The next generation of mobile cellular technology known as fifth-generation wireless (5G) is hitting a peak in the hype cycle, emerging as a major theme at the Consumer Electronics Show (CES) this week. Wireless carriers are investing billions of dollars into the technology, which requires a completely new approach to network infrastructure and management, not to mention new types of spectrum. But the payoff, once the switch is flipped later this year and in 2020, is the ability to support new business models and revenue streams, including legions of low-latency, low-power industrial Internet of Things (IoT) devices, self-driving cars, smart city deployments, tele-surgery, and home broadband and video services that can compete with cable and satellite.
The downside? As ever, there are concerns that security could be an afterthought, lost in the fervor surrounding this newest, shiniest tech bauble.
“Carriers have prioritized first-to-market strategies and efficiency rather than securing their products and services,” Steve McGregory, senior director of application and threat intelligence at Ixia, told Threatpost. “History has shown us that when we expand our computing power and connectivity, we open up a new landscape for attackers to use against us, with prime examples of this being the cloud and connected IoT devices.”
He added, “Who knew that simple consumer-based video cameras would be the basis of the largest DDoS in history? And who knew that the cloud had the ability to enable hackers to gather systems to continuously try to brute-force networks?”
Deployments Begin This Year
The immense buzz around 5G makes sense given what it promises: It aims to deliver 10 to 100 times faster throughput than existing 4G networks, allowing tens of thousands of simultaneous users to receive at least 1Gbps, which is as fast as the top tier of a cable connection at home. But 5G isn’t just a bigger, better version of LTE—its view is broader than that.
“In general, there are three 5G families of use cases,” explained Chris Pearson, president at 5G Americas. “There’s an enhanced mobile broadband (EMBB) requirement for delivering faster speeds for the same kinds of consumer and business apps that we have today; a massive IoT play, where the network has to be designed to deal with billions and billions of connections and have the flexibility to handle different types of connections; and then there’s the low-latency machine-to-machine (M2M) and critical communications piece.”
The Big Four – AT&T, T-Mobile USA, Sprint and Verizon – all plan to launch limited 5G deployments this year, though some, like AT&T, are already using “5G” as a marketing term, albeit a bit misleadingly given that the network they claim to be 5G is not based on approved 5G standards (and doesn’t deliver on the promised benchmarks). True standards-based 5G networks are very slowly rolling out this year, with the first widespread commercial launches expected in 2020 and beyond.
That means that carriers and the businesses that plan to capitalize on the improved network connectivity still have time to address security concerns before the proverbial genie is fully out of the bottle.
“Despite 5G’s early growth, we are still in the early stages of the technology and have not yet seen it implemented on widespread levels,” McGregory said. Because of this, there’s still time to do the right thing from a security standpoint and prepare for the risks that come with 5G’s benefits.”
Security Concerns, New and Old
On the most basic level, 5G faces the same security pitfalls that its predecessors faced, including issues around authentication, confidentiality, authorization, availability and data security.
In 2018, researchers at Purdue University uncovered gaping holes in 4G LTE security. The research paper, LTEInspector: A systematic Approach for Adversarial Testing, outlined crucial procedures in the 4G LTE protocol (attach, detach and paging) and how to compromise them.
“5G promises stronger security policies than the previous generations for a number of aspects of cellular networks,” the LTEInspector team told Threatpost. “However, since many of the 5G protocol specifications have been carried from 4G and 3G networks, the unexplored vulnerabilities of previous generations will remain in 5G. Nevertheless, due to the lack of formal verification of 5G specification, new deeply rooted vulnerabilities are likely to be lurking underneath the new security policies in 5G.”
The team also pointed out that 5G could inherit some of the problems thanks to a vulnerability to a network downgrade attack.
“Sensitive information could be exposed, e.g., International Mobile Subscriber Identity (IMSI) could be gathered, through side-channel attacks,” they said. “This will continue to enable malicious actors to intercept phone calls and track the locations of the users. Also, the lack of authentication of the base station at the initial connection setup phase will allow the adversary to downgrade the victim’s network from 5G to 4G/3G thus enabling them the capability to perform known attacks.”
Another security aspect to consider involves 5G’s role as a driver of innovation in the IoT space. It’s expected to support billions of newly connected sensors and new classes of devices, which will greatly expand the IoT threat surface.
That threat surface is already prodigious, with security by design proving rare and segment after segment (from medical devices to connected toys to smart-home appliances) shown to be rife with vulnerabilities. Cybercriminals have shown their potential to take over industrial equipment and hijack video cameras. Botnets like Mirai and Reaper, which contain millions of compromised IoT devices, were used to bring down Reddit, Twitter, The New York Times and Spotify in a massive DDoS incident back in 2016. For years the search engine Shodan has highlighted the looming problem of insecure connected devices, with vulnerable cameras, industrial controls and other IoT consumer tech all easily uncovered via its interface.
All of this is set to be exacerbated as 5G allows the deployment of literally billions more connected devices.
“5G gives us the potential for an era of hyperconnectivity, with almost everything connected,” Ken Munro, researcher with Pen Test Partners, told Threatpost. “For instance we’ve already found vulnerabilities in every tracking device we’ve looked at – watches, cars – there is a massive problem with privacy and that’s just going to grow exponentially.”
Aside from known concerns, 5G also presents brand-new security dimensions, thanks to its pioneering technology.
One of the defining features of 5G networks is that they rely heavily on virtualization and software-defined resources.
This will give operators the ability to serve up custom “network slices” to individual enterprise customers, with each slice being uniquely tailored to suit the requirements of specific verticals and/or enterprise applications. One slice may offer ultra-low latency and high throughput, for example, to support self-driving cars; a different factory automation and sensor application may require low power consumption and high reliability, but not so much throughput. This network approach allows a much more efficient use of network resources. However, it also requires a security framework that ensures the total isolation of each network slice from each other.
“Organizations across multiple industries will leverage 5G network slices to roll out transformative business applications and will require multilayered security functions when configuring these slices,” explained Peter Margaris, researcher at Palo Alto Networks, in a Tuesday posting. He added, “Becoming a premium provider of 5G network slices requires a new security approach for the operator that allows them to build brand equity over time while protecting their own network. Organizations will need to trust that their sensitive data and applications are protected in the 5G operator’s network. Likewise, the operator needs to be able to trust that the rest of its network resources – and its obligations to other customers – are fully protected against misuse by any one enterprise user.”
Also, because network slices can be instantiated on-demand, it drives a new security requirement: The security capabilities will also need to be “highly automated, software-driven, and allowing of security instances to be spun up anywhere in the network with consistent capabilities being deployed where needed,” Margaris noted.
Overall, the realm of 5G networking opens up a new landscape of potential abuse that most have not yet considered, McGregory said: “Recent Keysight data shows that we are racing into 5G just as we did with IoT and the cloud — with more than half (54 percent) of companies surveyed already adopting 5G technologies. If that trend is to continue, then we must plan and prepare for the unthinkable.”
The unthinkable would be wide-scale service disruption to corporate connectivity, malicious use of IoT devices and millions or likely billions of dollars in losses, he added.
In terms of tackling the issues, federal and state-level regulation could help to ensure 5G’s focus on security.
For instance, in July of 2018, Senator Mark Warner released a position paper on how the U.S. should proceed with a federal data privacy and security law. The document contained statements that the “U.S. could adopt rules mirroring [the EU General Data Protection Regulation (GDPR)], with key features like data portability, the right to be forgotten, 72-hour data breach notification, first-party consent, and other major data protections.”
There are also already some regulatory tools in place. The Federal Trade Commission (FTC) for instance has released a set of guidelines for businesses to follow to better protect consumer privacy and security. The FTC’s guidelines have recommendations including the use of multiple layers of security, as well as security by design.
California meanwhile has been taking aggressive legislative action in 2018 to address residents’ concerns over data privacy and security. The state legislature turned its attention to connected devices and IoT with the Information Privacy: Connected Devices legislation (SB-327 and AB-1906), which was signed into law on September 28 and is the first law in the nation to address IoT security.
The California Consumer Privacy Act (CCPA) meanwhile was passed in June and gives residents certain rights on how their personal data can be stored, accessed, sold and deleted. It also provides residents an “opt-out” on having their data collected without penalties from businesses.
There’s also the proposed Internet of Things Cybersecurity Improvement Act of 2017, a yet-to-be-passed bill that would direct government agencies to include clauses in their contracts that demand security features for any IoT devices that will be acquired by the U.S. government.
In all however, there’s plenty of room on the regulation front to come up with a more cohesive policy for securing 5G.
The Differentiation Opportunity
Regulation aside, mobile network operators do have a commercial incentive for focusing on the security dimension. For instance, automation and industrial digitization will generate an estimated $619 billion in new revenue opportunities (a 36 percent growth in addressable revenue) for operators by 2026, according to 5G network supplier Ericsson. In the rush to capture those opportunities, enabling network security capabilities for industries will be a fundamental differentiator for these services, according to Margaris.
“Organizations will focus heavily on the network security that is offered and tied to their 5G applications as a critical factor in their selection of service and/or slice provider,” he predicted. “Operators will have the opportunity to become ‘secure business enablers’ in this 5G world by delivering real value beyond connectivity.”
That value comes from the ability to offer self-service and on-demand service creation; rather than creating a fixed menu of network slices, operators can put the control into the hands of organizations to design their own service, including security features.
“Differentiated 5G networks will hold the key to success in capturing this market opportunity,” Margaris said. “Security is the key differentiator. Subsequent evolutions in network slicing will require additional security features and greater flexibility in the way different security features can be attached to a given slice.”
Bottom line, 5G is looming on the horizon and promises to represent a step-change for the wireless industry. Where security falls amidst the hype remains to be seen.
Mike Meikle contributed to this report.