Download Attacks From 4G/5G Core Networks: Risks of the Industrial IoT in Compromised Campus Networks
Globally, organizations are anticipating (if not already reaping) some of the benefits of 5G technology. 5G is inevitably poised to transform industries and businesses within the next few years. As a result, industries who wish to take part of the conversation around 5G must consider leasing a network slice from telecom operators or set up their own 5G campus network.
In our research, we look into the implications of developing a 4G/5G campus network for IT and OT experts who are tasked with running and maintaining factories, critical infrastructures, and other such environments. We do this by testing attack scenarios rooted from a compromised campus network and especially the core network within it. In this entry, we give an idea of these threats and their respective mitigations.
Common Attacks From Compromised Core Networks
These are the common attacks conducted at the IP network and that are well within the expertise of IT professionals. In these attack scenarios, the threat actors would have had to gain control over a core network’s potential entry points. In our research, we identify these entry points as the server hosting network services, the VM or the containers, the network infrastructure, and the base stations.
By taking control over these entry points, a threat actor would not have to be a telecom expert to launch attacks from an IP network. Even though these scenarios are not necessarily cellular network-specific, they highlight how a compromised core network can be another opening for threats that already affect industrial control systems (ICSs).
Our research revealed several attack scenarios, for which we suggest respective mitigations:
DNS Hijacking
Scenario:
An attacker can assign a malicious DNS to the user equipment (UE), hijack a legitimate DNS response, or simply change the DNS entry on the DNS server.
Mitigations:
- Use a network monitor or an EDR that detects uncommon IP.
- Use an industrial protocol with encryption and certificate pinning.
MQTT Hijacking
Scenario:
Once the telemetry or messages sent to the cloud or back-end servers are changed, analysis algorithms and statistics can be affected. An attacker can also intercept MQTT to temporarily cover up what has been done in remote sites.
Mitigation:
- Use MQTTS with a username, a password, and certificate pinning.
Modbus/TCP Hijacking
Scenario:
The attacker writes a Modbus parser to change the Modbus function codes and data values in the packets.
Mitigation:
- Set up an encrypted VPN between remote sites and the control network in the campus.
- Do not use port forwarding.
Downloading or Resetting Unprotected PLC
Scenario:
If a PLC is not read/write- protected, an attacker can upload the program blocks and obtain the design. If it is protected, the attacker might still be able to reset the PLC and download a new design to sabotage the production.
Mitigations:
- Set up an encrypted VPN.
- Set read/write protection when deploying the PLC.
- Upgrade PLC to newer firmware that supports challenge-response authentication.
Remote Desktop
Scenario:
Depending on the configured encryption options, an attacker sitting at the points of interception that routes and forwards packets between user devices and outbound networks has the opportunity to sniff RDP port 3389 or VNC port 5900 in order to log keystrokes and passwords.
Mitigations:
- For secure use of VNC, enable TLS encryption and X.509 certificate pinning.
- For secure use of RDP, use version 10 or one that offers a more secure configuration. Never choose the “less secure” option for backward compatibility.
SIM Swapping
Scenario:
An attacker installs the SIM card to their own device to gain access to the campus network, scan for vulnerabilities, or attack other devices.
Mitigation:
- Use an IMSI/IMEI management system, such as Trend Micro™ Mobile Network Security (TMMNS), which inspects the binding and revokes access permission from unknown bindings.
Cellular Network-Specific Attacks
Attacks that are cellular network-specific can only be delivered via a cellular network. These attack scenarios serve as a good starting point for narrowing the knowledge gap between the fields of IT and OT on one end and telecommunications on the other.
Our research revealed several attack scenarios, for which we suggest respective mitigations:
Access Point Name (APN): Security by Obscurity
Scenario:
An attacker uses their own telecom infrastructure to observe unencrypted communication, despite the customized APN.
Mitigations:
- Remember that APN does not mean encryption.
- Use VPN in the industrial router and use secure protocols, such as HTTPS, MQTTS, and S7Comm-Plus, among others, in the field.
SMS Brute-Force Attack
Scenario:
If an attacker knows the phone number and the IMSI of an industrial router that supports SMS backup, the SMS command password can be brute-forced within only 10 tries.
Mitigations:
- Do not dispose of the plastic card that holds the SIM card.
- Set the SMS password to a longer string.
- Set "trusted phone numbers" instead of accepting SMS from all callers.
Fake GTP Attack
Scenario:
The attacker sends a fake GTP packet to the base station if the TEID is known to them. This can, for example, allow them to bypass the firewall rules in the destination. As a result, the target device would receive the fake packet, as it would a legitimate packet.
Mitigation:
- Install an IDS/IPS that understands GTP and detects TEID brute-forcing attacks. Use IPsec or VPN to protect the connection between base stations and the core network.
Communication Technology
In the future, campus network technology will be deployed by more organizations and further developed to meet the evolving demands that can be fulfilled by 5G technology. As a result, it is undeniable that organizations must adapt and prepare for more changes, particularly when updating their infrastructure to include a 5G core network. Based on our research, we can say that campus networks introduce a new field that is equally significant as IT and OT: communication technology (CT).
Organizations will then need to consider this new trio of IT, OT, and CT to work with a better security framework. Meanwhile, IT and OT experts must prepare themselves for knowledge expansion amid the blurring lines of their responsibilities and the deepening role of telecom technology in industrial environments.
Here are some of our general security recommendations that organizations can consider implementing:
- Use application layer encryption, such as HTTPS, MQTTS, LDAPS, or any well-designed industrial protocol.
- Rely on proper network segregation, VLAN, and IPsec as valuable defenses for industrial facilities that run campus networks.
- Apply the latest patches for operating systems, routers, and base stations as soon as they are available prevent threats from affecting open campus networks to threats.
- Since LTE and 5G do not automatically address the need for encryption, use VPN or IPsec to help protect remote communication channels, including remote sites and base stations.
In our research titled “Attacks From 4G/5G Core Networks: Risks of the Industrial IoT in Compromised Campus Networks,” we give a more detailed description of the campus network and its components. The full research also provides an elaboration of the different attack scenarios and their implications.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
Recent Posts
- Unleashing Chaos: Real World Threats Hidden in the DevOps Minefield
- From Vulnerable to Resilient: Cutting Ransomware Risk with Proactive Attack Surface Management
- AI Assistants in the Future: Security Concerns and Risk Management
- Silent Sabotage: Weaponizing AI Models in Exposed Containers
- AI vs AI: DeepFakes and eKYC