Communications Security

One of 5G's Biggest Features Is a Security Minefield (wired.com) 42

True 5G wireless data, with its ultrafast speeds and enhanced security protections, has been slow to roll out around the world. As the mobile technology proliferates -- combining expanded speed and bandwidth with low-latency connections -- one of its most touted features is starting to come into focus. But the upgrade comes with its own raft of potential security exposures. From a report: A massive new population of 5G-capable devices, from smart-city sensors to agriculture robots and beyond, are gaining the ability to connect to the internet in places where Wi-Fi isn't practical or available. Individuals may even elect to trade their fiber-optic internet connection for a home 5G receiver. But the interfaces that carriers have set up to manage internet-of-things data are riddled with security vulnerabilities, according to research that will be presented on Wednesday at the Black Hat security conference in Las Vegas. And those vulnerabilities could dog the industry long-term. After years of examining potential security and privacy issues in mobile-data radio frequency standards, Technical University of Berlin researcher Altaf Shaik says he was curious to investigate the application programming interfaces (APIs) that carriers are offering to make IoT data accessible to developers.

These are the conduits that applications can use to pull, say, real-time bus-tracking data or information about stock in a warehouse. Such APIs are ubiquitous in web services, but Shaik points out that they haven't been widely used in core telecommunications offerings. Looking at the 5G IoT APIs of 10 mobile carriers around the world, Shaik and his colleague Shinjo Park found common, but serious API vulnerabilities in all of them, and some could be exploited to gain authorized access to data or even direct access to IoT devices on the network. "There's a big knowledge gap. This is the beginning of a new type of attack in telecom," Shaik told WIRED ahead of his presentation. "There's a whole platform where you get access to the APIs, there's documentation, everything, and it's called something like 'IoT service platform.' Every operator in every country is going to be selling them if they're not already, and there are virtual operators and subcontracts, too, so there will be a ton of companies offering this kind of platform."

  • ...Oh crap, this fuels their egos and "imagination" even more.

    • by 93 Escort Wagon ( 326346 ) on Wednesday August 10, 2022 @01:58PM (#62777994)

      No, they are not right at all. This is about crap security design and programming - not spreading diseases and brain worms. And it's really not about 5G per se at all, just the same IoT vulnerability issue we've all been talking about for the past several years.

      • by cayenne8 ( 626475 ) on Wednesday August 10, 2022 @02:01PM (#62778006) Homepage Journal
        5G or not....am I the only person in the world that just does NOT want every fscking thing in my house, my car and on my body to be connected?

        Geez, I don't want, nor see the value of IoT of anything.

        I don't need my washing machine or fridge or freezer connected to the internet.

        I don't need my car connected to the internet.

        Why are people flocking to these things?

        I mean, I love new tech "neato" type stuff, but what value is this stuff giving me?

        And if you look at it in light of privacy and security problems....how do people see the value in the trade off?

        Is it only me?

        • by GoTeam ( 5042081 )
          It's not just you. It's a trade off between privacy and "clunky convenience". Never consider anything connected to the internet to be secure.
        • > am I the only person in the world that just does NOT want every fscking thing in my house, my car and on my body to be connected?

          The potential has wonderful benefits, like controlling & monitoring HVAC and fire/security system from the office or bed. If you have elderly or pets home alone, it becomes even more important.

          Is it impossible to reasonably secure such, or is the industry just too lazy/greedy to do it right? It seems IOT vendors would want tighter standards so that people buy and trust th

          • by Talchas ( 954795 )
            You don't need an internet connection for a thermostat in the slightest. You don't need to manually say "it got really hot today let's actually turn on the AC part of HVAC", you can just set your thermostat. Frankly if you need to change your thermostat all the time something is wrong with it. You don't need an internet connection for fire alarms or alarmed doors/windows. You do need /some/ sort of connection for systems that can call the police or fire departments, though we've also had both of those with
            • by Tablizer ( 95088 )

              > You don't need to manually say "it got really hot today let's actually turn on the AC part of HVAC", you can just set your thermostat.

              Not if you're not going to be home, that would be a waste of energy. If you go out to eat after work, then you don't need a cool house until later.

              > You do need /some/ sort of connection for systems that can call the police or fire departments, though we've also had both of those without internet.

              We have that now, and it's crappy. The wind, birds, thunder, etc. can se

              • You don't need to manually say "it got really hot today let's actually turn on the AC part of HVAC", you can just set your thermostat.

                Not if you're not going to be home, that would be a waste of energy.

                Well, that's not really very high in my list of priorities in my life.

                While I appreciate saving money when I can, I have a good job and can afford my lifestyle...a few pennies wasted on overcooling my house on occasion isn't something I'll lose sleep over.

                And besides...I've done just fine without it al

              • If I can check around myself I don't need to depend on birds or Barney Fife.

                Make sure he does *not* have his bullet.

          • It is impossible if everything is directly accessible, which is the fundamental flaw of Cloud/IoT systems. I don't know how you can deal with cars another way, but things with a fixed location (or fixed locus of locations) and a single communications mechanism can easily be controlled via the end-user's VPN, which should be the default.

            • I don't know how you can deal with cars another way,

              Well, to my earlier point...I do NOT need to have my car connected in any fashion to the internet, or cellular system, or anything external.

              Period

              I've gone great so far with my car being 100% totally independent from any other system, and I don't need it now.

              I'd like to keep it that way.

          • by Ocker3 ( 1232550 )
            They don't need to lobby for standards, just organise as an industry. But too many customers don't realise the importance of security until their webcam gets hacked, so they're not willing to pay for secure devices or get annoyed by the slight increase in setup complexity.
            • by Tablizer ( 95088 )

              I suppose Underwriters Laboratories could serve as the model, but they need a good ad campaign to make enough consumers value their mark. Otherwise, short-cutting competitors will undercut them using price alone.

              Feature funny ads with celebrities being caught in embarrassing situations via hacked IOT's.

        • I don't care if everything in my house IS connected to something... But not to some freaking "cloud" service.

          Insteon shut down abruptly, took down their cloud infrastructure and people lost their minds.
          Thing is, what failed in that was the Insteon hubs that talked to the cloud.
          The switches, plugs and sensors still worked just fine... IF the hub they talked to wasn't cloud connected.

          Mobile devices communicating via 5G don't really bother me too much.
          We do need to keep in mind that 5G needs to be treated as a

        • I'm willing to bet most of us on this site agree with most of your post. We are the ultra-minority shopper. The average person is so easily sucked into "wifi this, wifi that" it's insane. Most don't even remotely understand anything about how most of these devices work on any level, or perhaps, "It appears to run on some form of electricity" level.

          Most also just don't care.

          An even worse part, the manufacturers just use it to exfiltrate data out to learn more about us to sell us more crap.

          With 5g, maybe CIA

        • As seen from other replies, you are definitely not alone. I was gifted a cheap Chinese video surveillance system. I found that, if I wanted to monitor via my phone, I had to run through a server in China. So, I don't monitor via my phone.

      • by Tablizer ( 95088 )

        > This is about crap security design and programming - not spreading diseases and brain worms.

        That's sort of the same thing. Many variations of the conspiracy(s) don't claim the original intent is brain-worms etc., only that in its current state it's problematic. How it got "bad" is secondary to fact it (allegedly) is bad.

        > And it's really not about 5G per se at all, just the same IoT vulnerability issue we've all been talking about for the past several years.

        Are you suggesting the headline is mislead

      • by mjwx ( 966435 )

        No, they are not right at all. This is about crap security design and programming - not spreading diseases and brain worms. And it's really not about 5G per se at all, just the same IoT vulnerability issue we've all been talking about for the past several years.

        Exactly, it's not even 5G that is the problem. It's the "Internet of Things" and those of us who've understood the technology and the way that it'll be used have said this from the beginning. It's not that it can't be secured (as much as any wireless or P2P protocol can be secured) but it won't ever be set up or used that way because it'll be "too hard" and people just won't use it because it "doesn't work" because they didn't set authentication up securely. So it's being deliberately released as an insecure

  • by UnknowingFool ( 672806 ) on Wednesday August 10, 2022 @01:52PM (#62777978)
    Who knew it would be a bad idea to link everything to the Internet? Also I am shocked to find crime was happening in this establishment.
  • some home 5G's are natted and are not full ports / your own IP

  • by zmollusc ( 763634 ) on Wednesday August 10, 2022 @02:09PM (#62778024)

    Ok, I can see how people will sell me an OIT musical toilet roll holder which will constantly harvest my valuable consumer data, but how cheap is the data link over 5G? For how much telemetry?
    Is 5G super cheap or something? If so, where can I buy a pair of 5G modems?
    Is it so dirt cheap that we can rebuild the old 9600 baud internets on it?

    • by Tablizer ( 95088 )

      > OIT musical toilet roll holder which will constantly harvest my valuable consumer data

      Instead of Clippy, we have...

      Crappy: "It looks like you are not eating enough fiber. I just ordered you some from The Microsoft Geezer Store. Thank You!"

  • When Senators and Congressmen are for sale so cheap, there is no incentive to invest time and money into developing secure 5G wireless. It's far more sensible to do a half-assed job, then order your tame politicians to enact legislation absolving you of any consequences for the inevitable security nightmare.

  • Is the API requiring a 5G connection and the underlying hardware? or is it just the latest Internet of Things API that happens to work over a 5G connection but will also work over 4G and wired connections?

    I get the feeling someone is conflating one (5G) with the other (API) for clickbait - but that just might be me being skeptical :/
    • It sounds like the carriers have an API for data in the 5G radio itself.

    • by tlhIngan ( 30335 )

      Is the API requiring a 5G connection and the underlying hardware? or is it just the latest Internet of Things API that happens to work over a 5G connection but will also work over 4G and wired connections?

      I get the feeling someone is conflating one (5G) with the other (API) for clickbait - but that just might be me being skeptical :/

      it's both, actually.

      5G is exciting because it offers a way to do zero-configuration IoT - you just plug it in, and it's instantly on the Internet and controllable - you don't ne

      • Honestly it sounds like the worst case scenario for security. Plug it in and boom it is now sending everything to a cloud somewhere and if you are lucky you register ownership before someone else does?

        Why does this sound as bad as the days when installing a windows server with a static IP directly exposed to the internet was port scanned within seconds?
      • That's interesting, who is paying for the network usage and portal, the manufacturers of IoT devices? If so, if a manufacturer goes out of business do you lose the connectivity features? This is exciting in a sense, but feels like a system equally designed for the needs of companies as consumers. It's like a hidden mobile phone is being embedded in everything you buy.

  • "Individuals may even elect to trade their fiber-optic internet connection for a home 5G receiver."
    Yea, absolutely no thanks. Wired connection will just be more stable and lower latency.

  • by splutty ( 43475 ) on Wednesday August 10, 2022 @02:37PM (#62778100)

    So basically, this isn't actually a 5G problem, but a problem with trying to implement an API that isn't broken.

    Considering the amount of QA most telecom operations utterly fail at, I am not surprised that this causes issues.

  • I remember 20 years ago folks didn't want to use IPv6 because of privacy concerns. Same shit different tech?
  • From reading the Wired article, I can't tell (and I wonder if the person who wrote the article knows the difference.)

    And the source of these APIs is another question: Have these gone through a de-jure formal standardization process (that would include security experts)?

  • Why on earth would anyone consider for even a second replacing a fiber-optic internet connection with 5G wireless? Or even DSL with wireless? Do you really want to be buying your home internet connection from the same outfit that slows your phone data to a crawl once you use 20 GB in a month?

  • ... Can't get good cellular signal in my rural home area due to the giant hills/small mountains, trees, etc. with 5G and 4G LTE. :(

  • by Todd Knarr ( 15451 ) on Wednesday August 10, 2022 @07:10PM (#62778634) Homepage

    Should this even be part of the 5G network or the cell carrier? If the network provides Internet connectivity, then the examples provided are all examples where the device application should be pulling directly from the source rather than through an intermediary. If push notification is required, well that seems to be exactly what IP multicast was designed for. The carrier's network would have to provide multicast relay service to minimize traffic, but that shouldn't introduce any security risks to the carrier's network. Packet-level security to insure multicast packets can't be spoofed would also be required, but that's already present in the form of IPsec for both IPv4 and IPv6.

  • The S in IoT stands for Security. One serious note: It is possible to build secure APIs; the technology exists and doesn't cost a fortune. There are well documented standards for encryption, authentication, authorisation and digital signatures. When you think you're ready, pay good people to audit your work and do regular penetration testing. If you can't build a secure system they should put your name on a list so you don't cause any more damage.
