APIs in the Telecom Industry
Carlo De Micheli, Zoran Gorgiev
The telecom industry has been one of the most dynamic for years, and it looks like it will continue to be in the foreseeable future. In recent years, APIs have added to these dynamics even more.
As telecommunication progresses to a new era of transformation, API insecurity emerges as a new concern. Wait, are APIs really that important in telecommunications? So, you’re telling me now that they require special attention from the telcos? But are there real-life examples of any destructive consequences of exploiting APIs in telecom?
You’ll find the answers in the following few sections.
APIs in Telecom
Telcos were among the first companies to show a practical interest in APIs, which made perfect sense. Considering the high competition in the telecom market and the costs of gaining an edge over rivals, APIs were the obvious choice. They could simplify innovation and delivery of new services, simultaneously reducing costs.
But what precisely does an API do in telecom? What’s a telecom API’s purpose?
APIs are a central element of telecom’s digital transformation. They carry so much potential in this industry that the discussion of their usefulness goes beyond what they’ve already allowed telcos to achieve. It’s equally about the countless goods telecom APIs will bring soon if the industry makes the right moves.
Analysts argue that APIs can unlock the monetization potential of 5G and multi-billion-dollar revenue in the next several years. This potential is so immense that we can’t envision all the application scenarios made possible by APIs. However, telcos must first motivate the developer community, and innovation and revenue will follow.
One of the points of introducing APIs in telecom, if not the point, is to let developers build innovative new features and services. But for that to happen, telecom APIs must be scalable and interoperable.
The first means that APIs must be able to grow and adapt to the telecom company’s changing needs, but this does not happen at the expense of API and service reliability. The second means APIs must work in different environments—from gaming to payment processing—and geographical regions, which requires shared telecommunications API standards.
Although the telecoms industry will need to do more regarding interoperability, initiatives such as CAMARA and the GSMA open gateway give much hope for the future.
Some of the capabilities APIs can make possible for telcos are the following:
- Mobile gaming
- In-app payments
- Identity aggregation
- M2M communication
- Access to legacy systems
- Network monitoring and control
- Speed on demand, speed tiers, and low latency
- Integration of chatbots and IoT devices like sensors
- Remote control, an advantage already widely used in electric vehicles
- Rich Communication Services (RCS), such as rich voice and rich messaging
Nonetheless, as APIs expand the horizon of possibilities for telecommunication companies, they also bring unique security risks. For instance, a telecommunication API’s scalability can inadvertently introduce vulnerabilities if achieved without proper security checks due to the pressure of tight deadlines and the imperative of low time to market.
Also, although no one can deny the benefits of innovative service development as well as widespread data exchange and accessibility through APIs, these dramatically expand telcos’ attack surface if not accompanied by proportionate security measures.
A few examples of telecom data breaches suffice to show the dangers of forsaken API security.
API Security Incidents in Telecom
Two of the three incidents we’ll discuss were highly publicized, mainly because they involved large and globally known telecommunication companies.
The third is not widely known, and unlike the first two, it’s not an API incident where malicious actors exploited a vulnerable API. Instead, it’s a security risk disclosed by an ethical hacker.
The incidents are ordered by importance, not chronologically.
The Optus Security Breach
Optus is the second-largest Australian telco. The Optus data breach happened in 2022, and it’s widely considered one of the most disastrous in the industry.
The API that allowed the breach suffered from multiple security flaws:
- It was a publicly accessible API that operated with sensitive user data
- It was uncatalogued, meaning it suffered from the Improper Inventory Management vulnerability
- It completely lacked authentication, which makes it fall within the Broken Authentication category of the ten most severe and common API security risks
- It included incremental user identifiers, which means it falls under the Broken Object Level Authorization type
- It didn’t prevent the threat actor from requesting information on an enormously large number of users, meaning it suffered from the Unrestricted Resource Consumption vulnerability
The breach led to a data theft that affected more than 11.2 million Optus customers. The stolen information included:
- Names
- Birth dates
- Physical and email addresses
- Phone, driver’s license, and passport numbers
In the aftermath of the breach, Optus faced lawsuits, non-compliance charges, severe reputation damage, and millions in financial losses.
The T-Mobile Data Breach
At the beginning of 2023, the telecom giant T-Mobile disclosed another in a series of security incidents plaguing the company since 2018. This time, an API played a central role in the breach.
Unfortunately for the cybersecurity community, the technical details of the attack were never disclosed by the telecommunications service provider or a security researcher. We only know that the problem stemmed from poor API configuration, which can be a symptom of a worse predicament, such as oversight of security best practices.
The threat actor stole the personal data of 37 million T-Mobile prepaid and postpaid customers. The stolen data included the following:
- Names
- Birth dates
- Billing and email addresses
- Phone and account numbers
- Plan features
Hackers use these data types to target unsuspecting users in social engineering campaigns.
The Celcom Data Leak
Celcom, now CelcomDigi, is the oldest telecom company in Malaysia. In 2020, an ethical hacker discovered and reported a vulnerable Celcom API.
The hacker first noticed that the Celcom Life mobile app didn’t work as expected when he wanted to reload his phone credit and buy a data plan. It turned out that the app didn’t validate data on the back end. That implied the server would process the request even if someone manipulated the credit on the front end, changing it from, say, 50 to 100.
This discovery led the hacker to explore the Celcom Life API more deeply and hunt for more vulnerabilities. As a result, he found that, as part of the two-factor authentication process, the API surprisingly returned the AnalyticsUserName and AnalyticsUserPassword along with the OTP (one-time password).
The hacker used this discovery to query information for another mobile phone number (chosen arbitrarily). Unfortunately for the telco, the API returned the queried information so he could see another customer’s details, such as subscription plan and data usage.
This discovery meant that a malicious actor with access to the Celcom network could steal and sell the data—customer billing, plan, roaming, and credit information—of any prepaid or postpaid customer or use it in a phishing campaign, which can put any mobile carrier in a world of trouble.
How to Protect Telecom APIs?
Telcos are treasure troves of user information, which makes data breaches and leaks a continuous danger, as we’ve seen from the three telecom security incidents. To protect yourself, you must:
- Produce a complete inventory of the APIs you rely on
- Identify and fortify the API endpoints operating with sensitive data
- Enforce regular and frequent API vulnerability testing in development as well as production environments
Ethical hacking and penetration testing are necessary on your journey to secure APIs. Most discovered API vulnerabilities in the wild result from the efforts of ethical hackers and pentesters, preventing security catastrophes like the ones in the Optus and T-Mobile cases from happening.
However, manual ethical hacking and pentesting are time-consuming, limited in scope, and challenging to scale. In contrast, if you complement those with a security platform that harnesses the power of artificial intelligence to execute API attacks automatically and provide actionable insights, you’re on a good way to a robust API security posture.
Most companies run penetration tests rarely, typically due to the complexity and resource demands of manual testing.
The advantage of automated penetration testing is that you can run tests at any stage of the SDLC (software development life cycle), such as upon the release or update of a new feature. That ensures managing vulnerabilities early, avoiding or reducing the risks and costs of later-stage remediation.
Equixly, the AI-Powered Hacker
Equixly is an AI-powered ethical hacker that noticeably improves the speed and expands the scope of API penetration testing to secure your APIs.
In more specific terms, Equixly makes it possible to:
-
Conduct continuous security tests: It allows you to automate API security testing in development as well as production and probe your APIs for vulnerabilities regularly and as often as circumstances dictate. It was developed to run unobtrusively in the SDLC. As such, Equixly is a trusted ally to developers and security professionals who believe in the merit of the shift-left approach.
-
Attack your APIs as threat actors do: Equixly enables you to carry out penetration tests, execute various attacking scenarios based on the latest OWASP Top 10 API Security Risks list, and analyze hundreds of API requests and responses to unearth technical vulnerabilities and logic flaws.
-
Map your attack surface: Equixly helps you discover zombie and shadow APIs to create a comprehensive API inventory and learn which endpoints work with sensitive information to classify data precisely.
-
Lighten your compliance workload: Equixly gives you the means to meet compliance requirements by generating detailed reports on the security risks of your APIs and the endpoints that expose sensitive data. These reports can prove your efforts to secure APIs by providing evidence of remediation actions taken between API tests.
Conclusion
In the end, APIs turn out to be a big deal in the telecom industry. They allow the telecommunication world to become more connected and open than ever before. Besides that, they promise to create revenue opportunities and bring future innovation even beyond what we can picture now if the industry plays the cards right.
For that to happen, API security must become an integral part of telcos’ strategies. No innovation and advancement are viable in the long term if you neglect this part of the equation. It’s a variable that affects the final result, and you have to factor it in to get the desired outcome.
Download Equixly’s Telecom brochure:
Carlo De Micheli
Director of Product Marketing
Carlo is a versatile professional with extensive international experience. His enthusiasm for innovation extends across cybersecurity, automotive, and aerospace, where he actively engages in pioneering projects. Holding a technical background in aerospace engineering and supplementing it with independent studies in programming and security, Carlo has organized and presented at international conferences and established tech startups related to the sharing economy and fashion before embracing marketing and sales.
Zoran Gorgiev
Technical Content Specialist
Zoran is a technical content specialist with SEO mastery and practical cybersecurity and web technologies knowledge. He has rich international experience in content and product marketing, helping both small companies and large corporations implement effective content strategies and attain their marketing objectives. He applies his philosophical background to his writing to create intellectually stimulating content. Zoran is an avid learner who believes in continuous learning and never-ending skill polishing.