Sunday, March 30, 2008

5 Common Mistakes Made By Mobile Operators

Our consultants are often contacted by Network Operators to audit and improve security. Having spent our formative years at the worlds largest ISP, Telco security is a subject close to our hearts. Mobile Network Operators face some particularly unique challenges. They have all the normal concerns of a business dependent on IT, plus the added requirement that they must secure the network while making it widely available to their customers and the customers of other operators without compromising the infrastructure, their peers, or the end users and their personal data.

These challenges are set in an environment of changing technology, business models, and industry structure. Couple this with the fact that outages cost big money, and mobile communications are often highly personal, the stakes are very high for MNOs!

To assist fellow security professionals working in the Mobile sector, 360is have come up with our list of the most common mistakes made by MNOs. Enough scene setting, lets begin!

Mistake 1. Over Integration / Under Segregation
One of the tenets of good information security is the separation of networks of differing levels of trust. Unfortunately this practice is easily eroded or rendered ineffective by over-integration of different functions onto a single hardware platform or software infrastructure. Over integration amplifies the effects of any individual security failing . One sure sign of over integration is that you have difficulty in drawing up truly separate network diagrams for subscriber, management, and telemetry functions. Conversely, if you can easily move data and conduct interactive sessions between those 3 networks without a defined intermediate gateway or bastion stage in the process, this is also a bad sign.

Mistake 2. Misplaced Faith In Encryption
The second mistake and the first are often found together. Software and Hardware vendors have tended to treat encryption as a sort of magical security whitewash, to be sprayed liberally over everything, disguising unsightly flaws or cracks in the architecture. Encryption (implemented properly) is a great way to ensure confidentiality of communications on a shared network but historically it has suffered from poor implementation; weak random number generation, flawed protocols, and endpoint vulnerability. In practice attackers rarely focus on the encrypted tunnel itself when there are far easier pickings to be had among the authentication system, the tunnel endpoints, and intermediate proxies.

Mistake 3. Not Considering Atypical Behavior
Once handsets were dumb. They had no user-settings, no expansion, and no ability to run code other than their Firmware. Users could make voice calls and send SMS, life was simple for the MNO. Today a "handset" can be a phone, a smart phone, a laptop, even a server. Services extend to voice, SMS, Internet, Corporate VPN, i-mode style portals, and hosted applications like BlackBerry. MNO's expend huge amounts of time and money testing all these handsets with all these services to ensure a positive experience for their subscribers, but somehow in the testing... security gets ignored. Just because handsets are normally allocated addresses by DHCP and browsers are configured to use your proxy, doesn't mean an attacker with a laptop will follow "regular user behavior". Does your security testing take this into account? Claiming "You can't do that with our (handset/registration process/portal)" is not a very effective defense for your network.

Mistake 4. Incorrect Trust Models
Crashing these mistakes into one-another is becoming a theme. Following on from atypical behavior we come to the problem of trust among network elements, users, and their traffic. The reason why behavior is such a problem is that mobile networks often have their trust models wrong. A trust model that relies on the handset to behave itself is as bad as those that rely on the user to behave himself. MNO security staff should be very wary of trusting source addresses, the interface traffic appears on, or any credentials passed by systems they do not exclusively control. If somebody says "It's a walled garden, we don't need to worry" you are probably already making mistake 4.

Mistake 5. No consideration of Modes Of Failure
Not planning for the inevitable failure of one or more parts of your security architecture is foolish. Sooner or later a configuration slip-up, a careless/malicious insider, or a new bug in your systems will cause one of your security mechanisms not to work. Does it fail-safe? Are you pro-active in checking all the careful steps you took to avoid mistakes 1-4? What is the extent of your exposure if any one of these mishaps occurs? Vendors hate to answer the question "what about when it doesn't work?" but you as security architects for your MNO must accept such eventualities as inevitable and plan for the worst.

The challenges faced by MNOs are similar to those faced by SCADA users a few years ago. They stem from the increasing pervasiveness of IP, the evolution of handsets from "dumb" single purpose devices to more flexible, complex systems, and the increased variety of services offered to subscribers. In an industry where "air gaps" are a myth, we have found many MNOs making the same mistakes as their cousins in the utility sector. Equipment vendors must shoulder part of the blame for vulnerability in mobile networks, many of their systems are based on unhardened main-stream Operating Systems. However, MNOs themselves do not escape criticism. You are guys are too trusting of your vendors!

It is common for entire networks to be sourced from a single vendor, radio-side and fixed-side, but this is no excuse for abdicating responsibility for operational security. That burden rests squarely with the operator, and if you need help in meeting the challenge we know who to call.