Users across the world almost simultaneously started receiving messages that they had trouble connecting to mobile networks on their phones, proving that even the largest carriers are still susceptible to failures in their core network.
First Published 7th December 2018
Ring ring?
4 min read | Reflare Research Team
Around 5am GMT, mobile phones across the world started displaying messages that they had trouble connecting to mobile networks. While preliminary reports indicate that select mobile carriers in 11 different countries were affected, we will base our analysis on the incident reports issued by O2 in the United Kingdom and Softbank in Japan. Users quickly identified that only phones by specific carriers were affected. This by itself is not unusual as mobile carriers commonly operate their own network infrastructure. In countries where legislation grants consumers the ability to roam between mobile networks, the incident simply resulted in slower internet speeds as the remaining mobile carriers took on the added traffic.
However, it soon became apparent that mobile carriers across the globe were facing similar issues. This by itself is worrying but in combination with the prolonged downtime, the theory that a cyber-attack had crippled mobile networks could not initially be ruled out.
Luckily, the issue soon turned out to be caused by backend hardware built by telecommunications provider Ericsson. Apparently, the software running on their devices included an improperly dated certificate. Since certificates are designed to be rejected once their expiry date is reached, this led the devices to effectively shut down at that time. Since all devices were running the same software, they all shut down simultaneously when the certificate expired - which happened to be on the morning of the 6th.
Mobile carriers have since restored their networks.
What conclusions in terms of cyber security can we draw?
While this incident ultimately was not the result of an attack, it still teaches us several important lessons. For one, the use of identical backends by different mobile carriers in several countries presents an interesting target for potential future attackers. Instead of targeting individual carriers, attackers - especially those backed by government actors - can and likely will target just such backend devices in their search for vulnerabilities. After all, such a vulnerability can then serve both as a sort of master key to any of the target mobile carriers and as a switch to take several mobile carriers offline simultaneously.
The prolonged downtime caused by the relatively simple certificate error also tells us that redundancy and failover in mobile communications infrastructure are relatively weak. This makes them attractive targets for cyber-attacks during conventional warfare. Since modern communications rely heavily on mobile data networks, a government actor can cause significant confusion by taking them offline.
Summary
While this week’s incident was not caused by a cyber-attack, it raises uncomfortable questions about the readiness of mobile data infrastructure to resist such attacks in the future. The importance of mobile data networks for modern communications makes them attractive targets to both conventional and government-backed attackers.