In a previous post, we discussed IoT hacker motivations in targeting IoT devices and considered three widely known attack methods. These attacks (Mirai, Stuxnet and Brickerbot) each took advantage of the data path to breach security. In this article, we’ll take a look at service-specific IoT device attacks over SMS and Voice – and explain how attackers are taking advantage of vulnerabilities to access privacy information or generate revenue for their criminal business.
Attacks via SMS
In the early 2000s mobile phone scams consisting of unwanted ads sent via SMS were very common. Aside from being annoying, these SMS were also an unwanted cost – charging the recipient for each ad. The SMS ads were quickly prohibited and decreased, but another form of unwanted SMS is still out there – Smishing.
SMS phishing is like email phishing – an attacker invites an unknowing recipient to click on a link which subsequently begins downloading malicious software. IoT cases that include human decision-making of this type, and thereby lend themselves to this attack approach, are limited – for example, payment terminals or order screens are vulnerable. Meaning, for most IoT devices, other attack surfaces are more of a concern.
In 2019, two vulnerabilities were reported: Simjacker and WIBattack. These use SMS and a software on the SIM card in order to gain control over a device (note: EMnify SIM cards do not have this vulnerability). Each SIM is a microprocessor and has room for a software applet. Both vulnerabilities use an outdated applet – [email protected] Browser and Wireless Internet Browser (WIB) – which have not implemented correct security measures. An attacker can send OTA SMS – a special type of SMS that can change SIM configurations – to the device. Usually OTA SMS use a secure key from the operator based on which the SIM can identify if the SMS is originated from the operator – but these applets also accept SMS without security measures. Based on this vulnerability the attackers were able to execute commands on the SIM – like retrieving location information, sending SMS or setting up a call. Both attacks show that the longer a device is out in the field, the more vulnerable it becomes to new security exploits which can ultimately lead to attackers taking over full control of the device.
Voice call fraud is still a major problem for telecommunication operators and their customers – an estimated 28.3 billion USD in 2019. The top fraud type remains International Revenue Share Fraud (ISRF) where customers are tricked into dialing a premium number for which they need to pay a high fee. The premium number provider and the company who rented the number are splitting the revenue. The network provider recognizes the fee associated with the premium number as a charge related to a call their customer made – meaning it ends up on the customer’s phone bill. If a customer refuses to pay the charge, their contract can end up being terminated.
While voice calls are only a corner case of IoT (for example, elevator emergency calls), often the SIM cards deployed in the devices still support voice. An attacker that either gets physical or remote control over a device or SIM card can generate multiple calls without the device owner noticing. In the case where an attacker exploits a security vulnerability such as in the Mirai/Simjacker example and gains control of an entire fleet of IoT devices – the incurred bills could result in the end of the business.
IoT devices serve a specific purpose when deployed in the field and their connectivity profile should be limited to that purpose. If SMS and Voice features are not needed, for example, they should be deactivated within the connectivity provider portal. This deactivation may also only happen after initial device configuration like setting the APN via SMS.
Voice services should be limited to only the sources and destinations that are required for the specific use case. Often IoT solution providers use Voice Over Internet Protocol (VoIP) services instead of the regular telecommunication service, so they can use the same security mechanism as for data services.
External SMS (meaning from other mobile devices) should be blocked – so that attackers cannot send malicious SMS directly to phone. Instead, application to peer (A2P) SMS should be used where only the device owner can send / receive SMS to and from the device – only once their application is authenticated in advance to the connectivity provider.
Another best practice for IoT businesses is to configure a limit on the number of SMS that can be sent or received by a device. In this way, unwanted costs can be prevented if the device malfunctions and sends abnormal amounts of SMS.
Most often when it comes to IoT attacks, it is the data channel that is at the heart of the discussion. However, SMS and Voice channels provide another significant attack surface for cellular connectivity. Businesses that sell connectable products should ensure their devices are not vulnerable – and that the right common security profile is applied. Ideally there should be one common security approach at the connectivity level. Allowing the end-customer to choose the connectivity provider often prevents this and can cause end customer dissatisfaction due to high fraudulent connectivity costs and revenue loss.