Attacks From a New Front Door in 4G & 5G Mobile Networks

Presented at Black Hat USA 2022, Aug. 10, 2022, 4:20 p.m. (40 minutes)

The inception of APIs in the telecom industry is destined to change the way mobile networks operated over the last 3 decades. The latest mobile networks now open their doors to enterprise customers, service providers, and application developers providing access to data and core network functions within the carrier's network. This access is facilitated by the well-known HTTP based Restful API paradigm and allows the integration of automotive, health care, industries, and many others with the 5G mobile networks.

This talk brings to light for the first time the practical details of the APIs that enable next-generation AI, MEC, and IoT applications using the latest 4G and 5G networks. A security investigation on hundreds of APIs from 10 commercial providers and operators reveals that all of them contain several of the top ten most critical API weaknesses. Even an average attacker can easily find a RCE and disrupt the operation of billions of IoT devices that tend to rely on the latest mobile networks. We put forward the security loopholes in telecom exposure APIs and once again remind you that security should be rooted into the design of 5G and IoT networks.

Presenters:

• Matteo Strada - Security Researcher, NetStudio Spa
  <span style="font-size: 10pt;">Matteo Strada is a penetration tester and researcher at NetStudio Spa. He holds a dual masters' degree from both University of Trento and Technical university of Berlin. Matteo is passionate and has extensive hands-on experience in the latest cellular and networking technologies, and web pentesting.</span>
• Shinjo Park - Security Researcher, Technische Universität Berlin
  Shinjo Park is a PhD student in Security in Telecommunications, TU Berlin. He is interested in breaking and fixing cellular network entities and mobile applications in the world.
• Altaf Shaik - Senior Security Researcher, Technische Universität Berlin
  Dr. Altaf Shaik, is currently a senior researcher at the Technical University of Berlin in Germany. He conducts research in telecommunications, esp., 6G, 5G radio access and core network security. He combines a professional background in programming, wireless communications and offensive network security. His renowned research exposed several vulnerabilities in the commercial 4G and 5G specifications and commercial networks that allow attackers to perform powerful attacks affecting millions of base stations, handsets, M2M and NB-IoT devices. Altaf is a frequent speaker at various prestigious international security conferences such as Black Hat USA & Europe, T2, SECT, Nullcon, Hardware.io and HITB and many others. His accomplishments landed him in the hall of fame of Google, Qualcomm, Huawei and GSMA. He also trains various companies and organizations in exploit development, and also building secure mobile networks including their testing and security evaluation.

Links:

• https://www.blackhat.com/us-22/briefings/schedule/#attacks-from-a-new-front-door-in-4g-38-5g-mobile-networks-26971

Similar Presentations:

• Black Hat USA 2021 / 5G IMSI Catchers Mirage
• Black Hat USA 2021 / Over the Air Baseband Exploit: Gaining Remote Code Execution on 5G Smartphones
• Black Hat USA 2019 / New Vulnerabilities in 5G Networks