One of the biggest features of 5G is the security minefield
The 5G platform provided by the operator has loopholes in the processing of embedded device data.
True 5G wireless data boasts blazing-fast speeds and enhanced security protections, but has been slow to roll out globally. As mobile technology proliferates -- combining expanded speed and bandwidth with low-latency connections -- one of its most touted features is starting to gain traction. But the upgrade comes with a host of potential security risks.
From smart city sensors to agricultural robots and more, a plethora of 5G-enabled devices are gaining the ability to connect to the Internet in places where Wi-Fi is impractical or unavailable. Individuals might even choose to swap out a fiber-optic internet connection for a home 5G receiver. But the interfaces operators set up to manage IoT data are riddled with security holes, according to a study by BlackHatsecurityconference. These vulnerabilities could plague the industry for a long time.
After years of researching potential security and privacy issues in RF standards for mobile data, Altaf Shaik, a researcher at the Technical University of Berlin, said he was keen to look at application programming interfaces (APIs) provided by operators to give developers access to IoT data. Applications can use these channels to obtain real-time bus tracking data or inventory information in the warehouse. Such APIs are ubiquitous in web services, but Shaik points out that they are not yet widely used in core telecom products. By studying the 5G IoT APIs of 10 mobile operators around the world, Shaik and his colleague ShinjoPark found that all these operators have common but serious API vulnerabilities, some of which can be exploited to gain authorized access to data, or even to directly access data on the network. IoT devices.
"The knowledge gap is huge. This is the beginning of a new type of attack in the telecom industry," Shaik told Wired. Platforms'. Every operator in every country will sell this platform, and if not, there will be virtual operators and subcontractors. So there will be a large number of companies offering this platform."
The design of IoT service platforms is not specified in the 5G standard, but is created and deployed by each operator and company. This means they vary widely in quality and implementation. In addition to 5G, the upgraded 4G network can also support some IoT expansion, thereby expanding the number of operators that may offer IoT service platforms and APIs.
The researchers purchased IoT packages at the 10 operators they analyzed, as well as dedicated data SIM cards for their network of IoT devices. In this way, they can access these platforms like other customers in the ecosystem. They found that fundamental flaws in the API setup, such as weak authentication or lack of access controls, could reveal SIM identifiers, SIM keys, the identity of the purchaser, and their billing information. In some cases, researchers can even access massive data streams from other users, and even IoT devices that can be identified and accessed by sending or replaying commands they shouldn't otherwise control.
The researchers conducted a public procedure with the 10 operators tested and said that most of the vulnerabilities they found so far have been fixed. Shaik noted that the quality of security protection on IoT service platforms varies widely, with some looking more mature and others "still sticking to the old bad security policies and principles." It added that the group did not publicly name the operators under investigation because of concerns that the issues could be widespread. Of these, 7 are located in Europe, 2 in the US and 1 in Asia.
"We found that as long as we were on the platform, we could exploit the vulnerability to access other devices, even if they didn't belong to us," Shaik said. "Or we could talk to other IoT devices, send messages, extract information. That's a big problem."
Shaik emphasized that when the different flaws were discovered, there was no hacking of other customers or doing anything inappropriate. But it noted that none of the operators detected the researchers' probes, which in itself indicates a lack of monitoring and security measures.
These findings are only a first step, but they underscore the challenges of securing a new ecosystem at scale as the full breadth and scale of 5G begins to emerge.