Hacking IoT Manufacturers and Smart Cars via APN
What is an APN?
Sometimes, IoT devices and vehicles only transmit IP traffic via cellular networks. If you think using secret APN keys increases security, think again. We found that APN keys are often easy to compromise. Moreover, you can use an IoT device to access the APN without even cracking the key, gaining access to confidential information and other devices using the same APN—including other IoT devices from the same manufacturer and other vehicles. In some cases, you can even compromise internal corporate network systems.
Connecting to an APN
To connect to any cellular APN service, a device needs the access point name, username, and password. This is the case with SIM cards bought from intermediaries.
Figure 1: List of SIM cards
Your provider may supply APN settings when you connect your phone to the network, or you may need to configure them yourself. Providers use different APNs for tablets, computers, or phone traffic. A quick search for “APN Settings” yields a long list of public APNs for mobile providers worldwide. You can also find these settings in extracted firmware. In any case, connecting to an APN allows a cellular device to communicate over IP, whether on the internet or a private internal range.
Even though the lack of a standard Ethernet interface on a “smart” device can make testing difficult, the process itself can be quite interesting.
Extracting APN Credentials
If a device connected to a private APN service is physically protected, the question arises: “How do you extract APN credentials?”
Most of the time, a device will connect to any cellular network it can. This doesn’t mean a Vodafone SIM will connect to O2, but you can swap the factory SIM for your own, and the device will connect to your chosen network.
We used a 3G femtocell, a “Network in a Box” device, and several SIM cards, all ordered from Sysmocom, whose experts contribute to the open-source 3G project Osmocom.
Figure 2: sysmoNITB 3.5G device
Once the femtocell and network are operational, insert a SIM card into the target device (be careful not to lose the factory SIM; you’ll need it later) and wait for it to connect. Through a standard Ethernet interface, you can observe what the device does over the cellular connection, such as:
- What traffic the device generates, where it tries to connect, and whether encryption is used.
- Whether there are open ports. Developers may assume that using a cellular APN interface is secure enough. You might discover a superuser password or a Telnet password.
- Secret information used for APN authentication.
We won’t cover the first two points, as there are plenty of resources on those topics. However, there’s little written about APN authentication. APN authentication over a 3G network uses the PPP CHAP protocol. CHAP, first proposed in 1996 as a predecessor to MS-CHAP, uses a three-way handshake: challenge, response, authentication/rejection.
Bypassing APN Authentication
The Osmocom application powering our 3G network ignores APN authentication requests, allowing any device to connect with any APN name, username, and password. However, the three-way handshake still occurs.
If you analyze the authentication process with tcpdump, you’ll see something like this:
Figure 3: Packets transmitted during APN authentication
In Wireshark, the packet containing APN authentication info is called (RUA) DirectTransfer (DTP) (SM) Activate PDP Context Request.
Figure 3: Contents of the (RUA) DirectTransfer (DTP) (SM) Activate PDP Context Request packet
But where’s the password? The APN name and username appear in plain text, but the password does not. The answer is in RFC 1994: the CHAP Response Value is an MD5 digest, not the password itself. The hashed input is the request identifier octet (e.g., “0x01”), followed by the password, followed by the CHAP Challenge Value (e.g., “f3bcc7c0d43ff6a7dafcb4a7a388975d”); the whole concatenation is hashed with MD5.
Yes, it’s MD5.
Fortunately, hashcat has a mode for iSCSI CHAP hashes (mode 4800). The input format is:
[CHAP Response Value]:[CHAP Challenge Value]:[Response Identifier Octet]
For example:
7e1062f19af0b4ff4611206457de99e4:f3bcc7c0d43ff6a7dafcb4a7a388975d:01
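The RFC 1994 digest described above, worked through as an added example (not code from the original article): it computes the CHAP Response Value, performs the authenticator-side check, and emits the hashcat mode 4800 line format. The challenge and identifier are the ones quoted above; the secret is constructed, so the resulting response will not match the article’s “7e1062f1…” value.

```python
import hashlib
import secrets

# Constructed sample values. The challenge and identifier come from the
# hashcat example in the article; the secret is made up for this example.
CHALLENGE_HEX = "f3bcc7c0d43ff6a7dafcb4a7a388975d"
IDENTIFIER = 0x01
SECRET = b"constructed-apn-secret"

# RFC 1994 recommends that CHAP secrets be at least 16 octets long.
RFC1994_MIN_SECRET_LEN = 16


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response Value per RFC 1994: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_response(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator-side check: recompute the digest with the shared secret and compare.

    The challenge acts as a per-handshake salt, so a captured response is only
    meaningful against the challenge it was issued for.
    """
    expected = chap_response(identifier, secret, challenge)
    return secrets.compare_digest(expected, response)


def hashcat_4800_line(response: bytes, challenge: bytes, identifier: int) -> str:
    """Lay a captured handshake out as hashcat mode 4800 expects it:
    [Response Value]:[Challenge Value]:[Identifier octet]."""
    return f"{response.hex()}:{challenge.hex()}:{identifier:02x}"


def secret_meets_rfc_minimum(secret: bytes) -> bool:
    """Audit check for an APN secret against the RFC 1994 length recommendation."""
    return len(secret) >= RFC1994_MIN_SECRET_LEN


def demo() -> dict:
    challenge = bytes.fromhex(CHALLENGE_HEX)
    response = chap_response(IDENTIFIER, SECRET, challenge)
    return {
        "line": hashcat_4800_line(response, challenge, IDENTIFIER),
        "valid": verify_response(IDENTIFIER, SECRET, challenge, response),
        "wrong_secret_rejected": not verify_response(IDENTIFIER, b"wrong", challenge, response),
        "secret_ok": secret_meets_rfc_minimum(SECRET),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```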
Hashcat easily cracks MD5. Weak passwords will be broken 100% of the time. Even the 1996 RFC recommends passwords of at least 16 characters.
Figure 4: Password recommendations
Our setup with several GPUs runs at 10 GH/s for MD5 hashes. Brute-forcing a 9-character password (upper/lowercase + digits) takes about 20 minutes—without optimizations that could make it even faster.
Figure 5: Example hashcat command
There are also rainbow tables for MD5 covering up to 9-character combinations or 10 lowercase + digits.
Do you know how complex and long your secret APN key is?
Next, you can insert the factory SIM into a cellular modem and connect to the APN using the cracked credentials—directly into the client’s environment. Hardware testing becomes an assessment of internal infrastructure via the cellular network.
We’ve performed pentests and compromised entire internal networks using IoT devices that were supposed to be isolated. I recall one access controller using GSM/LTE via a private APN in a remote, physically accessible location. We dismantled the device, extracted the SIM, cracked the APN key, and gained access to the client’s network. The attack vector of a compromised APN key had not been considered.
We also worked with a large smart lighting network. After compromising one lighting device, we accessed the entire APN service, then other devices, then the consumer network, and finally the manufacturer’s IoT device network.
Who Needs Their Own 3G Network? Another Method
IoT devices often store secret keys in memory, which is almost always unencrypted. Even if you can’t extract the firmware, you can often read keys directly from RAM and compromise the network.
Exploiting Secret APN Keys in Vehicles
Most modern vehicles have telematics control units (TCUs) with SIM cards for mobile data. In Europe, due to the eCall emergency system, these are in almost all new cars. Private APNs are used for cellular communications to increase security. TCUs are easy to extract and analyze.
Figure 6: Telematics control unit
There are often many security issues with TCUs, making compromise relatively easy. You may not even need hardware hacking techniques.
The main problem is that TCUs pass through a long supply chain: parts manufacturer, TCU manufacturer, telematics provider, and connectivity provider. Mistakes can happen at any stage.
In one test for a car manufacturer, we examined a TCU. With physical access, we didn’t even need to crack the APN key, as the device was already trusted. Exploring the network the TCU could access was both fascinating and alarming.
It was clear that a huge number of devices were connected to this network. We had no special access rights beyond the car manufacturer’s network. We simply performed a reverse DNS lookup… and got a long list of DNS records related to car manufacturers not associated with our client—mostly German brands. We stopped there.
There was no segregation between vehicles or brands. The telematics provider hadn’t even separated brands, only individual vehicles. The potential was enormous: one remote exploit in a TCU could compromise every car of that brand—and others. A similar incident happened before, when the Renesas V850 processor in the Uconnect telematics system was compromised. That attack didn’t involve secret APN keys, but exploited a lack of network segregation in Sprint’s network.
We believe that attacks via secret APN keys could have even more serious consequences if similar mistakes are made.
I Use APN Keys in My Products and Services—What Should I Do?
If you use APNs in connected devices, make sure both the device and APN are protected to an acceptable level:
- Always use authentication (some people don’t) with a long, complex password.
- Carefully consider secure storage and use of the secret password. Plan for password recovery if a device is compromised. Recalling vehicles and replacing all SIMs in TCUs is extremely expensive.
- Embedded SIMs (eSIMs) make it easier to back up and recover compromised APN credentials. They’re also harder to extract, as they’re soldered in.
- Services accessible via APN should be segregated. Don’t allow access to your entire internal corporate network.
- Ensure only selected SIM cards can access the private APN service. You don’t want anyone on the cellular network connecting to your APN.
- If needed, segregate clients by location so a compromised device doesn’t affect others.
- Don’t provide unrestricted outbound internet access. You don’t want someone who stole a SIM to get free 4G internet via your APN.
- You may think your APN is private, but treat it like a public VPN. Anyone with SIM access can reach your APN.
Author: Ken Munro