When most folks think about how the mismanagement of machine identities can impact revenue, they think about the downtime and aftermath of certificate-related outages. But I recently visited some wireless carriers in Southeast Asia that are learning in a very concrete way how ignoring machine identities can result in lost revenue.
Speaking with a local wireless carrier about protecting their machine identities a month or two ago, I learned that they have been having trouble with WiFi data offloading hacks. But before we get into the details, let’s talk about why carriers would want to offload certain data traffic.
According to an article written by cell tower lease experts Steel in the Air, “Wi-Fi offloading is the use of Wi-Fi technology to deliver data that was originally sourced by cellular networks. Wireless Service Providers can intentionally offload cellular 3/4G and LTE traffic to Wi-Fi, which basically means that the end user will be accessing unlicensed spectrum in the public domain via a Wi-Fi hotspot. Why are the wireless carriers interested in offloading subscribers from their networks where they get paid by the megabyte? Two words- Data Tsunami.”
Here’s the scenario: Cell towers support cellular coverage for data. But the cell towers have another component called an eNodeB, which offloads the data from the cellular tower to another part of the network, such as a WiFi or wired network. It saves the telco money in terms of resources because if their capacity is full in the cellular data network, then they would have to build more cell towers. Thus, the offloading makes it cheaper for the cell telephone companies to roll out infrastructure, and not have multiple cellular towers to cater to increasing demands for mobile data.
So, historically, these eNodeBs have not had any form of authentication. All a hacker had to do was buy a device for themselves and they would have unlimited data coverage for themselves and all of their mates.
Then a couple years ago, some of the wireless carriers started to realize that they needed to implement certificate authentication to prevent this revenue leakage. Apparently, that was easier said than done. To protect against misuse, some manufacturers chose to simply embed a self-signed certificate onto the eNodeB to support a one-to-one trust model. While this one-to-one trust is super-secure, it is also super hard to manage. To get around these management limitations, some carriers configured their authentication to just trust any certificate, which kind of defeats the entire purpose and effectively takes the carriers back to step one.
Hackers began to exploit this lack of authentication by purchasing eNodeB units that came preloaded with the same manufacturing certificate. Anyone trying to hack the telephone network could just go and buy 10 units from the same manufacturer. These units would all have the same level of trust as the 10,000 units that the telco had purchased. And anyone could buy one on eBay for a few hundred bucks. If the carrier was too busy, or felt it was too difficult, to replace all the certificates on the eNodeB units so that it could perform proper authentication and identification, then the hacker would have free rein to offload data.
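The three trust models described above, compared side by side in an added example that is not from the original post or from any carrier's system. The serial numbers, attach log and certificate bytes are constructed stand-ins, and `build_pins`, `admit` and `audit` are hypothetical names.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: stand-in byte strings, not real certificates.
MFG_CERT = b"constructed-shared-manufacturing-cert"
PROCURED = {"SN-1001", "SN-1002", "SN-1003"}  # serials the carrier bought
ATTACH_LOG = [  # (serial, certificate presented when the unit attaches)
    ("SN-1001", MFG_CERT),
    ("SN-1002", MFG_CERT),
    ("SN-1003", b"constructed-unique-cert-1003"),
    ("SN-9999", MFG_CERT),  # not procured, but carries the same factory cert
]

def fingerprint(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()

def build_pins(log, procured):
    """Enrolment record: serial -> fingerprint, for procured units only."""
    return {s: fingerprint(c) for s, c in log if s in procured}

def admit(policy, serial, cert, pins):
    """Would the gateway accept this unit under the given trust policy?"""
    if policy == "trust-any":    # accept whatever certificate is presented
        return True
    fp = fingerprint(cert)
    if policy == "shared-cert":  # any holder of a known certificate is trusted
        return fp in pins.values()
    if policy == "per-device":   # one-to-one: certificate bound to one serial
        return pins.get(serial) == fp
    raise ValueError(f"unknown policy: {policy}")

def audit(log, procured):
    """Report fingerprints shared by several serials, and unprocured serials."""
    by_fp = defaultdict(set)
    for serial, cert in log:
        by_fp[fingerprint(cert)].add(serial)
    shared = {fp: s for fp, s in by_fp.items() if len(s) > 1}
    unknown = sorted({s for s, _ in log if s not in procured})
    return shared, unknown

if __name__ == "__main__":
    pins = build_pins(ATTACH_LOG, PROCURED)
    for policy in ("trust-any", "shared-cert", "per-device"):
        print(policy, admit(policy, "SN-9999", MFG_CERT, pins))
    print(audit(ATTACH_LOG, PROCURED))
```

A fingerprint that the audit reports as shared means the certificate cannot distinguish those units from one another, so those are the certificates to replace with unique, centrally issued ones.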
That’s where my recent conversation started. The wireless carrier wanted to fix the problem by implementing a properly-managed PKI that would allow them to roll out certificates onto their eNodeBs. Ultimately, this would equip them to validate the identities of these eNodeB units and take advantage of the benefits of machine-to-machine identity protection. But alas, it was not to be that easy.
To further complicate the scenario, the self-signed certificates that were embedded by the manufacturers were configured with very long lifetimes. This means these certificates would be valid for something like 10 or 20 years. Plus, they were not issued by a trusted certificate authority (CA). So, it would be difficult to prevent their misuse by revoking them. It would have been better by far to purchase publicly trusted certificates from a respected CA before manufacturing and have these embedded in the units.
It’s never too early to think about how machine identities will impact your security AND your revenue stream. The result of poor vigilance over these machine identities was that devices designed to save the carrier money ended up causing them to lose bandwidth. And in today’s mobile economy, bandwidth is money. So, that's a real-world example of wireless carriers losing money because they are not properly implementing and protecting machine identities.
How well are your machine identities protected?