Critical security risks to IoT on cellular networks and how to handle them

By Dawood Ghalaieny, CEO – ZARIOT

What mobile network operators know (and don’t know) about the security of cellular connectivity and aren’t telling you (or can’t tell you).

If you take any risk when it comes to data, you need the CIA. The CIA is the confidentiality, integrity and  availability of that data. As such, IoT data transmission needs to be assessed for these risks. Cellular networks have long been considered a walled garden – a safe way to gain remote connectivity for your IoT devices. 

There is a ‘but’: Threat actors – competitors, governments, hackers for monetary gain (or for fun) – can ruin your reputation because today’s cellular has inherited vulnerabilities from first generation protocols developed in the 1970s. Attacks have been at a level low enough to (for the most part) be sweet under the carpet, however the nature of IoT devices and their growth in numbers is creating a vast opportunity and a vast attack surface for hackers, increasingly able to exploit swathes of devices. The mobile network industry has done some work on this problem – but the attackers are ahead. IoT manufacturers must take steps to protect their devices, operations, and brand reputation.

How are vulnerabilities in cellular networks ‘inherited’?

In every cellular device is a SIM or eSIM, enabling the device to talk to various nodes in the mobile networks. ‘Signalling’ is the process of messaging by which devices and network elements authenticate, communicate, and manage data transmissions.

In the 70s the few mobile network operators worked on trust, openly sharing data and access. Security wasn’t built into their protocol. Today’s mobile network protocols are built on those foundations – Signalling System 7 (SS7) is a part of 1G, 2G, and 3G networks; 4G LTE devices use SS7 as a fallback, and while Diameter, the 4G protocol, was built with security, it inherited weaknesses from SS7 and, in fact, has more access points vulnerable to attackers than does SS7. 5G inherits many existing protocols, with nearly all the same vulnerabilities, and is hardly the answer to security. Shortcomings are emerging already, including flaws from previous generations, and to that we can add an increased attack surface due to sheer volume, alarm fatigue, and increased accessibility. What many people don’t know is that most 5G deployments are ‘Non Standalone’, meaning they use a  4G core infrastructure, therefore the 4G Diameter protocol, and all of its failings.

SS7 and Diameter aside, there are also IP-based signalling protocols in the mix including GTP, SIP, and HTTP/2. GTP carries data through the mobile network long before it reaches a VPN tunnel. There is a shortage of GTP expertise in the mobile network industry, which manifests as poor data protection over GTP. SIP is used for voice traffic and SMS over the Internet Protocol (IP) in 4G and 5G networks. It’s much easier to access and manipulate without a sophisticated understanding than other protocols and represents an attack vector in IoT as it can be used to transmit malicious SMS. The HTTP/2 protocol is the basis of standalone 5G networks (5G SA), yet despite the opportunity to learn from all generations before it, was only designed to eliminate fraudulent call and SMS sender spoofing – and nothing else.

Threat Actors Know the Vulnerabilities

Karsten Nohl and Tobias Engel were the first to publicly expose the SS7 signalling system for what it is: a hacker’s playground. In 2014 at a conference in Germany, and on live television in the US in 2016, these researchers laid bare the extent of the problem in unsecured signalling protocols the world over. 

Hackers have been uncovering access points and vulnerabilities for decades, and the rapid growth in numbers of IoT devices is delivering them a fresh, lucrative opportunity. The nature of IoT devices makes the job of attackers even easier because devices are generally dumb in the wild. Fraud, Denial of Service (DoS), data interceptionand manipulation, and identity theft are among the attack types. 

Attackers simply need access to the cellular network. Device security and IP layer security, while relevant for other attacks, do nothing to guard against these vulnerabilities.

Privacy

Example scenario: The attacker sends a message to a network node, often the visitor location register (VLR), that essentially asks for subscriber information. Sensitive information, including location and contact details, are exposed. This enables the attacker to track the device, and launch further attacks using that information.

Fraud

Many tactics are employed, most of which involve stealing information to gain access to private accounts or services. An example is redirection of SMS, or SMS interception. The attacker sends a message to the network telling it to overwrite a subscriber’s details with their own, changing the number a password is sent to, to their own number. Data can also be intercepted by updating the packet data protocol. As is the case with most attacks, one leads to another – the data is used as the basis of a further attack.

Denial of service

Devices are disabled, rendering them unable to connect to or get service from the network. This is done in a number of ways, from unregistering the device from the network (cancel location message), to updating the network profile (insert subscriber data). A sample of the impacts: disruption at critical times to electronic voting machines, sensors, and surveillance. The 2016 Mirai DoS attack compromised over half a million IoT devices. This attack was launched over the internet, but could as easily have been perpetrated over signalling protocols. 

Are Mobile Network Operators equipped to handle this impending security crisis?

How do mobile operators view these security issues? Are they aware of the scale of the threat? How well positioned are they to handle it?

Kaleido Intelligence, a specialist research firm in telecoms, surveyed 88 operators from around the globe. The resultshighlight a worrying lack of awareness about, monitoring of, and response to signalling security threats.

– 75% of Mobile Operators are vulnerable to signalling attacks, with countermeasures in place across only a limited number of protocols. 

– 44% reported that they do not know the financial impact of signalling attacks. 

– 38% reported that they do not know how frequently attacks cause disruption on their network. 

What are Mobile Network Operators doing, in mitigation?

80% reported that they are monitoring their networks for security threats. But a detailed examination of these monitoring efforts reveal cracks and more. 73% report they are monitoring SS7 traffic, 56% that they are monitoring Diameter traffic, down to only 45% monitoring GTP traffic. This is quite concerning, in the face of many publicised vulnerabilities around the GTP protocol. 

The figures descend further. Just 48% recognise the challenge posed by cross-protocol attacks. Attacks evolve, attackers get wiser. Correlation of information across protocols, with detection of unusual patterns, across the signalling network is critical to comprehensive protection. Only 12% of operators apply a fully-converged firewalling solution capable of accessing multiple protocols across a single appliance. 

Dig deeper, to understand why these figures matter

Operations: 86% of operators have a fragmented approach to security, using disparate teams and systems to handle different threats.

Culture: The past decade has seen those with the longest standing experience in these insecure protocols retired from service. Cost pressures have resulted in downsizing causing more experience to leave the ecosystem. Meanwhile the fashion of outsourcing has also meant that outsourcers see these skills as a costly addition that they can get away with not providing and largely remains out of scope of SLAs and KPIs that are negotiated.

The Impact on Security of IoT

Device level security and IP layer security, including software and encryption, are important protections against other threats, but they do nothing to protect against signalling threats. The most common signalling attacks such as fraud, ransom attacks, location tracking, denial of service, data interception, and SMS interception (or injection),come about because of the vulnerabilities of the cellular network, and require a signalling security solution. 

We’re at an early growth stage; “things” are connecting at an accelerated pace, and we’re seeing the opening to the first surge in IoT attacks. Monitoring and security challenges are significant,but vary across well manufactured to poorly manufactured devices. Attention must be given to devices in remote areas, those deployed without full consideration of security over their lifetime in the field, and many other questions brought about by the particular use case of a particular device type.

Is the future bleak or bright?

– 69% of Mobile network operators believe that 5G will lead to an increase in the number of signalling attacks.

60% of Mobile network operators and mobile virtual network operators have some form ofsignalling security. This is the critical point – it’s evident that ‘some form of’ does not mean ‘protected’. The GSMA, specifies some basic signalling security requirements. And most networks barely meet these requirements.

‘Protected’ implies comprehensive signalling security and control systems with continual monitoring assisted by advanced analytics so that anomalies, and threat scenarios from the simple to the complex, are recognised and mitigated. Visibility is essential to stop these attacks. 

This principle applies to the more basic threats, too, such as SIM cards being stolen and used in other devices, which renders the legitimate device out of service, and runs up bills; and notifications when devices are in locations they shouldn’t be in (stolen). 

Given the substantial shortcomings in security through mobile networks, that security will now be specific to the manufacturer and operations of the IoT device. ZARIOT provides a solution in the form of control, security and retaining the quality of service needed to meet the business objective. 

We know that mitigation is part of the response to any suspected attack. Who were the threat actors? Was it a competitor? Was it governmental interception? Does a hobbyist hacker not like your brand? Access to a system that aids in this discovery, and a partner that understands the importance of this investigation as a response mechanism is crucial to future threat mitigation.

Conclusion – cellular is bright, but IoT must have signalling security

Cellular is the clear winner as a global, ubiquitous connectivity solution. Nevertheless, security vulnerabilities over cellular have been overlooked and kept out of view over the decades. As we enter the era of IoT, cases will grow in number and severity as the opportunities grow for attackers. The reality is that there’s a shortage of sophisticated security expertise in mobile network operators, which renders the networks vulnerable. 

This can be resolved, with comprehensive signalling security but the networks are conservative and want to keep changes to their complex networks to a minimum, or aren’t aware of the attacks on their networks. History pegs mobile networks consistently behind the curve, and the opportunities for attackers will grow at an unprecedented rate. IoT manufacturers must implement a security strategy backed by visibility into signalling attacks – knowing what’s going on is key. Cellular IoT is in a precarious position, out in the wild, zapping communications across unprotected networks by the billions. The attacker won’t choose your devices? Without signalling protection, you’ll need to be lucky every time.