Presentation Material

Abstract

The integration of telcos with the mainstream technologies like virtualization, SDN, cloud, and big data open mobile networks to offer endless use cases and connect billions of devices. That being said, the internals of a new 5G core network makes heavy use of the commonly-known HTTP and REST API protocols, and hacking them is as easy as hacking the web. Especially, the new interface to power and connect the sensors, cars, cities, and smart factories to the mobile networks, is a sweet spot for the attackers.

In this talk, we explore how to gain access to this sweet spot and illustrate how API attacks unfold in the latest 4G/5G IoT mobile networks. We share our hands-on experiences across several countries/networks with surprising results, that allow a remote attacker to take over the underlying IoT infrastructure and cause serious damage to businesses that are starting to benefit from the mobile IoT networks. The ground reality is that there are sheer discrepancies between the standard security practices and implementations in the production environment. We highlight such issues and conclude with our disclosure stories and defense strategies for the mobile networks planning to roll out.