Huawei, Attack Trees and $5 Wrenches

It’s always a pleasure to see a blog written by Dr Ian Levy (NCSC Technical Director) given the approachable, down-to-earth manner in which he discusses key topics of national security. His latest post covers the DCMS supply chain review for the UK’s future (5G) telecoms networks.

Depending on your preferred flavour of paranoia / news source, it may seem like this decision throws away our last bastions of privacy in the UK and condemns us to a future of (Chinese) state surveillance and espionage. However, one might want to consider this in a broader context, for example: the ongoing “bitter trade battle” between the US and China; growing recognition of the issues around China’s domination of computer manufacturing (so can you trust what’s been baked into the chips inside your laptop?); and balanced against the majority of western youth who think putting embarrassing pictures on Instagram is a good idea (quickly dispelled when they learn that recruiting managers know how to search one’s social media timeline…)

Levy has already addressed the underlying principles for assessing the security of the UK’s future networks but in his latest blog he highlights key points, such as which parts of a 5G system are most critical to protect, the different types of risk (with an example of an “attack tree”), how to address particular attack vectors, and the difficulty of managing risk in such a complicated environment, while reminding us all that a $5 wrench can be an effective password hacking tool.

Huawei is an easy target for criticism due to the belief that the Chinese state can influence the company to hide espionage or denial-of-service features within its products, as well as subverting the marketplace through heavily subsidised pricing. However, remember that other manufacturers could introduce risks through poor security ‘hygiene’ (whether this be at a protocol level, such as SS7, or in something as simple – but lethal – as hardcoding ‘backdoor’ admin passwords into switches.

If you’d like some further views on 5G security and its potential impacts, Brookings are informative and highlight just how many aspects of our future, digitally-connected life might be affected if 5G was attacked or simply failed, ranging from our internet-connected fridges failing to automatically re-stock our milk, to our entire 5G-connected autonomous vehicle transport system coming to a crashing halt (with correspondingly huge numbers of human casualties)…

At Armour, the concept of securing one’s communications is key to our business and to our beliefs, whether that be protecting one’s personal privacy or securing government secrets. Using end-to-end encryption and authentication helps to overcome some of the potential hazards of untrusted (or to use the buzzword “zero-trust”) networks. Many of the possible risks being raised around 5G are present right now, whether you’re a CEO using your mobile to discuss sensitive trade deals while roaming on a foreign country’s phone network… or an NHS patient worrying about which of your personal data just got Whatsapp’d between the nurses treating you in a UK hospital…

For more information contact us here.