Emerging 5G technology puts SIM-based IoT devices at greater risk

Downloading a high-definition movie in the blink of an eye is the most common perception of 5G networks, but this is just the tip of the iceberg in the 5G era. As the next generation of mobile Internet connection technology, 5G will be able to provide downlink speeds of several gigabits per second (Gbps), and the average download rate is expected to be about 1Gbps/second.

Compared with previous generations of network communication technology, the unique advantages of 5G technology will undoubtedly be more evident in smartphones and other widely used Internet mobile devices. In addition, it is also very likely to benefit widely used IoT devices because it can well provide the infrastructure required by the IoT to carry and transmit large amounts of data.

[[233207]]

Beyond that, 5G’s scalability is also critical to the functionality of the billions of devices connected to the Internet of Things, which is expected to reach 30 billion by 2020 when this emerging telecommunications technology is launched globally. In addition, the amount of data processed by the Internet of Things and 5G is expected to exceed 4G by more than a thousand times, but experts have found that many of the security mechanisms found in traditional communication technologies (such as 2G and even 4G) are not designed for this amount of data. Therefore, while 5G technology inherits and improves on previous generations of communication technologies (2G, 3G, 4G), it also inherits and amplifies the security risks in them.

Using SIM cards in IoT devices

Most wirelessly connected IoT devices, such as smart factory equipment, self-driving cars, smart robots and smart watches, still rely on the same security and identity mechanism used in mobile phones: the subscriber identity module, or SIM card.

Since 1993, SIM card security standards have included a technology that can remotely manage SIM card data and functions - Over-the-Air Technology (OTA). It is achieved through radio and an "invisible" SMS message used for management in the SIM card. The SMS is sent via OTA, and the commands contained in the SMS can be abused by attackers. When these commands are sent over 5G, the scalability of the technology increases the possibility of such abuse. This is particularly evident in the context/environment of IoT devices based on SIM standards and applications (including Universal Subscriber Identity Module USIM, Embedded Subscriber Identity Module eSIM and Integrated Subscriber Identity Module ISIM).

Potential threats to SIM card-based IoT devices

This “invisible” SMS text message that manages the SIM card via OTA is called a “SIM-OTA SMS” message. This communication does not require an IT connection, only a wireless connection to a backend network or operator that is capable of sending SIM-OTA SMS messages. These SIM-OTA-SMS messages are very powerful and can modify or remove the functionality of SIM-based IoT devices and mobile phones, and can even cause the SIM card to be “bricked” or permanently disabled. If all the functions of the IoT device are based on the wireless connection of the SIM, just like a mobile phone, then these devices may also be “bricked”.

The SIM-OTA SMS messages that may affect SIM-based IoT devices include the following standards-based commands:

• TERMINATE CARD USAGE: Irreversibly brick a SIM, USIM, eSIM or ISIM card, and perform a DOS attack;
• TERMINATE DF: Irreversibly intercepts the Dedicated File (including access conditions and allocatable memory) of a SIM, USIM, eSIM or ISIM to perform a DOS attack;
• TERMINATE EF: Irreversibly intercepts a specific Elementary File (including access conditions and data) of a SIM, USIM, eSIM or ISIM to perform a DOS attack;
• ACTIVATE FILE: Activate files to facilitate ransomware attacks, International Revenue Sharing Fraud (IRSF), eavesdropping, and other malicious activities, and perform DOS attacks;
• DEACTIVATE FILE: reversibly blocks files to facilitate ransomware attacks, IRSF and other malicious activities, perform DOS attacks;
• CREATE FILE: creates files that facilitate the execution of SIM and phone malware;
• DELETE FILE: can delete specific functionality, allowing malicious activity to continue running, potentially leading to a DOS attack;

Malicious SIM-OTA SMS messages can be sent via fake base stations, rogue base stations (legitimate base stations that have been hijacked by hackers), hacked carriers and SMS gateways, and even hacked communications satellites. Due to the geographic range of communications radios and the scalability of 5G, it is conceivable that attacks using this attack vector could be carried out at scale and be very effective.

Since file transfers can be invoked using the SIM-OTA SMS method, SIM-related IoT devices can also be prompted to download files including malware. In the SIM-OTA SMS communication diagram below, the commands in the SMS text message can instruct malicious code to execute or instruct the code to retrieve and download malware from a remote location, while the outbound SMS generated from the device can contain additional malicious code or phishing links, or can form part of the command structure of an SMS botnet.

Figure: SIM-OTA SMS communication

The SIM Application Toolkit is essentially a set of useful features, but it can also be abused to compromise SIM cards and SIM-based IoT devices. One of these features is the SIM Service Table, which stores all SIM features, including voice calls and SMS sending capabilities of the SIM card. By using SIM-OTA SMS messages, executing remote code, and enabling other additional services, attackers can use some new malicious behaviors, including building IoT fraud botnets, conducting DDOS attacks against operators and operator functional services, and even large-scale permanent damage to critical IoT infrastructure.

Actionable security measures to protect against threats

In fact, there are many security features that can be used to prevent these malicious activities, but most IoT devices do not support them. Among the security features on the operator side, many require the deployment of a SIM directory management platform called the "equipment identity register" (EIR), however, EIR is still not common in the telecommunications field.

Another possible approach is to use a 5G platform called a telecom security orchestrator (TAO). In general, it is a customizable software program that is responsible for receiving information from the Internet of Things, big data, artificial intelligence, and machine learning, and making automated decisions at high speed and at scale. This is a relatively new technology that is mainly responsible for managing software-defined networks (SDN) and programmable networks like 5G.

The “security orchestrator” — both IT and telecom security orchestrators — is a means of automating very large networks. When run at carrier-grade performance and maturity (i.e., far above normal IT requirements), TAO can address a wide range of telecom security issues. For example, it can identify rogue or fake base stations, as well as hacked telecom equipment and satellites, and block attacks launched through these channels. However, it is important to note that this approach relies on dynamic network routing and data architecture driven by artificial intelligence and machine learning technologies.