What's Riding on 5G Security? The Internet of Everything5G Brings Great Speed But Also Great Complexity
The U.S. government's idea to take the reins of the development of 5G mobile networks has been met with cynicism and criticism. But there are good reasons the government is worried: Standards haven't been set in stone yet, and 5G will present a bevy of new security challenges.
See Also: HIPAA Audits: A Revised Game Plan
High-bandwidth and low-latency 5G networks will connect everything from health systems to self-driving vehicles and critical infrastructure. The structure of 5G networks will be much more complex than 2G, 3G or 4G, with the increased use of virtualization and software-defined networking. There are also concerns over how to preserve user privacy.
Some security experts contend the time is right for the U.S government to step in. A variety of organizations worldwide are weighing in on 5G, including standards bodies such as ETSI and the 3GPP. With three out of the four major U.S. carriers planning modest 5G deployments by the end of the year, now is the time to act on security.
"Bolting cybersecurity onto 5G infrastructure is a sure-fire way to create a very easily hacked network protocol that will be with us for the next 20 years," says Chris Pierson, founder and CEO of Binary Sun Cyber Risk Advisors.
While it would be unlikely that the U.S. government could build a more secure network than private companies on its own, the government now has the opportunity to have a say in standards, says Jake Williams, founder of Rendition Infosec, a security consultancy, and a former operator with the National Security Agency's Tailored Access Operations unit.
"The unique thing 5G does provide is a reset button where the government can inject itself into security standards," Williams says.
5G: A Sea Change
When GSM was under development, function rather than security was the priority. A major concern that emerged was mobile subscribers getting charged for someone else's calls, which led to more secure SIM cards. And each subsequent mobile network generation has had security improvements as threats changed. But 5G will be a sea change.
"It is easy to think of 5G networks as mainly a quantitative evolution similar to previous transitions, such as higher bitrate, lower latency and more devices," the networking company Ericsson writes in a June 2017 white paper. "But this is not the case: 5G security will just as much be a qualitative leap forward to meet the demands of a networked society."
Virtualization and software-defined networking will be a key part of 5G, as networks will rely less on physical separation of systems, according to a white paper by the Institute for Communications Systems at the University of Surrey.
SDN reduces costs, but also raises the security stakes. A compromised SDN controller, for example, "can give 'root-like' access to configuration of virtualized devices under its control, leading to data loss or loss of network security," it says.
5G will also bring a more complex network topology, which could offer opportunities for hackers. For example, data migrating from a virtual machine to a newly spun up one could make sensitive data vulnerable, according to the paper.
But there is good news for protecting data. More application providers are building systems that encrypt data from one end to the other. The keys for data are held by device owners, and only encrypted data transverses networks. That means if there is a vulnerability in a network or an operator's systems, the data should be safe.
Williams says using messaging and voice applications such as Signal, which are based on open-source encryption standards, is better than relying on the security provided by an operator. "Any application is better than regular SMS, since you're now forcing the attacker to break two layers of encryption," he says.
5G is expected to propel the development and expansion of the internet of things - the catch-all term for anything that's not a mobile or desktop device with network connectivity. Gartner predicted last year that IoT devices will number 20 billion by 2020.
"The presence of many millions of long-lived devices may cause congestion in both licensed and unlicensed spectrum - the radio equivalent of space junk or seas of plastic bags."
—University of Surrey
The entry of all of these devices means a lot more radio traffic and potential interference. Because IoT devices have long service lives and not a great track record for being updated, the University of Surry's paper suggests there may be a need for way to switch off redundant IoT devices consuming prime 5G frequencies.
"The presence of many millions of long-lived devices may cause congestion in both licensed and unlicensed spectrum - the radio equivalent of space junk or seas of plastic bags," the University of Surrey's paper says.
There's also the concern that mass numbers of devices could be taken over by hackers and used for distributed denial-of-service attacks. The best example is Mirai, the botnet code that slipped into millions of poorly secured IP cameras, routers and digital video recorders (see Mirai Botnet Pummels Internet DNS in Unprecedented Attack).
Mirai's attacks against a DNS service provider annoyed people because services such as Spotify and PayPal wouldn't resolve. But as more critical infrastructure and medical IoT devices depend on clear networks, attacks could have life-threatening consequences.
"In these scenarios, the 5G network may need to support high reliability while providing [qualify of service] guarantee with a delay not more than 1 millisecond, so as to prevent accidents such as vehicle collision and surgical operation errors," Huawei writes in a 5G security white paper from 2015.
No Eavesdropping, Please
Alleged eavesdropping by China on phone calls is one of the major concerns that drove the U.S. into thinking it should roll out its own 5G network. The government is also concerned that using network equipment from Huawei or ZTE may potentially create opportunities for spying (see Memo to the White House: Forget the 5G Moonshot).
Williams says he's hesitant to declare that 5G calls couldn't be hacked. But it is an improvement over 3G or 4G. "There is no doubt that 5G is more difficult to spy on than 3G/4G," he says.
Some believe the most clear-cut solution is to not use Chinese-made equipment at all. One U.S. lawmaker has already proposed legislation that would stop government agencies from using equipment from Huawei, which for years has been dogged by largely unfounded speculation it is connected to Chinese intelligence.
And on Tuesday, Bloomberg reported that in response to U.S. government pressure, Verizon will not carry Huawei's Mate 10 smartphone, following a move earlier this month by AT&T.
Pierson says that regardless of what type of security is built into the 5G protocols, the supply chain behind telecommunication components is a concern.
"Much of the backbone for the circuits, antennas, microprocessors, and other conductive equipment may be supplied by foreign entities and any potential exploit in protocols or weaknesses could be exploited," he says. "Protecting the supply chain and conducting third party assurance of these products will be a daunting task."