Open RAN: Attacks against mobile operators from the outside in practice

Two years ago, communications within the telecommunications industry sparked significant concern about the ease with which Open RAN could potentially be hacked [9][10], prompting a deeper exploration of its security implications for the mobile telecommunications sector and related fields. Open RAN, heralded as a transformative force in telecom infrastructure through its innovative standards and concepts, has captured the industry's attention not only for its ability to shift paradigms but also for the security challenges it may introduce, particularly in areas where integrity, confidentiality, and availability are paramount. Security experts have drawn parallels between the vulnerabilities in Open RAN and those found in cloud infrastructures relying on Docker and Kubernetes, underscoring the importance of scrutinizing Open RAN's unique risk profile [1]. The discourse is further enriched by analyses that identify the new interfaces Open RAN will introduce for interconnecting various network functions [2], highlighting potential attack vectors. Despite this small but valuable body of existing literature, the abstract nature of these risks motivated this article, which aims to elucidate practical attack strategies against current Open RAN implementations and to identify emerging threats. Employing the state-of-the-art open-source O-RAN [13] stack as a case study, this series seeks to shed light on the evolving security requirements of Open RAN. An examination of existing products that are "ready for commercial deployment" and compliant with O-RAN standards reveals a complex security landscape, necessitating a comprehensive analysis of risks under typical deployment scenarios [3]. This article sets the stage by introducing Open RAN, its predecessors, and its overarching architecture, followed by a detailed examination of the communication interfaces that could serve as attack vectors, and the practical attacks that can be performed using the O-RAN stack.


The best of red team bootcamp training for 2023

For 2023, we have a nice surprise in store for you. Indeed, Penthertz will join forces with ComThings and AT Security to offer the best bootcamp training if you are interested in performing physical intrusions during your red team engagements.


Intruding 5G SA core networks from outside and inside

5G installations are becoming more present in our lives and will introduce significant changes as traffic demand keeps growing over time. The development of 5G is not only an evolution in terms of speed; it is also meant to be adapted to many contexts: medical, energy, industry, transportation, etc. In this article, we briefly introduce the 5G network and take as an example the assessment we did with the DeeperCut team, which placed 3rd in the PwC & Aalto 5G Cybersecurity challenge, to introduce possible attacks, as well as the tools we developed at Penthertz.


Mobile IoT modules vulnerable to FOTA updates backdooring at scale

Embedded (E)GPRS/EDGE, 3G, 4G, and 5G modules are commonly used for many purposes. Indeed, we can find them in connected devices such as intercoms, alarms, automotive ECUs, In-Vehicle Infotainment (IVI) systems, rental cars' unlocking boxes (e.g. the Getaround Connect unlocking system, which uses Bluetooth LE but also a backup mobile connection), etc. During the lockdown, PentHertz accidentally found vulnerabilities in the device management process of some modules that could allow an attacker to backdoor FOTA updates of modules remotely and at scale. This quick blog post introduces mobile modules, the FOTA attack vector, and the different vulnerability classes that could be found in modules from other vendors. Considering the risks of these threats, we also encourage all mobile module vendors we did not get the chance to contact to reach us at [email protected], so that we can check their modules and user device management process security and help them fix identified or new vulnerabilities.


TEACHertz - A new service infrastructure for high-quality online hardware trainings

The beginning of this year has been particularly tough for everyone, socially and economically. As a consequence, many habits changed, and businesses moved to a format we are now more familiar with, known as remote work. Of course, many people consider this format degraded for courses and believe it will probably never replace the experience of in-person training. But this crisis makes us think about existing solutions and new ways of improving them to fit everyone's needs as much as possible. This is why PentHertz also evolved in that direction to respond to its customers, by testing and then building various platforms for teaching and consulting, even in the radiocommunications and hardware areas that generally require a physical presence. In this small post, we show the directions taken by PentHertz to provide high-quality and very interactive remote trainings. Moreover, we also introduce the TEACHertz infrastructure, so that every professional can benefit from our services to offer their own high-quality training in software and hardware.


An introduction to mobile network intrusion from a mobile phone

With the introduction of the packet service, mobile user equipment (UE) can use the IP communication protocol. Without proper routing and filtering of UE communications, some sensitive assets on the operator's infrastructure could be exposed, such as core network services. Mobile operators generally know this attack vector and apply suitable mechanisms to avoid risk from the subscriber context. Nevertheless, those mechanisms differ from one operator to another, and their effectiveness varies. Research in mobile networks is evolving rapidly with the development of SDR (Software-Defined Radio) and SDNs (Software-Defined Networks), which introduce new kinds of architectures. These new architectures are mostly cloud-based systems and include new features that need time to be understood and to fully mature from the deployment perspective. In addition, with the research progress of SDR-based 4G and 5G-NR NSA networks, new services such as private mobile networks have also appeared for use inside organizations. However, in that case all security procedures and mechanisms are provided by the organization itself. This post is an overview of previous assessments of private GPRS and LTE mobile network commercial and public solutions, and of 5G-NR NSA setups.


Testing LoRa with SDR and some handy tools

When assessing the security of LoRa devices, as with any other RF technology, we must deal with unknown radio parameters and data/payloads that we need to understand to complete our mission. Moreover, understanding these parameters and data may help to find interesting issues to exploit (clear-text communication, weak keys, protocol stack vulnerabilities). In this post, we briefly present LoRa and its different security modes, and then focus on RF techniques to detect, demodulate and decode LoRa signals. Additionally, we introduce some scripts we have written to decode and generate LoRa PHY and MAC payloads, brute-force keys and, finally, fuzz some protocol stacks.
