
What the SK Telecom Hack Should Teach You About Your Private Cellular Network Security

The past three weeks have been a bad time to be a cell phone user in South Korea.
Well, not for every cell phone user. Only if you happen to be one of the 25 million customers of the leading South Korean telecom company SK Telecom.
In that case, you found out that your phone’s USIM information may have been leaked by hackers, and you need to either wait in long lines to replace your USIM (except that SK Telecom only has one-fifth the number of SIMs needed for all its customers) or sign up for their USIM Protection Service (which is free, but won’t cover customers roaming overseas).
It’s not surprising that 70,000 users left SK Telecom within two days, or that the company’s shares fell 8.5%.
While SK Telecom is a public mobile carrier, they also run SK Networks: a private cellular network provider with Korean enterprise clients such as Korea Food Industry Cluster (Foodpolis).
Could such a hack happen to a private cellular network? What would be the ramifications? And how can an enterprise using a private cellular network prevent and mitigate such threats?
By the end of this post, you’ll have all the answers.
IMSI authentication is just not secure enough
The basis of device authentication on any cellular network is the IMSI (International Mobile Subscriber Identity) and the secret key associated with it. The IMSI is a unique identifier of up to 15 digits, made up of the mobile country code, the mobile network code and a subscriber number; it identifies the SIM’s subscription to a specific network in a specific country.
When a device tries to connect to a mobile network, the network challenges the SIM to prove that it holds the secret key (Ki) provisioned for that IMSI; the same key is stored on the SIM and in the operator’s subscriber database (the HSS/AuC). It is that challenge-response, together with whatever further checks the operator applies, that determines whether access – and what level of access – will be granted.
While IMSI-and-key authentication is the necessary basis for cellular network security, the SK Telecom breach is a glaring example of how it is insufficient on its own. The IMSI and its key can be stolen in multiple ways, such as:
- Breaching a Home Subscriber Server (as was the case for SK Telecom)
- A supply chain attack
- Intercepting a SIM card manufacturer’s shipment file
With the IMSI and its key in hand, a bad actor can impersonate your network’s devices – the network has no way to tell the clone from the original – and harm your network or your network’s users.
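To see why a copied subscriber record is so damaging, here is an added example (not code from this page, from SK Telecom or from any vendor) of the SIM challenge-response in miniature. HMAC-SHA256 stands in for the standardised MILENAGE functions so that it runs offline, the IMSI and keys are constructed sample values, and the class and function names are this example’s own.

```python
"""
Simplified model of SIM challenge-response authentication (3GPP AKA).

Added illustration only. A real core uses the MILENAGE functions with a
128-bit Ki and OPc; HMAC-SHA256 stands in for them here. The IMSI and
keys below are constructed sample values.
"""
import hashlib
import hmac
import os


def f2_res(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the MILENAGE f2 function: RES = f(Ki, RAND)."""
    return hmac.new(ki, b"RES" + rand, hashlib.sha256).digest()[:8]


class HomeSubscriberServer:
    """The subscriber table, IMSI -> Ki. This is the record a breach exposes."""

    def __init__(self):
        self.subscribers = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self.subscribers[imsi] = ki

    def authentication_vector(self, imsi: str):
        """Fresh random challenge plus the expected response (XRES)."""
        ki = self.subscribers[imsi]
        rand = os.urandom(16)
        return rand, f2_res(ki, rand)


class Sim:
    """A (U)SIM: holds the IMSI and a copy of Ki that never leaves the card."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes) -> bytes:
        return f2_res(self._ki, rand)


def attach(hss: HomeSubscriberServer, sim: Sim) -> bool:
    """Network side of an attach: challenge the SIM, compare RES with XRES."""
    if sim.imsi not in hss.subscribers:
        return False
    rand, xres = hss.authentication_vector(sim.imsi)
    return hmac.compare_digest(sim.respond(rand), xres)


def demo() -> dict:
    hss = HomeSubscriberServer()
    imsi = "001010123456789"  # constructed: test PLMN MCC 001 / MNC 01
    ki = os.urandom(16)
    hss.provision(imsi, ki)

    legitimate = Sim(imsi, ki)
    # Attacker who learned only the IMSI (it is sent over the air in identity
    # requests) but not Ki: guesses a key and fails the challenge.
    imsi_only = Sim(imsi, os.urandom(16))
    # Attacker who copied the subscriber row (IMSI + Ki) from the HSS:
    # an indistinguishable clone.
    cloned = Sim(imsi, ki)

    return {
        "legitimate": attach(hss, legitimate),
        "imsi_only": attach(hss, imsi_only),
        "cloned": attach(hss, cloned),
    }


if __name__ == "__main__":
    for who, ok in demo().items():
        print(f"{who:10s} -> {'accepted' if ok else 'rejected'}")
```

The point the run makes: knowing an IMSI alone gets an attacker nowhere, because the challenge can only be answered with Ki. Once the subscriber row holding Ki leaks, the clone answers every challenge correctly, and nothing in this exchange lets the network distinguish it from the real SIM; that is why the only remediation at this layer is re-keying or replacing the SIMs.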
As seen from SK Telecom’s frantic containment efforts, remediation of the IMSI breach requires replacing or reformatting all affected SIM cards, as well as dealing with any harm perpetrated by the bad actors.
For an enterprise private cellular network, remediating an IMSI breach could entail:
- Replacing or reformatting tens or hundreds of thousands of SIM cards
- Tracking down any lateral or vertical movement of the attackers through your network
- Ensuring that no systems, processes or products have been sabotaged
Depending on the extent of the breach, the physical, financial and reputational damage could be immense.
What are your options for hardening your private cellular network security?
IMEI, EIR and SIM locks: of limited benefit
The IMEI (International Mobile Equipment Identity) number is the cellular device identifier. Any cellular device, from smart meters to phones to robotic arms, will have its own unique IMEI.
One option for protecting your cellular network in the case of an IMSI breach is to use an EIR (Equipment Identity Register) to tie every given IMSI to a specific IMEI. If a device attempts to connect to the network, the connecting IMSI is checked against the device’s IMEI. If they are not registered as tied together, the network will refuse the connection request.
This network process, colloquially known as a SIM lock, is effectively what SK Telecom offered in their USIM Protection Service.
While using both IMSI and IMEI to authenticate cellular devices is certainly more secure than IMSI alone, this solution suffers from two drawbacks:
- It’s inconvenient
- It’s not foolproof
The inconvenience problem
Locking each IMSI to a specific IMEI would create too much friction for public mobile networks. Subscribers, after all, don’t remain with one device forever. 56% of American consumers upgrade their phone every two to three years, 12% upgrade annually and 4% upgrade every six months! And that’s not even counting the times that consumers take out their SIM card and stick it in another device because of temporary issues with their phone.
That’s the reason why SK Telecom’s “USIM Protection Service is only meant to be a short-term solution.”
For a private enterprise cellular network, locking IMSIs to IMEIs is also too inconvenient to be a viable security solution – although for a different reason than on the public network. Creating the registry that ties the two numbers together is a cumbersome, manual process. Some human error is expected, especially when you’re dealing with thousands, tens of thousands, or hundreds of thousands of devices.
So, after all that effort, you will inevitably end up with devices that won’t connect when they are supposed to, all because someone entered a number incorrectly. For enterprises that choose private cellular networks to optimize their efficiency, this would be a step backward. It’s just not an option.
The “not foolproof” problem
A cybersecurity expert commenting on SK Telecom’s USIM Protection Service said, “Theoretically, there is no loophole with USIM protection service.”
That’s almost true.
Even if an IMSI is locked to an IMEI, a bad actor with the IMSI (or the SIM itself) could connect to the network using a technique called IMEI spoofing. IMEI spoofing takes effort, and it is much less likely to be used against public networks like SK Telecom’s.
Where it is relevant, however, is private cellular networks that contain physically accessible, unsupervised end devices, such as smart meters or sensors.
How IMEI spoofing could work in this case: a bad actor approaches a smart meter in a remote location. They extract the physical USIM card from the meter and put it in their phone or other device. Then they read the IMEI number printed on the meter and configure the cellular modem inside their device to report that IMEI when it attaches to the network. Now the IMSI matches, the IMEI matches – and they’re in.
So, if IMSI authentication is not sufficient, and adding in IMEI is either still not sufficient or too inconvenient to be helpful, what is a security-seeking private cellular network to do?
How to prevent IMSI/IMEI breaches in private cellular networks
The key to private cellular network security is in a critical distinction between private networks and public networks: the level of control over the devices that connect.
Public networks, in order to encourage the greatest subscriber number and satisfaction, must be as flexible and open as possible when it comes to accommodating different device types. If a public network would only be usable by a specific smartphone type, they would go out of business very fast.
Private enterprise networks, on the other hand, choose everything about their network according to what makes the most sense for them – including the types, models and other qualities of the devices that they are going to use.
This level of control over the choice of end devices provides a way to get around the inconvenience and inevitable error of manual, static, one-to-one IMSI-IMEI locks. How? By locking IMSIs dynamically to device categories, where the category criteria – like device type, model or signalling profile – are automatically detected.
OneLayer’s Zero Trust cellular network security platform is based on this approach. All the device category criteria together act as a fingerprint that determines whether a given device can connect to the network, as well as what level of access and privileges it will have.
Even if your IMSIs are exposed, through a breach or a supply chain attack, attempts to connect to the network using unauthorized devices will lead to an “access denied.” For example, if a bad actor’s smartphone attempts to connect to your private cellular network using a stolen IMSI that is bound to a smart meter category, to a different smartphone category, or even to a “same smartphone model, other functional criteria” category – it won’t be able to connect.
Your network has been saved.
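To make the difference between the three approaches concrete, here is an added example (not OneLayer’s code and not any vendor’s API) that puts an IMSI-only check, a static EIR lock and a category fingerprint side by side against the attach scenarios discussed above: the stolen meter SIM in a phone, the same with a spoofed IMEI, and a mistyped EIR entry. The category criteria used (radio access type and APN), the IMSIs, IMEIs and profiles are all assumptions constructed for the example.

```python
"""
Three admission policies for a private cellular core, side by side.

Added illustration only. The attach requests, identifiers and 'observed'
profiles are constructed sample data, and the category criteria are
assumptions for the example, not any vendor's detection logic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttachRequest:
    imsi: str
    imei: str        # self-reported by the modem; a modem can be told to lie
    observed: dict   # what the core measures about the session, not what the UE claims


def imsi_only_policy(provisioned: set, req: AttachRequest) -> bool:
    """Policy 1: any holder of a provisioned IMSI (and its Ki) gets in."""
    return req.imsi in provisioned


def eir_lock_policy(eir: dict, req: AttachRequest) -> bool:
    """Policy 2: static EIR record, IMSI -> the single IMEI allowed to use it."""
    return eir.get(req.imsi) == req.imei


# Policy 3: IMSI -> category, where a category is a fingerprint of measured
# behaviour. Assumed criteria: a smart meter attaches over LTE-M and uses
# the meter APN; a handset attaches over ordinary LTE with the internet APN.
CATEGORIES = {
    "smart_meter": {"rat": "LTE-M", "apn": "meters.corp"},
    "handset": {"rat": "LTE", "apn": "internet"},
}


def category_policy(imsi_category: dict, req: AttachRequest) -> bool:
    expected = CATEGORIES.get(imsi_category.get(req.imsi))
    if expected is None:
        return False
    # Every fingerprint field must match what the network measured.
    return all(req.observed.get(k) == v for k, v in expected.items())


def evaluate(req, provisioned, eir, imsi_category) -> dict:
    return {
        "imsi_only": imsi_only_policy(provisioned, req),
        "eir_lock": eir_lock_policy(eir, req),
        "category": category_policy(imsi_category, req),
    }


def demo() -> dict:
    meter_imsi = "001010000000001"   # constructed: test PLMN MCC 001 / MNC 01
    meter_imei = "356938035643809"   # constructed sample IMEI
    phone_imei = "490154203237518"   # constructed sample IMEI
    provisioned = {meter_imsi}
    eir = {meter_imsi: meter_imei}
    imsi_category = {meter_imsi: "smart_meter"}
    meter_profile = {"rat": "LTE-M", "apn": "meters.corp"}
    phone_profile = {"rat": "LTE", "apn": "internet"}

    scenarios = {
        # the real meter attaching normally
        "legit_meter": AttachRequest(meter_imsi, meter_imei, meter_profile),
        # meter SIM (or a clone of its Ki) moved into the attacker's phone
        "sim_in_phone": AttachRequest(meter_imsi, phone_imei, phone_profile),
        # same, but the phone's modem is configured to report the meter's IMEI
        "sim_in_phone_spoofed_imei": AttachRequest(meter_imsi, meter_imei, phone_profile),
    }
    results = {name: evaluate(r, provisioned, eir, imsi_category)
               for name, r in scenarios.items()}

    # Operational failure mode of the static lock: one mistyped digit in the
    # EIR record locks the legitimate meter out; the category policy still
    # admits it because the meter behaves like a meter.
    typo_eir = {meter_imsi: meter_imei[:-1] + "0"}
    results["legit_meter_eir_typo"] = evaluate(
        scenarios["legit_meter"], provisioned, typo_eir, imsi_category)
    return results


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:28s} {verdicts}")
```

Two things the run shows. The static EIR lock blocks the plain SIM-in-a-phone case but admits the spoofed-IMEI one, and it also blocks the legitimate meter as soon as its record carries a typo. The category check holds up in both cases, but only because its criteria are things the network measures about the session rather than values the device declares; a fingerprint built from self-reported fields (the IMEI is one) can be spoofed exactly like the IMEI.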
Live and learn… and implement
As the saying goes, “A wise man learns from his mistakes. A very wise man learns from the mistakes of others.”
SK Telecom has learned (we hope) from their breach and its aftermath that IMSI-only authentication is just not enough for cellular network security. They’re paying a heavy price for that lesson. You can learn it, now, at no cost to you.
But the wisdom isn’t in knowing it. It’s in promptly applying the knowledge to protect your private cellular network, so that you don’t wind up paying the price that SK Telecom did.
Contact us to learn more.