Hacking – it’s definitely a worry for mobile networks. They need to be so careful about ensuring the security of customer data, both the payload and the signalling, and all the customer identity information. If they lost it, it would hit the headlines for days, and they would have a hefty fine to look forward to. The brand damage would be immense, perhaps even fatal.
They also have to be pretty careful about network availability. We saw this thrown into the limelight when O2 lost their network because of some incorrect software coding and processes in their Ericsson deployment. I am sure other operators were so quiet because they unanimously whispered ‘there but for the grace of God…’ under their breaths.
Then there is also the suspicion of state sponsored intervention into a foreign country’s telecoms infrastructure, particularly highlighted by the level of mistrust towards Huawei in many western countries, even to the extent of outright bans and the ripping out of seemingly fully functional Huawei equipment well before its end of life. All very cloak and dagger, but in the modern world something that regrettably needs to be taken seriously.
So, assuming the network is fully protected, the next question might be: ‘if state sponsored interference is a big deal, then what else could be used to disrupt a mobile network or to compromise users’ data or identity security?’
An interesting question, and one answer does spring to mind: at the heart of 95% of mobile connections these days is a highly functional piece of extremely complex technology in the form of a smartphone. The supply of these devices tends to be dominated by a limited number of massive corporates, with a lot of also-rans struggling to compete for the leftovers. The big players at the time of writing are Apple, Samsung, Huawei in the UK at least, with more than 60% of the market, followed by Lenovo, Xiaomi, LG & ZTE (all stronger in the Asian sphere). There are of course regional variations, for instance Pixel in the US and some Indian vendors that are successful in India but as yet have little international presence.
One can therefore ask, if a vendor was in an intelligence co-operation with a state, presumably the state of its origin, then what could be done to disrupt the security of communications, or the privacy of the population, of another state, where a significant market share of devices was from this vendor?
Assuming that the mobile terminal operating systems are either:
- completely proprietary and owned by the terminal vendor as is the case for iOS and Apple
- or at least capable of having proprietary extensions built into it as is the case for Android
then in those cases there is flexibility for the terminal vendor to integrate malicious functionality of their own choosing into the operating system. Added to this there will also be the possibility for the manufacturer to build ‘malicious’ software into the device baseband and to have this deployed as part of their standard build.
Given this, what could be done?
At this point we should mention that it isn’t really news to say that smartphones can host malicious software. For years we have seen apps that surreptitiously dialled premium rate numbers, sent premium rate SMSs, or let the app vendor mine large amounts of user information that could then be sold on or used to access accounts elsewhere. This is a big risk; however, users in general understand these risks, accept them, and largely those that care attempt to minimise their exposure by being ‘sensible’ in their behaviours with devices, be they tablets, phones or PCs.
We would argue there are a few key differences when the malicious code is installed by the terminal vendor, and these are:
- Firstly, the malicious software can be in every terminal that the vendor produces; it is not dependent on any user behaviour, e.g. accessing a particular website or downloading a particular app.
- Secondly, the malicious software can be down almost at the binary level and many times harder to find than anything at the app level.
- Thirdly, most of the controls against malicious code are actually at the app level, be that by user scrutiny, or app store scrutiny.
This means that if for instance a vendor has 20% of the market then it opens up attack options not only aimed at the owner of the terminal but also to some degree at the mobile network as a whole, and to the population as a whole. Two attacks spring to mind for example:
- 20% of mobiles overstressing the network by continually going into and out of flight mode 10 times a minute is probably going to overload the mobility components of most networks and bring effective communication to a halt.
- Gaining access to a random 20% of the population’s address books will allow a near complete network map of communications between the population, and all associated telephone numbers.
To implement these two attacks would require very little: a very simple broadcast instruction invoking a routine in the case of the first attack, and a periodic small upload from participating mobiles in the second, which would go unnoticed given the scale of data usage and the propensity for these devices to ‘phone home’ anyway.
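From the operator's side, the first scenario would show up as many handsets of the same model re-attaching at an abnormal rate at the same time. The following Python code is an added example, not part of the original article: it groups attach events by Type Allocation Code (the first eight IMEI digits, which identify the device model) and flags a model only when several of its handsets cycle in the same window. The event format, the thresholds and the IMEIs are constructed assumptions.

```python
from collections import defaultdict

def tac(imei):
    """Type Allocation Code: the first 8 IMEI digits, shared by one device model."""
    return imei[:8]

def flag_cycling_models(events, window_s=60, attaches_per_window=10, min_devices=3):
    """Return {tac: [window_start, ...]} where at least min_devices handsets of
    one model each attached attaches_per_window or more times in the same window."""
    attaches = defaultdict(int)               # (imei, window) -> attach count
    for ts, imei, kind in events:
        if kind == "ATTACH":
            attaches[(imei, ts // window_s)] += 1
    cycling = defaultdict(set)                # (tac, window) -> IMEIs over threshold
    for (imei, window), n in attaches.items():
        if n >= attaches_per_window:
            cycling[(tac(imei), window)].add(imei)
    flagged = defaultdict(list)
    for (model, window), imeis in sorted(cycling.items()):
        # One misbehaving handset is a fault; several of one model is a pattern.
        if len(imeis) >= min_devices:
            flagged[model].append(window * window_s)
    return dict(flagged)

def sample_events():
    """Constructed events (seconds, IMEI, kind); TACs and IMEIs are placeholders."""
    events = []
    # Three handsets of model 99999901 re-attach every 6 s during the first minute.
    for serial in range(3):
        imei = f"99999901{serial:06d}0"
        for i in range(10):
            events.append((i * 6, imei, "ATTACH"))
            events.append((i * 6 + 3, imei, "DETACH"))
    # One faulty handset of model 99999902 does the same; its peers attach once.
    for i in range(10):
        events.append((i * 6, "999999020000000", "ATTACH"))
    for serial in range(1, 5):
        events.append((serial, f"99999902{serial:06d}0", "ATTACH"))
    return events

if __name__ == "__main__":
    print(flag_cycling_models(sample_events()))
```

Requiring several handsets of one model in the same window is what separates a fleet-wide behaviour from a single faulty device.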
Another aspect to consider is that whilst the integrity of the core network’s software is subject to on-going scrutiny by the customer operators, and by some governments, the same is not true for mobile terminals. These receive little or no external scrutiny, other than from the amateur software community.
You can argue of course that there are other similar risks in, for instance, the PC domain, where there are really only 2 laptop operating system suppliers, and one of those is also a supplier of tablets and smartphones. So in terms of potential impact of malicious vendor code, perhaps having the full suite of smart devices is the holy grail and we should all be casting a suspicious eye in Apple’s direction. Of course we do not suggest that Apple would be involved in any behaviour of this nature; we merely point out that the control of the vital operating systems for many types of devices is in the hands of an ever decreasing number of private companies.
The conclusion we at Azenby reached is that the industry has taken many decisions over the years in terms of network integrity, customer bill/privacy and integrity, and largely these have been successful. However, the technology and the regulatory regimes have evolved to allow an uncontrolled mass of powerful mobile terminals with unregulated (or at least self-certificated) software on them to populate networks. These represent a potentially massive threat to the mobile networks, and to the privacy of the population in general.
Looking forward the situation seems fairly binary, with two options:
Option A: accept the risks and assume that governments will privately take whatever measures are necessary individually to protect the national interests they represent, with for instance segmented networks that are relatively immune to the mass of potentially rogue terminals sponsored by foreign governments. In this case the population as a whole continue to have their privacy invaded and their services disrupted, though often in return they receive some free services which they value.
Option B: address the risks, through:
- customer groups start forming that do not accept the current state of affairs and use their purchasing power to only purchase terminals and services that offer some form of guarantee around the security of their information.
- and networks/governments extend their concerns over supply of network equipment to the supply of terminals as well, and take a view on the maximum percentage of terminals they are prepared to accept on their network from the various major vendors.
We believe that the attraction of free, highly functional services will continue to anaesthetise the population as a whole to the loss of their privacy with all of the attendant risks that brings, and that Option A will continue indefinitely. The loss of privacy and the erosion of network security will continue bit by bit, with a continuous stream of high profile but not disastrous incidents bringing this to the fore periodically but never triggering a major re-think. Coupled with this, as each new yearly cohort of users comes into the market knowing nothing different, an assumption that there is no privacy on-line will become rooted in common culture as the norm.
Let’s just keep our fingers crossed that when the chips are down our government has had a closer eye on this than the population as a whole.