F5 Details Cellular Gateway IoT Flaws at Black Hat

LAS VEGAS—Cellular gateways are leaking information that could be exposing critical infrastructure to risk. That's the conclusion of Justin Shattuck, principal threat researcher for F5 Labs, who talked about the issue of cellular gateway flaws for internet of things (IoT) in a session at Black Hat USA here on Aug .9.

In a video interview with eWEEK, Shattuck provided details of the vulnerabilities and misconfigurations he found as well as their potential impact. Cellular gateways are used to connect emergency services and other critical infrastructure, including law enforcement vehicles, he said. Overall, F5 Labs was able to identify more than 100,000 devices that are impacted by the cellular gateway flaws.

The flaws could potentially enable an attacker to identify locations of infrastructure, track individuals, and even manipulate or corrupt communications. Among the vulnerabilities that Shattuck discovered was information disclosure about the cellular gateways. He also discovered that some devices lack proper authentication, enabling attackers to simply log in, without challenge. F5 began contacting impacted vendors in 2016 and has had challenges getting vendors to patch.

"We sent off over 400 disclosures in the first few days and got zero responses," Shattuck said. "It was actually very heartbreaking as a researcher to volunteer so much information and no one wanted to pay attention."

It took several years of effort, but Shattuck and F5 did get some vendors to pay attention. F5 found that Sierra Wireless was using default credentials, among other issues. Shattuck said that Sierra Wireless worked with F5 to fix issues.


"These devices are emitting as much data as you can soak up," Shattuck said.

He said he could identify the locations of first responders, including fire and police, over GPS and where the vehicles were going. While vulnerabilities are always a concern, Shattuck emphasized that misconfigurations are a primary risk for the cellular IoT gateways.

While Sierra Wireless has patched issues, Shattuck is still concerned about the vendors that have yet to respond and address the risks he identified.

"I'm a little broken-hearted that we have over 13,000 disclosures, two responses and only one dialogue," Shattuck said. "That one dialogue has been with Sierra Wireless."

Watch the full video with Shattuck above.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.