F5 Warns That Flaws in Cellular Gateways Expose Infrastructure to Risk | eWeek

F5 Details Cellular Gateway IoT Flaws at Black Hat

Justin Shattuck
Aug 9, 2018
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

LAS VEGAS—Cellular gateways are leaking information that could be exposing critical infrastructure to risk. That’s the conclusion of Justin Shattuck, principal threat researcher for F5 Labs, who talked about the issue of cellular gateway flaws for internet of things (IoT) in a session at Black Hat USA here on Aug .9.

In a video interview with eWEEK, Shattuck provided details of the vulnerabilities and misconfigurations he found as well as their potential impact. Cellular gateways are used to connect emergency services and other critical infrastructure, including law enforcement vehicles, he said. Overall, F5 Labs was able to identify more than 100,000 devices that are impacted by the cellular gateway flaws.

The flaws could potentially enable an attacker to identify locations of infrastructure, track individuals, and even manipulate or corrupt communications. Among the vulnerabilities that Shattuck discovered was information disclosure about the cellular gateways. He also discovered that some devices lack proper authentication, enabling attackers to simply log in, without challenge. F5 began contacting impacted vendors in 2016 and has had challenges getting vendors to patch.


“We sent off over 400 disclosures in the first few days and got zero responses,” Shattuck said. “It was actually very heartbreaking as a researcher to volunteer so much information and no one wanted to pay attention.”

It took several years of effort, but Shattuck and F5 did get some vendors to pay attention. F5 found that Sierra Wireless was using default credentials, among other issues. Shattuck said that Sierra Wireless worked with F5 to fix issues.

Risks

“These devices are emitting as much data as you can soak up,” Shattuck said.

He said he could identify the locations of first responders, including fire and police, over GPS and where the vehicles were going. While vulnerabilities are always a concern, Shattuck emphasized that misconfigurations are a primary risk for the cellular IoT gateways.

While Sierra Wireless has patched issues, Shattuck is still concerned about the vendors that have yet to respond and address the risks he identified.

“I’m a little broken-hearted that we have over 13,000 disclosures, two responses and only one dialogue,” Shattuck said. “That one dialogue has been with Sierra Wireless.”

Watch the full video with Shattuck above.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.