regulators really enforced that. Most countries have four or even five telcos competing for exactly the same geographic footprint with exactly the same services. So obviously there's a race to the bottom in terms of margin. What telcos of course have been trying to use economically and not super successfully is the client relationship. Having seen somebody physical, at least knowing where they live by virtue of having sent a SIM card there, that should be worth something in a highly virtualized world. And it certainly was something for criminals who SIM swap you and take over your identity and everything else is tied to that identity. But that linkage all by itself hasn't enabled telcos yet to monetize enough to make up for that commoditization pressure. They're trying again now. Axiata, where I worked a few years ago, I think is a little bit ahead in the game of API-ifying everything. It's basically giving or selling access to customer data, trying to balance economic opportunity because of course the need for privacy of the customers. That seems, at least in some parts of the world, a very viable strategy and to really distinguish yourself from everybody else who just has connectivity. You have connectivity and insights into your customer. But somehow that is not catching on to the same excitement that I had when I first saw it. And you guys would be in a better position to comment on where the resilience or resistance rather comes from. Lee, do you want to comment? Well, I'd say the resistance probably comes from the regulators. Ed, do you agree? You don't really do much regulation in the USA, do you? Not around privacy. Now, some of it though, too, though, I mean, I agree with Lee, but some of it, and I actually just am wrapping up a report for the team forum about this. Some of it is the platform model that a lot of telecoms don't see themselves as a platform business, don't see themselves as a platform company, and it's not the foot that they put forward first. That would be my guess. Well, we're running out of time, guys. So one last quick question for your casting, because we really appreciate your time today. We also want to know what you're going to be doing next. What is your current focus of the research you're doing? What are the big security risks that you're thinking that we all need to be thinking about next, and it's going to be interesting to you in the immediate future? I'll tell you what I think you want to hear, and then I'll tell you what I think you need to hear. I think that the big trend in terms of change, it's certainly opening APIs to partners and to more and more and smaller, smaller partners, until you're really opening APIs to anybody who wants to consume them. Being in a similar situation as Facebook a few years ago, you remember Cambridge Analytica and whatnot. So telcos are certainly running for economic pressure reasons in that direction. And I'm sure lots of goodwill comes from it, but also lots of hacking comes from creating new interfaces. Again, learning curve. On the path to secure system, there always lies an insecure system, and we're entering that phase now. But I think that's the gradual change and incremental hacking pressure. I think what you need to hear really is, continue to focus on the basics or finally focus on the basics. There's these five processes that have been in security forever, and telcos are just not good at them yet. There's patching, there's hardening, there's identity management, there's segregation, and there's backups. You get those five things right, you become highly unattractive to a hacker because they find much weaker targets everywhere else. So please just don't worry about what changes. Focus on what you already have on everything you could already be doing around those five basic processes. The hacking pressure is certainly increasing, so just because you've gotten away with it so far doesn't mean that's a guarantee for the future. Very wise words. Thank you so much, Karsten. We really appreciate you having you on the show today, and we look forward to hearing what you come up with next in terms of the new vulnerabilities you find in the future. And maybe you'll join us for the second season of this show as well. We'd love to have you back. I'd be delighted, yeah. Thanks for having me. Thank you so much, Karsten. Well, that's it. We're out of time. It's frustrating, this show. There's so much we could talk about. We never seem to fit it all in. Ed Lee and I will return next Wednesday. We'll be talking to Patrick Donegan of Hardin Stunts about the threats posed to comms providers by nation state actors. Watch live on Wednesday, 24th May at 11am US Eastern, 4pm UK, 8.30pm India. Save the show to your diary by clicking the link from the Communications Risk Show website, because it's not literally possible to read out every single timezone every single week. Or just make your life easy by subscribing to the Communications Risk Show broadcast schedule and have every weekly show uploaded to your diary automatically. And the good thing is, if you subscribe now, when we've only got a few episodes left in this season, you'll be confident that you'll have all the episodes for our next season added to your diary too, as soon as those episodes are scheduled. Thanks again to today's guest, Karsten Nohl, Chief Scientist at Security Research Labs. Thanks to my co-presenters, Ed Finegold and Lee Scargall, for their commitment to vigorous debate and their steadfast refusal to be baited by my outrageous questions. And last but certainly not least, our thanks to our wonderful production team. What a great job they always do every week, James Greenley and Matthew Carter. You've been watching Episode 10 of the Communications Risk Show. I'm Eric Priezkalns. You'll find recordings of all our past shows on our website, tv.commsrisk.com. Visit our main website, commsrisk.com, to stay informed of the most important risk news and developments from all around the planet. And check out the website of the Risk and Assurance Group, RAG, at RiskandAssuranceGroup.org for lots of free services and advice for risk professionals, including the RAG4 Block Train and RAGS Leakage Catalogs. Thanks for watching. We'll see you next Wednesday.