Wuthering Heights in telecom crime against IoT – Technologist
Did you know that the annual cost of telecommunications subscription fraud was estimated to be more than US$12 billion? In fact, some think the situation is much worse – pegging the financial damages to be between 3% to 10% of an operator’s annual profits.
Such fraud is conducted when – simply put – cybercriminals gain access to the SIM cards of legitimate subscribers, or other billing portions of a telecom network, effectively taking over control of charges incurred by voice or data usage, subsequent payment channel, and the data being transmitted via the SIM card, such as one-time password to online banking accounts. Needless to say there are many ways fraudsters can cash in on the pilfered SIM cards.
If US$12 billion doesn’t sound bad enough, we are expecting it to get much worse – when IoT projects start to become commonplace globally.
Compromising IoT devices via SIM cards
A common and well-known link that communication devices and internet devices have is the use of a SIM card. For IoT devices to have a unique presence and connection to the internet, they should have a SIM in the same way a phone does.
SIM cards can serve like credit or debit cards in that they are used to initiate billing or connections that have corresponding fees. That’s why SIM cards, unfortunately, can be subject to many of the same frauds and risks credit cards are.
SIMs of all types – eSIMs, USIMs, multi-eSIMs and the like – can be remotely updated with arbitrary information for the purpose of “efficient content delivery’, a standards-based means of changing large numbers of SIM cards all at once, remotely. This can also constitute an attack if used maliciously.
In the case of smart city devices like traffic lights and smart garbage bins, cybercriminals have various ways to abuse SIM cards. They could choose to extract the SIM cards embedded in the IoT devices to launder money or conduct other illicit activities. In some cases, even when the SIM cards might be difficult to extract, vulnerabilities still lie in how the devices have the capability to change carriers remotely. Moving from one carrier to another creates risks as some carriers could be cooperating with or created by criminals.
Similar to a smart city, a smart factory is a collection of centrally managed robots that compose part of an IT network. While many factories consider themselves isolated from the internet, the means by which they meet disaster recovery requirements includes having a cellular data connection for performing backups to an offsite location. While the robots may not necessarily have SIM cards or phone numbers like typical phones and IoT devices, their cellular device will have an internet connection that will allow backups or factory control. What this means is the factory can then be used for outbound fraud, and cyber-telecom vulnerabilities can be used to attack the factory.
Even smart and autonomous vehicles can be subject to the same attacks as mobile phones. Telephony denial of service (TDoS), for example, could cause a smart car to become lost due to a broken internet connection.
What are our options?
Keeping in mind the connection between IoT and telecom should help in creating defences against threats that shift from one to the other. For IoT devices, simple measures like changing the default settings and credentials of the device can already prevent some of the telecom attacks from happening.
Geopolitically, most telecom crimes tend to be addressed by the telecom companies themselves. The costs are absorbed as the cost of doing business – creating an isolation almost. Without thorough cross-border intelligence sharing with law enforcement, the source, investigative method, and evidence cannot be connected in a way that results in a meaningful number of arrests or a decrease in the acceleration of international cyber-telecom fraud.
It is important to acknowledge that there is only so much a single organisation or industry can do against an interconnected web of threats. When multi-billion-dollar classes of fraud proliferate among criminal groups and become scalable on the back of sprawling IoT projects, the need to work together for the benefit of all has never been greater.