One of 5G's Biggest Features Is a Security Minefield (wired.com) 42
True 5G wireless data, with its ultrafast speeds and enhanced security protections, has been slow to roll out around the world. As the mobile technology proliferates -- combining expanded speed and bandwidth with low-latency connections -- one of its most touted features is starting to come into focus. But the upgrade comes with its own raft of potential security exposures. From a report: A massive new population of 5G-capable devices, from smart-city sensors to agriculture robots and beyond, are gaining the ability to connect to the internet in places where Wi-Fi isn't practical or available. Individuals may even elect to trade their fiber-optic internet connection for a home 5G receiver. But the interfaces that carriers have set up to manage internet-of-things data are riddled with security vulnerabilities, according to research that will be presented on Wednesday at the Black Hat security conference in Las Vegas. And those vulnerabilities could dog the industry long-term. After years of examining potential security and privacy issues in mobile-data radio frequency standards, Technical University of Berlin researcher Altaf Shaik says he was curious to investigate the application programming interfaces (APIs) that carriers are offering to make IoT data accessible to developers.
These are the conduits that applications can use to pull, say, real-time bus-tracking data or information about stock in a warehouse. Such APIs are ubiquitous in web services, but Shaik points out that they haven't been widely used in core telecommunications offerings. Looking at the 5G IoT APIs of 10 mobile carriers around the world, Shaik and his colleague Shinjo Park found common, but serious API vulnerabilities in all of them, and some could be exploited to gain authorized access to data or even direct access to IoT devices on the network. "There's a big knowledge gap. This is the beginning of a new type of attack in telecom," Shaik told WIRED ahead of his presentation. "There's a whole platform where you get access to the APIs, there's documentation, everything, and it's called something like 'IoT service platform.' Every operator in every country is going to be selling them if they're not already, and there are virtual operators and subcontracts, too, so there will be a ton of companies offering this kind of platform."
So 5G conspiracists are sorta right? (Score:2)
...Oh crap, this fuels their egos and "imagination" even more.
Re:So 5G conspiracists are sorta right? (Score:5, Insightful)
No, they are not right at all. This is about crap security design and programming - not spreading diseases and brain worms. And it's really not about 5G per se at all, just the same IoT vulnerability issue we've all been talking about for the past several years.
Re:So 5G conspiracists are sorta right? (Score:5, Insightful)
Geez, I don't want, nor see the value of IoT of anything.
I don't need my washing machine or fridge or freezer connected to the internet.
I don't need my car connected to the internet.
Why are people flocking to these things?
I mean, I love new tech "neato" type stuff, but what value is this stuff giving me?
And if you look at it in light of privacy and security problems....how do people see the value in the trade off?
Is it only me?
Potential is big (Score:2)
> am I the only person in the world that just does NOT want every fscking thing in my house, my car and on my body to be connected?
The potential has wonderful benefits, like controlling & monitoring HVAC and fire/security system from the office or bed. If you have elderly or pets home alone, it becomes even more important.
Is it impossible to reasonably secure such, or is the industry just too lazy/greedy to do it right? It seems IOT vendors would want tighter standards so that people buy and trust th
Re: (Score:1)
> You don't need to manually say "it got really hot today let's actually turn on the AC part of HVAC", you can just set your thermostat.
Not if you're not going to be home, that would be a waste of energy. If you go out to eat after work, then you don't need a cool house until later.
> You do need /some/ sort of connection for systems that can call the police or fire departments, though we've also had both of those without internet.
We have that now, and it's crappy. The wind, birds, thunder, etc. can se
Re: (Score:2)
Well, that's not really very high in my list of priorities in my life.
While I appreciate saving money when I can, I have a good job and can afford my lifestyle...a few pennies wasted on overcooling my house on occasion isn't something I'll lose sleep over.
And besides...I've done just fine without it al
Re: (Score:1)
Everyone's needs and wants differ. So be it.
Re: (Score:2)
If I can check around myself I don't need to depend on birds or Barney Fife.
Make sure he does *not* have his bullet.
Re: (Score:2)
It is impossible if everything is directly accessible, which is the fundamental flaw of Cloud/IoT systems. I don't know how you can deal with cars another way, but things with a fixed location (or fixed locus of locations) and a single communications mechanism can easily be controlled via the end-user's VPN, which should be the default.
Re: (Score:2)
Well, to my earlier point...I do NOT need to have my car connected in any fashion to the internet, or cellular system, or anything external.
Period
I've gone great so far with my car being 100% totally independent from any other system, and I don't need it now.
I'd like to keep it that way.
Re: (Score:1)
I suppose Underwriters Laboratories could serve as the model, but they need a good ad campaign to make enough consumers value their mark. Otherwise, short-cutting competitors will undercut them using price alone.
Feature funny ads with celebrities being caught in embarrassing situations via hacked IOT's.
Re: (Score:2)
I don't care if everything in my house IS connected to something... But not to some freaking "cloud" service.
Insteon shut down abruptly, took down their cloud infrastructure and people lost their minds.
Thing is, what failed in that was the Insteon hubs that talked to the cloud.
The switches, plugs and sensors still worked just fine... IF the hub they talked to wasn't cloud connected.
Mobile devices communicating via 5G don't really bother me too much.
We do need to keep in mind that 5G needs to be treated as a
Re: (Score:2)
I'm willing to bet most of us on this site agree with most of your post. We are the ultra-minority shopper. The average person is so easily sucked into "wifi this, wifi that" it's insane. Most don't even remotely understand anything about how most of these devices work on any level, or perhaps, "It appears to run on some form of electricity" level.
Most also just don't care.
An even worse part, the manufacturers just use it to exfiltrate data out to learn more about us to sell us more crap.
With 5g, maybe CIA
Re: (Score:2)
As seen from other replies, you are definitely not alone. I was gifted a cheap Chinese video surveillance system. I found that, if I wanted to monitor via my phone, I had to run through a server in China. So, I don't monitor via my phone.
Re: (Score:1)
> This is about crap security design and programming - not spreading diseases and brain worms.
That's sort of the same thing. Many variations of the conspiracy(s) don't claim the original intent is brain-worms etc., only that in its current state it's problematic. How it got "bad" is secondary to fact it (allegedly) is bad.
> And it's really not about 5G per se at all, just the same IoT vulnerability issue we've all been talking about for the past several years.
Are you suggesting the headline is mislead
Re: (Score:2)
> No, they are not right at all. This is about crap security design and programming - not spreading diseases and brain worms. And it's really not about 5G per se at all, just the same IoT vulnerability issue we've all been talking about for the past several years.
Exactly, it's not even 5G that is the problem. It's the "Internet of Things" and those of us who've understood the technology and the way that it'll be used have said this from the beginning. It's not that it can't be secured (as much as any wireless or P2P protocol can be secured) but it won't ever be set up or used that way because it'll be "too hard" and people just won't use it because it "doesn't work" because they didn't set authentication up securely. So it's being deliberately released as an insecure
Shocked I tell you! (Score:4, Funny)
Re:Shocked I tell you! (Score:4, Funny)
Also I am shocked to find crime was happening in this establishment.
Your winnings, sir.
some home 5G's are natted and are not full ports (Score:2)
some home 5G's are natted and are not full ports / your own IP
OIT on 5G (Score:3)
Ok, I can see how people will sell me an OIT musical toilet roll holder which will constantly harvest my valuable consumer data, but how cheap is the data link over 5G? For how much telemetry?
Is 5G super cheap or something? If so, where can I buy a pair of 5G modems?
Is it so dirt cheap that we can rebuild the old 9600 baud internets on it?
Re: (Score:1)
> OIT musical toilet roll holder which will constantly harvest my valuable consumer data
Instead of Clippy, we have...
Crappy: "It looks like you are not eating enough fiber. I just ordered you some from The Microsoft Geezer Store. Thank You!"
We already know how this will play out (Score:2)
When Senators and Congressmen are for sale so cheap, there is no incentive to invest time and money into developing secure 5G wireless. It's far more sensible to do a half-assed job, then order your tame politicians to enact legislation absolving you of any consequences for the inevitable security nightmare.
Can someone clarify? (Score:2)
I get the feeling someone is conflating one (5G) with the other (API) for clickbait - but that just might be me being skeptical
Re: (Score:2)
It sounds like the carriers have an API for data in the 5G radio itself.
Re: (Score:3)
it's both, actually.
5G is exciting because it offers a way to do zero-configuration IoT - you just plug it in, and it's instantly on the Internet and controllable - you don't ne
Re: (Score:2)
Why does this sound as bad as the days when installing a windows server with a static IP directly exposed to the internet was port scanned within seconds?
Re: (Score:2)
That's interesting, who is paying for the network usage and portal, the manufacturers of IoT devices? If so, if a manufacturer goes out of business do you lose the connectivity features? This is exciting in a sense, but feels like a system equally designed for the needs of companies as consumers. It's like a hidden mobile phone is being embedded in everything you buy.
Individuals may even elect to trade their fiber-op (Score:2)
"Individuals may even elect to trade their fiber-optic internet connection for a home 5G receiver."
Yea, absolutely no thanks. Wired connection will just be more stable and lower latency.
So. Not a 5G problem? (Score:3)
So basically, this isn't actually a 5G problem, but a problem with trying to implement an API that isn't broken.
Considering the amount of QA most telecom operations utterly fail at, I am not surprised that this causes issues.
IPv6 modern version? (Score:2)
Vulnerable APIs or vulnerable implementations? (Score:2)
From reading the Wired article, I can't tell (and I wonder if the person who wrote the article knows the difference.)
And the source of these APIs is another question: Have these gone through a de-jure formal standardization process (that would include security experts)?
Replace fiber-optic?? (Score:1)
Why on earth would anyone consider for even a second replacing a fiber-optic internet connection with 5G wireless? Or even DSL with wireless? Do you really want to be buying your home internet connection from the same outfit that slows your phone data to a crawl once you use 20 GB in a month?
Still prefer 3G. (Score:2)
... Can't get good cellular signal in my rural home area due to the giant hills/small mountains, trees, etc. with 5G and 4G LTE. :(
Should this even be part of the 5G network? (Score:3)
Should this even be part of the 5G network or the cell carrier? If the network provides Internet connectivity, then the examples provided are all examples where the device application should be pulling directly from the source rather than through an intermediary. If push notification is required, well that seems to be exactly what IP multicast was designed for. The carrier's network would have to provide multicast relay service to minimize traffic, but that shouldn't introduce any security risks to the carrier's network. Packet-level security to ensure multicast packets can't be spoofed would also be required, but that's already present in the form of IPsec for both IPv4 and IPv6.
Security (Score:1)