Expanding the Attack Surface (technical)

A few days ago, Google's Project Zero published a long write-up of a security flaw discovered in Apple's iOS.

For 6 months of 2020, while locked down in the corner of my bedroom surrounded by my lovely, screaming children, I’ve been working on a magic spell of my own. No, sadly not an incantation to convince the kids to sleep in until 9am every morning, but instead a wormable radio-proximity exploit which allows me to gain complete control over any iPhone in my vicinity. View all the photos, read all the email, copy all the private messages and monitor everything which happens on there in real-time.

(From the write-up by Ian Beer, Project Zero. Original posted here.)

It's important to grasp the breath-taking scope of this thing: real-time access to everything on any iPhone within radio range, over the air, at will, without the user tapping on anything, and achieved by exploiting software as mature as Apple iOS.

How, for the love of God, is that possible?

Unfortunately, it's the same old story: a fairly trivial buffer overflow in C++ code in the kernel that parses untrusted data and is exposed to remote attackers.

When I read this, I marveled! Actually, I nearly fell out of my chair.

The old buffer overflow trick! Old as the hills, and first documented in 1972 if not earlier (see here). Despite all that we know today, all the techniques and libraries and templates, we still fall for it — among thousands of other exploits of all types, from inevitable coding bugs to back doors to phishing to inside malefactors to intercepts of equipment shipments to thumb drives to microcode defects, etc., etc., ad nauseam.
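To make the "same old story" concrete, here is an added example that is not code from Beer's write-up or from Apple. The kernel code Beer describes is C++; the example is plain C because the defect is identical: a parser reads a length byte from an untrusted frame and copies that many bytes into a fixed-size slot. The frame layout (`[type][len][value...]` records), the 32-byte slot, the simulated heap and every function name here are invented for illustration. The unchecked parser is shown beside a hardened one that checks each length both against what is left of the frame (an out-of-bounds read) and against the slot's capacity (the overflow):

```c
/* Added example, not code from Beer's post or from Apple: a tiny TLV parser
 * that copies a record value into a fixed 32-byte slot, first without and
 * then with length checks. Frame layout, names and the simulated heap are
 * invented for illustration. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define VALUE_CAP 32   /* the record's value slot */
#define HEAP_SIZE 64   /* simulated heap: the slot, then a neighbouring object */

/* VULNERABLE: copies the first type-0x01 record's value into dst, trusting
 * the attacker-controlled length byte (0..255) for a 32-byte slot. */
static int parse_unsafe(uint8_t *dst, const uint8_t *frame, size_t frame_len) {
    for (size_t off = 0; off + 2 <= frame_len; ) {
        uint8_t type = frame[off];
        size_t len = frame[off + 1];
        if (type == 0x01) {
            for (size_t i = 0; i < len; i++)      /* no bound on len at all */
                dst[i] = frame[off + 2 + i];
            return (int)len;
        }
        off += 2 + len;
    }
    return -1;
}

/* HARDENED: each length is checked against the bytes left in the frame (no
 * out-of-bounds read) and against the slot capacity (no overflow). */
static int parse_safe(uint8_t *dst, size_t dst_cap,
                      const uint8_t *frame, size_t frame_len) {
    for (size_t off = 0; off + 2 <= frame_len; ) {
        uint8_t type = frame[off];
        size_t len = frame[off + 1];
        if (len > frame_len - off - 2) return -1;  /* runs past the frame */
        if (type == 0x01) {
            if (len > dst_cap) return -1;          /* would overflow the slot */
            memcpy(dst, frame + off + 2, len);
            return (int)len;
        }
        off += 2 + len;
    }
    return -1;
}

/* First bytes of the neighbouring object; stands in for a pointer an
 * attacker would like to control. */
static const uint8_t NEIGHBOUR[8] = {0xDE,0xAD,0xBE,0xEF,0xCA,0xFE,0xF0,0x0D};

static void fresh_heap(uint8_t *heap) {
    memset(heap, 0, HEAP_SIZE);
    memcpy(heap + VALUE_CAP, NEIGHBOUR, sizeof NEIGHBOUR);
}
static int neighbour_intact(const uint8_t *heap) {
    return memcmp(heap + VALUE_CAP, NEIGHBOUR, sizeof NEIGHBOUR) == 0;
}

/* Constructed malicious frame: a harmless record, then a type-0x01 record
 * claiming 48 bytes, 16 more than the slot holds. out must hold 64 bytes. */
static size_t build_evil_frame(uint8_t *out) {
    static const uint8_t head[] = {0x02, 3, 'x', 'y', 'z', 0x01, 48};
    memcpy(out, head, sizeof head);
    memset(out + sizeof head, 'A', 48);
    return sizeof head + 48;                       /* 55 bytes */
}

/* 1 if the unchecked parser overwrote the neighbouring object. */
int demo_unsafe_clobbers_neighbour(void) {
    uint8_t heap[HEAP_SIZE], frame[64];
    fresh_heap(heap);
    size_t n = build_evil_frame(frame);
    return parse_unsafe(heap, frame, n) == 48 && !neighbour_intact(heap);
}

/* 1 if the hardened parser rejected the record and left the neighbour alone. */
int demo_safe_rejects_oversized(void) {
    uint8_t heap[HEAP_SIZE], frame[64];
    fresh_heap(heap);
    size_t n = build_evil_frame(frame);
    return parse_safe(heap, VALUE_CAP, frame, n) == -1 && neighbour_intact(heap);
}

/* A well-formed 16-byte record still parses: returns 16. */
int demo_safe_accepts_wellformed(void) {
    uint8_t heap[HEAP_SIZE], frame[18] = {0x01, 16};
    memset(frame + 2, 'B', 16);
    return parse_safe(heap, VALUE_CAP, frame, sizeof frame);
}

/* A record claiming more bytes than the frame carries is rejected: returns -1. */
int demo_safe_rejects_truncated(void) {
    uint8_t heap[HEAP_SIZE];
    const uint8_t frame[4] = {0x01, 10, 'C', 'C'};   /* says 10, carries 2 */
    return parse_safe(heap, VALUE_CAP, frame, sizeof frame);
}

int main(void) {
    printf("unsafe clobbered neighbour: %d\n", demo_unsafe_clobbers_neighbour());
    printf("safe rejected oversized:    %d\n", demo_safe_rejects_oversized());
    printf("safe copied well-formed:    %d\n", demo_safe_accepts_wellformed());
    printf("safe rejected truncated:    %d\n", demo_safe_rejects_truncated());
    return 0;
}
```

The point of the simulated heap is that the 48-byte copy does not crash: it silently lands on whatever sits after the slot, which is exactly what makes this class of bug exploitable rather than merely a denial of service. Note also that the hardened parser needs two checks, not one; a parser that only bounds the destination can still be made to read past the end of a short frame.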

Not that it was right out in the open, of course.

This has been the longest solo exploitation project I’ve ever worked on, taking around half a year. But it’s important to emphasize up front that the teams and companies supplying the global trade in cyberweapons like this one aren’t typically just individuals working alone. They’re well-resourced and focused teams of collaborating experts, each with their own specialization. They aren’t starting with absolutely no clue how bluetooth or wifi work. They also potentially have access to information and hardware I simply don’t have, like development devices, special cables, leaked source code, symbols files and so on.

Just so. Mr. Beer basically did this at home, for fun. But his project sheds a very bright light on the least talked-about facet of modern technology: anything networked is vulnerable to a determined attack.

The attack surface is the sum of all the points at which a network (or any other system) can be attacked: every interface that accepts input from outside. An air-gapped PC has a very small attack surface. In ancient times our office IBM XTs did not have virus problems, at least not until some wise guy figured out how to get into DOS with a .COM file on a floppy disk. For a while we even banned floppies and resorted to LapLink instead.

But when true networking arrived, from Token Ring to Ethernet, the genie was out of the bottle.

Now my laptop has browsers, email, USB, Wi-Fi and more, each a rich target for attackers. This is why ransomware, adware, spyware, bots and other malware aren't even newsworthy any more, and why enterprises go to such lengths and spend so much money to defend their networks against compromise. The notion of a 'computer virus' that merely corrupts a few files or prevents bootup is today charmingly quaint.

All this is enabled by a growing attack surface.

When we virtualize the RAN, a key pillar of 5G, we also grow the attack surface. At a guess, the 5G attack surface will be an order of magnitude greater than that of any previous 'G'. Why? Because we are doing more and more in software, replicating that software across more and more servers, and surrounding it with more and more software infrastructure: hypervisors, orchestrators, and so on, all networked together.

And with the ultimate goal of a network edge that can dynamically instantiate any combination of RAN and AI functions on COTS servers and GPU resources, we will create a kind of monoculture in which a successful penetration spreads that much more quickly and widely than before.

A national mobile network is a strategic asset. State actors have a stake in penetrating them, not just for spying but also 'just in case': for leverage, for deterrence. And the virtualized 5G network will have a broad attack surface.

This is what goes through my mind when I peruse media accounts parroting the Huawei-is-a-security-threat mantra. I strongly suspect that US intelligence agencies are much more interested in back-dooring networks built with key western components, and in preventing the Chinese from discovering how they do it. I also believe the Chinese (and everyone else on the planet) will eventually get their hands on it anyway, given the NSA trove of malware that has already spilled onto the dark web, and given on-going state-sponsored cyber-warfare efforts.

But leave aside state actors. There are plenty of merely criminal actors in search of new opportunities they can monetize, or possibly opportunities to express grievances through cyber-based vandalism. Virtualization gives them a target-rich environment. And with the tumbling rush of vendors tripping over each other to get to market — well, one can only imagine the number of latent security flaws even now being embedded in virtualized mobile networks.
