4G/5G Wireless Networks as Vulnerable as WiFi and putting SmartCities at Risk

Researchers from security firm Positive Technologies warns of 4G/5G Wireless Networks as vulnerable as WiFi and putting smart-cities at risk

The Internet of Things (IoT) presents many new opportunities and some different challenges. The vast number of devices makes it very expensive to connect everything with traditional network cabling and in many cases the equipment only supports wireless connectivity.

Many IoT devices for consumers leverage WiFi networks and we are already seeing the security challenges with these technologies. The largest Denial of Service (DoS) attacks leverage consumer IoT equipment (Mirai Botnet) and there are many stories of bad actors spying on people through their unsecured webcams.

While WiFi is widely adopted in homes, it doesn’t scale well to large commercial installations like Industrial IoT in manufacturing, energy or SmartCities.

As communications carriers deploy expansive 4G/5G Wireless Networks these are becoming the infrastructure of choice for commercial IoT. Unfortunately, although managed by professionals, they still have many vulnerabilities that can increase risks unexpectedly. We already knew that the SMS messaging system was flawed and can not be relied upon for secure messaging.

Now security vendor, Positive Technologies, is warning that a fundamental protocol of 4G/5G Wireless Networks creates three potential risks.

“Detected vulnerabilities pose a threat to intelligent traffic lights and street lighting; electronic road signs; information displays at bus stops; and other smart city features that are commonly connected to mobile networks of the fourth generation. Positive Technologies revealed these flaws in mobile networks, which are also relevant to future 5G networks, as part of security assessment conducted in 2016 and 2017.” reads the report published by Positive Technologies.

“Vulnerability exploitation techniques specified in the report are based on flaws of the GTP protocol. They do not require an attacker to possess any sophisticated tools or skills, instead they simply need a laptop, a free software installer for penetration tests, and basic programming skills.”

You have probably heard about Voice Over IP (VoIP) which is a technology method to convert voice into discrete data packets. Once converted it becomes possible to send voice conversations through the same network as computer-to-computer data transmissions (e.g. email, streaming videos, etc.)

These networks rely on something called the Extended Packet Core (EPC) which in turn leverages General Tunneling Protocol (GTPv2) to allow voice and data communications channels to be combined. It is within the GTPv2 proposal that the most recent flaws were discovered.

On its own, there is no encryption included in the protocol so inherent security and authentication must be handled elsewhere in the applications.

“The mobile network infrastructure is based on a set of telephony signaling protocols, developed in 1975, when security wasn’t a consideration but was less of a risk as only a few people had access. Today that’s no longer true. Access has spiralled yet security is still non-existent,” explains Michael Downs, Director of Telecoms Security (EMEA) of Positive Technologies.

Positive Technologies predicts three different, potential exploits:

1. Information Leakage: with access to the network it is possible for bad actors to discover information about other nodes connected to the network (e.g. location, firmware versions, etc.)
2. Denial of Service: GTP is used to create an isolated communications channel, but it isn’t completely isolated. Several users’ communications are combined in a single channel and it is possible for one of these users to disconnect the tunnel for all users.
3. Compete Takeover: many IoT devices are running simple IP stacks and vulnerable system stacks. Existing and yet to be discovered vulnerabilities may exist in these devices and the lack of encrypted isolation means they are remotely accessible and perhaps remotely exploitable.

Similar to other wireless protocols like WiFi and Bluetooth, EPC is not inherently secure. If you need to rely on these topologies for secure communications, you need to take advantage of additional security controls. As always, you must be accountable for your own security.

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.