The next wave of wireless security worries: API-driven IoT devices

LAS VEGAS – Wireless carriers may be the next cast of characters to learn the hard way about the security risks created by IoT devices. This warning came in a recent briefing at the Black Hat information-security conference here by Altaf Shaik, a senior security researcher at Technische Universität Berlin.

“There is increased threat when it comes to 5G, and the impact is also quite bigger because here the hacker gets to target the industry and not just a single user,” Shaik said at the start of this 40-minute presentation.

The core issue here is 5G’s utility in connecting not just people (who stand to get notable privacy upgrades with 5G, as Shaik explored in a presentation at last year’s Black Hat conference) but machines. Carriers are now moving to turn that latter feature into new lines of business by offering IoT services to businesses that these customers can manage directly through new APIs.

“For the first time, 4G and 5G networks are trying to bring this network exposure,” Shaik said. “The proprietary interfaces are now changing and slowly moving to generalized or commoditized technologies like APIs.”

“So now any external entity can actually control their smart devices by using the service APIs and going through the 4G or 5G core network,” Shaik said, citing a Vodafone test of drones in Germany. “This exposure layer provides APIs and shares information for the drone control center.”

Carriers sell these IoT services to businesses (as verified with a tax ID) willing to buy IoT SIMs in bulk purchases of a thousand or more. These business customers, in turn, can manage these SIMs through an IoT connectivity management web interface, with an IoT service platform web interface providing account-wide controls.

“You can do plenty of stuff, provided you have access to these APIs,” summed up Shaik.

Open to compromise

However, poorly configured or administered APIs can open the IoT devices of other customers and even perhaps a carrier’s core network to compromise. For example, an attacker could start by exploiting vulnerabilities “to gain data of arbitrary users hosted on the same platform,” then attempt to compromise a carrier’s application server – and then possibly “penetrate from there into the mobile core network, because they are connected,” Shaik continued.

He and fellow researchers Shinjo Park, also with Technische Universität Berlin, and Matteo Strada, with NetStudio Spa, tested this by purchasing IoT SIM cards from nine services and then testing them for possible weaknesses.

To read the complete article, visit Light Reading.