5G is taking the world by storm. This game-changing technology takes mobile connectivity to a whole new level by introducing jaw-dropping speeds and low latency. Furthermore, its network capacity can reach a million devices per square kilometer, which is ten times the maximum number supported by 4G.
By David Balaban, Computer Security Researcher, Privacy-PC.com
The shift to the millimeter-wave frequency spectrum used by 5G, dramatic as it is compared to its predecessor, means little to the average person. There are, however, tangible benefits that make a difference and can be noticed with the naked eye. The speeds can reach 2 Gbit/s at the dawn of 5G deployment and will theoretically grow to 100 Gbit/s as the technology evolves. That’s up to 100 times faster than 4G. Reduced latency is another breakthrough, allowing data to arrive at its destination about five times quicker.
A simple example of how this improves the user experience is that there is absolutely no buffering time when watching a 4K quality video on a mobile device. Uploading and downloading gigabytes of data is a matter of mere seconds in 5G networks, which transforms the way users interact with numerous cloud-based services. Also, wirelessly connected entities that constitute the Internet of Things (IoT), including self-driving cars and smart home appliances, will be able to operate reliably and seamlessly. An extra factor on the plus side of 5G is that people can enjoy fully-fledged connectivity in places where cable modem and Wi-Fi are unavailable.
Having started with field testing and somewhat scattershot regional rollouts in 2019, the deployment of 5G is currently accelerating around the globe. In the United States, the European Union, and East Asia, the process of launching next-generation commercial networks is in full swing, occasionally taking place ahead of schedule.
To keep up with this telco evolution, all major smartphone manufacturers have already released devices that support 5G. Furthermore, market analysts predict that these gadgets will account for 15% of all global smartphone shipments in 2020. Aside from smartphones, a plethora of different IoT solutions will be heavily relying on high-speed connectivity in the near future.
All in all, the booming 5G tech is gradually shaping up to be the mainstay of digital economies going forward. When there is so much at stake, governments and service providers need to make sure the network deployment is flawless in terms of security. Cybercriminals will undoubtedly look for ways to compromise the emerging communication protocols and thereby orchestrate massive data breaches. The concerns escalate considering the tightening connection between 5G and ubiquitous cloud computing.
The government-level 5G risk assessment process is now underway in the EU. A report released by the member states singles out the security and privacy pitfalls that may accompany fifth-generation network rollouts. Below is a summary of the experts’ findings.
5G Vendor Monopoly Issue
One of the key points expressed in the report is that the EU will have to rely on a single manufacturer of network equipment, the Chinese vendor Huawei. Even though the name of this technology company isn’t directly mentioned in the document, the implied cooperation is common knowledge.
The potential problems stemming from the monopoly position of the supplier include a possible lack of equipment, dependence on the contractor’s commercial welfare, and cyberattacks targeting its digital infrastructure. The recent outbreak of the Coronavirus in China could become an additional factor undermining mainstream 5G deployment.
Researchers emphasize that such a collaboration has a single point of failure. The manufacturer can be subject to economic sanctions or other forms of commercial pressure. A hypothetical merger or acquisition scenario may also prevent the company from fulfilling its obligations.
One more thing to consider is that there are close ties between the vendor and the government of the state it’s headquartered in. This can be a source of politically motivated tampering with the company’s business processes. Moreover, the scarcity of data protection commitments shared by the EU and the country of the supplier’s origin is yet another possible obstacle to a hassle-free partnership.
According to the EU officials, an increasingly strong link between the member states’ telecommunication networks and third-party software underlying them is a serious threat as well. Since the vendor will have a significant scope of access to all the data in transit, malicious actors will be tempted to hack these solutions and intercept the information.
Extra Stumbling Blocks to Tackle
In addition to the solo vendor issue that implies a major dependency on third-party telco gear and applications, secure 5G implementation may also be hampered by quite a few more circumstances revolving around the technical nature of these systems. Here is the lowdown on these vulnerabilities.
- A greater number of attack vectors
The growing role of software in fifth-generation networks is deemed one of their weak links. It makes them highly susceptible to compromise that piggybacks on security loopholes, including zero-day exploits that may be unearthed down the road. Such imperfections can become a launchpad for cyber incursions that will allow an adversary to gain a foothold in different tiers of the 5G network architecture. The potential outcomes can range from man-in-the-middle (MITM) attacks to large-scale disruption of the services based on wireless connectivity.
For instance, malefactors may insert a backdoor into an application involved in the 5G implementation chain. To do it, they can take advantage of a known or undocumented vulnerability arising out of the supplier’s poor software development practices. Aside from that, a phishing hoax might be used to wheedle out the sensitive credentials of the software engineers and thereby get unauthorized access to the application. The backdoor will allow the attackers to modify the program’s behavior, deposit malware, or steal users’ data.
Cybercriminals may also try to execute an ARP spoofing attack against a mobile carrier’s IT network by flooding it with rogue Address Resolution Protocol packets. This way, the MAC address of the attacker’s device will become associated with the IP address of the default gateway in the telco service provider’s network. In plain words, the threat actor will be able to impersonate a trusted user to intercept, change, or stop any traffic intended for that IP address.
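On the defensive side, the gateway rebinding described above leaves a recognizable trace in ARP traffic. The following Python sketch is an added example, not part of the original article: it flags a pinned gateway IP claimed by an unexpected MAC, a changed binding for an unpinned host, and a burst of replies for one binding. The record layout, thresholds, function name, and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from typing import NamedTuple

class ArpReply(NamedTuple):
    ts: float   # capture time in seconds
    ip: str     # sender IP address claimed in the ARP reply
    mac: str    # sender MAC address claimed in the ARP reply

def detect_arp_spoofing(replies, pinned, flood_count=5, window=10.0):
    """Return ordered, de-duplicated alerts as (kind, ip, mac) tuples."""
    alerts, seen = [], set()
    last_mac = {}                 # ip -> MAC most recently claimed for it
    recent = defaultdict(deque)   # (ip, mac) -> reply times inside the window

    def alert(kind, ip, mac):
        if (kind, ip, mac) not in seen:
            seen.add((kind, ip, mac))
            alerts.append((kind, ip, mac))

    for r in sorted(replies, key=lambda x: x.ts):
        mac = r.mac.lower()
        if r.ip in pinned:
            # A pinned address (e.g. the default gateway) must keep its known MAC.
            if mac != pinned[r.ip].lower():
                alert("pinned_mismatch", r.ip, mac)
        elif r.ip in last_mac and last_mac[r.ip] != mac:
            # Unpinned host: the IP-to-MAC binding changed between replies.
            alert("binding_flip", r.ip, mac)
        last_mac[r.ip] = mac
        # Heuristic: many replies for one binding in a short window is a flood.
        times = recent[(r.ip, mac)]
        times.append(r.ts)
        while times[0] < r.ts - window:
            times.popleft()
        if len(times) >= flood_count:
            alert("reply_flood", r.ip, mac)
    return alerts

# Constructed sample data (documentation IP range, locally administered MACs).
GATEWAY, GW_MAC, ROGUE_MAC = "192.0.2.1", "02:00:00:00:00:01", "02:00:00:00:00:66"
PINNED = {GATEWAY: GW_MAC}
SAMPLE_REPLIES = (
    [ArpReply(0.0, GATEWAY, GW_MAC), ArpReply(1.0, "192.0.2.20", "02:00:00:00:00:20")]
    + [ArpReply(5.0 + 0.5 * i, GATEWAY, ROGUE_MAC) for i in range(6)]
    + [ArpReply(8.0, "192.0.2.20", ROGUE_MAC), ArpReply(9.0, GATEWAY, GW_MAC)]
)

if __name__ == "__main__":
    for a in detect_arp_spoofing(SAMPLE_REPLIES, PINNED):
        print(a)
```

The pinned mapping plays the same role as a static ARP entry or a switch's Dynamic ARP Inspection binding table: the gateway's address is trusted only when it comes from the MAC recorded in advance.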
Distributed denial-of-service (DDoS) attacks pose a growing risk to 5G networks and the entities relying on them. According to Statista, the total number of IoT devices in use worldwide will reach 75 billion by 2025, up from 30 billion in 2020. This ecosystem will be expanding dramatically and so will botnets that harness crudely secured IoT devices to fuel massive DDoS incursions targeting major web services.
As a matter of fact, incidents like that have already occurred in the past. The notorious Mirai malware outbreak in 2016 demonstrated how disruptive this attack vector can get. The infection enslaved more than 600,000 unprotected CCTV cameras and routers to execute a series of 1 Tbps DDoS raids. With the rapidly increasing number of 5G-enabled smart gadgets, the likes of Mirai will be booming and the issue will undoubtedly escalate.
- Network slicing security needs an overhaul
5G is expected to bolster the functioning of virtualized ecosystems referred to as “slices,” which host critical services and utilities used by businesses and government networks. Providing proper security of these independent logical networks that reside within the same physical infrastructure is an increasingly serious challenge. Experts have yet to develop effective mechanisms for isolating these slices in the all-new 5G paradigm to thwart data leaks and other forms of intrusions.
- Meager software update procedures
As previously mentioned, next-generation wireless networks will depend on software to a much bigger extent than their predecessors did. Obviously, seamless application maintenance practices are going to be the pivot of their uninterrupted operation. In particular, software update management will need to catch up with security trends in terms of vulnerabilities and technical bugs and address these flaws before threat actors add them to their repertoire.
- Obsolete standards
Aligning the peculiarities of 5G networks with international and state-level security regulations is a work in progress. The protocols developed by the 3rd Generation Partnership Project (3GPP) organization, which are currently in effect, extensively cover requirements for earlier mobile telephony systems (GSM, UMTS, and LTE) but don’t fully embrace all aspects of 5G standardization at this point. Elaborating the entirety of new security regulations is a matter of trial and error combined with in-depth research that has yet to be conducted.
- Lack of trained personnel
As promising as it is, the 5G technology is also a Pandora’s box filled with opportunities for cybercriminals who will explore it for weaknesses. With that said, the security industry should work proactively to stay on top of new methods as they complement the malefactors’ toolkit. An important prerequisite for bridging this imminent gap is to nurture the expertise of security professionals so that they can identify and fix network imperfections by means of penetration testing and other techniques.
The personnel will need to collaborate more tightly with software suppliers to get a profound understanding of how the new applications work and what exploitation mechanisms they are potentially susceptible to. Furthermore, penetration testers who think like attackers can probe the IT infrastructure of 5G providers and contractors for weaknesses by orchestrating trial network incursions. This will allow the industry to prioritize the areas that need urgent improvement in terms of security.
5G will become one of the core elements of the global digital economy in the years to come. Therefore, securing these high-tech networks is a top priority for governments and all the parties involved in the deployment workflow. Hopefully, the white hats will team up and succeed in staying one step ahead of the adversaries to make sure people benefit from this awesome technology to the fullest.
About the Author
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs, and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.