IoT Security: How to Prevent SMS and Voice Call Attacks

October 29, 2020 - 7 minutes read

The Internet of Things (IoT) has opened up many opportunities for a variety of industries to accomplish tasks with more efficiency and productivity. But IoT is also extremely vulnerable to cybersecurity attacks, and an enterprise that doesn’t invest adequately in its security team is opening its system up to a host of threats. However, when you compare the cybersecurity vulnerabilities of an enterprise IoT system with those of the mobile phones that almost every consumer possesses, it’s easy to see which is more at risk of an attack.

Single connected devices, like mobile phones, have been utilizing the same technology for decades. This technology has known vulnerabilities in SIM cards as well as in SMS and voice calls, but changes haven’t been made to protect consumers. Hackers can use these vulnerabilities to obtain private information and generate revenue for their criminal businesses. Couple this with the fact that many enterprise IoT systems allow employees to bring their own devices (usually mobile phones), and we’ve got a growing problem on our hands.

SMS Vulnerabilities and Attacks

Remember when each SMS message cost money to send in the early 2000s? There were also mobile phone scams that would send unwanted ads to people. The person would end up having to pay for the ad text messages, and phone companies caught on fast, prohibiting SMS ads. But there’s another threat lurking for SMS messages: smishing.

Smishing is a form of phishing in which the hacker sends a person an SMS containing a phishing link. When the person clicks on the link, it downloads malicious software. IoT applications that are built around human decision-making, like order screens or payment terminals, are vulnerable to this, but they are limited in number. To compromise other IoT devices, an attacker needs another way into the device’s hardware and software.

In 2019, cybersecurity experts reported two major vulnerabilities for mobile phones: Simjacker and WIBattack. Both vulnerabilities are tied to SMS messages and SIM card software, and they allow a hacker to gain control of a device. Because each SIM card is a microprocessor, it has room for a software applet. Each vulnerability relies on an outdated applet (S@T Browser and Wireless Internet Browser (WIB), respectively) that doesn’t have strong enough security. The WIB vulnerability, in particular, is present on mobile phones from 85 major mobile carriers, including T-Mobile, Vodafone, and Dallas-based AT&T.

A hacker can send an over-the-air (OTA) SMS that can change SIM configurations in a person’s phone. A legitimate OTA SMS is secured with a key from the operator, but the vulnerable applets also accept SMS messages that don’t have security measures. The hacker can then execute malicious commands on the user’s SIM card, including sending SMS messages, getting location information, and making calls. The longer a device is in use, the more vulnerable it is to security exploits and, eventually, full control of the device.
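
A network-side check for the weakness described above, as an added example (not code from the article or from any carrier product): it decodes the header of an OTA command packet, using the field layout from ETSI TS 102 225 / 3GPP TS 23.048, and blocks packets that carry no cryptographic checksum or signature. The input framing (a reassembled packet starting at its length field), the function names, and the sample bytes, including the TAR `aabbcc`, are constructed for illustration.

```python
# Field layout follows the secured command packet of ETSI TS 102 225
# (3GPP TS 23.048): CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3) CNTR(5) PCNTR(1).
INTEGRITY = {0: "none", 1: "redundancy-check", 2: "crypto-checksum", 3: "signature"}
MIN_HEADER = 13  # bytes counted by CHL when no RC/CC/DS field is present


def parse_command_header(packet: bytes) -> dict:
    """Decode the security-relevant header fields of one OTA command packet."""
    if len(packet) < 3 + MIN_HEADER:
        raise ValueError("too short for a command packet")
    cpl = int.from_bytes(packet[0:2], "big")
    chl = packet[2]
    if cpl != len(packet) - 2 or chl < MIN_HEADER or 3 + chl > len(packet):
        raise ValueError("inconsistent CPL/CHL")
    spi1 = packet[3]  # first SPI octet carries the requested security level
    return {
        "tar": packet[7:10].hex(),                      # target applet reference
        "integrity": INTEGRITY[spi1 & 0x03],            # bits 1-2
        "ciphered": bool(spi1 & 0x04),                  # bit 3
        "replay_checked": ((spi1 >> 3) & 0x03) >= 2,    # bits 4-5
    }


def verdict(packet: bytes) -> str:
    """Filtering decision: only authenticated packets may reach the SIM."""
    try:
        hdr = parse_command_header(packet)
    except ValueError:
        return "block: malformed"
    # A redundancy check is an unkeyed CRC, so it authenticates nothing.
    if hdr["integrity"] in ("none", "redundancy-check"):
        return "block: unauthenticated"
    if not hdr["replay_checked"]:
        return "alert: no replay protection"
    return "pass"


# Constructed sample packets (placeholder TAR, checksum and payload bytes).
UNSECURED = bytes.fromhex("0010" "0d" "0000" "00" "00" "aabbcc"
                          "0000000000" "00" "0102")
SECURED = bytes.fromhex("0018" "15" "1600" "15" "15" "aabbcc"
                        "0000000001" "00" "1122334455667788" "0102")
```
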

Voice Call Issues and Weaknesses

Voice call fraud is a major issue for most consumers and mobile carriers, costing both parties an estimated total of $28.3 billion in 2019. The most common fraud type is International Revenue Share Fraud, where customers are tricked into calling a premium number that charges high fees. The provider of the premium phone number and the company that rents the number split the revenue gained. The mobile carrier charges the customer, and if the customer tries to fight the charge, they may get their contract terminated.

Voice calls are relatively common, and they aren’t limited to consumer calls. For example, elevator emergency calls may use SIM cards to support voice. An attacker can get remote or physical control over these devices or SIM cards. If a hacker gains control over a lot of IoT devices, it could bankrupt a business.

Protecting Your Mobile Phone

IoT devices should be limited in their connectivity profile to the purpose they serve when deployed in an IoT system. For example, if the device doesn’t need to receive SMS messages or voice calls, these features should be deactivated in the connectivity provider’s portal. Sometimes, this deactivation needs to be done during the device’s initial configuration.

Voice services should be limited to a defined group of callers and recipients for specific use cases. Often, IoT app developers use Voice over Internet Protocol (VoIP) so that voice is covered by the same security measures as data services. External SMS messages from other devices should be blocked so attackers can’t send malicious messages and links to the IoT device.

Application-to-peer SMS should be employed, with the application authenticated in advance, so that only the device owner can send SMS messages to and receive them from their device. Another way to protect IoT-enhanced enterprises is to set a limit on how many SMS messages can be sent or received by each device. This can greatly reduce the costs of smishing and hacking attacks.
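
The controls from this section (deactivated services, restricted voice peers, blocked external SMS, and a per-device SMS limit) combined into one policy check, as an added example that is not from the article or any connectivity provider. The profile fields, device names, peer identifiers and traffic are constructed; a real deployment would configure the same rules in the provider's portal or API.

```python
from collections import defaultdict, deque

# Constructed profiles; the field names are hypothetical, not a provider's schema.
# An empty peer set means the service is deactivated for that device.
PROFILES = {
    "elevator-01": {"voice_peers": {"+15550100"}, "sms_peers": set(), "sms_per_hour": 0},
    "meter-17": {"voice_peers": set(), "sms_peers": {"app-backend"}, "sms_per_hour": 2},
}

class ConnectivityGate:
    def __init__(self, profiles, window=3600):
        self.profiles = profiles
        self.window = window               # seconds covered by the SMS limit
        self.history = defaultdict(deque)  # device -> timestamps of allowed SMS

    def check(self, device, service, peer, ts):
        profile = self.profiles.get(device)
        if profile is None:
            return "deny: unknown device"
        peers = profile[service + "_peers"]
        if not peers:
            return f"deny: {service} deactivated"
        if peer not in peers:
            return f"deny: {service} peer not allowlisted"
        if service == "sms":
            sent = self.history[device]
            while sent and ts - sent[0] >= self.window:
                sent.popleft()             # forget messages outside the window
            if len(sent) >= profile["sms_per_hour"]:
                return "deny: sms limit reached"
            sent.append(ts)
        return "allow"

def replay(events, profiles=PROFILES):
    """Run a list of events through a fresh gate and return each decision."""
    gate = ConnectivityGate(profiles)
    return [gate.check(*event) for event in events]

# Constructed traffic: (device, service, peer, timestamp in seconds)
EVENTS = [
    ("elevator-01", "voice", "+15550100", 0),
    ("elevator-01", "voice", "+15550199", 10),
    ("elevator-01", "sms", "+15550123", 20),
    ("meter-17", "sms", "+15550123", 30),
    ("meter-17", "sms", "app-backend", 40),
    ("meter-17", "sms", "app-backend", 41),
    ("meter-17", "sms", "app-backend", 42),
    ("meter-17", "sms", "app-backend", 3640),
]
```
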

Changing the Discourse

It’s important for major mobile carriers to issue safer SIM cards for their customers. Experts recommend that hardware manufacturers and mobile app developers work together to create a common security approach at the connectivity level. But it’s also imperative that consumers are trained to recognize smishing-type messages so that they can avoid clicking on malicious links. With IoT systems, SMS and voice capabilities not only unlock more flexibility and functionality for the system, but they also increase the vulnerability of the devices in the system.

Have you ever received a smishing SMS message on your SIM-enabled device? How did you know it was malicious? Let us know in the comments below!
