True 5G wireless data, with its blazing fast speeds and strong security protections, has been slow to roll out around the world. As mobile technology proliferates, combining expanded speed and bandwidth with low-latency connections, one of its most touted features is beginning to come into focus. But the upgrade comes with its own set of potential security exposures.
A massive new population of 5G-enabled devices, from smart city sensors to agricultural robots and beyond, is gaining the ability to connect to the internet in places where Wi-Fi is not practical or available. Individuals can even choose to trade in their fiber optic internet connection for a home 5G receiver. But the interfaces operators have in place to manage IoT data are riddled with security holes, according to research presented this week at the Black Hat Security Conference in Las Vegas. And these vulnerabilities could hurt the industry in the long run.
After years of examining potential security and privacy issues in mobile data radio frequency standards, Altaf Shaik, a researcher at the Technical University of Berlin, said he was curious to investigate the application programming interfaces (APIs) that operators offer to make IoT data accessible to developers. These are the conduits that applications can use to pull, for example, real-time bus tracking data or stock information in a warehouse. These APIs are ubiquitous in web services, but Shaik points out that they haven’t been widely used in basic telecommunications offerings. By examining the 5G IoT APIs of 10 mobile operators around the world, Shaik and his colleague Shinjo Park discovered common but serious API vulnerabilities in each of them, and some could be exploited to gain authorized access to data or even direct access to IoT devices on the network.
“There is a huge lack of knowledge. This is the start of a new type of attack in telecommunications,” Shaik told WIRED ahead of his presentation. “There’s a whole platform where you have access to APIs, there’s documentation, everything, and it’s called something like ‘IoT Service Platform.’ Every operator in every country is going to sell them if they aren’t already, and there are also virtual operators and contractors, so there will be a ton of companies offering this type of platform.”
IoT service platform designs are not specified in the 5G standard and it is up to each carrier and enterprise to create and deploy them. This means that there is a wide variation in their quality and implementation. In addition to 5G, upgraded 4G networks can also support some IoT expansion, increasing the number of carriers that can offer IoT service platforms and the APIs that power them.
The researchers purchased IoT plans on the 10 carriers they analyzed and obtained special data-only SIM cards for their networks of IoT devices. This way, they had the same access to the platforms as any other customer in the ecosystem. They discovered that basic flaws in the configuration of APIs, such as weak authentication or missing access controls, could reveal SIM card credentials, SIM card secret keys, the identity of who bought which SIM card, and their billing information. And in some cases, researchers could even access large streams of data from other users or even identify and access their IoT devices by sending or replaying commands they shouldn’t have been able to control.
The researchers went through disclosure processes with the 10 carriers they tested and said the majority of the vulnerabilities they found so far are being patched. Shaik notes that the quality of security protections across IoT service platforms varied widely, with some appearing more mature while others “still stuck to the same bad security policies and principles.” He adds that the group does not publicly name the carriers it examined in this work due to concerns about the extent of the problems. Seven of the carriers are based in Europe, two in the United States and one in Asia.
“We found vulnerabilities that could be exploited to gain access to other devices even if they don’t belong to us, just by being on the platform,” Shaik explains. “Or we could talk to other IoT devices and send messages, extract information. That’s a big deal.”
Shaik stresses that he and his colleagues did not hack any other customers or do anything inappropriate once they discovered the various flaws. But he points out that none of the carriers detected the researchers’ probing, which in itself indicates a lack of oversight and safeguards.
The findings are only a first step, but they underscore the challenges of securing massive new ecosystems as the full scope and scale of 5G begin to emerge.
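The flaws described above (missing access controls, replayable commands, and probing that went undetected) map to three checks an IoT service platform API can make on every device command. The sketch below is an added example, not code from the researchers or any carrier; the account names, SIM IDs, secrets and the `handle_command` function are constructed for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed sample data (hypothetical accounts, SIM IDs and API secrets).
SIM_OWNER = {"sim-001": "acme", "sim-002": "globex"}
API_SECRETS = {"acme": b"acme-secret", "globex": b"globex-secret"}
MAX_SKEW = 60          # seconds a signed command stays valid
seen_nonces = set()    # (account, nonce) pairs already accepted
denied_log = []        # denied attempts, kept so monitoring can alert on them


def _mac(secret, account, sim_id, command, nonce, ts):
    # JSON list encoding keeps field boundaries unambiguous in the signed message.
    msg = json.dumps([account, sim_id, command, nonce, ts]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign(account, sim_id, command, nonce, ts):
    """Client-side helper for the demo: sign every field the server acts on."""
    return _mac(API_SECRETS[account], account, sim_id, command, nonce, ts)


def handle_command(account, sim_id, command, nonce, ts, sig, now=None):
    """Return (allowed, reason) for a device command sent through the API."""
    now = time.time() if now is None else now

    def deny(reason):
        denied_log.append({"account": account, "sim": sim_id, "reason": reason})
        return False, reason

    secret = API_SECRETS.get(account)
    if secret is None:
        return deny("unknown-account")
    expected = _mac(secret, account, sim_id, command, nonce, ts)
    if not hmac.compare_digest(expected, sig):
        return deny("bad-signature")
    # Object-level check: the authenticated account must own the target SIM.
    if SIM_OWNER.get(sim_id) != account:
        return deny("not-owner")
    # Replay protection: reject stale timestamps and nonces already used.
    if abs(now - ts) > MAX_SKEW:
        return deny("stale")
    if (account, nonce) in seen_nonces:
        return deny("replay")
    seen_nonces.add((account, nonce))
    return True, "ok"
```

Every denial lands in `denied_log`, so repeated `not-owner` or `replay` entries from one account give monitoring something to alert on.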