The proliferation of software within 5G networks is one of the top security challenges facing the next generation of mobile networks, according to a report out this week from the European Union.
5G networks are fundamentally different than prior wireless networks in that they are largely software-defined and virtualized; network functions, historically defined in hardware, become virtual software capabilities in 5G, all orchestrated via a flexible software control plane. Even the air interfaces in the radio access network (RAN) are software-defined in 5G.
Also, 5G networks will make use of edge computing, where applications, general-purpose compute, storage, and associated switching and control functions that are required to run them are housed relatively close to end users and internet of things (IoT) endpoints or both. That’s a shift from centralized architectures common to 4G and before, and creates a much larger computing footprint.
All of this vastly expands the attack surface and the possibility for the emergence of rafts of exploitable vulnerabilities throughout the architecture — in places that were never exposed before, the EU warned.
“With 5G networks increasingly based on software, risks related to major security flaws, such as those deriving from poor software development processes within suppliers are gaining in importance,” the 33-page report, released Wednesday, noted. “They could also make it easier for threat actors to maliciously insert backdoors into products and make them harder to detect. Due to new characteristics of the 5G network architecture and new functionalities, certain pieces of network equipment or functions are becoming more sensitive, such as base stations or key technical management functions of the networks.”
Nate Snyder, senior counterterrorism official with the US Department of Homeland Security and the Countering Violent Extremism Task Force under US President Obama, weighed in on some of the practical issues this presents.
“Because the 5G network is software-based and so vast, attempting to mitigate these vulnerabilities would be like plugging holes in an infinite wheel of Swiss cheese,” he said in an emailed statement. “The best way to manage risk here is simply not to take it…do not opt into a mortally-vulnerable network. Instead, the EU and the U.S. need to focus on setting their own interoperable standards, diversifying supply chains, and working with groups such as the O-RAN Alliance to unlock the competitive potential of other global providers to diversify the threat, secure supply chains, and build a stronger foundation and protocols for the world to jump on the 5G highway.”
Supply Chain Concerns
As Snyder pointed out, related to software proliferation is another main concern for the EU: The supply chain. The report points out that embedding threats into the components provided by telecom suppliers would be an efficient way to infiltrate 5G networks. It also warns against using government-owned suppliers.
“Threats posed by states or state-backed actors are perceived to be of highest relevance,” according to the report. “They represent indeed the most serious as well as the most likely threat actors, as they can have the motivation, intent and most importantly the capability to conduct persistent and sophisticated attacks on the security of 5G networks.”
The EU also noted: “Certain non-EU countries represent a particular cyberthreat to their national interests, based on previous modus operandi of attacks by certain entities or on the existence of an offensive cyber program of a given third state against them.”
Many took this to be a reference to Huawei, the banned-in-the-U.S. Chinese giant who is one of the top three global 5G equipment suppliers (along with Ericsson and Nokia).
“The new EU-wide 5G risk assessment further validates warnings from the cybersecurity community, which has been waving a red flag regarding Huawei’s involvement with next-generation wireless networks for many months,” said former U.S. Secretary of Homeland Security Tom Ridge, in a media statement. “The group of ‘certain non-EU countries’ referenced by the report that represent a ‘particular cyber threat’ to ‘national interests’ identified by ‘several member states’ clearly includes China….A company that’s been accused of both ‘intentional or unintentional backdoors’ noted in the assessment can’t be trusted to construct critical infrastructure like 5G. If countries needed more reason to implement stricter security measures to protect 5G networks, this comprehensive risk assessment is it.”
The report also warned against carrier reliance on a single supplier, which could increase the impact of any cybersecurity issues or vulnerability exploitation.
“A major dependency on a single supplier increases the exposure to a potential supply interruption, resulting for instance from a commercial failure, and its consequences,” the report reads. “It also aggravates the potential impact of weaknesses or vulnerabilities, and of their possible exploitation by threat actors, in particular where the dependency concerns a supplier presenting a high degree of risk.”
High Stakes
The EU’s report also noted that 5G security should be of utmost importance given the expected sociological and digital shift expected to come in its wake. Billions of IoT devices are expected to be connected to 5G; and because of its promised technological improvements, new use cases are expected to roll out, such as self-driving cars, smart-city and smart-utility applications, and remote robotic surgery. As such, a cybersecurity incident can literally be a matter of life or death.
Also, with 5G networks expected to become the backbone of many critical IT applications, the integrity and availability of those networks will become a major national security concern, the EU warned.
“5G networks is the future backbone of our increasingly digitized economies and societies,” according to the report. “Billions of connected objects and systems are concerned, including in critical sectors such as energy, transport, banking and health, as well as industrial control systems carrying sensitive information and supporting safety systems. Ensuring the security and resilience of 5G networks is therefore essential.”
What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.
