Cellular IoT Security Threats
Ronen Shpirer, Director of 5G Solutions Marketing at our partner Fortinet, has contributed this text.
With IoT comes a tremendous opportunity for mobile operators to sell managed security as a value-added service to Enterprise customers.
Hyperscale Cellular IoT – White Paper
This is an excerpt from our white paper Hyperscale Cellular IoT. The full white paper is available here if you like what you read. Don’t hesitate to contact us if you have any questions.
IoT security threats are a new challenge for enterprises, and one that is considerably more complex than traditional IT security:
- A multitude of different devices come from as many vendors.
- An unprecedented volume of devices.
- Many devices are “headless” without screens and people monitoring them, making attacks more difficult to detect.
- The devices and back-end application servers need to be protected, and the IoT platform also adds to the security management burden.
Most enterprises do not have the resources to handle IoT security, so it is a potentially high-value service for mobile operators bringing additional revenue. Customers expect that their mobile operator adds a layer of protection. For more information on requirements, please read our blog post Cellular IoT Requirements.
Security Threats – IoT Platform
The IoT platform is the critical heart of any IoT service, and in more extensive networks, the implementation may be a hierarchy of platforms. All signaling and data will pass through one or more platform nodes, so protecting them against attack is imperative.
In the following, we will explore some of the expected typical attacks.
IoT platforms may have vulnerabilities, just like any other software. In most cases, these will be coding bugs such as buffer overflows and other memory corruptions, as well as unhandled corner cases. In addition, most IoT platform signaling goes through some kind of application programming interface (API), so the typical API attacks (broken authentication and authorization, excessive data exposure, missing rate limiting) should be considered. Finally, data received by the platform will often result in a read from or write to a database, so SQL injection is also a threat to consider wherever device-supplied data ends up in a query.
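The SQL injection case deserves a concrete illustration. The following is an added example written for this page, not code from the white paper, Enea or Fortinet; it assumes a hypothetical provisioning table in which the platform looks up a device's pre-shared key by the identifier the device sends when it registers. The vulnerable lookup pastes the identifier into the statement text; the hardened lookup validates the identifier against the assumed format and binds it as a parameter.

```python
import re
import sqlite3

# Constructed sample data for this example: the provisioning table an IoT
# platform might consult when a device registers. Schema, identifiers and
# keys are assumptions, not taken from any real platform.
DEVICES = [
    ("soil-0001", "psk-a1b2c3"),
    ("soil-0002", "psk-d4e5f6"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE devices (device_id TEXT PRIMARY KEY, psk TEXT)")
    db.executemany("INSERT INTO devices VALUES (?, ?)", DEVICES)
    return db


def lookup_psk_vulnerable(db, device_id):
    """The device-supplied identifier becomes part of the SQL text.

    A device (or whoever controls its connection) can therefore rewrite the
    WHERE clause; "' OR '1'='1" matches every row and leaks another
    device's key.
    """
    sql = f"SELECT psk FROM devices WHERE device_id = '{device_id}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


# Assumed identifier format for this fleet: a lowercase word, a dash, four digits.
DEVICE_ID_RE = re.compile(r"^[a-z]+-[0-9]{4}$")


def lookup_psk_safe(db, device_id):
    """Reject anything that is not a well-formed identifier, then bind it.

    Parameter binding alone already defeats the injection; the format check
    is defence in depth and gives the platform a clean place to log and rate
    limit devices that send garbage.
    """
    if not DEVICE_ID_RE.fullmatch(device_id):
        return None
    row = db.execute(
        "SELECT psk FROM devices WHERE device_id = ?", (device_id,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_psk_vulnerable(db, payload))  # leaks a key
    print("safe:      ", lookup_psk_safe(db, payload))        # None
```

The same two rules apply to the write path: bind every value the device supplies, and never build a statement with string formatting, whatever database or ORM the platform uses.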
As on any service platform, expose only the minimum set of services and do not leave unused services running; many are enabled by default.
For example, Server Message Block (SMB) is often enabled by default and is also a common attack vector. Always check which ports are listening and disable or remove any service the platform does not need.
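One way to turn "check open ports" into a repeatable check, as an added example that is not part of the white paper: parse the output of `ss -tlnp` on a Linux host and report every listener that is reachable from the network and not on an allowlist of expected port/process pairs. The sample output, the process names and the allowlist are constructed for this example; loopback-only listeners are skipped because only local processes can reach them.

```python
import re

# Constructed sample of `ss -tlnp` output for a platform host (assumed
# ports and process names, not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=1203,fd=5))
LISTEN  0       4096    127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=6))
LISTEN  0       4096    [::]:8443            [::]:*             users:(("iot-platform",pid=1500,fd=9))
LISTEN  0       128     [::1]:9100           [::]:*             users:(("node_exporter",pid=1611,fd=3))
"""

# Assumed allowlist: port -> process that is expected to own it.
EXPECTED = {22: "sshd", 8443: "iot-platform"}

LOOPBACK = {"127.0.0.1", "::1"}
PROC_RE = re.compile(r'\("([^"]+)"')  # first ("name",pid=...) entry


def parse_ss(output):
    """Yield (address, port, process) for every LISTEN line."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or unrelated line
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")  # IPv6 addresses are bracketed
        m = PROC_RE.search(line)
        # Without root, ss prints no process column; report "?" so the
        # listener is still flagged rather than silently accepted.
        yield addr, int(port), (m.group(1) if m else "?")


def audit(output, expected=EXPECTED):
    """Return network-reachable listeners that are not on the allowlist."""
    findings = []
    for addr, port, proc in parse_ss(output):
        if addr in LOOPBACK:
            continue
        if expected.get(port) == proc:
            continue
        findings.append((addr, port, proc))
    return findings


if __name__ == "__main__":
    import sys

    # Pipe real output in with `ss -tlnp | python audit.py`; otherwise the
    # constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for addr, port, proc in audit(data):
        print(f"unexpected listener {addr}:{port} owned by {proc}")
```

On the sample the only finding is the SMB daemon on port 445, which is exactly the kind of default service the paragraph above says to remove; how it is disabled depends on the distribution and init system.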
Fuzzing is another method of finding vulnerabilities: feeding the target deliberately malformed input such as protocol anomalies, extremely long fields, or invalid or unusual data. It is usually done locally in a controlled environment, but it can also be used as a blunt-instrument attack on a live network. Attackers use all of these techniques to trigger programming errors, either to find exploitable vulnerabilities or simply to cause disruption.
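To show what those mutations do to a parser that trusts its input, here is an added example (written for this page, not taken from the white paper or from any real platform). It assumes a hypothetical telemetry message format of three `;`-separated fields, `device;metric;value`, runs a small mutation fuzzer against a naive parser and against a hardened one, and records every exception that is not the parser's own `ParseError`. Each unexpected exception is an unhandled corner case of the kind the paragraph above describes.

```python
import math
import random


class ParseError(Exception):
    """The only exception a well-behaved parser should raise on bad input."""


def parse_naive(msg: bytes):
    # Assumes exactly three UTF-8 fields with a numeric third field.
    # Each assumption is an unhandled corner case a fuzzer will hit.
    device_id, metric, value = msg.decode("utf-8").split(";")
    return device_id, metric, float(value)


MAX_MSG_LEN = 256  # assumed protocol limits for the hardened parser
MAX_FIELD_LEN = 64


def parse_hardened(msg: bytes):
    if len(msg) > MAX_MSG_LEN:
        raise ParseError("message too long")
    try:
        text = msg.decode("ascii")
    except UnicodeDecodeError as e:
        raise ParseError("non-ASCII byte") from e
    parts = text.split(";")
    if len(parts) != 3:
        raise ParseError(f"expected 3 fields, got {len(parts)}")
    device_id, metric, raw = parts
    if not (0 < len(device_id) <= MAX_FIELD_LEN and 0 < len(metric) <= MAX_FIELD_LEN):
        raise ParseError("bad field length")
    try:
        value = float(raw)
    except ValueError as e:
        raise ParseError("non-numeric value") from e
    if not math.isfinite(value):  # float() happily accepts 'nan', 'inf', '1e999'
        raise ParseError("value not finite")
    return device_id, metric, value


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one classic mutation to a valid message."""
    parts = seed.split(b";")
    choice = rng.randrange(6)
    if choice == 0:  # extremely long field
        i = rng.randrange(len(parts))
        parts[i] = b"A" * rng.choice([300, 5000, 65536])
    elif choice == 1:  # protocol anomaly: missing delimiter
        return seed.replace(b";", b"", 1)
    elif choice == 2:  # protocol anomaly: two messages run together
        return seed + b";" + seed
    elif choice == 3:  # invalid UTF-8 / non-ASCII byte
        pos = rng.randrange(len(seed))
        return seed[:pos] + bytes([rng.randrange(0x80, 0x100)]) + seed[pos:]
    elif choice == 4:  # unusual numeric value
        parts[2] = rng.choice([b"nan", b"inf", b"1e999", b"0x10", b"", b"1,5"])
    else:  # truncation
        return seed[: rng.randrange(len(seed))]
    return b";".join(parts)


def fuzz(parser, seed=b"soil-0001;moisture;41.5", iterations=500, rng_seed=1):
    """Return {exception name: first input that triggered it} for crashes."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ParseError:
            continue  # clean rejection, not a bug
        except Exception as e:  # anything else is an unhandled corner case
            crashes.setdefault(type(e).__name__, case)
    return crashes


def rejects(parser, msg: bytes) -> bool:
    """True if the parser rejects msg with ParseError."""
    try:
        parser(msg)
    except ParseError:
        return True
    return False


if __name__ == "__main__":
    for name, parser in (("naive", parse_naive), ("hardened", parse_hardened)):
        print(name, {k: v[:40] for k, v in fuzz(parser).items()})
```

The naive parser also accepts `nan` as a reading without any exception at all; that is the quieter failure mode, where bad data is stored rather than rejected, and it is why the hardened version checks the value is finite.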
Denial of service
Denial-of-service (DoS) attacks could come via external interfaces (if there are any) or from the IoT devices themselves. A simple device malfunction that causes cyclic registration becomes a massive DoS attack if many devices behave this way simultaneously; to the platform, the effect is the same as a deliberate flood.
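Detecting that situation early is a matter of counting registrations per device and across the fleet. The following detection logic is an added example for this page, not code from the white paper; it assumes a hypothetical log line format, `<ISO timestamp> REGISTER device=<id>`, and builds a constructed log in which twenty devices register once and three faulty devices re-register every five seconds. A device that registers more than `per_device_limit` times in any 60-second window is reported as looping, and the fleet-wide count in any window is compared with an assumed platform capacity.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def build_sample_log():
    """Constructed sample log; format, device names and timing are assumptions."""
    t0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    lines = []
    # 20 healthy devices: one registration each, spread over ten minutes
    for n in range(20):
        ts = t0 + timedelta(seconds=30 * n)
        lines.append(f"{ts.isoformat()} REGISTER device=soil-{n:04d}")
    # 3 faulty devices stuck in a registration loop: every 5 s for two minutes
    for n in (101, 102, 103):
        for k in range(24):
            ts = t0 + timedelta(seconds=5 * k)
            lines.append(f"{ts.isoformat()} REGISTER device=soil-{n:04d}")
    return "\n".join(lines)


def parse_log(text):
    """Return [(timestamp, device_id)] sorted by time."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" REGISTER ")
        if not rest.startswith("device="):
            continue  # not a registration line
        events.append((datetime.fromisoformat(ts), rest[len("device="):]))
    events.sort()
    return events


def max_in_window(times, window):
    """Largest number of (sorted) timestamps inside any interval of length window."""
    best = j = 0
    for i in range(len(times)):
        while times[i] - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect(text, window=timedelta(seconds=60), per_device_limit=3, fleet_limit=30):
    """Return (devices in a registration loop, whether the fleet rate exceeds capacity).

    per_device_limit: more registrations than this per window is a loop.
    fleet_limit: assumed registrations per window the platform can absorb.
    """
    events = parse_log(text)
    per_device = defaultdict(list)
    for ts, dev in events:
        per_device[dev].append(ts)
    looping = sorted(
        dev for dev, ts in per_device.items()
        if max_in_window(ts, window) > per_device_limit
    )
    storm = max_in_window([ts for ts, _ in events], window) > fleet_limit
    return looping, storm


if __name__ == "__main__":
    looping, storm = detect(build_sample_log())
    print("looping devices:", looping)
    print("registration storm:", storm)
```

The per-device check is what lets the operator quarantine the faulty firmware batch before the fleet-wide count is reached; the fleet-wide check is the alarm that the platform is already under the same load a deliberate attack would produce.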
When transport layer security (TLS) is used for end-to-end protection of the communication, at least one security device should decrypt the traffic to verify that the protected traffic is what it is expected to be. Otherwise, a compromised IoT device can use the encrypted connection to hide its malicious traffic from the operator. A security device co-located with the IoT platform may offload the TLS processing and pass decrypted traffic directly to the platform; if it is not co-located, it should re-encrypt the traffic towards the platform so that eavesdropping on the inspected leg is impossible.
Security Threats – IoT Devices
Attackers may also target the IoT devices themselves. Most IoT devices have limited connectivity and communicate with only a few destinations: the IoT platform and the application servers that provide other services, such as firmware upgrades or data storage. This narrow scope of communication limits the attack possibilities, but we should always assume that the IoT platform or any of the application servers may become compromised, in which case the attack on the device is launched from inside the trusted network.
Below, we will explore what such attacks may comprise.
Although IoT malware is not prevalent today, it will become more so as threat actors see a better return on investment (ROI) in attacking IoT.
Some IoT devices have limited functionality, which reduces the likelihood of vulnerabilities. On the other hand, IoT device functionality is often custom-developed, which may introduce bugs that would not be present in widely used general-purpose components. The limited functionality may also mean a lack of security features, such as the capability to send encrypted traffic or set up VPN tunnels. And the sheer breadth of device types means that, for instance, an agricultural soil monitor differs significantly from an autonomous vehicle, even though both are labelled IoT. Whatever the device, the enterprise must expect exploits and put protection in place.
If an attacker can send traffic to a device, a DoS attack may be possible, especially against constrained devices. For IoT devices with low traffic levels, simple rate-limiting rules in the network should be effective against such an attack.
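The rate-limiting rule itself is usually a one-liner in the firewall, but it is worth seeing what it does. The following is an added example for this page, not code from the white paper: a per-destination token bucket, keyed by device, that admits a burst of `burst` packets and then `rate` packets per second, with a simulated clock so the behaviour can be checked offline. The rate, burst and device names are assumptions chosen for a low-traffic sensor; a real deployment would pick them from the device's expected traffic profile.

```python
from collections import Counter


class TokenBucket:
    """Classic token bucket: refills `rate` tokens per second, holds at most `burst`."""

    def __init__(self, rate, burst, now):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.updated = now

    def allow(self, now, cost=1):
        elapsed = max(0.0, now - self.updated)  # tolerate a clock that steps back
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class PerDeviceLimiter:
    """One bucket per destination device (keyed by IMSI, IP or whatever the network sees)."""

    def __init__(self, rate=2.0, burst=5):
        self.rate = rate
        self.burst = burst
        self.buckets = {}
        self.dropped = Counter()  # drop counts are the detection signal as well

    def admit(self, device, now):
        bucket = self.buckets.get(device)
        if bucket is None:
            bucket = self.buckets[device] = TokenBucket(self.rate, self.burst, now)
        ok = bucket.allow(now)
        if not ok:
            self.dropped[device] += 1
        return ok


def simulate_flood(limiter, device, packets, duration, start=0.0):
    """Send `packets` evenly spaced over `duration` seconds; return how many were admitted."""
    admitted = 0
    for i in range(packets):
        if limiter.admit(device, start + i * duration / packets):
            admitted += 1
    return admitted


if __name__ == "__main__":
    lim = PerDeviceLimiter(rate=2.0, burst=5)
    # Constructed traffic: a 200 packet/s flood at one sensor, and a second
    # sensor's legitimate one packet per second.
    print("flood admitted:", simulate_flood(lim, "soil-0001", 200, 1.0))
    print("normal admitted:", simulate_flood(lim, "soil-0002", 10, 10.0))
    print("dropped:", dict(lim.dropped))
```

With these parameters the flood gets the initial burst plus roughly two packets per second and everything else is dropped, while the sensor sending one packet per second never loses anything. On a Linux gateway the equivalent is an iptables or nftables `limit` match on traffic towards the device subnet, with a default drop; the per-device drop counter is also a useful alert source, since a constrained device should rarely be the target of a burst at all.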
Attacks through Network Signalling Protocols
Like any device connected to the cellular network, an IoT device runs the risk of being attacked through signalling protocols. Within Enea we have leading expertise in this area through the recent acquisition of Adaptive Mobile Security. Learn more in their blog post Role of CyberTelecom / Network Security in High Value M2M and IoT Apps.