Attacks From a New Front Door in 4G & 5G Mobile Networks

By Altaf Shaik, Shinjo Park, Matteo Strada on 10 Aug 2022 @ Blackhat
#api-security
Focus Areas: 🔐 Application Security, 🌐 Web Application Security

Abstract

The inception of APIs in the telecom industry is destined to change the way mobile networks have operated over the last 3 decades. The latest mobile networks now open their doors to enterprise customers, service providers, and application developers, providing access to data and core network functions within the carrier's network. This access is facilitated by the well-known HTTP-based RESTful API paradigm and allows the integration of automotive, health care, industries, and many others with the 5G mobile networks.

This talk brings to light for the first time the practical details of the APIs that enable next-generation AI, MEC, and IoT applications using the latest 4G and 5G networks. A security investigation on hundreds of APIs from 10 commercial providers and operators reveals that all of them contain several of the top ten most critical API weaknesses. Even an average attacker can easily find an RCE and disrupt the operation of billions of IoT devices that tend to rely on the latest mobile networks. We put forward the security loopholes in telecom exposure APIs and once again remind you that security should be rooted in the design of 5G and IoT networks.

AI Generated Summary

The talk addresses a new attack surface in 4G and 5G mobile networks arising from standardized network exposure via application programming interfaces (APIs). These APIs, intended for industries and IoT service providers, allow remote management and data retrieval from connected devices, representing a significant shift from traditional closed telecom architectures. The research investigates the security of commercial IoT service platforms that provide these APIs.

Key findings reveal systemic design and configuration weaknesses. Platform registration often requires minimal business verification (e.g., a tax ID), lowering the barrier for malicious actors. Authentication practices are frequently inadequate, including acceptance of weak dictionary passwords and reliance on long-lived static API tokens instead of proper OAuth flows. Critical vulnerabilities include missing rate limiting, exposure of permanent subscriber identifiers (such as the IMSI) in API responses, which enables enumeration, and insecure direct object references (IDOR). Specific flaws allowed IP address injection in downlink messages, potentially enabling device hijacking across the platform. Security was inconsistent between the API layer and the accompanying web management portal. Furthermore, platforms failed to detect or block SMS messages containing known malware payloads when sent to the researchers' own devices.
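The weaknesses listed above (static long-lived tokens, no rate limiting, IMSI in responses, IDOR across tenants) are easiest to see side by side. The following Python is an added example written for this page, not code from the talk or from any operator's platform: it models one device-lookup endpoint of a hypothetical IoT management API twice, once the weak way and once hardened. The tenant names, device IDs, token strings and 15-digit IMSIs are all constructed for illustration and belong to no real subscriber.

```python
"""Weak vs hardened handlers for a toy IoT device-management API.

Added example for this page, not code from the talk or from any operator's
platform. Tenants, device records, token values and endpoint shape are all
constructed for illustration; the IMSIs are 15-digit dummies.
"""
import re
import secrets
import time
from dataclasses import dataclass

# Constructed inventory: two tenants, one device each.
DEVICES = {
    "dev-1001": {"tenant": "acme", "imsi": "262011234567890", "msisdn": "+491701234567"},
    "dev-1002": {"tenant": "globex", "imsi": "310260987654321", "msisdn": "+12025550123"},
}

IMSI_RE = re.compile(r"\b\d{15}\b")  # shape of a permanent subscriber identifier


def leaks_imsi(body):
    """Response check used in tests: does any string field look like an IMSI?"""
    return any(isinstance(v, str) and IMSI_RE.search(v) for v in body.values())


# ---- weak pattern: static long-lived token, no tenant scoping, IMSI in body ----
STATIC_TOKENS = {"tok-acme-static": "acme", "tok-globex-static": "globex"}


def weak_get_device(token, device_id):
    tenant = STATIC_TOKENS.get(token)
    if tenant is None:
        return 401, {"error": "unauthorized"}
    dev = DEVICES.get(device_id)
    if dev is None:
        return 404, {"error": "not found"}
    # IDOR: the caller's tenant is never compared with the device's owner, the
    # permanent IMSI is returned verbatim, and nothing limits how fast IDs are walked.
    return 200, dict(dev)


# ---- hardened pattern ----
@dataclass
class Session:
    tenant: str
    expires_at: float


SESSIONS = {}


def issue_token(tenant, ttl_seconds=900, now=None):
    """Short-lived random bearer token standing in for an OAuth access token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(tenant, now + ttl_seconds)
    return token


class RateLimiter:
    """Fixed-window request counter keyed by principal (the tenant here)."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.hits = {}

    def allow(self, key, now):
        start, count = self.hits.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        count += 1
        self.hits[key] = (start, count)
        return count <= self.limit


LIMITER = RateLimiter(limit=5, window_seconds=60)


def redact(record):
    """Drop the IMSI and mask the MSISDN before the record leaves the API."""
    out = {k: v for k, v in record.items() if k != "imsi"}
    if "msisdn" in out:
        out["msisdn"] = "*" * (len(out["msisdn"]) - 4) + out["msisdn"][-4:]
    return out


def hardened_get_device(token, device_id, now=None, limiter=LIMITER):
    now = time.time() if now is None else now
    sess = SESSIONS.get(token)
    if sess is None or sess.expires_at <= now:
        return 401, {"error": "unauthorized"}
    if not limiter.allow(sess.tenant, now):
        return 429, {"error": "rate limited"}
    dev = DEVICES.get(device_id)
    # Unknown ID and another tenant's ID get the same answer: no enumeration oracle.
    if dev is None or dev["tenant"] != sess.tenant:
        return 404, {"error": "not found"}
    return 200, redact(dev)


if __name__ == "__main__":
    print("weak, cross-tenant:", weak_get_device("tok-acme-static", "dev-1002"))
    t = issue_token("acme")
    print("hardened, cross-tenant:", hardened_get_device(t, "dev-1002"))
    print("hardened, own device:", hardened_get_device(t, "dev-1001"))
```

The hardened handler checks the token's expiry before anything else, charges the rate limit to the tenant (not the device ID, so walking IDs under one account is what gets throttled), and returns the same 404 for "does not exist" and "not yours" so a caller cannot use the response to tell which IDs are live. The `leaks_imsi` helper is the kind of one-line response check a test suite for such an API should run on every endpoint.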

The practical implication is that these newly exposed, high-impact interfaces—controlling device location, billing, configuration, and core network keys—are often secured with insufficient, generic web application protections. Standard security mechanisms like TLS and basic authentication are necessary but not sufficient. The research underscores an urgent need for robust, telecom-specific API security design, stringent access control, proper token management, and specialized security testing tools for this domain. The potential for compromise extends from individual IoT devices to core network elements and billing systems, posing a severe risk to industrial and critical infrastructure deployments.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.