Attacks From a New Front Door in 4G & 5G Mobile Networks

The presentation discusses the design risks and vulnerabilities of IoT service platforms in the telecom industry and the need for better API security practices.

• The presentation highlights the need for a more systematic approach to testing APIs in the telecom industry.
• The design risks and vulnerabilities of IoT service platforms in the telecom industry are discussed, including access control misconfiguration, weak authentication policies, and token management issues.
• The presentation emphasizes the importance of complying with best practices in API security, such as using OAuth and TLS.
• The lack of integrated testing of different applications in IoT service platforms is identified as a major issue.
• The presentation suggests that more needs to be done to secure APIs in the telecom industry, including better documentation and testing practices.

The presenters discovered several vulnerabilities in IoT service platforms in the telecom industry, including the possibility of billing fraud and the ability to inject malware through SMS and IP content inspection. They also found that many providers did not follow best practices in API security, such as using OAuth and TLS. The presenters emphasized the need for a more systematic approach to testing APIs and better documentation and testing practices in the telecom industry.

The inception of APIs in the telecom industry is destined to change the way mobile networks operated over the last 3 decades. The latest mobile networks now open their doors to enterprise customers, service providers, and application developers providing access to data and core network functions within the carrier's network. This access is facilitated by the well-known HTTP based Restful API paradigm and allows the integration of automotive, health care, industries, and many others with the 5G mobile networks. This talk brings to light for the first time the practical details of the APIs that enable next-generation AI, MEC, and IoT applications using the latest 4G and 5G networks. A security investigation on hundreds of APIs from 10 commercial providers and operators reveals that all of them contain several of the top ten most critical API weaknesses. Even an average attacker can easily find a RCE and disrupt the operation of billions of IoT devices that tend to rely on the latest mobile networks. We put forward the security loopholes in telecom exposure APIs and once again remind you that security should be rooted into the design of 5G and IoT networks.