The Synopsys Defensics R&D team put the Defensics fuzz testing tool to the test in the 5G Cyber Security Hack event and placed second in the competition.
Finnish transport and communications agency Traficom, together with challenge partners Aalto University, Cisco, Ericsson, Nokia, and PwC, organized the 5G Cyber Security Hack, which was held June 18 to 20, 2021. This hackathon-style event was a follow-up to the successful 2019 event that took place in Oulu, Finland, but this year’s event was fully remote due to the ongoing pandemic. That also made it easier for international hackers to take part. The event itself entailed four interesting hacking challenges relating to 5G technology and its use cases.
The Synopsys Defensics R&D team participated in the 2019 event and finished in third place in two challenges, so they were eager to take on this year’s challenge.
Since the event was fully remote, some people from the Synopsys office in Wuhan, China, were able to participate, and they would bring extensive 5G knowledge that would no doubt be beneficial in the challenges. Ultimately, this year’s SIGKILL team included three engineers from Oulu and two from Wuhan, and they applied for all four available challenges. The total number of participants in the event was 130 hackers from 30 different countries. It’s important to note that not all teams that apply are accepted to participate in the hackathon event. Thanks to the established AST reputation and comprehensive portfolio of Synopsys AppSec testing tools and services, as well as the Defensics® fuzz testing team’s experience, the SIGKILL team earned a spot at this year’s hackathon challenge.
While preparing for the event, the team quickly noted that one of the challenges stood out from the others. Ericsson, one of the event’s partners, presented a challenge called Hack the crown jewel. It specifically mentioned using “network fuzzing to challenge the robustness of the 5G Core Gateway and finding flaws in the stack implementations that can potentially bring down the network or cause a major outage.” This sounded perfect for the Defensics team’s experience.
The Ericsson challenge was a unique opportunity to hack the Ericsson Packet Core Gateway, which is an integral part of the mobile 5G core infrastructure. With growing security and privacy concerns about 5G technology, it was essential for Ericsson to understand how security risks and vulnerabilities could be potentially exploited, so it could learn how to address the risks in a timely manner.
“We already now have hundreds of millions of subscribers in the world in 5G networks, deploying the networks all over the planet. And we’re getting more subscribers connected all the time. The value that is going to be created with this network—the role it’s going to have in our lives, to our society, to our businesses, our industries, our security and safety, our privacy. It’s such a massive asset. It has to have absolutely brilliant security,” said Mikko Karikytö, chief product security officer at Ericsson.
The 5G Cyber Security Hack started with an introduction session on Friday evening at 6 p.m., and the hackers were let loose on the challenges at 8 p.m. The hacking continued throughout the weekend to meet the submission deadline set at 11 a.m. Sunday morning. With all team members participating from their own remote locations, all collaboration took place over video calls and chat. Although the team worked on all the challenges, on Saturday most of the focus shifted to the Ericsson challenge, as that was the one best suited to the team’s skill set and expertise.
Having a team with members in two different time zones also allowed the hacking efforts to continue around the clock. This was particularly useful because some challenges required scheduled time slots for accessing certain parts of the environment due to limited hardware availability.
On Sunday morning, the team was fine-tuning the final reports and making sure they were submitted by the deadline. It was then time for a few hours of well-earned rest before the prize ceremony at 2 p.m. The team’s collective years of experience with fuzzing—and specifically with the Defensics fuzzer, one of the leading tools for 5G network infrastructure security testing—paid off. The SIGKILL team bested its previous performance and won second place in the Ericsson challenge. Synopsys congratulates and thanks the team members on their accomplishment:
For more info on the event’s results, read Traficom’s event recap.
Defensics is a comprehensive and automated solution that enables organizations to intelligently fuzz test, uncover, and address unknown vulnerabilities and weaknesses in software systems, without compromising security, agility, or resources. With Defensics, Synopsys enables organizations to manage exploits and outages with resilient, future-proofed software.