Black Hat: Eying Mobile Networks

Friday, July 27, 2012 @ 02:07 PM gHale

By Jacob Kitchel
It truly is an “Internet of Things” a German researcher demonstrated at the Black Hat USA 2012 security conference in Las Vegas.

Collin Mulliner, a security researcher from Germany, presented the results of his in-depth investigation of mobile carrier networks with the detection of a multitude of surprising devices on European mobile carrier networks.

Black Hat: A Nose for Backdoors
Black Hat: Persistent Threat Plan
Black Hat: Govt. Unplugged
Black Hat: Smart Meters Insecure
Black Hat: Sub-GHz Wireless Within Reach
Black Hat: Air Gap Myth Buster
Black Hat: New Security Paradigm

To perform his research, Mulliner enumerated and discovered the networks and devices from the Internet. Many of the devices found in the research had surprising uses such as vehicle tracking devices and systems, inventory management systems, traffic light systems, and GPS-enabled survey equipment.

At first glance it would seem that Mulliner’s research would have been performed from inside the carrier’s network. That was not the case as Mulliner presented several issues with approaching the research from that direction.

Often, when residing on a mobile carrier’s network, devices are restricted from talking to peer devices and are restricted to communicating directly to the Internet. Additionally, performing the research from each mobile carrier’s network would be cost and location prohibitive. These restrictions forced Mulliner to think differently and approach the problem from a different angle – the Internet.

By identifying large network blocks owned by the mobile carriers, Mulliner then enumerated the network blocks for active IP addresses and cataloged the results. He then looked for common ports and services that embedded devices would use such as the telnet, ftp, and remote management enabling services. This led to interesting results.

Several GPS tracking systems gladly returned tracking information without any sort of restriction or authorization required – the data was just there for anyone to stumble upon it.

Another surprising result Mulliner discovered was the vast majority of these devices existed on legacy 3G networks still maintained by the mobile carriers. While consumer mobile phones had migrated over to newer networks with newer technology, the mobile carriers were re-selling access to legacy 3G networks for the discovered devices because the devices did not require voice traffic and similar services required by mobile phones. This tact, used by the mobile carriers and a common scenario worldwide, essentially gives the legacy networks a literal second lease on life.

Leave a Reply

You must be logged in to post a comment.