by: Trend Micro Research and Europol’s European Cybercrime Centre (EC3)
Telecommunications or telecom technology is the underpinning of the modern internet, and consequently, the internet’s growing segment, the internet of things (IoT). Likewise, the global telecommunications network we enjoy today has been greatly influenced by the existence and growth of the internet. Between telecom and the internet is a two-way relationship, even an indistinguishable divide for users. We experience this since the very same telecom carriers we subscribe to allow us to connect to the internet. At its best, this relationship is exemplified as advances in network connectivity as we move to 5G. In our paper with Europol’s European Cybercrime Centre (EC3), “Cyber-Telecom Crime Report 2019,” we explore how this relationship can also be used to threaten and defraud the IoT.
The SIM Connection
A common and well-known link that communication devices and internet devices have is the use of a SIM card. For IoT devices to have a unique presence and connection to the internet, they should have a SIM in the same way a phone does. This could be a familiar white SIM card, or something smaller attached to the circuitry of the device. A phone makes or receives calls, SMS, or data. Identically, an IoT device has a SIM to allow it to receive and make calls, SMS, or data.
SIM cards can serve like credit or debit cards in that they are used to initiate billing or connections that have corresponding fees. That’s why SIM cards, unfortunately, can be subject to many of the same frauds and risks credit cards are. In addition, the use of SIM cards — and telecom in general — in fraud appeals to criminals, perhaps because the telecom sector is not under regulation for money laundering controls.
In the case of smart city devices like traffic lights and smart garbage bins, cybercriminals have various ways to abuse SIM cards. They could choose to extract the SIM cards embedded in the IoT devices and use the SIMs to launder money or conduct other illicit activities. In some cases, even when the SIM cards might be difficult to extract, vulnerabilities still lie in how the devices have the capability to change carriers remotely. Moving from one carrier to another creates risks as some carriers could be cooperating with or created by criminals.
Bucketed subscription aggregation is also a problem with the IoT, especially in the development of more complex and large-scale IoT environments like smart cities. Such scale could be met with inadequate security measures, wherein many IoT devices (as many as millions) are aggregated to a single accounting line. When even just a single SIM of these IoT devices is compromised, the fraud it facilitates will be left undetected due to the inadequate accounting oversight.
It is also important to note that even if an IoT device is “dumb” or doesn’t have the ability to call or send messages, it doesn’t mean that its SIM is also limited — a fact that many procurement departments of large-scale IoT implementations might forget. These dumb devices could hold unknown telecom capabilities, ones that could be exploited by cybercriminals for data malware infection or very costly long distance fraud.
Large IoT Infrastructures
The scalability of IoT is one of its greatest assets, which, in the case of telecom fraudsters, is something of an opportunity as well. Depending on the number of deployed IoT devices and supporting technologies like dedicated servers, its environment can scale from one entire home to an entire city. The larger the scale, the more challenging it would be to monitor each connected device.
Even smaller-scale environments like smart homes, buildings, and factories do not escape the risk of being used for telecom fraud. Although smart factories are typically isolated from the internet, they do still require some form of cellular data connection to perform backups to an offsite location or undergo remote maintenance. Through this connection, cybercriminals can use cyber-telecom vulnerabilities against them and use them for outbound fraud.
Even smart and autonomous vehicles can be subject to the same attacks as mobile phones. Telephony denial of service (TDoS), for example, could cause a smart car to become lost due to a broken internet connection.
Securing Telecom and the IoT
Keeping in mind the connection between IoT and telecom should help in creating defenses against threats that shift from one to the other. Getting a grasp on common channels used by IoT devices can uncover hidden telecom capabilities in them. For IoT devices, simple measures like changing the default settings and credentials of the device can already prevent some of the mentioned telecom attacks.
Telecom technology and the IoT have proven that connectivity can be a powerful tool that helps us save time, improve efficiency, and bridge borders, among others. However, connections that run beyond our awareness can be abused to the detriment of others, through crimes like fraud and money laundering. It is important to acknowledge that there is only so much a single organization or industry can do against an interconnected web of threats. Collaboration and cooperation between all stakeholders, from telecom carriers to security experts and law enforcement, are necessary in keeping our connections safe.
For the complete discussion on telecom threats, read our paper “Cyber-Telecom Crime Report 2019.”