4G/5G Wireless Networks as Vulnerable as WiFi and putting SmartCities at Risk

Researchers from security firm Positive Technologies warns of 4G/5G Wireless Networks as vulnerable as WiFi and putting smart-cities at risk

The Internet of Things (IoT) presents many new opportunities and some different challenges. The vast number of devices makes it very expensive to connect everything with traditional network cabling and in many cases the equipment only supports wireless connectivity.

Many IoT devices for consumers leverage WiFi networks and we are already seeing the security challenges with these technologies. The largest Denial of Service (DoS) attacks leverage consumer IoT equipment (Mirai Botnet) and there are many stories of bad actors spying on people through their unsecured webcams.

While WiFi is widely adopted in homes, it doesn’t scale well to large commercial installations like Industrial IoT in manufacturing, energy or SmartCities.

As communications carriers deploy expansive 4G/5G Wireless Networks these are becoming the infrastructure of choice for commercial IoT. Unfortunately, although managed by professionals, they still have many vulnerabilities that can increase risks unexpectedly. We already knew that the SMS messaging system was flawed and can not be relied upon for secure messaging.

Now security vendor, Positive Technologies, is warning that a fundamental protocol of 4G/5G Wireless Networks creates three potential risks.

“Detected vulnerabilities pose a threat to intelligent traffic lights and street lighting; electronic road signs; information displays at bus stops; and other smart city features that are commonly connected to mobile networks of the fourth generation. Positive Technologies revealed these flaws in mobile networks, which are also relevant to future 5G networks, as part of security assessment conducted in 2016 and 2017.” reads the report published by Positive Technologies.

“Vulnerability exploitation techniques specified in the report are based on flaws of the GTP protocol. They do not require an attacker to possess any sophisticated tools or skills, instead they simply need a laptop, a free software installer for penetration tests, and basic programming skills.”

You have probably heard about Voice Over IP (VoIP) which is a technology method to convert voice into discrete data packets. Once converted it becomes possible to send voice conversations through the same network as computer-to-computer data transmissions (e.g. email, streaming videos, etc.)

These networks rely on something called the Extended Packet Core (EPC) which in turn leverages General Tunneling Protocol (GTPv2) to allow voice and data communications channels to be combined. It is within the GTPv2 proposal that the most recent flaws were discovered.

On its own, there is no encryption included in the protocol so inherent security and authentication must be handled elsewhere in the applications.

“The mobile network infrastructure is based on a set of telephony signaling protocols, developed in 1975, when security wasn’t a consideration but was less of a risk as only a few people had access. Today that’s no longer true. Access has spiralled yet security is still non-existent,” explains Michael Downs, Director of Telecoms Security (EMEA) of Positive Technologies.

Positive Technologies predicts three different, potential exploits:

Information Leakage: with access to the network it is possible for bad actors to discover information about other nodes connected to the network (e.g. location, firmware versions, etc.)
Denial of Service: GTP is used to create an isolated communications channel, but it isn’t completely isolated. Several users’ communications are combined in a single channel and it is possible for one of these users to disconnect the tunnel for all users.
Compete Takeover: many IoT devices are running simple IP stacks and vulnerable system stacks. Existing and yet to be discovered vulnerabilities may exist in these devices and the lack of encrypted isolation means they are remotely accessible and perhaps remotely exploitable.

Similar to other wireless protocols like WiFi and Bluetooth, EPC is not inherently secure. If you need to rely on these topologies for secure communications, you need to take advantage of additional security controls. As always, you must be accountable for your own security.

About the author: Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – 4G/5G Wireless Networks, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.