To Repel Supply Chain Attacks, Better Incentives Needed
Aging Protocols in Desperate Need of Overhaul, Says Security Expert Karsten Nohl
The five-year data breach recently disclosed by Tampa, Florida-based Syniverse revealed yet another criminal or nation-state hack attack targeting a key supplier.
But with most of the world's top mobile carriers relying on Syniverse to route their text messages, it's no wonder the company got targeted, says German cryptography and mobile telephony security expert Karsten Nohl.
"I'm not surprised that we heavily rely on a few technology providers to provide services across large ecosystems. We do that privately too, right? We all gravitate towards the same platforms for network effects," Nohl says.
"I'm also not surprised that criminal hackers would go after these critical points in infrastructure. The lesser known the better, because then there's less attention, there's less security scrutiny from the public and the customers," he adds. "So all of this comes down to supply chain security, where it's been learned time and time again … that more often, you suffer damage by one of your suppliers getting hacked than you yourself getting hacked, because of the multiplier effect."
In other words, if by hacking a key supplier such as SolarWinds, Kaseya or Syniverse, an attacker can successfully subvert not one company, but perhaps dozens or thousands, then the odds are they're going to target the supplier.
In this audio interview with Information Security Media Group, Nohl discusses:
- How technology and communications businesses in particular must rethink their risk calculus, especially surrounding supply chains;
- The security risk posed by - and potential mitigations for - such outdated protocols as Border Gateway Protocol and Signaling System #7, and the continued reliance on SMS text messaging;
- The need to incentivize the right group of stakeholders to overhaul and maintain old networking and communications protocols that underpin today's top services.
Nohl is the founder and chief scientist at Berlin-based Security Research Labs. He previously served as an interim CISO at both Axiata and Jio, as well as a senior associate at McKinsey & Company.
Mathew Schwartz: Hi, I'm Mathew Schwartz, with Information Security Media Group. Raise your hand if you'd heard of Syniverse before the news recently broke that the telecommunications service provider had suffered a five-year breach.
The breach is a big deal. Tampa, Florida-based Syniverse helps route calls and text messages for 95 of the world's top 100 mobile carriers, among others. It handles more than 1 trillion different types of messages per year.
Karsten Nohl is the founder and chief scientist at Berlin-based Security Research Labs, which continues to conduct extensive research on the aging protocols underpinning today's internet and communication networks. These include Border Gateway Protocol, which was tied to a recent, massive breach of Facebook, including Instagram and WhatsApp. Another oldie but goodie is Signaling System #7, which can be hacked to intercept calls or text messages that contain one-time codes, for example, for banks.
And then there are text messages.
So Karsten, what's your reaction to someone targeting the one firm that handles text messaging on behalf of many of the world's mobile carriers, both large and small?
Karsten Nohl: I'm not surprised that we heavily rely on a few technology providers to provide services across large ecosystems. We do that privately too, right? We all gravitate towards the same platforms for network effects. And just because one platform monopolizes markets easily when it does come to connecting different entities.
I'm also not surprised that criminal hackers would go after these critical points in infrastructure, right? The lesser known the better, because then there's less attention, there's less security scrutiny from the public and the customers. So all of this comes down to supply chain security, where it's been learned time and time again, especially over the last, let's say 24 months, that more often, you suffer damage by one of your suppliers getting hacked than you yourself getting hacked, because of the multiplier effect. If the supplier like SolarWinds or Syniverse gets hacked, many more companies and ultimately customers suffer from the privacy intrusion than when an individual company gets hacked.
Now in the mind of the professionals, supply chain security is the number one topic. But that hasn't trickled down to kind of a general awareness that there are technology providers who are basically responsible for the privacy or lack of privacy of virtually everyone.
Mathew Schwartz: Well, if you're a chief information security officer at even a large company, your threat model might not have included the text messages that your employees are potentially sending to each other. I mean, maybe it did, but certainly, as you said, supply chain security, for people who know security, it's becoming increasingly a perceived risk. But then you end up with these things like, What do you mean, there was one company handling everybody's text messages? I mean, how do you account for that? I suppose, I guess you make sure they use encrypted communications and things. But there's all these things that can get you, it seems.
Karsten Nohl: Yeah, and I think in this specific area of text messaging, people are well aware that text messages can be intercepted from a number of technology mistakes that were made over the years. And, well, some of these technology mistakes have been fixed now. It left text messaging with a pretty bad reputation, in terms of privacy. However, we do still rely on text messaging for second-factor authentication to almost all of our internet accounts.
So if I wanted to break into your Gmail, Facebook, Yahoo, whatever account, chances are, I'm going to find a password somewhere - maybe in a password leak, or maybe through phishing. And then all I need is the text message to unlock that. In fact, even if I don't find a password, I can probably click on 'reset password.' And all it's going to do is request some generic piece of personal information and text message code. So the text message is there to unlock the digital identity of almost everybody. And at the same time, it's not a well paid for or well-maintained service. As text messages can be sent for a fraction of a cent in some countries, putting any kind of security dependability on that might be wrong to start with. But that's the situation we're in and companies, large companies in particular, have not factored that into their risk calculus sufficiently yet.
Mathew Schwartz: I think NIST several years ago said, Don't use text messages for two-factor. And yet, of course, we still see it. We have Google Authenticator and other apps that people could be using for these text messages. But I know here in the U.K., multiple financial services firms, don't offer that. They only offer text-based authentication still. So what's the answer there, more regulation perhaps, to drive them away from text codes?
Karsten Nohl: I think it's easy to declare text messaging insecure. However, there doesn't seem to be a viable option that comes with the same properties in terms of functionality. So the one property that text messages have over everything else is just the part that helps you recover if you lose your phone.
So if you lose your phone, you walk into a Vodafone shop, you show your ID card, you get a new SIM card with the same number, you receive those text messages again. If you lose your phone, and it has the Google Authenticator on it, how do you recover from that? There's no Google shop that you can walk into to flash your ID card, it's a much more convoluted process, which if it's solved in a convenient way, it again becomes insecure. And if it's solved in a secure way, you will never be able to recover your phone's security codes anymore, right?
So text messaging, just functionally, seems to have a monopoly. So through regulation, or as it was pushing people away from text messages, that might not be the next meaningful step, unless really proper alternatives have been established.
Mathew Schwartz: You'd mentioned some of the challenges associated with text messaging. I know you've written about Signaling System #7 before, because we saw it being exploited a few years back. Have you seen any large-scale improvements when it comes to locking that sort of thing down? I don't know if you've been looking very closely at that or not, I don't want to assume.
Karsten Nohl: Oh, yeah, we are definitely following the ongoing drama that is SS7, a technology that was introduced in the 80s and manages to survive through all mobile phone generations. So this was introduced as a 2G technology. Today we have 5G, and the 5G network is still bound to this old standard because of the network effects.
To exchange information internationally, like text messages, you need to speak the standard that everybody else is speaking and the common denominator is SS7.
There are better standards. There's Diameter, which was introduced as part of 5G, which isn't all that secure. But then there's a standard just for 5G that would solve all of the security issues. And nobody's using it. Why would they, if everybody else is still on the old standard?
So it's a first-mover problem, right? You don't get any advantage from being the only one to support a new standard. So everybody is dragged down to that old security level.
But while the topic of SS7 security bubbles up in the public mind once or twice a year, there isn't much pressure yet for telcos to actually improve. The European Union, actually, a few years back, did an assessment of just European telco operators, and how many of those had fixed some of the most latent issues in SS7 data? And it was less than 30% who had even tried. Was it successful or not, that's another question, but 70% of the operators - this is years into the discussion of SS7 security - had decided that it made no difference anyway. Nobody is being called out in particular; it kind of makes the whole industry look bad, so why would I be the one going above what everybody else is doing?
Mathew Schwartz: There's an economic disincentive to spend time and money on it if it isn't going to matter.
Karsten Nohl: Yeah, I don't think anybody has ever switched a phone contract to a more expensive provider just because they had SS7 security, right? There isn't an economic reason to protect customers because those customers make the loyalty decisions to one network based on other factors.
Mathew Schwartz: Definitely. Do you follow the BGP saga as well? I'm just thinking of the Facebook outage the other day. Yet another old, old standard coming back to get us.
Karsten Nohl: Spot on, and SS7 and BGP are roughly the same technology generation. BGP might be a little bit older, in fact. But BGP does very active monitoring for abuse, which we have yet to introduce with SS7. So old technologies shouldn't be relied on blindly. But if you're constantly checking for abuse then abuse becomes much less likely. With SS7, we have yet to reach that point.
Mathew Schwartz: What else do we need to consider, when we're looking at how to address these types of problems?
Karsten Nohl: Well, I find the question interesting as to who should be responsible for text messaging or SS7 security, and we kind of put that responsibility on the wrongly incentivized group of stakeholders, right?
We expect the telcos to improve the security of their services, without anybody being willing to pay anything more for it. And I think we've got that the wrong way round, right?
Banks were the first to heavily rely on text messaging for two-factor authentication for online banking. Many banks have moved on since then. But they were followed by internet companies, you know, your Twitter account, your Facebook account, all of that.
All of these companies are looking for the cheapest option to deliver text messages, and not contributing anything to the security of the text messaging system overall. If any of Google, Amazon, Facebook sent a security audit team to Syniverse, saying you are one of the critical providers for our infrastructure, we need you to be secure, that would go a long way of improving the security for everyone. But nobody feels responsible for securing this technology. And in that sense, nobody has any right to complain about it being insecure either.
And maybe to drive that point home, this will not be the first time that you, your readers, myself, come across the problem of possibly insecure telecommunications infrastructures. And so we read these stories a couple of times per year, at the very least. And yet, we have never taken any decision to change it. We've never actually looked into which network could be more secure, which network could be less secure. We have never written a strongly worded letter to our telco, or to a regulator, demanding more mobile security. And we have not suggested to Google or Facebook that they should start paying for the infrastructure that they so much rely on.
Mathew Schwartz: Fantastic points. I know we've seen with some open source software in recent years, where a similar problem happened: it was buggy, it got exploited, everyone went, 'What do you mean, the entire internet ecosystem is resting on this small thing?' And we saw some funding finally, for these sorts of protocols. Possibly we could get that with a little bit more pressure on some of these telecommunications companies to say, sort this out amongst yourselves please?
Karsten Nohl: Well, if regulatory pressure leads to all communications companies, adopting certain norms, that will definitely be welcome, and that will just lead to an increase in prices, right? Somebody's got to pay for it. And that might not be a bad thing.
But being a market economy, right, I would have wished that you know, the likes of Google do contribute that budget to securing infrastructure that they so rely on. I'll give you an example to maybe illustrate the point that as an industry, we're very keen on pointing out problems, but then nobody feels responsible for fixing it. So, there are bug bounties, including for open source software. And there is a messenger application, an open source messenger application that people used to securely exchange messages over the internet, an extremely popular platform. And some big Silicon Valley company has acknowledged that the internet relies on it and put out a $70,000 bug bounty if you find a critical bug in this platform.
This is a project that is done in the free time by one guy who has never received any funding whatsoever. And now he's being told that anybody finding a bug in his software gets $70,000 for it, right?
Speaking of perverse incentives. I mean, I know how he can make a ton of cash now, right? But the fact that you first try to tell somebody what all they're doing wrong, without ever having offered to support them in getting it right, I think that is a trend that we see globally, but amplified through our attention, which is always on the bad stuff.
We never talk about, you know, a company like Syniverse doing a security assessment, and now being a notch more secure. We only talk about them the day that they get hacked. And everybody loves to see that news and loves complaining about it. And nobody steps up to the plate and says, I'm here to fix it.
Mathew Schwartz: Excellent points. Although hearing the whole story can be very difficult. It's all very opaque. You will ask a company like Syniverse: How did you spot this breach? What have you done now to prevent it in the future? And they'll say, we've made improvements, that's all we're going to say, because if we tell you anymore, it might give attackers an edge.
Karsten Nohl: Exactly. Well, you can understand it from their perspective too, though, right? That, of course, they feel very insecure, and they're relying on a very thin layer of security from everything that now transpires. Describing in detail what that thin layer of security is, of course, doesn't help.
So you shouldn't rely on obscurity for your security. But obscurity definitely helps on top of everything else, right?
Mathew Schwartz: Great points here that you've raised, like bug bounty programs. There needs to actually be a culture of fixing these things in place inside an organization, before you get people to tell you what else needs fixing. Otherwise, how do you know where to start? Or to get buy-in? Or to prioritize?
Karsten Nohl: And don't get me wrong. I love the idea of bug bounties. I think, you know, the crowd mind definitely is what we need for security. But putting up a bug bounty for somebody else's software that is not actually security-maintained, and lacks the resources of security maintenance, that might not contribute ultimately more security, but just more discussion on who was to blame.
Mathew Schwartz: So what was that messaging app that you were referencing?
Karsten Nohl: I think this was Pidgin. Yeah, so, Pidgin - P, i, d, g, i, n. And it's now $100,000.
Mathew Schwartz: Amazing. That could be a profitable, albeit illicit, little day job if you worked it out just right?
Karsten Nohl: Well, the programmer himself, he of course knows some bugs. And I mean, I don't want to go there, but he could definitely put a bug in there. And then have a friend report that one.
Definitely, perverse incentives. The same seems to be true for text messaging security. That's why I mentioned that proposition. There's many people who have a reason to hack text-message-based systems, but nobody contributes any budgets to prevent that from happening.
What do you call this class of problems - like, pollution? Where if you fix your part of the puzzle it doesn't really get better unless everybody else does the same, right?
Mathew Schwartz: It sounds like pollution. You have to go back to the source of the trouble, don't you? Filtering the water downstream isn't the optimum approach. It doesn't fix the actual problem.
Karsten Nohl: Exactly, yeah.
Mathew Schwartz: Karsten, thanks so much for your time and insights today.
Karsten Nohl: Well, Mathew, it's nice speaking with you.
Mathew Schwartz: I've been speaking with Karsten Nohl, founder and chief scientist at Security Research Labs. I'm Mathew Schwartz with Information Security Media Group. Thanks for joining us.