Duo Tech Talk: Probing Mobile Operator Networks
The following blog post was authored by Duo Security's latest Duo Tech Talk guest speaker, security researcher Collin Mulliner at Northeastern University. If you missed the talk, watch the video! And join our Duo Tech Talk Meetup group to stay updated on upcoming talks hosted at our Ann Arbor office.
Connected industrial embedded systems, these days often referred to as the Internet of Things (IoT), are not new. These kinds of systems have been around for quite some time already. Such devices range from environmental sensors, shipping and vehicle tracking, home automation and metering, to traffic electric control systems. Because of the critical tasks these devices carry out, their security is important.
One aspect of IoT devices is how they are deployed. A device may be deployed at a remote location, attached to a vehicle in motion, or placed at a fixed location. IoT devices that are placed in fixed locations often serve as independent monitoring devices that must not rely on local wired infrastructure.
Because of these deployment scenarios, connectivity for these devices is often implemented by adding a cellular interface. Today, cellular interfaces are cheap, especially hardware that connects to legacy networks such as 2G and 2.5G infrastructure. Further, mobile network operators seek ways to monetize their old infrastructure and offer cheap access to it.
As a result, a lot of IoT devices end up on cellular networks and are ultimately connected to the public Internet. In the past, we conducted research to determine what kinds of devices are connected to mobile networks. The research focused mostly on mobile devices that are reachable from the Internet. The primary goal was to determine if we could identify mobile phones and smartphones.
But the main result of the research was that thousands of cellular-enabled embedded devices were reachable from the Internet. Our research was not tailored towards finding insecure devices, only towards identifying devices. Nevertheless, we often found that IoT devices would not require any authentication for services such as telnet and SSH. In particular, devices designed for industrial applications often presented an administration interface directly upon connection.
Below are the slides that document our research into devices that are connected to mobile networks. Our hope is that the people who are responsible for manufacturing, deploying and administering these devices understand that a device connected to the cellular network will most likely end up on the public Internet. Therefore, these systems must not provide unauthenticated access. Critical systems should not be reachable from the Internet at all and should be put on separate networks provided by many mobile operators specifically for IoT devices.
Collin Mulliner, Systems Security Lab, Northeastern University
Collin Mulliner (@collinrm) is a postdoctoral researcher in the Systems Security Lab at Northeastern University. Collin's main interest is the security and privacy of mobile and embedded systems, with an emphasis on mobile phones and smartphones. Collin is especially interested in vulnerability analysis and offensive security but recently switched his focus to the defensive side to work on mitigations and countermeasures. Collin and a team of coauthors are the experts behind the "Android Hacker’s Handbook".