5G Security: Possible Risks & Challenges

5G is taking the world by storm. This game-changing technology takes mobile connectivity to a whole new level by introducing jaw-dropping speeds and low latency. Furthermore, its network capacity can reach a million devices per square kilometer, which is ten times the maximum number supported by 4G. 

Whereas the dramatic change in the millimeter-wave frequency spectrum used by 5G compared to its predecessor doesn’t really explain anything to the average person, there are tangible benefits that make a difference and can be noticed with the naked eye.

The speeds can reach 2Gbit/s at the dawn of 5G deployment and will theoretically grow to 100Gbit/s as the technology evolves. That’s up to 100 times faster than 4G. Reduced latency is another breakthrough, allowing data to arrive at its destination about five times quicker.

A simple example of how this improves the user experience is that there is absolutely no buffering time when watching a 4K quality video on a mobile device. Uploading and downloading gigabytes of data is a matter of mere seconds in 5G networks, which transforms the way users interact with numerous cloud-based services. Also, wirelessly connected entities constituting the Internet of Things (IoT), including self-driving cars and smart home appliances, will be able to operate reliably and seamlessly. An extra factor on the plus side of 5G is that people can enjoy fully-fledged connectivity in places where cable modem and Wi-Fi are unavailable.

Having started with field testing and somewhat scattershot regional roll-outs in 2019, the deployment of 5G is currently accelerating around the globe.

In the United States, the European Union, and East Asia, the process of launching next-generation commercial networks is in full swing, occasionally taking place ahead of schedule.To keep up with this telco evolution, all major smartphone manufacturers have already released devices that support 5G. Furthermore, market analysts predict that these gadgets will account for 15% of all global smartphone shipments in 2020. Aside from smartphones, a plethora of different IoT solutions will be heavily relying on high-speed connectivity in the near future.

The booming 5G tech is gradually shaping up to be the mainstay of digital economies going forward. When there is so much at stake, governments and service providers need to make sure the network deployment is flawless in terms of security.

Cybercriminals will undoubtedly look for ways to compromise the emerging communication protocols and thereby orchestrate massive data breaches. The concerns escalate in light of the tightening connection between 5G and ubiquitous cloud computing.

The government-level 5G risk assessment process is now underway in the EU. A report released by the member states singles out the security and privacy pitfalls that may accompany fifth-generation network rollouts. Below is a summary of the experts’ findings.

5G Vendor Monopoly Issue
One of the key points expressed in the report is that the EU will have to rely on a single manufacturer of network equipment, the Chinese vendor Huawei. Despite the fact that the name of this technology company isn’t directly mentioned in the document, the implied cooperation is common knowledge.The potential problems stemming from the monopoly position of the supplier include a possible lack of equipment, dependence on the contractor’s commercial welfare, and cyber-attacks targeting its digital infrastructure. The recent outbreak of the coronavirus in China could become an additional factor undermining mainstream 5G deployment.

Researchers emphasize that such a collaboration has a single point of failure. The manufacturer can be subject to economic sanctions or other forms of commercial pressure. A hypothetical merger or acquisition scenario may also prevent the company from following its obligations.

One more thing to consider is that there are close ties between the vendor and the government of the state it’s headquartered in. This can be a source of politically-motivated tampering with the company’s business processes. Moreover, the scarcity of data protection commitments shared by the EU and the country of the supplier’s origin is yet another possible obstacle to a hassle-free partnership.

According to the European Union, an increasingly strong link between the EU member states’ telecommunication networks and third-party software underlying them is a serious threat as well. Since the vendor will have a significant scope of access to all the data in transit, malicious actors will be tempted to hack these solutions and intercept the information.

Other Stumbling Blocks 
In addition to the solo vendor issue that implies a major dependency on third-party telco gear and applications, secure 5G implementation may also be hampered by quite a few more circumstances revolving around the technical nature of these systems. Here is the lowdown on these vulnerabilities.

● A greater number of attack vectors
The growing role of software in fifth-generation networks is deemed as one of their weak links. It makes them highly susceptible to compromise that piggybacks on security loopholes, including zero-day exploits that may be unearthed down the road. Such imperfections can become a launchpad for cyber incursions that will allow an adversary to gain a foothold in different tiers of the 5G network architecture. The potential outcomes can range from man-in-the-middle (MITM) attacks to large-scale disruption of the services based on wireless connectivity.

For instance, malefactors may insert a backdoor into an application involved in the 5G implementation chain. To do it, they can take advantage of a known or undocumented vulnerability arising out of the supplier’s poor software development practices. Aside from that, a phishing hoax might be used to wheedle out the sensitive credentials of the software engineers and thereby get unauthorized access to the application. The backdoor will allow the attackers to modify the program’s behavior, deposit malware, or steal users’ data.

Cybercriminals may also try to execute an ARP spoofing attack against a mobile carrier’s IT network by flooding it with rogue Address Resolution Protocol packets. This way, the MAC address of the attacker’s device will become associated with the IP address of the default gateway in the telco service provider’s network. In plain words, the threat actor will be able to impersonate a trusted user to intercept, change, or stop any traffic intended for that IP address.
Distributed denial-of-service (DDoS) attacks pose a growing risk to 5G networks and the entities relying on them. According to Statista, the total number of IoT devices in use worldwide will reach 75 billion by 2025, up from 30 billion in 2020. This ecosystem will be expanding dramatically and so will botnets that harness crudely secured IoT devices to fuel massive DDoS incursions targeting major web services.

As a matter of fact, incidents like that have already occurred in the past. The notorious Mirai malware outbreak in 2016 demonstrated how disruptive this attack vector can get. The infection enslaved more than 600,000 unprotected CCTV cameras and routers to execute a series of 1 Tbps DDoS raids. With the rapidly increasing number of 5G-enabled smart gadgets, the likes of Mirai will be booming and the issue will undoubtedly escalate.

● Network slicing security needs an overhaul
5G is expected to bolster the functioning of virtualized ecosystems referred to as “slices,” which host critical services and utilities used by businesses and government networks. Providing proper security of these independent logical networks that reside within the same physical infrastructure is an increasingly serious challenge. Experts have yet to develop effective mechanisms for isolating these slices in the all-new 5G paradigm to thwart data leaks and other forms of intrusions.

●  Meager software update procedures
As previously mentioned, next-generation wireless networks will depend on software to a much bigger extent than the predecessors did. Obviously, seamless application maintenance practices are going to be the pivot of their uninterrupted operation. In particular, software update management will need to catch up with security issues in terms of vulnerabilities and technical bugs and address these flaws before threat actors add them to their repertoire.

● Obsolete standards
Aligning the peculiarities of 5G networks with international and state-level security regulations is a work in progress. The protocols developed by the 3rd Generation Partnership Project (3GPP) organization, which are currently in effect, extensively cover requirements for earlier mobile telephony systems (GSM, UMTS, and LTE) but don’t fully embrace all aspects of 5G standardization at this point. Elaborating the entirety of new security regulations is a matter of trial and error combined with in-depth research that has yet to be conducted.

● Lack of trained personnel
As promising as it is, the 5G technology is also a Pandora’s box filled with opportunities for cybercriminals who will definitely explore it for weaknesses. With that said, the security industry should work proactively to stay on top of new methods as they complement the malefactors’ toolkit. An important prerequisite for bridging this imminent gap is to nurture the expertise of security professionals so that they can identify and fix network imperfections by means of penetration testing and other techniques.

The personnel will need to collaborate more tightly with software suppliers to get a profound understanding of how the new applications work and what exploitation mechanisms they are potentially susceptible to. Furthermore, penetration testers who think like attackers can probe the IT infrastructure of 5G providers and contractors for weaknesses by orchestrating trial network incursions. This will allow the industry to prioritize the areas that need urgent improvement in terms of security.

Final thoughts
5G will become one of the core elements of the global digital economy in the years to come. Therefore, securing these high-tech networks is a top priority for governments and all the parties involved in the deployment workflow. Hopefully, the white hats will team up and succeed in staying one step ahead of the adversaries to make sure people benefit from this awesome technology to the fullest.

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. He runs Privacy-PC.com.
 
You Might Also Read: 
 

The US Has A New 5G Security Strategy:

 

 

« Cyber Resilience Benchmarks - Missed
Japan's New AI-Based Cyber Defence System »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Nuix

Nuix

Nuix specialise in extracting knowledge from unstructured data. Applications include Digital Forensics, Cybersecurity Intelligence, Information Governance, eDiscovery.

Arista Networks

Arista Networks

Arista Networks is an industry leader in data-driven, client to cloud networking for large data center, campus and routing environments.

Phoenix Contact Cyber Security

Phoenix Contact Cyber Security

Phoenix Contact Cyber Security is a leading manufacturer of network security appliances for use in industrial environments.

Computer & Communications Industry Association (CCIA)

Computer & Communications Industry Association (CCIA)

CCIA supports efforts to facilitate and streamline information sharing on cyber threats between the private sector and the Federal Government.

ECOS Technology

ECOS Technology

ECOS Technology specializes in the development and sale of IT solutions for high-security remote access as well as the management of certificates and smart cards.

Anglo African

Anglo African

Anglo African is an information technology firm providing end-to-end solutions to different industries, from IT Infrastructure to DataCom as well as Cloud & InfoSec services.

Office of the Government Chief Information Officer (OGCIO) - Hong Kong

Office of the Government Chief Information Officer (OGCIO) - Hong Kong

OGCIO supports the development of community-wide information technology infrastructure and setting of technical and professional standards to strengthen Hong Kong’s position as a world digital city.

Salviol Global Analytics

Salviol Global Analytics

Salviol Global Analytics is a leading provider of Fraud, Risk and Operational Performance Solutions to a number of vertical markets including Insurance, Banking, Utilities, Telco’s and Government.

IBLISS Digital Security

IBLISS Digital Security

How cyber-resilient is your business now? We help companies to continuously answer this never-ending C-level question.

Knowledge Transfer Network (KTN)

Knowledge Transfer Network (KTN)

KTN links new ideas and opportunities with expertise, markets and finance through our network of businesses, universities, funders and investors.

Blackfoot Cybersecurity

Blackfoot Cybersecurity

At Blackfoot, we work in partnership with you to deliver on-demand cyber security expertise and assurance, keeping you one step ahead of threats & compliant with regulations.

Assured Clarity

Assured Clarity

Assured Clarity are a global consultancy, specialising in Risk Management and Data Privacy, through Education, Awareness and Training, throughout an organisation.

Lansweeper

Lansweeper

Lansweeper is an IT Asset Management platform provider helping businesses better understand, manage and protect their IT devices and network.

Turk Telekom

Turk Telekom

Turk Telekom is the first integrated telecommunications operator in Turkey.

Nordic Defender

Nordic Defender

Nordic Defender is the first crowd-powered modern cybersecurity solution provider in the Nordic region.

Compugen Systems Inc (CSI)

Compugen Systems Inc (CSI)

Compugen Systems is an IT service delivery company that focuses on enabling your business outcomes.