Written Evidence to Parliamentary Consultation on Ensuring access to ‘safe’ technology: the UK’s 5G infrastructure and national security inquiry

Written evidence submitted by Dr Greig Paul (Lead Mobile Networks & Security Engineer on 5G RuralFirst), Electronic & Electric Engineering, University of Strathclyde, the executive summary of which is as follows: 5G networks will see significant changes from 4G networks. While today we see only early stages of 5G adoption, we can see that these changes will impact security in network design. 5G will increasingly bring “core” functions towards the edge (nearer the radios) of the network – the distinction of “core” and “non-core” is blurring already with new technology. In light of this, we must ensure our networks are designed with this in mind – our networks should be designed to be “intrinsically secure” without relying on equipment vendors. There is momentum behind 5G enabling “Industry 4.0” and associated increases in productivity, with businesses encouraged to take advantage of 5G. This means security issues in 5G networks will directly impact the economy, and NCSC may need to prepare for advising non-telecoms providers about security of private mobile networks. Some applications, such as connected vehicles, will require increased inter-connectivity between different telecoms networks at the edge of their networks (where core functions will move to), for low-latency safety-related communications. This is a change compared to the current approach, where networks only inter-connect at the core, and has security implications around vendor equipment and exposure of telecoms companies to the vendor selections of other telecoms operators. The O2 outage in late 2018 has highlighted the harm to the country by disruption to service, and the lack of resilience in place. There are legislative gaps around telecoms operators, compared with other utility operators. Telecoms networks should be considered as essential services, and regulated under NIS regulations. This has implications for other CNI, including energy utilities, which do not consider public mobile networks to have suitable power autonomy in the event of a “blackstart” incident. The risks of widespread outsourcing within the telecoms sector (and other utilities and infrastructure sectors), as well as “sell-and-lease-back” models, should be considered by the committee. Government policy around connectivity shows a move towards convergence of industrial/business focused networks and public 5G networks, as shown in the Rural Connected Communities competition, with a vision of new, smaller entrants into the telecoms market. As government policy envisages new entrants into this market, it is important to consider what the security implications will be, and how to support them. Key Recommendations: Telecoms operators should be designated as Operators of Essential Services under NIS, in light of their importance in day-to-day life and the economy, and exposed to the same penalties for disruption as other OES, ensuring investment in security and power resilience. Parliament should reduce the weight it places on distinction between “core” and “non-core” functions of networks – networks should be secure without relying on vendors. Inter-connection at the network edge for low-latency vehicular communications means vendor choices can impact on other network operators, and cause cascading security issues. Parliament should consider whether a culture of buying “cheapest” puts the UK’s national interests at risk, among telecoms companies. Operators, not government, should bear the costs of suitable security, as they enjoy the profits from operating these networks

Investigating the security of android security applications

Encryption is commonly used to provide confidentiality of sensitive or personal information when held on smartphones. While many Android devices feature inbuilt full-disk encryption as a precaution against theft of a device, this is not available on all devices, and doesn't provide security against a device which is turned on and in use. For this reason, a wide variety of applications are available within the Google Play Store, offering to encrypt user data. Modern, strong encryption offers strong assurances of confidentiality when used correctly, although the fundamental cryptographic primitives are complex, with many opportunities for mistakes to be made. The security of a number of implementations of Android-based encryption applications is investigated. Highly popular applications, including those by Google-endorsed "Top Developers", are considered. A number of major weaknesses in the implementation of encryption within these applications is presented. This highlights the importance of both well-audited open-source cryptographic implementations, as well as the underlying cryptographic algorithms themselves, given the vulnerabilities identified in these applications. In many cases, there was no encryption in use by the application, and file headers were undergoing trivial static obfuscation, such that files would appear corrupted. In other cases, encryption algorithms were used, but with significant implementational errors. In these cases, plaintext recovery was still possible, due to the use of static keys for every installation of the app, and the re-use of cipher initialisation vectors

Google's Android setup process security

Despite considerable research having been carried out into the security of the open-source Android operating system, the vast majority of Android devices run software significantly deviating from the open source core. While many of these changes are introduced by the original equipment manufacturer (OEM), almost every Android device available for sale also features a suite of Google-provided applications and services, which are not part of the Android Open Source Project (AOSP) code. These applications are installed with system-level privileges, and are effectively an extension of the operating system itself. We monitored the process of setting up an Android device, and have identified a number of design weaknesses in the implementation of a number of Google services features which come pre-installed on virtually every Android device on sale today, which could permit skilled and capable attackers to carry out persistent attacks against Android users

IEDs on the Road to Fingerprint Authentication : Biometrics have vulnerabilities that PINs and passwords don't

Almost every 2016 flagship mobile phone, whether Android or iOS-based, is set to come with an integrated fingerprint reader. The convenience benefits of fingerprint readers are clear to users, but is the underlying technology really ready for widespread adoption? This article explores some of the background of the challenge of secure user authentication on mobile devices, as well as recent weaknesses identified in the handling of fingerprints on many consumer devices. It also considers legislatory and social implications of the widespread adoption of fingerprint authentication. Finally, it attempts to look forward to some resulting problems we may encounter in the future

Take control of your PC with UEFI secure boot

UEFI secure boot is often regarded as a nuisance for Linux users, but you can use it to protect your system by taking control of it. Learn how to do this, sign your own bootloader, and protect your whole system with full disk encryption (including the kernel)

Practical attacks on security and privacy through a low-cost Android device

As adoption of smartphones and tablets increases, and budget device offerings become increasingly affordable, the vision of bringing universal connectivity to the developing world is becoming more and more viable. Nonetheless, it is important to consider the diverse use-cases for smartphones and tablets today, particularly where a user may only have access to a single connected device. In many regions, banking and other important services can be accessed from mobile connected devices, expanding the reach of these services. This paper highlights the practical risks of one such lowcost computing device, highlighting the ease with which a very recent (manufacturered September 2015) Android-based internet tablet, designed for the developing world, can be completely compromised by an attacker. The weaknesses identified allow an attacker to gain full root access and persistent malicious code execution capabilities. We consider the implications of these attacks, and the ease with which these attacks may be carried out, and highlight the difficulty in effectively mitigating these weaknesses as a user, even on a recently manufactured device

The financial auditing of distributed ledgers, blockchain and cryptocurrencies

The internet and digital transfer of money is set to fundamentally change the way financial audits are conducted. This paper critically assesses the way that such assets are currently audited when stored in distributed ledgers, transmitted via a blockchain or whose value is stored in crypto rather than sovereign currency form. In it, we identify the self-verifying nature of such financial data which negates the need for traditional audit methods. Despite the promise of such methods, we highlight the many weaknesses that still exist in the blockchain and how these presents issues for verification. We address distributed transaction and custody records and how these present auditing challenges. We suggest how auditors can use smart contracts to address these and at the same time provide arbitration and oversight. Our contribution is to propose a protocol to audit the movement of blockchain transmitted funds in order to make them more robust going forward

Automating identification of potentially problematic privacy policies

Almost every website, mobile application or cloud service requires users to agree to a privacy policy, or similar terms of service, detailing how the developer or service provider will handle user data, and the purposes for which it will be used. Many past works have criticised these documents on account of their length, excessively complex wording, or the simple fact that users typically do not read or understand them, and that potentially invasive or wide-reaching terms are included in these policies. In this paper, we present our automated approach and tool to gather and analyse these policies, and highlight some interesting considerations for these documents, specifically those surrounding past legal rulings over the enforceability of some specific and widely-used contract terms --- the ability for terms to be changed without directly notifying users (and presumed continued use indicates acceptance), and the protections in place in the event of a sale or acquisition of a company. We highlight the concerns these pose to user privacy and choice, and the extent to which these terms are found in policies and documents from many popular websites. We use our tool to highlight the extent to which these terms are found, and the extent of this potential problem, and explore potential solutions to the challenge of regulating user privacy via such contracts in an era where mobile devices contain significant quantities of highly sensitive personal data, which is highly desirable to service operators, as a core valuation asset of their company

Automating identification of potentially problematic privacy policies

Almost every website, mobile application or cloud service requires users to agree to a privacy policy, or similar terms of service, detailing how the developer or service provider will handle user data, and the purposes for which it will be used. Many past works have criticised these documents on account of their length, excessively complex wording, or the simple fact that users typically do not read or understand them, and that potentially invasive or wide-reaching terms are included in these policies. In this paper, an automated approach and tool to gather and analyse these policies is presented, and some important considerations for these documents are highlighted, specifically those surrounding past legal rulings over the enforceability of some specific and widely-used contract terms - the ability for terms to be changed without directly notifying users (and presumed continued use indicates acceptance), and the protections in place in the event of a sale or acquisition of a company. The concerns these pose to user privacy and choice are highlighted, as well as the extent to which these terms are found in policies and documents from many popular websites. This tool was used to highlight how commonly these terms are found, and the extent of this potential problem, and explore potential solutions to the challenge of regulating user privacy via such contracts in an era where mobile devices contain significant quantities of highly sensitive personal data, which is highly desirable to service operators, as a core valuation asset of their company