5G is inherently prone to security vulnerabilities. Previous-generation networks relied on centralized hardware-based functions that provided security choke points that were relatively easy to monitor. Endpoints in distributed software-defined (SD) networks like 5G are more difficult to keep an eye on.
While 5G addresses security issues in previous-generation wireless networks, for example with enhanced encryption, anti-tracking, anti-spoofing and network slicing features, security holes that cybercriminals could potentially exploit have been identified. Some of the security vulnerabilities detected early on were linked to loopholes in previous-generation networks. These included ones that allowed attackers to expose a user's location, downgrade their service to a less secure legacy network that was more easily attacked, run up costly wireless bills and track users’ activities.
As of the beginning of 2021, 5G is available in more than 30% of countries (60+) worldwide. An AT&T survey — the 2021 AT&T Cybersecurity Insights Report — of 1,000 security practitioners globally found that only 9% of respondents were confident that their security posture was ready for 5G.
Are they correct in worrying?
5G is not backwards compatible with previous-generation networks; transitioning to 5G requires the replacement or addition of physical devices and software. There are two main security concerns associated with the transitioning process: the carryover of existing 3G/4G security problems; and the risks associated with equipment from untrusted suppliers.
Carryover of 3G/4G security loopholes
The vulnerabilities that exist in 4G networks will carry over to 5G networks for as long as the transition period from 4G to 5G lasts. Previous-generation networks are particularly vulnerable to SMS and call interceptions, illegal geotracking and denial of service (DoS) attacks.
Non-standalone (NSA) deployment is currently the 5G model most operators use. It is inherently reliant on a 4G network core, only connecting to 5G when more bandwidth and lower latency are needed. For some connection types, NSA deployments still use 4G and sometimes 3G.
Researchers have found flaws in 5G NSA deployments that allow downgrade attacks (aka cross-protocol attacks), where a phone's connection is deliberately manipulated to downgrade to legacy networks, giving cyber attackers access to security loopholes in 3G and 4G services. For example, while 5G is designed to protect phone identifiers, like a device's International Mobile Subscriber Identity (IMSI), downgrade attacks enable hackers to force a phone to send them its IMSI number unencrypted, allowing hackers to monitor users’ activities (but not actually read the content of their messages).
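A device-side detection heuristic for the downgrade pattern described above, as an added example that is not part of the original article. The log format, event names and the five-second window are constructed assumptions; the rule flags an IMSI identity request that arrives shortly after a fallback from 5G to an older network and before security has been set up on it.

```python
import re

# Constructed log format (hypothetical, not a real modem trace format):
#   <seconds> <RAT> <event> [type=<identity type>]
LOG = """\
10.0 NR REGISTERED
42.5 LTE ATTACH_START
42.9 LTE IDENTITY_REQUEST type=IMSI
43.4 LTE SECURITY_MODE_COMPLETE
90.0 NR REGISTERED
120.0 LTE ATTACH_START
120.6 LTE SECURITY_MODE_COMPLETE
121.0 LTE IDENTITY_REQUEST type=IMSI
"""

RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4, "NR": 5}
LINE = re.compile(r"^(\d+(?:\.\d+)?) (\w+) (\w+)(?: type=(\w+))?$")

def find_suspect_identity_requests(log, window=5.0):
    """Flag IMSI requests that follow a RAT downgrade and precede security setup."""
    alerts = []
    prev_rat = None
    downgrade_at = None   # time of the most recent fallback to an older RAT
    secured = False       # has security mode completed on the current RAT?
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(2) not in RAT_RANK:
            continue      # skip lines that do not parse
        t, rat, event, id_type = float(m.group(1)), m.group(2), m.group(3), m.group(4)
        if rat != prev_rat:
            fell_back = prev_rat is not None and RAT_RANK[rat] < RAT_RANK[prev_rat]
            downgrade_at = t if fell_back else None
            secured, prev_rat = False, rat
        if event == "SECURITY_MODE_COMPLETE":
            secured = True
        elif event == "IDENTITY_REQUEST" and id_type == "IMSI":
            recent = downgrade_at is not None and t - downgrade_at <= window
            if recent and not secured:
                alerts.append((t, rat))
    return alerts

if __name__ == "__main__":
    for t, rat in find_suspect_identity_requests(LOG):
        print(f"t={t}: cleartext IMSI request on {rat} right after downgrade")
```

The second IMSI request in the sample is not flagged because security mode had already completed on that connection.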
Risks and costs when provisioning 5G equipment
Since 2019, several countries — including Germany, India, Britain, Australia, the U.S. and various countries in Eastern Europe and Scandinavia — have restricted the import or usage of 5G technology from untrusted suppliers.
The security issue is twofold: concerns that loopholes have been deliberately built into imported equipment by manufacturers and that foreign-manufactured equipment may not comply with national security standards.
For small businesses, the cost of replacing equipment is prohibitive, and many consequently ignore 5G security recommendations to save costs. To address this challenge, in July 2021, the Federal Communications Commission (FCC) agreed to subsidize small telecommunications companies to replace equipment from untrusted suppliers like Huawei and ZTE.
Non-adherence to, and vague, standards
The 3rd Generation Partnership Project (3GPP) provides best practice guidelines for organizations new to 5G. However, to save money and because of inexperience, carriers may take advantage of vague wording in 5G specifications to perform bare bones implementations.
For example, one of the clauses in the 3GPP security specifications (TS 33.501) recommends that, “TLS shall be used for transport protection within a PLMN unless network security is provided by other means.” This opens the door to security vulnerabilities “by other means” that don’t provide the reliable protection offered by Transport Layer Security (TLS). GSMA research shows that a third of successful attacks on 4G networks are due to incorrectly configured equipment.
Insecure by association
Security issues in related technologies have an impact on 5G security.
Related technologies include LTE-advanced, radio access networks (RANs), massive MIMO (maMIMO), millimeter wave (mmWave), artificial intelligence (AI), software-defined networking (SDN), edge computing, network function virtualization (NFV), the internet of things (IoT), cloud computing, and network slicing.
Previous-generation networks relied primarily on SS7 and Diameter protocols. 5G uses common internet protocols such as HTTP and TLS. These open-web protocols lower the entry barrier not only for operators but also for hackers.
Network slicing splits networks into isolated slices, each with their own network functions (NFs), resources and security policies. In theory, a single compromised slice should not affect the network. In practice, network slices are opened to provide services to different verticals, partners and customers but often share resources, creating a security risk. The vulnerability, first discovered by AdaptiveMobile Security, is specific to slices that support hybrid — shared and dedicated — NFs, and is a result of the lack of mapping between transport and application layer identities. This design flaw allows attackers to gain access to the 5G service-based architecture (SBA) and launch DoS attacks across multiple slices.
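A simplified model of the missing transport-to-application identity mapping and the check that closes it, as an added example that is not from the original article or from AdaptiveMobile Security. The peer names, slice labels and request fields are hypothetical; the audit lists requests that an application-layer-only check accepts but a cross-layer check rejects.

```python
from dataclasses import dataclass

# Constructed inventory: TLS-authenticated peer identity -> slices it belongs to.
# Names and slice labels are hypothetical, not taken from any real network.
PEER_SLICES = {
    "nf-a.slice1.example": {"slice-1"},
    "nf-b.slice2.example": {"slice-2"},
    "shared-nf.example": {"slice-1", "slice-2"},
}

@dataclass(frozen=True)
class Request:
    tls_peer: str       # identity proven at the transport layer (certificate)
    claimed_nf: str     # requester identity stated in the application message
    target_slice: str   # slice the message asks to act on

def app_layer_only(req):
    """Weak check: trusts whatever the application message claims."""
    return req.target_slice in PEER_SLICES.get(req.claimed_nf, set())

def cross_layer(req):
    """Hardened check: binds the application claims to the TLS identity."""
    allowed = PEER_SLICES.get(req.tls_peer)
    if allowed is None:
        return False, "unknown transport identity"
    if req.claimed_nf != req.tls_peer:
        return False, "application identity does not match transport identity"
    if req.target_slice not in allowed:
        return False, "transport identity not authorized for target slice"
    return True, "ok"

def audit(requests):
    """Return requests the weak check accepts but the cross-layer check rejects."""
    findings = []
    for req in requests:
        ok, reason = cross_layer(req)
        if app_layer_only(req) and not ok:
            findings.append((req, reason))
    return findings

# Constructed sample requests as seen by a shared NF.
SAMPLE = [
    Request("nf-a.slice1.example", "nf-a.slice1.example", "slice-1"),  # consistent
    Request("nf-a.slice1.example", "nf-b.slice2.example", "slice-2"),  # layers disagree
    Request("nf-a.slice1.example", "nf-a.slice1.example", "slice-2"),  # rejected by both
]

if __name__ == "__main__":
    for req, reason in audit(SAMPLE):
        print(f"{req.tls_peer} -> {req.target_slice}: {reason}")
```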
5G means traditional security check points like hub-and-spoke hardware-based routers have been replaced by an ethereal cloud of software-defined digital routers that are difficult to inspect and control.
With more routing points and devices, and faster speeds that benefit smash-and-grab attackers, security teams must rely increasingly on automated monitoring and devise new methods to address the increased volume of security vulnerabilities.
Network functions (NFs) previously performed by physical appliances are virtualized in 5G networks. Virtualized NFs reduce network component isolation, as they communicate with each other directly and may share resources. Edge appliances in SD-WANs broaden the attack surface and are often overlooked during patching routines.
Privacy and personal risk
The risk to 5G networks comes from a multitude of devices, including seemingly innocuous home network appliances like smart thermometers, which may provide security chinks in network armor.
5G networks cover a much smaller area and require more antennas and base stations. Low-cost, short-range antennas used by individuals provide new physical targets for hackers to access and may compromise users’ locations and identities.
User and signaling confidentiality holes
Enhanced encryption of user and signaling data between a user device and a base station, itself an increasingly sensitive entity in 5G architecture, is mandatory to ensure data integrity but it is an optional feature to protect user confidentiality in the 5G specification. This confidentiality security chink could allow attackers to intercept status and authorization data and track a user's location.
“Cybersecurity implications…”, “Potential vulnerabilities…”, “Attack possibilities …”. This is how 5G security concerns are raised in the media. But there have been no reported instances of 5G security breaches in the wild.
The traditional threat model for identifying suspicious human activity in cyberspace cannot be applied to IoT devices. So, unless organizations change the way they manage their current cybersecurity strategies, the situation could change as 5G is rolled out to more users.