Article Summary – Most entities rely on layers of defense to keep bad actors out of their network. Often the first layer, and one of the most impactful, is foreign country blocks. If you do not do business with a country, you can block all traffic to/from it. If you layer on blocking attacks that come in via VPN (Virtual Private Network) connections, you reduce the number of directions from which a bad actor can target you. There is one loophole in that defense, however, that you can currently do nothing about. That loophole is US cellphones used in other countries.


Article Content


Perimeter defenses are as bread-and-butter to cyber defense as having anti-virus or a patching program. In many companies, it goes without saying that many external attack vectors get blocked by your SOC (Security Operations Center) or IT (Information Technology) departments. You block a list of IOCs (Indicators of Compromise), any activity from countries that you have no business with or that are known to be hostile, and even categories of incoming connections (for example: maybe you block FTP or those trying to reach you via a VPN). Those are all important outer layers of defense. If the bad actor cannot even probe your inner defenses, then it is harder to breach them.


There is a substantial loophole in those perimeter defenses. That loophole is cellphones and hotspots, provided by US carriers, that are taken overseas. Said another way, if an adversary in Russia or China purchases a hotspot or a US cellphone with the “International Plan” attached to it, they can return home and launch attacks on your infrastructure while bypassing your perimeter defenses.


The problem was detected when an employee traveled to some European countries. They remained on cellular and were able to fully access their corporate systems. That did not make sense to the SOC, because the countries the employee was in were blocked. Why was the device functioning as if the employee were sitting in their home state?


Traffic was analyzed and the mystery got even deeper. According to the traffic, the employee was in ‘data center alley’ in Northern Virginia (where over half of the internet’s data centers are located, and where the route from Europe through the undersea cable emerges onto the broader internet). The employee was definitely not vacationing in a data center. They were absolutely outside of the country. What was happening?


I do not profess to be an expert in the flow of the electrons from the phone to the destination, but here is how I understood the situation while listening to a call with a major cellular vendor’s engineers. When you take a US device to another country, and have the international plan, there is an agreement between the local carrier and the US carrier. In most cases, what happens is that when you place the call, send the text message, or use the data connection to access the internet, the local carrier merely grabs your packets and shoves them through the undersea cables and hands them off to your carrier in the US. Those electrons then exit the carrier’s cell phone tower or emerge onto the internet from one of their data centers in the US.


Said another way, that phone or hotspot is effectively sitting in the United States. There is a little additional latency in the communication, due to travelling halfway around the world, but it is negligible in the grand scheme of things.


When asked, the engineer reported it was a known “issue” and that they were “considering” a solution that “may” get rolled out “sometime in the future.” That conversation hardly left us with a good feeling, but it was the best we could get. Now, months later, there remains no news about a solution or a timeline to achieve one.


There are certainly higher risks out there, such as zero-day vulnerabilities, phishing attacks that launch ransomware, and insider threats. However, it is nonsensical that in the age of 5G connections, we are allowing attackers, nearly regardless of their location in the world, to bypass most companies’ outermost layer of protection and begin probing the perimeter for those zero-day vulnerabilities, open ports, or unpatched systems.


5G offers more than sufficient speed to launch sustained attacks on a vulnerable server. While it may take a bit longer to scan all open ports or to brute force a password, the fact that it can be done from almost anywhere in the world simply widens the door to more attackers crowding the space. In effect, it lowers the barrier to entry into cybercrime or espionage and complicates attribution. Since the attacks all appear to originate from your wireless carrier, figuring out who was targeting you is nearly impossible.


One can argue that VPNs (Virtual Private Networks) are easy to install and can effectively change your country anyway, so why does this problem set even matter? It matters because it is possible, with a little effort and a skilled SOC analyst and firewall admin, to detect and block VPN-based incoming traffic. You can block that vector, should you choose to do so. Unless you want to block all connections from all wireless carriers, the same cannot be said for this vulnerability.
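To make the home-routing explanation above and the "block all wireless carriers" trade-off concrete, here is a small Python model added for this article (it is not code from the article or from any carrier). The GeoIP/ASN table, IP prefixes, ASNs, country list and device records are all constructed for the example; a real perimeter would consult a commercial feed.

```python
import ipaddress

# Constructed GeoIP/ASN table standing in for a commercial feed. Prefixes are
# RFC 5737 documentation ranges and ASNs are private-use; none are real carriers.
GEO_ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "DE", 64500, False),  # European fixed-line ISP
    (ipaddress.ip_network("198.51.100.0/24"), "US", 64501, True),  # US mobile carrier gateway
    (ipaddress.ip_network("192.0.2.0/24"), "US", 64502, False),    # US hosting provider
]
BLOCKED_COUNTRIES = {"DE", "RU", "CN"}  # hypothetical policy: no business in these countries

def geo_lookup(ip):
    """Return (country, asn, is_mobile_carrier) for the first matching prefix, or None."""
    addr = ipaddress.ip_address(ip)
    for net, country, asn, mobile in GEO_ASN_TABLE:
        if addr in net:
            return country, asn, mobile
    return None

def observed_source(device):
    """Source IP the perimeter sees. With home routing, a roaming device's packets
    come back through its home carrier's US gateway (device keys are constructed)."""
    if device["roaming"] and device["home_routed"]:
        return device["home_gateway_ip"]
    return device["local_ip"]

def perimeter_decision(src_ip, block_mobile_asns=False):
    """Country-block rule evaluated purely on the observed source IP (unmatched = deny)."""
    hit = geo_lookup(src_ip)
    if hit is None:
        return "BLOCK:unknown"
    country, asn, mobile = hit
    if country in BLOCKED_COUNTRIES:
        return f"BLOCK:country:{country}"
    if block_mobile_asns and mobile:  # the only lever the article says exists today
        return f"BLOCK:mobile-asn:{asn}"
    return "ALLOW"

# Constructed devices: a laptop on a German ISP, a US phone roaming in Germany
# with home routing, and a US phone on the same carrier while at home.
GERMAN_LAPTOP = {"roaming": False, "home_routed": False, "local_ip": "203.0.113.5"}
ROAMING_PHONE = {"roaming": True, "home_routed": True,
                 "local_ip": "203.0.113.9", "home_gateway_ip": "198.51.100.10"}
DOMESTIC_PHONE = {"roaming": False, "home_routed": False, "local_ip": "198.51.100.77"}

if __name__ == "__main__":
    for name, dev in [("german laptop", GERMAN_LAPTOP), ("roaming phone", ROAMING_PHONE),
                      ("domestic phone", DOMESTIC_PHONE)]:
        ip = observed_source(dev)
        print(f"{name:14s} seen as {ip:15s} country-block: {perimeter_decision(ip):18s}"
              f" mobile-ASN block: {perimeter_decision(ip, block_mobile_asns=True)}")
```

The roaming phone passes the country block because the firewall only ever sees the carrier's US gateway, and the only rule that stops it also cuts off the domestic phone on the same carrier.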


To close this article, I would leave you with these thoughts: There are many risks to consider when building a robust series of layered defenses. There are actions you should take before losing too much sleep over attacks from wireless connections. However, that is ultimately my point: Why should you ever have to be vulnerable to those attacks and potentially lose sleep? It is a problem set that should not exist. Your wireless carrier should solve it or provide you with the tools to solve it. One possible action, that was bandied about with the wireless engineer, was a software firewall that we could configure within their system. If we said not to allow any connection originating from Russia, they would stop it from transiting out of their system and landing on our perimeter. Whether that or an even better solution emerges will probably depend on a few more companies questioning their carriers about this risk and requesting that they address it. When cyber-attacks move at the speed of light, we should not be leaving holes in our defenses that could be closed.