Telcos Discover the Value of Machine Identities in Protecting Revenue

January 29, 2019 | Wilson Yan

When most folks think about how the mismanagement of machine identities can impact revenue, they think about the downtime and aftermath of certificate-related outages. But I recently visited some wireless carriers in Southeast Asia that are learning in a very concrete way how ignoring machine identities can result in lost revenue.

WiFi data offloading

Speaking with a local wireless carrier about managing their machine identities a month or two ago, I learned that they have been having trouble with WiFi data offloading hacks. But before we get into the details, let’s talk about why carriers would want to offload certain data traffic.

According to an article written by cell tower lease experts Steel in the Air, “Wi-Fi offloading is the use of Wi-Fi technology to deliver data that was originally sourced by cellular networks. Wireless Service Providers can intentionally offload cellular 3/4G and LTE traffic to Wi-Fi, which basically means that the end user will be accessing unlicensed spectrum in the public domain via a Wi-Fi hotspot.  Why are the wireless carriers interested in offloading subscribers from their networks where they get paid by the megabyte?  Two words- Data Tsunami.”

What is an eNodeB?

Here’s the scenario. An eNodeB (Evolved Node B) is the LTE base station itself: the radio and baseband equipment at a cell site that terminates the air interface and connects over IP backhaul to the carrier’s core network. To add capacity without building more macro towers, carriers deploy additional small eNodeBs and WiFi access points and steer data traffic onto them when the licensed cellular capacity is full. That saves the telco money: the alternative to offloading is more cell towers, so offloading lets carriers roll out infrastructure more cheaply and meet the growing demand for mobile data without multiplying cell sites. The security-relevant consequence is that every unit the network accepts as one of its own becomes a door into the carrier’s data service.

Historically, these eNodeBs had no form of device authentication at all. All a hacker had to do was buy a unit for themselves, and they would have unlimited data coverage for themselves and all of their mates.

Then, a couple of years ago, some wireless carriers realized they needed certificate-based authentication to stop this revenue leakage. Apparently, that was easier said than done. To protect against misuse, some manufacturers chose to simply embed a self-signed certificate in the eNodeB, so the carrier’s network trusts that exact certificate directly, with no certificate authority in between (a one-to-one trust model). Direct trust in a specific certificate is strong in principle, but it is very hard to manage: with no CA there is nothing to enroll new units against and nothing to revoke, so every change means editing the trust configuration by hand. To get around these management limitations, some carriers configured their authentication to accept any certificate at all, which defeats the entire purpose and effectively takes the carriers back to step one.

Hackers then exploited this by purchasing eNodeB units that came preloaded with the same manufacturing certificate as the carrier’s fleet. Anyone trying to get onto the telephone network could buy ten units from the same manufacturer, and because the credential was identical, those ten units carried exactly the same level of trust as the 10,000 units the telco had purchased. It made no difference whether the carrier pinned the manufacturer’s certificate or accepted anything: a clone of the credential is indistinguishable from the original. Such a unit could be had on eBay for a few hundred dollars. If the carrier was too busy, or felt it was too difficult, to replace the certificates on all of its eNodeB units with proper per-device identities, the hacker had free rein to offload data over the carrier’s network.

PKI problems and machine identities

That’s where my recent conversation started. The wireless carrier wanted to fix the problem by implementing a properly-managed PKI that would allow them to roll out certificates onto their eNodeBs. Ultimately, this would equip them to validate the identities of these eNodeB units and take advantage of the benefits of machine-to-machine identity protection. But alas, it was not to be that easy.

To complicate matters further, the self-signed certificates the manufacturers embedded had very long lifetimes, on the order of 10 or 20 years. And because they were not issued by any certificate authority (CA), there was no CRL or OCSP responder that could declare them revoked; the only way to withdraw trust in one was to remove it from every gateway that pinned it, and since the same certificate sat in thousands of units, that meant re-credentialing the whole fleet. It would have been far better to have each unit carry its own certificate, with its own key pair, issued before deployment by a CA the carrier trusts and can revoke against (its own PKI, or a vendor CA it explicitly chooses to trust), and with a lifetime short enough that a stale credential expires on its own.
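To make the two failure modes described above concrete, here is an added example, written for this page and not code from the post or from Venafi, of the carrier-side admission check that a properly managed PKI makes possible, in Go against a constructed fleet. It places the “trust anything that parses” configuration beside a gateway that requires a chain to the carrier’s own CA, a leaf lifetime within policy, a serial absent from the carrier’s revocation list, and a Subject CN present in the carrier’s device inventory. The 20-year self-signed manufacturer certificate, the CA name, the device serials, the two-year lifetime cap and the in-memory revocation and inventory tables are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var now = time.Date(2019, 1, 29, 0, 0, 0, 0, time.UTC) // constructed clock: the post's date
const year = 365 * 24 * time.Hour

// Gateway models the carrier-side admission check; all three tables are constructed for the example.
type Gateway struct {
	CarrierCA *x509.CertPool  // the only issuer the carrier accepts
	Revoked   map[string]bool // serials withdrawn by the carrier CA (in production: its CRL or OCSP)
	Inventory map[string]bool // device serials (Subject CN) the carrier bought and enrolled
}

// TrustAny is the "just trust any certificate" configuration from the post: anything that parses is admitted.
func TrustAny(der []byte) error {
	_, err := x509.ParseCertificate(der)
	return err
}

// Admit is the per-device check: chains to the carrier CA, lifetime within policy, not revoked, enrolled.
func (g *Gateway) Admit(der []byte) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: g.CarrierCA, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("issuer not trusted: %w", err) // a self-signed manufacturer cert fails here
	}
	if lifetime := cert.NotAfter.Sub(cert.NotBefore); lifetime > 2*year { // assumed policy cap
		return fmt.Errorf("lifetime %v exceeds policy", lifetime)
	}
	if g.Revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("serial %v revoked", cert.SerialNumber)
	}
	if !g.Inventory[cert.Subject.CommonName] {
		return fmt.Errorf("device %q not in inventory", cert.Subject.CommonName)
	}
	return nil
}

// issue makes a P-256 key and certificate for cn, valid from an hour ago; a nil parent means self-signed.
func issue(cn string, serial int64, lifetime time.Duration, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(lifetime),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // inputs are constructed, so this cannot happen outside a bug
	}
	cert, _ := x509.ParseCertificate(der) // re-parse so the CA can serve as parent and pool root
	return cert, key
}

// Scenario builds the constructed fleet from the post and returns each unit's admission result (nil = admitted).
func Scenario() map[string]error {
	ca, caKey := issue("Carrier Root CA", 1, 10*year, true, nil, nil)
	gw := &Gateway{CarrierCA: x509.NewCertPool(), Revoked: map[string]bool{"3": true},
		Inventory: map[string]bool{"ENB-0001": true, "ENB-0002": true}}
	gw.CarrierCA.AddCert(ca)
	shared, _ := issue("ENB-MFG-DEFAULT", 4242, 20*year, false, nil, nil) // what every unit ships with
	enrolled, _ := issue("ENB-0001", 2, year, false, ca, caKey)            // per-device, from the carrier CA
	revoked, _ := issue("ENB-0002", 3, year, false, ca, caKey)             // serial 3 is on the revocation list
	longLived, _ := issue("ENB-0001", 5, 20*year, false, ca, caKey)        // right issuer, wrong lifetime
	return map[string]error{
		"trustany:shared-manufacturer-cert": TrustAny(shared.Raw),
		"shared-manufacturer-cert":          gw.Admit(shared.Raw),
		"enrolled-device":                   gw.Admit(enrolled.Raw),
		"revoked-device":                    gw.Admit(revoked.Raw),
		"long-lived-leaf":                   gw.Admit(longLived.Raw),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-34s %v\n", name, err)
	}
}
```

Run as-is, the program prints one line per unit. The shared manufacturer certificate is admitted by TrustAny and rejected by Admit as an untrusted issuer, which is the whole difference between the two configurations; the revoked and over-long certificates show why a CA the carrier controls, together with a lifetime policy, still matter once the chain checks out. In production the Revoked table would be fed from the CA’s CRL or an OCSP responder rather than a literal, and the inventory from the carrier’s asset system.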

It’s never too early to think about how machine identities will impact your security AND your revenue stream. The result of poor oversight of these machine identities was that devices designed to save the carrier money ended up costing it bandwidth. And in today’s mobile economy, bandwidth is money. So that’s a real-world example of wireless carriers losing money because they are not properly implementing, managing and protecting machine identities.

How well are you managing your machine identities?

About the author

Wilson Yan

A self-proclaimed "digital security problem solving zealot", Wilson is a Principal Consultant of Information Technology at Venafi. He is responsible for driving deployment of Venafi’s solutions across Singapore, Australia and Macau, and for securing PKI certificates and keys.
