Mukesh Ambani is disrupting the country’s telecom industry. In the last six months, Reliance Jio, his $20 billion telecom ‘startup’, has notched up over 100 million subscribers.
It not only makes Jio the fastest growing telecom company globally, but also a target for hackers from around the world. But Ambani, India’s richest man, has a secret weapon: Karsten Nohl, a German code-breaker.
In the world of hackers, Nohl needs no introduction. The German hacker, famous the world over for exposing major security flaws in telecom networks, was hired as a consultant by Jio in 2014. It was Nohl’s exposé of security flaws in SS7, a protocol used by telecom service providers, that prompted over 200 cybersecurity firms and hundreds of telecom operators to focus on addressing issues that left millions of users vulnerable to attacks.
In the world of hackers, Nohl needs no introduction. The German hacker, famous the world over for exposing major security flaws in telecom networks, was hired as a consultant by Jio in 2014
At Jio’s office in Navi Mumbai, Nohl has been working for two-and-a-half years alongside the company’s chief information security officer, Brijesh Datta. Together, they built an army of information security professionals and prepared the company for a secure launch of its mobile data and voice service in September last year.
“With Jio, it was a once-in-a-lifetime opportunity to work with a company that had enormous security ambitions and no legacy,” Nohl, 35, told FactorDaily at the sidelines of Nullcon, a hacker conference.
“With Jio, it was a once-in-a-lifetime opportunity to work with a company that had enormous security ambitions and no legacy” — Nohl
Cybersecurity usually involves three major aspects — prevention, detection and response. All these involve a whole range of assessments, bug fixing, hacking and practice to handle crises. At Jio, Nohl and Datta (formerly with Bharti Group), have been handling all this in the run up to the high profile launch of Reliance Jio.
They have been doing this with the help of over 100 information security professionals handpicked from a global talent pool which forms the team responsible for securing the company’s digital footprint. And this is no small task: It comprises handling millions of customers, their data, over 1,00,000 cellphone towers that form critical infrastructure, apps like Jio Money, over-the-top services and millions of 4G devices that the company is selling on its own. “The scale of Reliance is just insane,” says Nohl.
Mumbai Meri Jaan
These days, Nohl spends about two weeks every month in Mumbai and the rest of his time shuttling between Berlin, Kuala Lumpur and Hong Kong, where he has clients, including large banks and telecom networks.
This is not his first time in Mumbai, though. Nohl vividly recalls his six-month stint at IIT-Mumbai 13 years ago as a research assistant. It was the first time he’d left Europe and, like for most young people from developed countries, India was a completely shocker for him.
“You arrived at the airport and it was loud and it smelled exotic, and you got into a taxi and the next thing you knew was you are in an accident… just the first hour in India offers more new stuff than a young mind can process” — Nohl
“You arrived at the airport and it was loud and it smelt exotic, and you got into a taxi and the next thing you knew was you are in an accident… just the first hour in India offers more new stuff than a young mind can process,” recalls Nohl. At the time, he was studying electrical engineering at the Heidelberg University of Applied Sciences in Germany.
Then there were social differences. “I don’t remember ever speaking to a girl… they had guards around the dormitory,” jokes Nohl, who now lives across the Powai lake, next to the elite engineering college. “After an experience like that, you never take anything for granted,” he says. Nohl went on to acquire a PhD in computer engineering from the University of Virginia on implementable privacy for radio-frequency identification (RFID) systems.
The Mumbai he returned to is “modern,” he says.
After a year-long stint at global consulting firm McKinsey in 2009, Nohl decided that he wanted to “change the world.” He quit the company to focus on his research and consulting. Nohl and a team of researchers started researching technologies used by telecom networks for security vulnerabilities.
“We researched every single one of these technologies,” said Nohl. He demonstrated security loopholes in SS7, a communication protocol used by telecom networks to talk to each other, at the Chaos Communication Congress in 2014. The team’s work drew international attention in 2016, when he demonstrated, on a popular American television show, that he could spy on a United States congressman sitting in Germany.
After a year-long stint at global consulting firm McKinsey in 2009, Nohl decided that he wanted to “change the world.” He started researching technologies used by telecom networks for security vulnerabilities
“It’s a very old technology that predates mobile networks… it wasn’t designed with security in mind and, sure enough, we can hack it unless the mobile network specifically does something about it,” said Nohl, who at the time was trying to lobby telecom networks to become more secure by publishing his research. As this Guardian article explains, the loopholes in the SS7 protocol had major consequences for users: attackers could listen in to calls and read text messages being sent by people on the network.
With more than 300 million smartphones, nearly 350 million internet users and a thriving digital economy, how secure are Indian users? Some telecom companies in the country are extremely secure and others very insecure, says Nohl. “India has the highest diversity in network security levels as compared to anywhere I’ve seen in the world,” he says. The website Gsmmap.org (pdf) shows a large amount of divergence in security standards between networks in India.
“I’m the guy who doesn’t even know which team he is on anymore. I don’t think in compartments now. I just get stuff done” — Nohl
So is he a Blue team guy or a Red team guy? In the world of hackers, the Red team’s job is to try and hack into a system while the Blue team’s job is to prevent that from happening. “I’m the guy who doesn’t even know which team he is on anymore. I don’t think in compartments now. I just get stuff done,” says Nohl. At Jio, Nohl started testing the network for security flaws from the outside. That made him the Red team guy. He then went on to advise the company on fixing some of the vulnerabilities, becoming the Blue team guy.
Zen and the art of hacking
Nohl, who likes reading Russian classics (mostly Tolstoy and Dostoyevsky, Anna Karenina being his favourite), isn’t in it just for the money. He’s got a more philosophical take on the need for better security. “Even things like democracy are affected… we all rely on our leaders not being spied on by other governments,” he says.
Recent hacks have not only mucked up the reputations of companies like Deutsche Telekom, Germany’s largest telecom company, and Japanese multinational Sony among others, but also caused major financial damage. Companies are now pouring in billions of dollars into cybersecurity.
Nohl’s got a philosophical take on the need for better security. “Even things like democracy are affected… we all rely on our leaders not being spied on by other governments,” he says
The fear of getting hacked has sent companies on an overdrive, collecting every bit of data and information they can lay their hands on. But, when it comes to collecting network data for cybersecurity, Nohl believes in what might pass for minimalism. “Imagine buying 10,000 pieces of furniture and then picking four-five of them for your house. That doesn’t make any sense. First, you make a list of all that you need and what’s the purpose,” says Nohl.
His approach is to collect data only when a thorough analysis proves that the data is useful. This way, he manages to avoid wastage of resources. The industry mostly leans towards collecting all possible data, making up large security systems that are hard to maintain.
“If you start collecting all the data that is available, then you’ll end up spending most of your time monitoring systems, replacing hard disks and taking care of data which has no purpose. And that’s what I’m fighting” — Nohl
“If you start collecting all the data that is available, then you’ll end up spending most of your time monitoring systems, replacing hard disks and taking care of data which has no purpose. And that’s what I’m fighting,” he says.
No matter how much precaution you take, no network is completely safe forever, he adds. But, having the brightest hackers on your team certainly helps.
Photographs: Anand Murali
Lead visual: Nikhil Raj
Disclosure: FactorDaily is owned by SourceCode Media, which counts Accel Partners, Blume Ventures and Vijay Shekhar Sharma among its investors. Accel Partners is an early investor in Flipkart. Vijay Shekhar Sharma is the founder of Paytm. None of FactorDaily’s investors have any influence on its reporting about India’s technology and startup ecosystem.