Hackers of India

Hacking 5G Is No Rocket Science

By Altaf Shaik, Matteo Strada on 07 Sep 2022 @ Nullcon


Abstract

The integration of telcos with mainstream technologies like virtualization, SDN, cloud, and big data opens mobile networks to offer endless use cases and connect billions of devices. That being said, the internals of a new 5G core network make heavy use of the commonly known HTTP and REST API protocols, and hacking them is as easy as hacking the web. In particular, the new interface to power and connect the sensors, cars, cities, and smart factories to the mobile networks is a sweet spot for attackers.

In this talk, we explore how to gain access to this sweet spot and illustrate how API attacks unfold in the latest 4G/5G IoT mobile networks. We share our hands-on experiences across several countries/networks with surprising results that allow a remote attacker to take over the underlying IoT infrastructure and cause serious damage to businesses that are starting to benefit from the mobile IoT networks. The ground reality is that there are sheer discrepancies between the standard security practices and implementations in the production environment. We highlight such issues and conclude with our disclosure stories and defense strategies for the mobile networks planning to roll out.

AI Generated Summary (may contain errors)

The speaker discussed their experience with obtaining SIM cards online without proper verification procedures, which allowed them to potentially forge identities and obtain SIM cards under someone else’s name or company. They noted that this was possible due to the operators’ eagerness to gain new customers when launching a new service.

The conversation then shifted to discussing 5G communication and how it can be intercepted. The speaker mentioned that sniffing 5G communication is similar to 4G, but with some differences in the physical layer. They noted that encryption and security measures like SUCI make it more challenging. However, they suggested that other paths, such as APIs, may be easier to access.

The speaker also discussed accessing APIs without SIM cards, stating that many operators provide publicly accessible APIs for marketing purposes. While credentials are typically required to use these APIs, the speaker hinted that breaking authentication could allow unauthorized access.

Overall, the conversation revolved around vulnerabilities in online SIM card acquisition processes and the potential ways to intercept 5G communication, as well as accessing APIs without proper authorization.