Tag Archives: Deutsche Telekom

The 5G security debate in Germany gains momentum

2 February 2019

Report ‘Deutsche Telekom proposes steps to make 5G safe as Huawei debate rages’ (1) published on January 30, 2019 by Reuters Technology News makes clear that at least the German government and the Deutsche Telekom started to discuss 5G security issues.

“Deutsche Telekom takes the global debate on the security of network equipment from Chinese providers very seriously,” the company said in a statement that spelled out three confidence-building measures.

The company, which is nearly one-third state owned, proposed that all critical infrastructure should be independently certified before deployment by an independent laboratory under state oversight.”

That sounds good.

“It also called for network equipment makers to submit the source code that runs their equipment to a trusted third party. Under certain circumstances, an operator would be able to gain access to address any security vulnerabilities.”

From my point of view, this is not sufficient to increase trust in Huawei’s hard- and software. Moreover, it is also not enough to investigate Huawei hardware and software only. If it comes to matters of national security we should trust no network equipment supplier.

Hardware and source code of all vendors must be verified by an independent organization. Only verified hard and software versions are approved for installation and operations. In addition, a technical testing organization must oversee the installation of hardware and software to make sure that only verified components are installed.

I strongly recommend that the German government should found an independent firm for certifying the software and hardware of any network equipment supplier involved. A trusted German partner should hold a share of at least 51% in this company. Goal of this company is not spying on the suppliers know how, but to create trust in a critical infrastructure.

View on Saargau

View on Saargau from 49.596700, 6.618173

Without trust in the 5G network infrastructure, service providers will not take full advantage of the technology. This will throw back the digitalization in Germany, and thus the German economics, by years. Internet access with 2 MBit/s, the standard in the rural German area Saargau, is definitely not enough to be competitive in the long-term, not to mention for self-driving cars or remote surgery.

Enjoy the view on Saargau.


References

1. Busvine D, Rinke A. Deutsche Telekom proposes steps to make 5G safe as Huawei debate rages. Reuters [Internet]. 2019 Jan 30 [cited 2019 Feb 2]; Available from: https://www.reuters.com/article/us-usa-europe-huawei-tech-deutsche-telek-idUSKCN1PO26K

Advertisements

British man arrested after 900,000 broadband routers knocked offline in Germany

5 March 2017

About 900,000 Deutsche Telekom customers suffered internet outages on Sunday 27th and Monday 28th November 2016. Two weeks ago a 29-year-old man has been arrested at Luton airport by the UK’s National Crime Agency (NCA) in connection with this attack. Both, the attack and the arrest of the cyber attacker made it into the headlines.

Report ‘New Mirai attack vector – bot exploits a recently discovered router vulnerability‘, posted on 28 November 2016 at BadCyber, describes the technical details of attack. The attacker used the TR-064 protocol over Port 7547 to inject code into the routers configuration details.

Protocol TR-064 is used by ISP’s to keep their infrastructure up-to-date. Under normal conditions the updates are initiated by the router. In this case the attacker sent some specially crafted packets to the router to inject the malicious code.

For access to the router a username and password is required. The attacker used well-known default passwords in the attack, with great success:

Username Password
 root     xc3511
 root     vizxv
 root     admin

How can such attacks been avoided?

We all need to take greater care over our router security. Default passwords must be changed at commissioning, forced by the router software. In addition, the router should prevent the usage of passwords from the ‘Worst Password‘ lists.

But in my opinion that’s not enough. Vendors deliver internet routers with really poor software quality. Although injection attacks are at least for ten years on the OWASP Top 10 Vulnerabilities list, no vendor seems to care about this issue.

The NIST NVD database lists 995 injection related software flaws (e.g. remote command injection or sql-injection) in the last three years, even though solutions to address this issues, e.g. by input sanitizing, are known for years now.

in my opinion, to protect critical infrastructures from cyber attacks some governmental attention is required. For critical components like internet routers a certification before selling is required to make sure, that state-of-the-art protection against common attack vectors is implemented.

Sounds easy, doesn’t it?

Have a good weekend. And check the complexity of your internet router password.