Hacking IoT manufacturers and smart cars through APN (Access Point Network)
By Prempal Singh
To connect to any cellular APN service, the device must have the following information: access point name, user name and password.This scheme works in the case of SIM-cards purchased from intermediaries.
Before we go directly to the topic of the article, we will clarify the notion of APN:
APN (Access Point Name), access to which can be obtained from most mobile operators, is a service used to collect mobile data from 3G / 4G protocols originating from the device and redirect traffic to the destination IP site in the corporate network (source –CESG).
Sometimes IoT devices and vehicles that we test transmit only IP traffic through cellular networks.If you think that the use of secret APN-keys enhances security, then we hasten to disappoint you.
We found that APN keys are often easily compromised.In addition, you can use the IoT device and gain access to the APN without breaking the key, after which confidential information and other devices using the same APN become available.This list includes other IoT devices from the same manufacturer and other vehicles.In addition, we can even compromise internal corporate network systems.
Connecting toAPN
To connect to any cellular APN service, the device must have the following information: access point name, user name and password.This scheme works in the case of SIM-cards purchased from intermediaries.
The provider can give out APN-settings for your phone when connected to the network.Or, more likely, information will be available for self-tincture.Providers use various APNs when providing services for tablets, computers or telephone traffic.If you google the phrase “APN Settings”, you can get a large list of public APNs for different cellular providers around the world.In addition, you can find these settings in the unloaded firmware.In any case, connecting to an APN allows a cellular device to communicate over IP, whether it’s the Internet or a private internal band.
Even though sometimes the lack of a standard Ethernet interface on a “smart” device makes testing difficult, at the same time, the process itself can be quite interesting.
Extract APN accounting records
Assuming that a device connected to a private APN service is physically protected, the natural question arises: “How to extract APN accounting records?”
Most of the time, the device will connect to the cellular network to which it can.This does not mean that the phone with a Vodafone SIM card will connect to the O2 network, but it means that we can replace the factory SIM card with our own and the phone will connect to the network we want to.
We have a femtocell that supports the 3G standard, a “Network in a Box” device and several SIM cards.We ordered these devices at Sysmocom, whose specialists are doing a really useful job in terms of accessibility of developments for the 3G standard as part of the Osmocom project.
Once the femtocell and network are operational, we can insert the SIM card into the target device (be careful and do not lose the factory SIM card, which is useful to us in the future) and are waiting for the connection to the network.Thus, through a normal Ethernet interface, we can see what operations the device will perform through the cellular connection.For example:
- Which traffic generates the device where it tries to connect, and whether encryption is used.
- Are there any open ports?Developers can assume that only the use of a cellular APN interface provides a sufficient level of security.Perhaps we can find the superuser password, and also the password used when connecting via Telnet.
- The secret information used for APN authentication.
The first two points we will not consider, since there are enough resources covering this topic.
On the other hand, little is written about APN authentication.APN authentication via 3G network is based on the PPP CHAP protocol.The CHAP protocol, first proposed in 1996 as the predecessor to MS-CHAP, uses a three-way “handshake”: call, response, authentication / rejection.
BypassingAPN authentication
The Osmocom application, on the basis of which our 3G network operates, ignores APN authentication requests, and allows you to connect to any device with any APN-name, user name and password.However, the triple “handshake” is still happening.
If you analyze the authentication process with tcpdump, you will see something like:
In the figure above, the relevant packages are highlighted in a red box.Wireshark shows that the packet containing information about APN-authentication is called (RUA) DirectTransfer (DTP) (SM) Activate PDP Context Request.
But where is the password?
The APN username and username are displayed in clear text.But not the password.
For a direct answer, we need to refer to RFC1994.It turns out that the CHAP Response Value is a slightly collapsed hash.
The octet of the request identifier (in this case, “0x01”) is followed by a password, and then the value of CHAP authentication (in this case, “f3bcc7c0d43ff6a7dafcb4a7a388975d”).After merging, the entire string is coded with the MD5 algorithm.
Yes, this isMD5
By lucky coincidence, hashcat has a mode for iSCSI CHAP hashes.The mode number is 4800. Input is given to hashes in the following format:
[CHAP Response Value]: [CHAP Challenge Value]: [Response Identifier Octet]
In our case, the line will look like this:
7e1062f19af0b4ff4611206457de99e4: f3bcc7c0d43ff6a7dafcb4a7a388975d: 01
Hashcat is easily managed with MD5.Weak passwords will be cracked in 100% of cases.Even in the August 1996 RFC, it is recommended to use a password of at least 16 characters.
Our setup, consisting of several GPUs, operates at a rate of 10 GH / s when selecting hashes encoded by the MD5 algorithm.Thus, the selection of a password of 9 characters in the top / bottom + digits takes about 20 minutes.This is the speed of a simple bust without optimizations, which could make the hacking process even faster.
In addition, for the MD5 algorithm, there are rainbow tables for combinations up to 9 characters or up to 10 symbols in the lower layout plus digits.
Do you know how complicated and how long your secretAPN key is?
Next, we can insert the factory SIM card into the cellular modem and connect to the APN using a compromised account.Directly to the environment that the client uses.Thus, hardware testing becomes an assessment of the internal infrastructure through the cellular network.
We conducted the pentests and compromised the entire internal network of the organization using IoT-devices, which were supposed to be isolated.I remember one access controller that used GSM / LTE through a private APN in a remote and physically accessible location where the theft would not be difficult.We dismantled the device, removed the SIM-card, cracked the APN-key and got access to the network used by the client.The attack vector associated with breaking the secret APN-key was not taken into account.
We also worked with a very large network of intelligent lighting systems.After compromising one lighting device, we got access to the entire APN service and then to other devices on that network.Then to the network of consumers and then to the network of manufacturers of lighting IoT-devices.
Who needs their own 3Gnetwork?Another method
IOT devices often store secret keys in memory, which is almost always unencrypted.
Even if we can not unload the firmware, it is often possible to count the keys directly from the RAM and then compromise the network.
The operation of secretAPN-keys in vehicles
Most modern vehicles have telematics control units (TCUs) that contain SIM cards for working with mobile data.In Europe, because of the ECall automatic warning system, similar control units are used in almost all new cars.Private APNs are used in cellular communications to improve security.The TCU is easily extracted from the vehicle and carried out a study.
Often there are many problems related to TCU in the field of security, which makes the compromise relatively simple.You may not even need hardware related to hardware research.
The main problem is that the telematic blocks pass through a large logistics chain: the spare parts manufacturer, the block manufacturer, the thematic provider and the provider that services the connections.In each link of the chain, errors can be made.
During one of the tests of the vehicle manufacturer, we examined the TCU.Since we had physical access to the block, we did not even need to crack the secret APN-key, since this device was reliable.In exploring the network to which TCU had access, we experienced both interest and horror at the same time.
It was obvious that a huge number of devices were connected to this network.We did not have any special access rights to study the environment outside of the car manufacturer’s network.
And we just did a reverse DNS query …
… and received a large list of DNS records related to vehicle manufacturers that were not associated with our client.Mostly the brands of German cars.And at this stage we stopped.
It was quite obvious that there was no segregation between vehicles and brands.The telematics provider did not even realize segregation between vehicle brands.And only between the vehicles themselves.
The potential of the opportunity we found was enormous.One vulnerability that allows remote exploitation in the TCU, and you can potentially remotely compromise each brand car and other brands.In the past, a similar story has already happened when the Renesas V850 processor compromise the Uconnect telematics system.In this story, secret APN keys were not used, and hacking was based on the lack of segregation in the Sprint network.
We believe that in the attack through secret APN-keys, the potential and consequences could be much more serious if similar errors were made.
I useAPN keys in my products and services, what should I do?
If you are using APNs on connected devices, make sure that both the device and the APN are protected at an acceptable level:
- Always use authentication (some people do not use) with a long and complex password.
- Think carefully about the safe storage and use of the secret password.Think about ways to recover the password in case the device is compromised.The recall of vehicles and the replacement of all SIM cards in TCU units is an extremely expensive pleasure.
- Embedded SIM cards (eSIM) allow for easier backup and recovery in the case of compromised APN records.In addition, these cards are more difficult to remove from the device, since they are soldered.
- Your services, to which you can connect via APN, must be segregated.Do not allow connection to the entire internal corporate network.
- Make sure that only the selected SIM cards have access to the private APN service.You do not want any of the cellular networks to be able to connect to your APN?
- If necessary, segregate customers in a location so that the compromised device does not affect other devices.
- Make sure that you are not giving out broadband outbound Internet access.You do not want the one who stole the SIM card to use the free 4G Internet through your APN?
- Perhaps you think that your APN is private, but it’s better to treat a private APN as a public VPN.Anyone who has access to the SIM card can access your APN.