It’s the telecom industry’s dirty little secret. It’s the woefully accepted security flaw at the base of almost every network infrastructure. Until recently, nobody has moved quickly enough to address the core problem threatening billions of IoT devices.
Let’s start at the beginning…every cellular connected IoT device today has a phone number. Every phone number is an address for the delivery of data, text messages (SMS), and phone calls. Many IoT stacks, including platforms and eSIMs themselves, require SMS as a way of sending or receiving sensitive information.
Most technologies evolve over time to become more complex and secure — but not SMS. Also known as text messaging or the Short Messaging Service, SMS has been “trusted” since the beginnings of modern cellular network infrastructure in 1985. Anyone who has a phone over the past 35 years is probably familiar with SMS as a quick, convenient way to communicate between mobile devices. However, what most people outside the telecom industry don’t know is how the technology actually works.
Every SMS message is sent over the SS7 signaling protocol that connects the route between a cell tower and the SMS Center responsible for routing the message to the destination endpoint. The SS7 network does not support encryption, as the technology is entirely trust based. This operates in stark contrast to traffic passed over a data packet network used by more secure HTTP-based messaging platforms like iMessage or Whatsapp. In these networks, the GTP transport link encrypts the packets from endpoint-to-endpoint. Unfortunately, SS7 networks are still used by every major IoT device and wireless carrier today, and will continue to be for the foreseeable future, even as the Internet of Things continues its rapid growth.
“Just trust me”
I mentioned earlier that the SS7 network is trust based. What this means is that anyone already inside of an SS7 network can easily spoof any phone number they want, pretending to be either a sender or a receiver. Most hacks people read about in the news are related to this critical security flaw, which underscores the weakness of an SS7 network. There are thousands of vendors with easy backdoors into SS7 trust networks, which would be able to execute an attack without fear of exposure since the tracing/logging capability of an SS7 network is severely lacking. Additionally, there are unlimited retries with no gatekeeping to block a Distributed Denial-of-Service (DDOS) or brute force style attack which is one reason the U.S. government is blocking the use of Huawei equipment inside American radio networks.
But it gets even worse.
There is another point of exposure between the tower and the user equipment. These SMS messages can be sniffed and hijacked by what is called a “stingray” attack where someone pretends to be an eligible tower to route a message through. Furthermore, because the tower networks are “trusted” within the SS7 network, text message content and records can be cached for years, making them vulnerable to a magnitude of radio, operating system (OS), or hardware exploits on these remotely managed towers.
IoT Devices Remain Vulnerable (For Now)
For IoT device makers, it might seem reasonable to say, “I will just make my IoT application HTTP-based.” But the truth is, that won’t be enough to keep your devices and data protected.
Even if your application uses something other than SMS, and even if wireless carriers
eventually retire SS7 (no carriers have announced plans to do so), your device still uses a SIM or eSIM onboard. And, since SMS is used by almost every SIM or eSIM management platform, you will be forced to leave that door open to whoever wants to make your devices go dark or break into your network from the edge.
Cellular IoT needs a new approach to avoid this data security catastrophe waiting to happen. But WiFi or Bluetooth aren’t the answer. In fact, most research suggests these are much less secure than cellular networks. It’s time for cellular IoT to get serious about addressing this major security vulnerability.
Because the future of the Internet of Things could depend on it.