True 5G wireless data, with its blazing-fast speeds and enhanced security protectionshas been slow to unfold worldwide. As mobile technology proliferates, combining increased speed and bandwidth with low latency connections, one of its most touted features is starting to gain prominence. But the update comes with its own set of potential security risks.
A massive new population of 5G-enabled devices, from smart city sensors to farming robots and more, are gaining the ability to connect to the Internet in places where Wi-Fi isn’t practical or available. People can even choose to swap their fiber optic internet connection for a home 5G receiver. But the interfaces that operators have set up to manage Internet of Things data are riddled with security vulnerabilities, according to research presented this week at the Black Hat security conference in Las Vegas. And those vulnerabilities could haunt the industry in the long run.
After years of examining potential security and privacy issues in mobile data RF standards, Berlin Technical University researcher Altaf Shaik says he was curious to investigate the application programming interfaces (APIs) offered by mobile data. operators to make IoT data accessible to developers. These are the conduits that applications can use to extract, for example, real-time bus tracking data or warehouse stock information. Such APIs are ubiquitous in web services, but Shaik points out that they haven’t been widely used in core telecom offerings. Looking at the 5G IoT APIs of 10 mobile operators around the world, Shaik and his colleague Shinjo Park found common but serious API vulnerabilities in all of them, some of which could be exploited to gain authorized access to data or even direct access to data. IoT devices on the network
“There is a huge knowledge gap. This is the beginning of a new type of attack in telecommunications,” Shaik told WIRED before he was introduced. “There’s a whole platform where you get access to APIs, there’s documentation, everything, and it’s called something like an ‘IoT service platform.’ All operators in all countries will sell them if they haven’t already, and there are also virtual operators and subcontractors, so there will be a lot of companies that offer this type of platform.
IoT service platform designs are not specified in the 5G standard and must be created and implemented by each operator and company. That means there is widespread variation in their quality and implementation. In addition to 5G, enhanced 4G networks can also support some expansion of IoT, expanding the number of carriers that can offer IoT service platforms and the APIs that power them.
The researchers purchased IoT plans from the 10 carriers they analyzed and obtained special data-only SIM cards for their networks of IoT devices. In this way, they had the same access to the platforms as any other client in the ecosystem. They found that basic API configuration flaws, such as weak authentication or lack of access controls, could reveal SIM card identifiers, SIM secret keys, the identity of who bought which SIM card, and your billing information. And in some cases, researchers could even access large data streams from other users or even identify and access their IoT devices by sending or replaying commands they shouldn’t have been able to control.
The researchers went through disclosure processes with the 10 operators they tested and said most of the vulnerabilities they found so far are being fixed. Shaik notes that the quality of security protections across IoT service platforms varied widely, with some appearing more mature, while others “still stuck to the same old policies and principles of poor security.” He adds that the group is not publicly naming the operators they observed in this work because of concerns about how widespread the problems might be. Seven of the operators are based in Europe, two in the US and one in Asia.
“We found vulnerabilities that could be exploited to access other devices even if they don’t belong to us, just by being on the platform,” says Shaik. “Or we could talk to other IoT devices and send messages, extract information. Its a big problem”.
Shaik emphasizes that he and his colleagues did not hack any other clients or do anything inappropriate once they discovered the various flaws. But he points out that none of the carriers caught the researchers’ probe, which in itself indicates a lack of monitoring and safeguards, he says.
The findings are just a first step, but they underscore the challenges of securing massive new ecosystems as the full breadth and scale of 5G begins to emerge.