5G Brings Great Speed But Also Great Complexity
The broad security issues facing deployment of 5G networks. (Source: Ericsson)
The U.S. government's idea to take the reins of the development of 5G mobile networks has been met with cynicism and criticism. But there are good reasons the government is worried: Standards haven't been set in stone yet, and 5G will present a bevy of new security challenges.
See Also: Addressing the Identity Risk Factor in the Age of 'Need It Now'
High-bandwidth and low-latency 5G networks will connect everything from health systems, self-driving vehicles and critical infrastructure. The structure of 5G networks will be much more complex than 2G, 3G or 4G, with the increased use of virtualization and software-defined networking. There are also concerns over how to preserve user privacy.
Experts say it is the right time for the U.S government to step in. There are a variety of organizations worldwide that are weighing in on 5G, including standards bodies such as ETSIand the 3GPP. With three out of the four major U.S. carriers planning modest 5G deployments by the end of the year, now is the time to act.
"Bolting cybersecurity onto 5G infrastructure is a sure-fire way to create a very easily hacked network protocol that will be with us for the next 20 years," says Chris Pierson, founder and CEO of Binary Sun Cyber Risk Advisors.
While it would be unlikely that the U.S. government could build a more secure network than private companies on its own, it has opportunity now to have a say in standards, says Jake Williams, founder of Rendition Infosec, a security consultancy based in Augusta, a former operator with the NSA's Tailored Access Operations unit.
"The unique thing 5G does provide is a reset button where the government can inject itself into security standards," Williams says.
5G: A Sea Change
When GSM was under development, function rather than security was priority. A major concern that emerged was mobile subscribers getting charged for someone else's calls, which led to more secure SIM cards. And each subsequent mobile network generation has security improvements as threats changed. But 5G will be a sea change.
"It is easy to think of 5G networks as mainly a quantitative evolution similar to previous transitions, such as higher bitrate, lower latency and more devices," the networking company Ericsson writes in a June 2017 white paper. "But this is not the case: 5G security will just as much be a qualitative leap forward to meet the demands of a networked society."
Virtualization and software-defined networking will be a key part of 5G, as networks will rely less on physical separation of systems in the past, according to a white paper by the Institute for Communications Systems at the University of Surrey.
SDN reduces costs, but also raises the security stakes. A compromised SDN controller, for example, "can give 'root-like' access to configuration of virtualized devices under its control, leading to data loss or loss of network security," it says.
5G will also bring a more complex network topology, which could offer opportunities for hackers. For example, data migrating from a virtual machine to a newly spun up one could make sensitive data vulnerable, according to the paper.
But there is good news for protecting data. More application providers are building systems that encrypt data from one end to the other. The keys for data are held by device owners and only encrypted data transverses networks. That means if there is a vulnerability in a network or an operator's systems, the data should be safe.
Williams says messaging and voice applications such as Signal, which are based on open-source encryption standards, is better than relying on the security provided by an operator. "Any application is better than regular SMS since you're now forcing the attacker to break two layers of encryption," he says.
5G is expected to propel the development and expansion of the "internet-of-things" - the catch-all term for anything that's not a mobile or desktop device with network connectivity. The analyst Gartner predicted last year that IoT devices will number 20 billion by 2020.
"The presence of many millions of long-lived devices may cause congestion in both licensed and unlicensed spectrum - the radio equivalent of space junk or seas of plastic bags."
—University of Surrey
The entry of all of these devices means a lot more radio traffic and potential interference. Since IoT devices have long service lives and not a great track record for being updated, the University of Surry's paper suggests there may be a need for way to switch off redundant IoT devices consuming prime 5G frequencies.
"The presence of many millions of long-lived devices may cause congestion in both licensed and unlicensed spectrum - the radio equivalent of space junk or seas of plastic bags," the University of Surrey's paper says.
There's also the concern that mass number of devices could be taken over by hackers and used for distributed denial-of-service attacks. The best example is Mirai, the botnet code that slipped into millions of poorly secured IP cameras, routers and digital video recorders (see Mirai Botnet Pummels Internet DNS in Unprecedented Attack).
The service outages caused by DDoS attacks will have a radically different impact in the future. Mirai's attacks against a DNS service provider annoyed people because services such as Spotify and PayPal wouldn't resolve. But as more critical infrastructure and medical IoT devices depend on clear networks, attacks could have life-threatening consequences.
"In these scenarios, the 5G network may need to support high reliability while providing [qualify of service] guarantee with a delay not more than 1 millisecond, so as to prevent accidents such as vehicle collision and surgical operation errors," Huawei writes 5G security white paper from 2015.
No Eavesdropping, Please
Alleged eavesdropping by China on phone calls is one of the major concerns that drove U.S. thinking it should roll its own 5G network. The government is also concerned that using network equipment from Huawei or ZTE may potentially create opportunities for spying (see Memo to the White House: Forget the 5G Moonshot).
Williams says he's hesitant to declare that 5G calls couldn't be hacked. But it is an improvement over 3G or 4G. "There is no doubt that 5G is more difficult to spy on than 3G/4G," he says.
Some believe the most clear-cut solution is not use Chinese-made equipment at all. One U.S. lawmaker has already proposed legislation that would stop government agencies from using equipment from Huawei, which for years has been dogged by largely unfounded speculation it is connected to Chinese intelligence.
And on Tuesday, Bloomberg reported that in response to U.S. government pressure, Verizon will not carry Huawei's Mate 10 smartphone, following a move earlier this month by AT&T.
Pierson says that regardless of what type of security is built into the 5G protocols, the supply chain behind telecommunication components is a concern.
"Much of the backbone for the circuits, antennas, microprocessors, and other conductive equipment may be supplied by foreign entities and any potential exploit in protocols or weaknesses could be exploited," he says. "Protecting the supply chain and conducting third party assurance of these products will be a daunting task."