
A certain large Asian company and leader in 5G infrastructure has recently been accused of being compromised by its authoritarian government. Aside from the fact that it's nearly impossible to audit closed-source hardware as free of backdoors, what theoretical risks are posed by such compromised infrastructure? (Note that I'm not referring to user devices like handsets but to infrastructure like cell base stations, routers, etc.)

The majority of Internet traffic is now encrypted end-to-end. And I'd imagine the rate of encryption is much higher in the Western countries that would be most concerned about compromised foreign technology. So I would assume that the actual content of most Internet communication would not be at risk (aside from SSL stripping types of attacks, which are already mitigated by HSTS). In that case, I assume the main theoretical vulnerabilities would lie in these areas:

  • metadata (connection endpoint information)
  • voice calls and SMS (at best, encrypted only between handset and base station)
  • supply chain disruption or denial of service during a diplomatic dispute

What do you think?

Jordan Rieger

  • I think you are considerably downplaying the risk of unencrypted traffic. The resource you cite claims *"over 50 percent of internet traffic is now encrypted"*, which, while being the majority, still means that a huge amount of traffic is not encrypted. One might maybe ignore the related risks if only a tiny part of the traffic (like 1%) and only to irrelevant sites were not encrypted, but according to these statistics we are still far away from this. – Steffen Ullrich Jan 30 '19 at 19:18
  • @SteffenUllrich fair point, but that source was pretty vague. Here's another source, Google's transparency report, saying that web traffic in Chrome (not just traffic to Google) is approaching 90% encrypted: https://transparencyreport.google.com/https/overview?hl=en&time_os_region=chrome-usage:1;series:time;groupby:os&lu=load_os_region&load_os_region=chrome-usage:1;series:page-load;groupby:os The trend is clearly toward 100%. Granted, the web is not everything. – Jordan Rieger Jan 30 '19 at 20:00
  • You mention HSTS to mitigate SSL stripping types of attacks, which is true, but HSTS usage is nowhere near as high as overall SSL usage. Don't know how trustworthy this source is, https://w3techs.com/technologies/details/ce-hsts/all/all, but it claims that 9.4% of all web sites are using HSTS in January 2019. Another thing to consider is which CAs your devices trust. If this large Asian company has leverage with some trusted CA then it may be possible for them to MITM SSL traffic. Though e.g. mobile apps can mitigate this with certificate pinning. – MKT Jan 30 '19 at 22:29
  • Interested in this topic. You are presenting valid "mainstream" risk but I think the question should be about the next step in the cyber arms race, which in my opinion is backdoors or other measures to enable governments and law enforcement to read encrypted traffic. There is some noise on this already, where encrypting traffic is incompatible with what governments want to achieve. See https://www.nytimes.com/2018/12/06/world/australia/encryption-bill-nauru.html as example. This is just one way of counteracting widespread encryption adoption. – HackneyB Jan 31 '19 at 01:15

1 Answer

First of all, we are not talking just about internet connections, but about mobile infrastructure.

So yes, we have the points you mention:

  • call metadata (connection endpoint information)
  • voice calls
  • SMS

(not sure about the encryption requisites for these on 5G, but on earlier versions I think it was weak encryption if any)

Plus anything not encrypted on the internet, which is plenty, but I don't think that is the real risk there, as it's the same that you bear when connecting on an unprotected WiFi, just on a bigger scale.

Other malicious attacks that could be made:

  • User location (e.g. locating important officials based on the location of their phones)
  • Theft of SMS codes / account recovery methods by a SIM-swapping equivalent at network level
  • Denial of service: stop all service when given a kill-code
  • Actively overwhelm certain services: make any call made actually go to 911 (or the service you want to collapse)
  • Firmware attacks: the network may be able to flash some radio chipsets with new firmware.¹ Which itself may be able to escalate privileges into smartphone chips...

Supply chain disruption is not that bad. At that point the other country is probably 'the enemy' (even if just a commercial one). Much more concerning is the level of damage that a low-level backdoor silently placed on that ubiquitously deployed technology could do.

Shutting down service for a city would be evident and lead to their tampering being found 'easily' (well, after days or months of studying what went wrong), but a well-placed trojan there could operate silently for decades without being detected, exfiltrating when directives of essential services are communicating, performing wiretaps of selected phones... and all of this almost undetectable, since any controlling checks would be at a higher level.

¹ See *Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks* by Ralf-Philipp Weinmann, USENIX conference paper.

Ángel

  • "The network is likely to be able to flash some radio chipsets with new firmware." - Can you add any references for this? – Jordan Rieger Jan 31 '19 at 00:37
  • @JordanRieger maybe _likely_ was an overgeneralization, I remember baseband chips (running closed code, which I think can be updated from the tower) sharing memory with the phone being a cause of concern about potential attacks. I have added a reference to a paper where a researcher was [able to compromise both an iPhone and an Android phone](https://www.wired.com/2015/02/firmware-vulnerable-hacking-can-done/) – Ángel Jan 31 '19 at 00:57