By Simon Woodhead
There’s an interesting blog post out today which I suspect will make a few of our competitors hot under the collar, even though this’ll be the first many of them have read about it!
The virtualisation platform, VMware, is used by many in our industry. While we joke about other networks using “magic boxes”, many now use magic boxes without the box, i.e. just magic! They run SBCs as virtual appliances, usually on VMware.
VMware are keen to state that this is not a “vulnerability”, and thus there is no CVE number, but researchers have demonstrated how one can exploit the platform to gain long-term access at the hypervisor level. This means hackers could have installed all manner of surveillance and control mechanisms in the hypervisor, at a lower level than the virtual machines themselves, and thus have massive access to the guest virtual machines running on it.
As there is no CVE number, it’ll be interesting to see how this shakes out – there is no patch to apply in 14 days as is required by the TSRs, but there is clearly an exploit possible and I’d call that a vulnerability! I’m reliably informed that s105A of the Act requires all action to minimise security incidents.
Exploiting a telco network at this level offers unprecedented visibility of signalling and media on phone calls, and even if the operator concerned offers encryption (unlikely), the keys will reside within the virtual appliance, allowing media to be observed unencrypted. The scope for this to have been abused by State actors for surveillance is massive in my humble opinion.
I’d be losing sleep if this was potentially affecting Simwood, and rushing to audit our network and reassure all customers that no exploit had taken place. Of course, I don’t have to, because Simwood hasn’t used virtualisation since 2015, so our customers can be assured we’re unaffected by this, and my sleep is uninterrupted.
Call me cynical but let’s watch the rush to do nothing together…