Don’t let software chew a dangerous hole in next generation networks and the IoT

Dmitry Kurbatov of Positive Technologies

Once deployed, the business of managing mobile networks used to be relatively straightforward. Voice and text had a certain predictability. Special events aside, usage of these two services would take place within a set of parameters that the forward-looking network ops team could estimate with sufficient accuracy to stop problems occurring.

Enter the brave new world of mobile internet, and with it a whole new set of variables. Operators found (sometimes to their cost) that users would find a way of surprising them, be it with data heavy applications, tethering or any number of unexpected internet connected uses. The knee jerk reaction was throttling of certain services, additional costs to use the mobile web in certain ways or sometimes outright blocking, says Dmitry Kurbatov, Telecommunications Security lead at Positive Technologies.

The emergence of the data thirsty world of the IoT moves this issue into a whole new world. Not only will there be the same unexpected surprises, but the promise of 5G has been heavily sold as a universal connector. Once inanimate objects now consume bandwidth, often inefficiently.

Thankfully, digital Darwinism works both ways. Into the space has evolved the shiny new world of NFV and SDN. Need capacity quickly, or want to provision a new service? Simple, click this, drag it there and it’s problem solved, right?

Not exactly. Whilst the development of such software undoubtedly makes things easier for operators, it also does what those in the cyber security industry fear the most, centralising control of something very important and connecting it to the internet. This is a practice that creates a bulls-eye for a hacker, an asset which, given enough time and resource by a creative and well-resourced team, could be exploited. This is something that companies with large customer or financial databases have been learning to their peril over the last few years. Putting the king’s jewels in a single chest makes it a target.

Understanding this mindset is the first crucial step in securing any network. Second, and just as important, is actually doing something about it. This sounds obvious, but network security and operations teams are bombarded with a million and one tasks as they prepare to transition to their newly virtualised network, each one a priority and sucking up limited resource as deadlines rush past at terrifying speed.

Getting an external view on security is vital here. Those who have been involved in their planning and deployment are innately biased. This is not a criticism, any team in the middle of a complex technological deployment is not going to be able to see the wood for the trees. Giving someone outside this the remit to break things can be a valuable learning. As previously mentioned, knowledge of the hacker mindset is a valuable defensive tool – so employing a team with the specific remit to find problems can be an eye-opener.

This team should be given the freedom to audit everything from the code being used in critical areas of your deployment to assessing what visibility your network has from ‘the outside’. Many operators assume they have zero visibility to the broader internet, but this is not always the case in our experience. Just one visible access point or incorrectly configured connection is sometimes all it takes to create an attack profile. Think of it as a chink in your armour.

This goes for all network interconnects. The underlying mobile infrastructure, based on either outdated SS7 protocols or its newer predecessor Diametre, is increasingly being found wanting. The technical vulnerabilities in the underlying infrastructure gives attackers an open door through which to walk. Once inside, it is not a huge number of sideways steps for an attacker to have access to crucial central control points.

The supposed difficulty for an attacker gaining physical access to these points has previously been used to diffuse the spectre of this particular risk. However, gaining access to a gateway is increasingly easy through the black market, or it can even be achieved direct through hacked carrier equipment or femtocells.

Not being one for fear, uncertainty and doubt, I will refrain from outlining the doomsday scenarios that such weaknesses can cause in a world where everything is connected. I won’t even pretend to be able to guess the multiples. Suffice to say, one just has to walk around Mobile World Congress to see the plethora of very important devices that will ultimately rely on mobile connectivity in some shape or form. Now imagine someone maliciously overloading critical areas, or diverting capacity elsewhere, and the impact speaks for itself.

Software and virtualisation is a good thing for the mobile industry, broadly. It helps operators be more efficient and embrace innovation, all whilst reducing OPEX. However, I would urge mobile networks not to rush headlong into this Utopian world without considering the security implications. Taking a few relatively straightforward steps before deployment and maintaining ongoing monitoring, can be the difference between a building something special, and just creating another risk point.

The author of this blog is Dmitry Kurbatov, Telecommunications Security lead at Positive Technologies

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow


9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

Infineon simplifies secure IoT device-to-cloud authentication with CIRRENT Cloud ID service

Posted on: October 21, 2021

Munich, Germany. 21 October 2021 – Infineon Technologies AG launched CIRRENT Cloud ID, a service that automates cloud certificate provisioning and IoT device-to-cloud authentication. The easy-to-use service extends the chain of trust and makes tasks easier and more secure from chip-to-cloud, while lowering companies’ total cost of ownership. Cloud ID is ideal for cloud-connected product companies

Read more

MNOs want clearer views of network performance and user experience to generate new 5G revenues

Posted on: October 21, 2021

Quebec City, Canada – While 88% of mobile network operators (MNOs) are set to deploy 5G standalone (SA) in the next two years, many are still searching for the tools that will enable these networks to generate revenues from enterprises and industry. This is according to joint research findings from Heavy Reading and EXFO Inc., the communications industry’s

Read more