Securing the next generation digital infrastructure: highlights from BlackHat Asia 2020

By Jane Lo, Singapore Correspondent

Originally scheduled for March, BlackHat Asia 2020 returned 29th September – 2nd October 2020 to a virtual stage hosted in the Singapore Time Zone.

With an agenda that ranged from policy decisions and thought leadership to firsthand technical skill-building, the event offered unique opportunities to learn about the latest in exploit development, platform security, malware and more.

Here, we highlight some of the discussions on securing the digital infrastructure that will be powered by the next-generation technology of 5G.

5G cybersecurity risks

With 5G implementation gaining steam globally, the talk on “Cross-Protocol Attacks in the Era of 5G” by Sergey Puzankov (Telecom Security Expert, Positive Technologies) could not be more relevant for governments, industries and users searching for more information on the benefits and risks of 5G deployment.

“Mobile networks have evolved. These days they combine several generations”, he said, to deliver seamless service to subscribers.

For example, 5G networks with non-standalone architecture rely on a 4G LTE core network. Devices will connect to 5G frequencies for data transmission, but rely on 4G and even 2G/3G networks for voice calls and SMS messaging.

“This mishmash of technologies, protocols, and standards in telecom has implications for security,” he said.

In other words, 5G networks in such deployments are exposed to legacy vulnerabilities inherent in these previous-generation networks, such as those in the Diameter and GTP protocols, commonly used in the telecoms industry for 3GPP, GSM, UMTS, and LTE networks.

Of particular concern are the “standards reliant on SS7 (Signaling System 7), a technology developed in the 1970s”, Puzankov explained, which “still continue to dominate.”

It was developed “in an era when only fixed-line operators had access to networks, and the stakes were much lower for questions of security,” he said. “It contains architectural flaws that make it vulnerable to a whole range of threats. These flaws can even be utilized to listen in on calls, intercept SMS messages, and instigate various forms of fraud.”

Misconfiguration and software bugs also become points of compromise for potential attacks.

“Intruders are attacking mobile networks from all possible angles, in part by leveraging multiple protocols in combined attacks,” he said.

Highlighting a few scenarios of potential exploits – including bypassing firewalls and tampering with data packets – he said, “an attack starts with actions in one protocol that are continued by actions in a different one, requiring particular combinations of actions for the attack to succeed.”

5G and threats to IoT Devices

While inherited threats are concerning, another challenge lurking on the horizon is the security posture of IoT devices.

With the increased capacity and bandwidth offered by 5G, more IoT devices will be online. And attacks such as those by the Mirai malware, which caused some of the largest DDoS attacks – including the October 2016 Dyn cyberattack – have the potential to become more common.

Clearly, in today’s increasingly interconnected era (exacerbated by Covid-19 and stay-at-home guidelines), secure IoT devices are critical to a trusted digital infrastructure.

In his keynote “Engineering Cybersecurity for a Nation: What Singapore is Learning from Cars and Sanitation”, Gaurav Keerthi (Deputy Chief Executive (Development), Cyber Security Agency of Singapore) gave an insightful view into defining a new way forward for cybersecurity in Singapore.

“Singapore wants to be a Smart Nation and wants to shift the paradigm of cybersecurity in order to achieve that. Doing so will require us to challenge some mental models: Should cybersecurity be a public good? Should it be an engineering problem or a policy problem? Should users be solely responsible for it? Should it be seen as a cost or a benefit to a company?”

Drawing on the food labelling scheme as an analogy, he proposed that it is not unreasonable for consumers to expect the same for IoT devices.

“If you care about your diet, you can take a look at the label and avoid sugary drinks,” he said. “But today, if I look at the router, I have no way of deciding that this router is more secure than that router. It is invisible to me. Customers cannot pay for what they cannot see. So we started thinking, what if we can put a nutrition label on IoT devices?”

“And this is what we will be doing. We will be introducing the Cybersecurity Labelling Scheme (CLS) on network-connected devices.” (The details are to be announced during the Singapore International Cyber Week, to be held 5th-9th October 2020.)

Looking Ahead

Covid-19 has accelerated the digital transformation across societies and businesses at an unprecedented rate in the last 6 months. In the coming years, 5G will play a pivotal role in further transforming the ways we live, work and play. Applications in virtual reality, robotics and autonomous driving are attracting excitement. As the attack surface further expands alongside the growth of 5G use cases, conversations on 5G risks and policy direction will no doubt attract increased and urgent attention.

WoSEC Singapore CTF For Girls Singapore 2020

The youngest is 18 years old... 67 female hackers spent the weekend #hacking in September during the #CTF For Girls in #Singapore 2020, organized by Women of Security (WoSEC) Singapore. The event was part of the SG Women in Cyber Series with the Cyber Security Agency of Singapore (CSA).

Five female hackers won the #competition with fabulous results. Some did not sleep the whole weekend, trying to solve the challenges, and capture the #flags, because that is what CTF is all about!

There are girls and women who are passionate about #cybersecurity, and all they are looking for is learning, and practicing their #passion. For whoever says or thinks that women have made a choice not to start a #technical #career, ask them, do not assume. It is all about giving women an egalitarian opportunity to choose. Be part of the change!

The change starts with actions, and not only words. The CTF received fantastic #support from Hack The Box, Marsh Asia, SECO Institute, and MySecurity Media.

Congratulations again to the winners - we are proud of you, keep going - Le Jing Chia (1st place), Jia Wen Zheng (2nd place), Monika Talekar (3rd place), Elizaveta Busygina (4th place), and See Min Lim (5th place).