Private APNs and Brute Force SMS Attack Risks
Many enterprises using public cellular networks do so via private APNs (access point names), which provide an exclusive gateway for the organization’s data traffic between the public cellular network and the corporate network. The private APN gives the organization greater control over how their mobile data traffic is handled, potentially improving privacy, security and quality of service.
Merely using a private APN, however, does not render an enterprise’s network traffic and assets immune to attack by bad actors. One attack risk, well-known when it comes to the public network, can be very relevant for enterprises adopting private APNs: SMS brute force attacks.
The rising threat of brute force SMS to enterprise cellular assets
Many cellular industrial routers (Customer Premise Equipment or CPEs) and LTE-capable IIoT devices support SMS as a backup channel for controlling and managing the device. This communication channel provides essential management access for the enterprise but also exposes the device to easy-to-exploit vulnerabilities favored by bad actors.
When a CPE connects to the public network, even using a private APN, often anyone with a public phone number can send SMS to that CPE. Bad actors may try to exploit this SMS communication channel to disrupt the CPE activity, steal sensitive information and even use lateral movement techniques to break into private networks, leveraging the CPE as a “trojan horse.”
Brute force to guess CPE passwords – and gain CPE control
Even though a password protects the SMS backup communication channel, usually the password is very weak. In many cases, the vendor sets a default password that is easy to guess – for example, the last four digits of the ICCID or IMEI of the device.
Even if the default password was strong, or has been changed to a strong one, it is quite easy to guess it via a simple brute-force SMS attack. Many vendors do not include blocking mechanisms to limit the number of times you can retry sending SMS messages to the device. Once the password is known, it doesn’t take advanced cybersecurity capabilities to exploit this channel to disrupt critical infrastructures that use the CPE for crucial connectivity. A bad actor could send your CPE a continual flow of SMS containing a reset command. Every time your CPE comes back online from the reset, it receives another SMS and immediately shuts down. Such an attack is extremely easy to orchestrate and also extremely disabling, containing massive risks for the enterprise.
CPEs use SMS commands for many other management activities, such as setting APNs, getting the device’s physical location, and configuring the different servers to manage the device (which can be used to achieve something similar to privilege escalation).
Example of SMS commands supported by several CPE vendors:
Proposed mitigation for brute force SMS attacks on private APNs
Enterprises should monitor their CPEs, especially if they’re using private APNs on public networks to connect critical infrastructure. It is imperative to monitor access trials to the CPEs as well as other related security events.
Additionally, it is crucial to enforce security and segmentation policies to tightly limit device-level communication and prevent unauthorized lateral movement – without disrupting critical business functions – to reduce the risk of importing malicious code from private APNs into the organization.
Read more about APNs and private cellular network segmentation: https://onelayer.com/private-cellular-network-segmentation-apns-are-not-enough/
Learn about private cellular network Zero Trust segmentation: https://onelayer.com/private-cellular-network-segmentation/
Read the Emerging Attack Vectors and Techniques white paper to learn more about private cellular network security risks: https://onelayer.com/emerging-attack-vectors-and-techniques/
For more information, contact us at: https://onelayer.com/contact-us/