The second-largest telecommunications provider in Australia – Optus – was recently breached and faced a $1m extortion threat. Making matters worse, the attacker started contacting Optus customers directly. According to reports in the Australian media, the hacker has texted customers demanding $2000 AUD to be paid within two days, or their personal identifiable information (PII) will be sold for fraudulent purposes. However, this is an ongoing story, and the hacker has now apparently taken down the database containing customers’ released information and apologized for their actions. It may be that the attacker got more attention than they bargained for.
API Error Causes Breach
So, how did this security breach come about? The answer lies with application programming interfaces (APIs). APIs represent the glue connecting the vast troves of data that flows across today’s modern online and mobile applications. APIs exist in virtually every Internet device – from security cameras to video doorbells to online delivery and service portals. APIs drive today’s transformation initiatives.
Telecommunications providers and ISPs have discovered the value of APIs in the modernization of their own customer services. Acumen Research and Consulting research found that the global telecommunications API market will experience a CAGR of more than 20% from 2022 to 2030. Driving growth is increased competition across telcos and ISPs to provide new and enhanced services. These services span from online entertainment and mobile applications to customer migration to 4G or LTE networks to delivering a better user experience with integrated features.
The Culprit in the Optus Breach – Broken User Authentication
An unauthenticated API has been identified as the likely cause of the Optus security breach.
Open APIs, or unauthenticated APIs, represent one of the most common API security exposures. The OWASP API Security Top 10 cites broken user authentication as the second largest API vulnerability. Hackers know they can easily exfiltrate data from unauthenticated APIs, making this vulnerability a key target.
We frequently see Internet devices suffer this kind of breach pattern in our work with companies. APIs may be unauthenticated, as in this case, or could be using very simplistic authentication, such as the default basic authentication, which can be easily breached.
Telcos and ISPs must adopt strong authentication to protect their devices. In addition, they must understand that the risk of unauthenticated APIs extends beyond data exfiltration. Attackers can do more damage than just exploiting vulnerability to take over user accounts. They can also gain access to all device data that a device may be entitled to access. This exposes them to far greater risks. If a telco’s network equipment can be exploited, an attacker could assume control of the whole network.
Telcos Must Know Their API Security Risks
The proliferation of APIs within telco and ISP environments has created new and complex security risks that cannot be fully defended with existing regulations and traditional security solutions.
To protect this growing attack surface, telcos should first understand the risks. The OWASP API Security Top 10 list is the best place to start to learn about the top API security vulnerabilities. Unfortunately, according to our Q3 State of API Security Report, many organizations don’t utilize this valuable resource, yet 62% of all API attack attempts use at least one of the security vulnerabilities outlined in this important list.
Second, telcos and ISPs need to ensure that API security measures are communicated and adhered to across the entire organization. APIs touch all areas within an organization, not just development. Multiple teams can own APIs. Often miscommunication (or incomplete communication) can lead to problems. For example, infrastructure teams may assume that the development team has already managed authentication requirements. They may believe that the API has already gone through a security review when, in fact, it hasn’t.
Teams must communicate with each other about security steps that have – or have not – been taken in each stage of the API design, development and deployment process. Miscommunications can be pretty commonplace. In the Optus case, it appears that the network team unintentionally made a test network available on the Internet, which could then be easily exploited.
Lastly, telcos and ISPs need dedicated API security that has the ability to continuously monitor APIs for deviations in behaviors that indicate an attack. Organizations need deep visibility into API usage patterns – across millions of APIs – to protect this ever growing and changing attack surface.
These comprehensive insights are essential to detect threats and increase the speed of response before a breach can occur and compromise critical data or services.