How we turned 5G into 5k
Hacking is a good way to learn and hackathons are a great place to learn with other like-minded people. And that was exactly what we had in mind when we invited our friends and signed in as a team to the first 5G hackathon in the world.
We had no preparation or idea what we were going to do. After we conquered a table for ourselves to set up our base in we quickly found us split between two different challenges. Myself and Jukka (with initial help from Jani) took on to investigate the cylindrical device Nokia has brought into event. Meanwhile Mikko, Ossi and Jani challenged themselves with University of Oulu’s 5G hospital challenge.
Future Hospital
The university’s vision about future healthcare is ambitious and we were presented with the idea of having a nurse visiting customer’s home with cameras and other equipment while doctor can join the visit over network wearing a virtual reality (VR) headset. The challenge itself was not about these doctor’s or nurse’s equipment, but the 5G network making it possible.
The trio led by Mikko started with the basics: Get into the network (we were provided with 5G test network SIM cards) then start exploring the network structure and document everything as we push forward. We found some juicy looking targets, but Mikko was keeping the trio in check. I heard “let’s finish the enumeration first” quite a few times. Equipped with simple tools like ping and nmap, the map of the network and different segments as well as devices in these networks started to form.
Jani drew a map like a pro, I wonder if he’s done that before. But he used Google Draw for the first time. We needed something simple which allows real time collaboration and visibility to what we know already. It also happens to have a version history. We used it to make a timelapse video for the judges to show how we discovered networks and moved on them.
After finding the networks and devices, the real fun began with poking each device and looking what it had to offer. What are the open services? How well is the network segmentation and isolation working? Was the admin password “admin”? These are hypothetical examples, but way too common. And so on. Keep moving. Document as you go and take leverage from the new information to push even further into the depths of 5G network segments.
Documentation was important from two perspectives: It was given to the jury to score our efforts and it also presented the issues we had found and changes we had made. Jury collected these reports so they could also form a big picture of issues, weaknesses and recommendations from each team.
Nokia’s Cylindrical Challenge
Nokia’s Fastmile gateway looked modern and quite elegant. Clearly it was meant for consumers and to be placed in a visible place in the living room or office. It could also be confused with mini air purifier, but those usually don’t have Ethernet cables connected into them.
After initial puzzle we had access to the Wifi side of the device. That’s the side what most owners of the device use to manage it. We did what the hospital guys did and used the really basic tools to analyze the attack surface: nmap for mapping the open ports and services, netcat to interrogate the services and OpenSSL’s TLS client to check if there was TLS encryption involved.
Jukka and I are not frontend developers. We have a history of making our own implementations of network protocols like IP, TCP and TLS. So we challenged ourselves into also analyzing the frontend of the management HTTP service. There was Javascript and HTTP APIs and all that jazz. Now we know how to debug Javascript using Firefox.
The Basics Win the Game
The organizers had prepared prizes for the challenges. Each of the three challenges carried a 10 000€ price to be divided between the first, second and the third place. We received jury’s recognition from our efforts in mapping the 5G segments in Hospital challenge. Our friends from Synopsys secured the third place in two out of three challenges. Congratulations guys! Well done.
And it was quite a shock when the winner of the Nokia challenge was called out: Our team, ABC of Security, had won.
What did we do to win? We kept with the basics: List the open services and play with them. Read a lot of the service specific documentation to learn everything we could from them. Maybe toss in some coding to help. And then write reports from everything we consider an issue.
Security revolves too much around tools and devices. But are they the correct solution if we don’t understand how things work and how everything relates to each other? Jani likes to preach us about how half of the security comes from knowing how things work. People and their knowledge is the leverage to make a difference.
Big thanks to The Finnish Transport and Communications Agency Traficom, University of Oulu, Ericsson, Nokia and Ultrahack for arranging a really cool hackathon! I’d definitely participate again.
ABC of Security was from left to right in the photo below:
- Jukka Taimisto, SensorFleet Oy
- Mikko Kenttälä, SensorFu Oy
- Ossi Herrala, SensorFu Oy
- Jani Kenttälä, BadRap Oy
- Ossi Salmi, Arctic Security Oy
