Tag Archives: 5G

Security News for the Week Ending April 24, 2020

Corona Virus Puts Brakes on 5G Deployment

A research reports says that global cloud revenue from the operation of core 5G networks will fall 25% to 30% shy of the $9 billion forecasted for this year.

They predict that this will only be a short term problem and that 5G deployment will pick up next year.

*I* think a bigger problem is going to be network congestion, but what do I know; I am not trying to sell consumers and businesses a dream.

Samsung just demonstrated a 5G phone on a commercial cell site (TEST) was able to transmit at 4.2 gigabits a second. Two phones doing that fully consumes one 10 gigabit fiber. 100 of those at one cell site would consume 50 fiber strands from that site. One hundred cell sites with each filling up 50 fiber strands would, in the aggregate fill up 50×100= 5,000 strands of fiber and that is for just 100 cell sites. The forecast is for hundreds of thousands of cell sites in the U.S. Where do we get all of that network capacity? The answer of course, is to throttle down your speed to something they can digest, unless you pay a lot of money (which they would like). Most people will say that it is not worth it. That spells a problem, I predict. Credit: Computer Weekly.

Space Crime – Astronaut Accused of Hacking Spouse’s Bank Account from Space

In possibly the first space crime ever, the spouse of an astronaut on the U.S. space station, who was separated and filing for divorce, accused the astronaut of hacking into her bank account from outer space. I used to say that you could hack from half way around the globe, but I guess now I have to amend that to include outer space. It turns out that the spouse is now being charged with lying to the cops – she had given her spouse access to that bank account years earlier and never changed the password, even though she said that she had. Credit: CNN

Ticketmaster Changes Refund Policy After the Fact

While this is not really a security issue, I find the numbers staggering. And a warning.

Ticketmaster has postponed or cancelled 30,000 events and still has another 25,000 events scheduled for the rest of this year. Just the cancelled events represents $2 billion in ticket sales and, I am sure, hundreds of millions of dollars of profit. As a result, Ticketmaster decided to change their refund policy, AFTER PEOPLE PURCHASED THEIR TICKETS to say that you won’t get a refund unless the event is cancelled and not “indefinitely postponed”. Since the performer, venue and Ticketmaster all have a vested interest in keeping people’s money, many events will be “indefinitely postponed”. Not surprisingly, Ticketmaster is being sued.

Ticketmaster is working on offering refunds for 18,000 postponed events, likely due to a combination of the shaky legal strategy of changing contract terms after the fact and the bad publicity, but that still leaves maybe 30,000 to 40,000 events, representing maybe 100-500 million tickets (depending on average venue size), in limbo.

For consumers, this is a bit of a security warning in the sense that you should consider that any money that you spent on tickets for concerts and travel should be treated as a total loss for now. Plan for the worst and be happy if you wind up better than that. I assume that no one is buying tickets right now, but consider this when that option resumes.

For example, a high school class trip got cancelled here in the Denver area and the travel agency refunded 25% of the cost of the trip. The other 75% is, apparently, unknown.

Credit: Blabbermouth. For more information on the behind the scenes challenges that Ticketmaster is dealing with, see this article in Billboard.

Remote Worker’s Lack of Corporate Firewalls Blamed for Rise in Malicious Activity

SC Magazine says that the number of devices that have been commandeered to work for the bad guys has more than doubled since the pandemic.

The researchers believe that many of these devices were infected before the pandemic but the devices were blocked from the Internet by corporate firewalls.

Now that people are home and have a range of protection from NO firewalls to crappy firewalls that have never been patched to OK firewalls – but probably very few great firewalls, the malware can do it’s damage.

As a side note, reports from some corporate IT departments say that the availability of corporate grade firewalls suitable for home deployment is non-existent, so even companies that want to fix the problem by providing firewalls to employees can’t. The study says that the number of OBSERVED compromised companies increased by 400% between January and March in some countries. Credit: SC Magazine

Half a Billion iPhones at Risk Due to Email App Bug

While Apple is claiming that they don’t have any concrete evidence that hackers abused a bug in Apple’s default email application, they are not denying that the bug exposes email users to to having their phones compromised and data stolen just by receiving a blank email.

Apple is also saying that while they are developing a patch, the three bugs in mail that were reported were not enough to compromise phones.

Security firm Zecops says that at least 6 firms were targeted as far back as 2018. The bug dates back to iOS 6 — 2012!

For now, high risk users should not read their emails on their phones.

Credit: Tech Crunch and Engadget

5G Security Is a Mess and Banning Huawei WILL NOT Help

The President is right that cellular security is a problem, but not for the reason that he thinks – although that is a problem too.

Researchers at Ruhr-Universität Bochum have discovered a way to compromise 4G cellular security – the cell service that almost all of us use now.

It allows them to impersonate the phone’s owner and book fee based services that get charged to the owner’s phone bill.

It also could impact law enforcement investigations because it would also allow a hacker to access websites using the victim’s identity. In fact do anything the real owner can do.

If the attacker wanted to blackmail someone, they could upload sensitive or compromising information and then lead the cops to that info. The cops would believe the owner did it. Hackers could threaten to do that in order to blackmail someone.

The vulnerability affects all LTE devices – Apple, Android, Windows – even Cellular IoT devices.

And the only way to fix it is by changing the hardware – at both the user end and the cell company end. Any bets on that getting fixed? I didn’t think so.

The team is trying to figure a fix for the next generation (5G). They say that it is possible.

But it is going to cost the cell carriers money.

The additional security requires the phones to transmit more bits, costing the carriers overhead.

And all 5G phones would have to be replaced (DO NOT buy one if you have not already done so).

And the base stations would have to be expanded.

Other than that, it is a piece of cake.

The problem is the lack of integrity protection: data packets are transmitted encrypted between the mobile phone and the base station, which protects the data against eavesdropping. However, it is possible to modify the exchanged data packets.

For more info see Help Net Security and CSO Magazine.

Behind the 5G Hype – What You Need to Know

Given that the cellular market is pretty well saturated in the developed world and cell companies are not likely to sell a lot of $1,200 cell phones in the developing world, Verizon, AT&T and the others are working overtime to create something to separate you from more of your money.

To even the game, you need to be knowledgeable.

For example, are you aware that most current cell phones being sold today WILL NOT support 5G?  Its true.  They will support pretend 5G (called 5G Evolution by AT&T, but I think they stopped calling it that after they were sued).  My partner Ray has a phone on AT&T and the phone says 5G, but I know for a fact that his phone does not have a 5G radio in it.

Rumors say that Apple plans to release one or more 5G capable phones some time next year, likely in the fall, but possibly earlier.  Maybe!

Samsung has a couple of 5G capable phones today – for example the Note 10 5G, which is different than the Note 10 and costs several hundred dollars more.

So what else do you need to know?

AT&T just launched it’s 5G service in 10 cities including LA, San Francisco and San Jose.  If you are an AT&T customer, have one of those new 5G phones, pay extra for a 5G service plan and happen to be near one of their 5G towers, you are good to go.  If you miss out on any of those requirements, you won’t get 5G.

As I have often said, when it comes to telecommunications services, we are like a developing country.  Other countries, like China, South Korea and Switzerland are far ahead of us in rolling out real 5G.

Part of the problem is radio spectrum.  5G will operate on three different frequency bands, called, for simplicity, low, medium and high.  Low is the most available spectrum to the carriers but also the most congested so while it can be deployed more quickly, it will also give you the smallest speed bump.  High is the least crowded but also the least available, at least until the FCC frees up more spectrum.  It will, eventually, give the best speed.  But it has a downside which is that the high frequency radio waves don’t travel very far or through building walls, so that will require tens of thousands of new towers.  Historically, city planners in the nice parts of town are anti cell tower (although these will be much smaller), so you have competing needs.

T-Mobile uses low band and claims that their network of slow-G (excuse me, 5G) covers 200 million people.  When Wired tested their network with one of the two phones that they sell that support 5G ($900 and $1,300), they found speeds as high as 158 megabits, but as low as 5 megabits.  Neither one are as fast as your current cable Internet.

T-Mobile admits that their 5-G service will only be about 20 percent faster than their existing service.

Verizon, on the other hand, uses the high band and tests show speeds of between 600 megabits and 1.5 gigabits – that is extremely fast.  But it is only available in small parts of 17 cities.  And the connection will only work if you are outside and near one of the few towers.

AT&T’s so called 5G service uses the slow band (low), but it also has high band service that it is offering to a select few business customers in a few locations.

Sprint is using the mid band and tests show speeds of between 110 megabits up to 400 megabits, which is, at the high end, probably 10 times faster than the speediest current 4G cell service.  They claim that their service covers about 3 percent of the residents of the U.S.

On the other hand, South Korea will cover 90 percent of their population with real 5G within the next two weeks.  They say that average speeds with be between 300 and 500 megabits and peak speeds will be between 800 and 900 megabits.

Statistics say that in 2020, 3G cell service will be more prevalent than 5G worldwide.

This doesn’t mean that you shouldn’t go for 5G cell programs.  It does mean that you should understand what you are getting.  And not getting.

The carriers, collectively, are spending billions of dollars to build out 5G network infrastructure ahead of when people get 5G capable phones, so they assume that people will, eventually, fork over their money for expensive phones and more expensive cell service.

My suggestion is to wait until there are more phone choices, wider service availability (are are two small sections inside the city limits of Denver that have broad 5G coverage today, according to Verizon and we have more data to understand what kind of speed boost you are really going to get.

Also, all of the providers are selling boxes that you can plug into your Internet connection to give you 5G when you are at home.  Other than to impress people, I see no reason to do this because it will not run any faster than the WiFi in your house already runs.

Source: Wired






Security News for the Week Ending November 1, 2019

Johannesburg, South Africa Attacker Threatens Data Breach

In what I think is going to be the way of the future, hackers compromised Joburg IT systems and threatened to publish data that they stole if the ransom is not paid.  As I write this, the deadline has just passed, they have not paid the ransom, the data is not yet exposed and they think they will have most of the systems back online soon.  While this project seems to be the work of inexperienced hackers (they did not encrypt all of the systems), this does not mean that more experienced hackers won’t try this technique and do a better job of it.  Source: The Register.

China Steals IP to Build C919 Airliner

I keep saying that the biggest threat to U.S. businesses is not credit card fraud but IP theft, such as by the Chinese.  In this case the Chinese wanted to build a passenger jet to compete with Boeing and Airbus.  The plane, in development for almost 10 years, was delayed because the Chinese didn’t actually know how to build it.  SOOOOOO, here comes TURBINE PANDA.  Stupidly, the developer of Turbine Panda came to the US for a security conference, where he was quickly arrested by the FBI.  Now China’s MSS (ministry of State Security) has banned Chinese researchers from attending conferences in the US.  In the meantime, Turbine Panda was  used to compromise US and European airplane parts suppliers so that China could get the tech that they needed to build the C919.  Source: CSO.


FCC Plans to Ban Huawei and ZTE Equipment, Force Replacement

The FCC is set to vote on rules banning using Federal Government subsidies to buy Huawei and ZTE equipment  because of their close ties to the Chinese government and another rule that would force telecoms to rip  out existing Chinese equipment.  The cost of replacing existing equipment has been estimated at several billion dollars and the FCC doesn’t have any way to pay for that.  In addition, if telecoms have to use more expensive 5G equipment from other providers, they will have to slow down the deployment of 5G services due to cost.  The options that telecoms have, if that proposal gets approved, is to significantly delay the rollout of the much overhyped 5G cell networks or raise prices.  This disproportionately will affect less densely populated parts of the county (like me, who lives 20 miles from downtown Denver – I cannot currently get any form of broadband Internet or any form of cell service where I live) because carriers will choose to install limited 5G service in highly dense areas where they will get more subscribers to pony up the additional fees for 5G cell plans and those 5G cell phones that often run $1,100 or more.  The U.S. is already pretty much a third world country when it comes to fast , affordable Internet and cell service and this will only reinforce it.  I have no problem banning Chinese firms, Congress just needs to figure out how to pay for this desire.  Source: ARS


Domain Registrars Web.com, Network Solutions and Register.Com Hacked

These three registrars – all owned by the same folks – were hacked in AUGUST but the company didn’t figure it out until mid OCTOBER.  The information taken is mild by today’s standards – names, addresses, phone numbers, etc. but no credit cards – they don’t don’t believe (that’s comforting).  Also not compromised were passwords.  If this is accurate, it seems like they segmented the data, which is a good security practice.  Still, if you use one of these services, I would change  my password and make sure that two factor authentication is enabled.  Source:  The Hacker News.


Rudy Guiliani Bricked His iPhone;  Asked Apple to Fix It

Reports just surfaced – and so far are not being disputed  – that the Prez’s cybersecurity advisor, personal lawyer and who knows what else, apparently forgot his iPhone password and after 10 tries, locked it up, so he took it to an Apple store in San Francisco and GAVE it to some random Apple tech to reset, and reload from iCloud.  Definitely a super secure situation.  Rudy said that everyone needs help from time to time and compared himself to the dead San Bernadino mass shooter whom the FBI needed help unlocking his iPhone.   I don’t think that would be someone that I would compare myself to.  Source: The Register.

Does Amazon Have a Security Prob?

One report says that an Amazon customer was seeing mysterious fraudulent charges on his account and even after working with Amazon multiple times and resetting everything, the charges kept coming.  After months, he found out that Amazon doesn’t have visibility to non-Amazon branded smart devices that are connected to your account (like a smart TV) and even if you reset your account, those devices can continue to connect and order stuff.  There is a department inside the company that has a special tool that they can use to detect these rogue devices.  If you are seeing mysterious charges that they can’t explain, this could be it.  Source: The Register.

5G – Mostly Hype – For Now

There has been a lot of hype surrounding the next generation of cellular technology and while 5G is definitely cool, we need to make sure that we don’t get the cart before the horse.

#1 – Everyone has to buy a new phone.  Apple watchers think that Apple should release it’s first 5G phone before the end of 2020.  Other phones are being touted as 5G or possibly 5G evolution – which is different.  This means that even if 5G is available in your neighborhood, which it likely is not, it won’t do  you any good until you replace your phone.

#2 – Carriers need to upgrade each and every cell tower.  This means new electronics.  Given that there are hundreds of thousands of cell towers – or more – in the United States, that is a lot of money.  Likely, carriers might upgrade the network first in rich neighborhoods (because those people might buy new phones sooner) or neighborhoods with high traffic density.  Most of us won’t see upgrades for years.  I still connect to towers that only support 3G and 2G on a regular basis.

#3 – Network capacity needs to be upgraded.  It is wonderful if you can talk to the cell tower at 1 gigabit per second but that does no good if the connection from that cell tower to the rest of the network is only, say 50 megabits – there is no magic to get you faster speed.  And that needs to go all the way back to the Internet backbone.  In many cases, that is 5 to 10 network connections that all have to be upgraded.  If you have two cell towers that each want to talk at 1 gigabit per second and they connect to one consolidation  point, that needs to have a 2 gigabit connection and if two of those connect to a higher consolidation point, that needs to have a 4 gigabit connection.  Everybody shares the same pipe and it will only run as fast as the slowest connection.

#4 – MORE cell towers.  The nature of 5G is that the signal can only travel a short distance at that high speed.  This means more towers. And more “back haul” connections.  Should we put a tower in your back yard?  This is going to be a big problem.  Carriers want to reduce costs which means that land owners are going to be even less likely to want to put a tower in their back yard.  I have heard some stories that carriers are lobbying for laws to force land owners to put cell sites on their land for next to nothing.  That is not going to go over very well.

#5 – Oh, yeah, 5G doesn’t work inside.  Not in your house.  Not in your car.  Not in your office.  Unless you have a 5G mini cell site inside the building.  With enough bandwidth to back haul the traffic.  There are some carriers that are working on  using a different frequency that works better inside, but frequency (also called spectrum) is exceptionally scare.

#6 – Now you create all these really cool 5G applications that use all that bandwidth.  What about security.  After all, today, phone app security is horrible.  If you start building all of these bandwidth gobbling applications will security magically improve?  Not likely.

Other than that, there are no problems with 5G.

What we are likely to see is limited deployment of 5G over the next couple of years.  Select sites in select cities.  What we are also know is that the back haul bandwidth is going to be a problem.

Next we are going to have to get everyone to buy new phones.

And likely the 5G cell plans are going to cost more just like smartphone plans had/have a “surcharge”.

We need to develop all those cool new apps.

And finally, we need to solve the security problems.

As I said, other than that, there are no problems with 5G.


Security News Bites for the Week Ending March 1, 2019

We Don’t Need Back Doors in Crypto – We Have Enough Bugs Already!

Researchers have found three new bugs in the protocol design (as opposed to the implementation) in both 4G and 4G cellular networks.  The design flaws can be carried out by any person with a little knowledge of cellular paging protocols.

The hardware to carry out the attack can be purchased for less than $200 and all four major carriers are vulnerable since these are protocol design problems and not implementation bugs.

The good news is that since these are protocol design flaws, the networks of all of our adversaries (and our friends) are also vulnerable, which probably makes the spy-guys happy too.

There is no fix approved or planned for the security holes.  Source: Techcrunch.

Google Slipped a Microphone into your Nest Security System – Forgot to Tell Buyers.

When Google announced that the Nest security system would now support “Hey Google” with no hardware upgrade, a few geniuses figured out that there must have always been a microphone in the Nest that Google just accidentally forgot to tell people about.

Google is trying to spin down the tornado saying that yes, they just forgot to tell people that there is a microphone in there, but not to worry because it isn’t enabled by default.  They put it in there to detect breaking glass and other features, they say.

Alarm systems often have microphones, usually to detect glass breaking, but the control panel, where Google put it, might not be close enough to all of the windows in the house to detect that.  Some alarms support two way voice communications to the alarm monitoring center, but if a system has that, it is not a secret, but rather a feature, loudly announced.  More likely, Google kept it a secret so that competitors wouldn’t figure out their future plans.  Source: The Intercept.


Hacking Tools Going Mainstream

Celebrite, the Israeli company that makes tools for law enforcement (and, I think, for anyone else who’s check clears) to hack iPhones and Android phones has grown a conscience.

Used Celebrite devices are showing up on eBay for as little as $100 – and, of course, will the ex-owner’s data still intact.

Celebrite is “warning” their customers not to do that but rather to return their devices to them for destruction.  If you think they are really concerned about your security, then that makes sense.  On the other, if you believe that they would rather sell you a new one for $6,000 rather than you buying it on eBay for $100 …..

In any case, they are available and many of them still have the captured data on them.  Source: Forbes.


TSA’s Pipeline Security Team Has Five People

2.7 million miles of pipeline and five employees.

Roughly half a million miles of pipe  per person.

And none of them have cyber expertise.

Since 2010 the number of people assigned to pipeline security have ranged from a low of 1 to a high of 14.  Not very comforting.

And they don’t plan to add any cyber expertise anytime soon, instead they are relying on begging other parts of Homeland Security for help.

Given that TSA hasn’t figured this out in almost 19 years, some folks in Congress want to move the responsibility elsewhere.

In the meantime, lets hope that the terrorists do not understand how bad things are.  Source: FCW.