by Craig Gibson (Principal Threat Defense Architect)
Already, current cellular network technologies such as 3G and 4G allow fast wireless communication. But the next evolution, 5G, is set to afford even faster connections along with greater reliability. Touted as the next generation of mobile internet connectivity, 5G will offer speeds of the order of several gigabits per second (Gbps), with average download rates expected to be about 1 Gbps. While its improvements over previous generations will doubtless be most apparent in smartphones and other widely used internet-enabled mobile devices, 5G is also likely to benefit the internet of things (IoT) since it can very well provide the infrastructure the IoT needs to carry and transfer massive amounts of data.
The scalability of 5G will be critical for the functionality of the tens of billions of devices connected to the IoT, with as many as 30 billion forecast to be online by the time the emerging telecom technology is launched worldwide in 2020. The volume of data that the IoT and 5G are expected to handle is over a thousand times what was expected of 4G. But many of the security mechanisms carried over from earlier generations such as 2G, or even 4G, were not designed for this volume. Consequently, 5G inherits and amplifies the risks from 2G, 3G, and 4G.
Use of SIM cards in IoT devices
Most of the IoT devices for which radio connectivity is available — such as smart factory equipment, autonomous vehicles, mobile robots, and smartwatches — rely on the same security and identity method used in cellphones: the subscriber identity module or SIM card. Since 1993, SIM card security standards have included the means of remotely changing the content and functionality of SIM cards. This is carried out via radio, with a special “invisible” kind of short message service (SMS) message used in managing SIM cards. This SMS is sent “over the air” (OTA) and can contain a variety of commands that can be abused by an attacker. When these commands are sent through 5G, the potential for abuse is amplified by the scalability of the technology. This is particularly significant in the context of IoT devices that depend on SIM standards and applications, including universal subscriber identity module (USIM), embedded subscriber identity module (eSIM), and integrated subscriber identity module (ISIM).
Possible threats to SIM card-dependent IoT devices
The invisible SMS that manages a SIM card over the air is called a SIM-OTA SMS message. This communication does not need an information technology (IT) connection, only a radio connection to a back-end network or carrier that is capable of sending SIM-OTA SMS messages. These SIM-OTA SMS messages are powerful in that they can change or remove the ability of SIM card-dependent IoT devices, as well as cellphones, to function. A SIM-OTA SMS message can even cause a SIM card to be bricked or to become permanently nonfunctional; if the functions of an IoT device depend on SIM radio connectivity, like those of cellphones do, the IoT device will become bricked as well.
SIM-OTA SMS messages that can affect SIM card-dependent IoT devices include these standards-based commands:
- TERMINATE CARD USAGE: irreversibly bricks the SIM, USIM, eSIM, or ISIM; performs denial of service.
- TERMINATE DF: irreversibly blocks the Dedicated File (containing access conditions and allocable memory) of the SIM, USIM, eSIM, or ISIM (specific functions); performs denial of service.
- TERMINATE EF: irreversibly blocks the Elementary File (containing access conditions and data) of the SIM, USIM, eSIM, or ISIM (specific functions); performs denial of service.
- ACTIVATE FILE: activates a file to facilitate ransomware, international revenue share fraud (IRSF), wiretapping, and other malicious activities; performs denial of service.
- DEACTIVATE FILE: reversibly blocks a file to facilitate ransomware, IRSF, and other malicious activities; performs denial of service.
- CREATE FILE: creates a file to facilitate SIM and mobile malware.
- DELETE FILE: may delete certain functions, allowing malicious activities to proceed; may perform denial of service.
Malicious SIM-OTA SMS messages can be sent using false base stations (fake cell towers), rogue base stations (legitimate but hacked cell towers), hacked carriers (including cases where organized crime owns a phone carrier), hacked SMS gateways, and even hacked telecom satellites. Since the geographic scope of telecom radio and the scalability of 5G are both broad, one can imagine that an attack using this vector can be carried out on a massive scale and be very successful.
Since file transfer can be invoked using the SIM-OTA SMS method, a SIM-dependent IoT device can also be prompted to pull down files including malware. In the SIM-OTA SMS communication diagram below, the executed command can refer to malicious code or code retrieving malware from a remote location, while the generated outbound SMS from the device can hold additional malicious code or phishing links, or can compose part of the command structure of an SMS botnet.
Figure 1. SIM-OTA SMS communication (adapted from “Smart Card Handbook” by Wolfgang Rankl and Wolfgang Effing)
The SIM application toolkit, which is essentially a group of useful functions, can also be abused to compromise SIM cards and, by extension, SIM card-dependent IoT devices. One of the functions is the SIM service table, in which the potential functions of the SIM are stored, including the ability of a SIM to make voice calls and send SMS. By using SIM-OTA SMS, performing remote code execution, and enabling additional services, threat actors can facilitate new malicious behaviors, including IoT fraud botnets, distributed denial of service (DDoS) on carriers and carrier functions, and even large-scale permanent loss of critical IoT infrastructure.
Possible security measures against threats
There are security functions that can be performed to prevent some of these malicious activities, but most IoT devices do not support them. Of the carrier-side security functions, many require the deployment of a SIM inventory management platform called an equipment identity register (EIR). EIRs, however, remain uncommon in the telecom industry. One approach that may be viable is the use of a 5G platform called a telecom security orchestrator.
Orchestrators in general are customizable software programs responsible for receiving information from the IoT, big data, artificial intelligence, and machine learning, and for making large-scale high-speed automated decisions based on the information. Orchestrators are quite new and are responsible for managing software-defined networks (SDNs) and programmatic networks like 5G. Without telecom orchestrators, which include telecom security orchestrators, 5G will not be able to handle the scope and volume represented by the large-scale market adoption of the IoT in general and the industrial internet of things (IIoT) in particular.
Security orchestrators, including both IT and telecom security orchestrators, are a means of automating very large networks. While some companies, including Trend Micro, already have IT security orchestrators, certain telecommunications companies are just now prototyping telecom security orchestrators. Capable of operating at telecom levels of performance and maturity (that is, much higher than normal IT requirements), telecom security orchestrators can address various telecom security issues. They can, for example, spot rogue base stations and similar hacked telecom equipment, and thwart attacks such as those delivered via telecom satellites. The approach relies on dynamic network routing and data architecture driven by artificial intelligence and machine learning.
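As an added illustration, not code from the article or from any Trend Micro product, the following sketch shows the kind of automated decision a carrier-side SMS gateway or telecom security orchestrator could make about the SIM-OTA commands listed above: block OTA management traffic from any origin other than the carrier's own OTA platform, hold irreversible commands for review, and raise an alert when destructive commands hit many distinct SIMs within a short window, the mass-scale pattern the article warns about. The message fields, the trusted origin name and the traffic sample are all constructed for this example.

```python
from dataclasses import dataclass

# Constructed for this example: the article's irreversible / service-killing commands.
DESTRUCTIVE = {"TERMINATE CARD USAGE", "TERMINATE DF", "TERMINATE EF", "DELETE FILE"}
# Constructed: only the carrier's own OTA platform may originate SIM-OTA traffic.
TRUSTED_ORIGINS = {"carrier-ota-platform"}

@dataclass
class OtaMsg:
    ts: int        # submission time in seconds (constructed)
    origin: str    # gateway / SMSC that submitted the message (constructed)
    imsi: str      # target subscriber; constructed placeholder values
    command: str   # decoded SIM-OTA command name

def decide(msg: OtaMsg) -> str:
    """Per-message policy: 'block', 'review' or 'allow'."""
    if msg.origin not in TRUSTED_ORIGINS:
        return "block"            # an untrusted origin never manages SIMs over the air
    if msg.command in DESTRUCTIVE:
        return "review"           # irreversible change: hold for human approval
    return "allow"

def burst_alerts(msgs, window=60, threshold=3):
    """Sliding window over destructive commands: count distinct SIMs hit within
    `window` seconds and report (ts, victims) each time `threshold` is reached."""
    alerts, recent = [], []
    for m in sorted(msgs, key=lambda m: m.ts):
        if m.command not in DESTRUCTIVE:
            continue
        recent.append(m)
        recent = [r for r in recent if m.ts - r.ts < window]
        victims = {r.imsi for r in recent}
        if len(victims) >= threshold:
            alerts.append((m.ts, len(victims)))
    return alerts

# Constructed traffic sample: one legitimate change, a burst from an unknown SMSC,
# and a later destructive command from the carrier's own platform.
SAMPLE = [
    OtaMsg(0,   "carrier-ota-platform", "IMSI-A", "ACTIVATE FILE"),
    OtaMsg(5,   "unknown-smsc-17",      "IMSI-B", "TERMINATE CARD USAGE"),
    OtaMsg(9,   "unknown-smsc-17",      "IMSI-C", "TERMINATE DF"),
    OtaMsg(12,  "unknown-smsc-17",      "IMSI-D", "TERMINATE EF"),
    OtaMsg(400, "carrier-ota-platform", "IMSI-E", "DELETE FILE"),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m.ts, m.origin, m.command, "->", decide(m))
    print("burst alerts:", burst_alerts(SAMPLE))
```

In a real deployment the command name would come from decoding the OTA envelope at the gateway and the origin from the SMSC submitting it; the thresholds here are illustrative.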