The long-anticipated 5G network standard promises to radically transform the way humans and machines communicate. It heralds a new era of greater bandwidth and faster speeds which will unleash the Internet of Things (IoT) in everything from industrial facilities to autonomous vehicles. But with this new generation of network technology set to dominate for decades, how secure is it?
Improvements have certainly been made over 4G in this regard, in areas such as encryption, privacy and authentication. But there are also some reasons to be concerned.
SIM-jacking: why is it a threat in the 5G world?
You’ve probably heard of SIM-jacking in connection to attacks targeting individual mobile phone users. But in 5G there’s a slightly different threat – to the hundreds of millions of IoT machines which will each feature an eSIM. These on-board chips can theoretically be compromised using any one of over 100 telecom-side attacks and their DNS, BGP, and carrier settings altered. They could then be remotely controlled by attackers and used to launch DDoS attacks, facilitate IP theft and large-scale fraud (such as dialling premium-rate numbers), and to sabotage smart factories, among other uses.
A major vulnerability at the heart of 5G networks is in the way telecommunications systems handle identity at the hardware level, in the SIM. By making the identity of devices in both the telecoms and IT domains visible to Identity and Access Management (IAM) systems, even when roaming, existing security tools will be able to inspect the traffic of 5G-enabled IoT devices and detect malicious behaviour like SIM-jacking. The resulting Federated IAM models (FIdAM) are a way of linking traditional IT with telecoms security architectures so that zero-trust approaches can be applied.
5G will herald a new era of IoT everywhere. Should organisations be concerned?
The greater bandwidth and faster broadband speeds made possible by 5G will drive a huge increase in adoption of IoT devices. Some predict the number of global connected things will more than double over the coming five years to top 75 billion by 2024. But these are notoriously prone to security issues, whether it’s in their use of factory default passwords, lack of firmware updates or other design flaws. Security leaders will find new challenges gaining visibility into all of these additional endpoints and finding an effective way to update them regularly. Threat models will need to be updated accordingly.
Should organisations be wary of consolidating onto fewer 5G suppliers?
The news cycle around 5G security has been overwhelmingly flooded with arguments over whether certain suppliers should be allowed to build these critical infrastructure networks. But there’s a bigger picture here. Even if suppliers were restricted to those from “friendly” nations, the security vulnerabilities in software and protocols would remain. The problems are exacerbated by the fact that so few 5G network suppliers exist. In fact, the NCSC recently described the market as “broken” for this very reason.
This means that, where possible, organisations should be looking to spread any risk across multiple vendors, to follow government guidelines over which of these vendors is “high-risk,” and to put in place satisfactory mitigation controls to manage those risks.
What does software-defined everything mean for 5G security?
Several security issues start to emerge from the fact that 5G networks are software-defined. First, there are no centralised traffic bottlenecks where security controls can be placed. The distributed architecture of 5G makes inspection more challenging. Second, software created by humans will always contain some vulnerabilities, and both the software operating 5G networks and the programs managing these networks could provide remote attackers with multiple opportunities to take control. What’s more, the blacklist-enforcing hardware-based security platforms that have worked just fine up to now will no longer be fit-for-purpose when applied to volatile, software-defined network activity.
Is 5G risk mitigation a question of finding the right security tools?
Organisations will certainly need to find 5G-ready security solutions designed to protect this new network architecture. Machine learning capabilities, for example, can be deployed to establish normal “baseline” activity in order to better spot suspicious behaviour across software-defined networks. However, it’s also a challenge for cybersecurity professionals themselves, as many will have no experience of protecting such networks.
As mentioned, software-defined network traffic will most likely be invisible to pre-SDN era security appliances and applications. Security staff will therefore need to learn and add software coding skills to their repertoire to interpret data generated by these new networks. Many organisations may even lack the skilled professionals at the top to teach other staff members.
Most importantly, organisations must not fall into the old trap of treating security as an afterthought when it comes to 5G. These networks will be around for decades, powering the services and smart facilities that keep society and the global economy running. But the only way to take full advantage of these tremendous opportunities will be in effectively managing the new risks 5G brings. Those risks are already apparent today, so there’s no time to waste.
Ian Heritage, Cyber Security Architect, Trend Micro