5G Security: Possible Risks & Challenges

Uploaded on 2020-04-15 in FREE TO VIEW, BUSINESS-Services-IT & Telecoms, TECHNOLOGY-Key Areas-5G Networks, TECHNOLOGY--Developments

5G is taking the world by storm. This game-changing technology takes mobile connectivity to a whole new level by introducing jaw-dropping speeds and low latency. Furthermore, its network capacity can reach a million devices per square kilometer, which is ten times the maximum number supported by 4G. 

Whereas the dramatic change in the millimeter-wave frequency spectrum used by 5G compared to its predecessor doesn’t really explain anything to the average person, there are tangible benefits that make a difference and can be noticed with the naked eye.

The speeds can reach 2Gbit/s at the dawn of 5G deployment and will theoretically grow to 100Gbit/s as the technology evolves. That’s up to 100 times faster than 4G. Reduced latency is another breakthrough, allowing data to arrive at its destination about five times quicker.

A simple example of how this improves the user experience is that there is absolutely no buffering time when watching a 4K quality video on a mobile device. Uploading and downloading gigabytes of data is a matter of mere seconds in 5G networks, which transforms the way users interact with numerous cloud-based services. Also, wirelessly connected entities constituting the Internet of Things (IoT), including self-driving cars and smart home appliances, will be able to operate reliably and seamlessly. An extra factor on the plus side of 5G is that people can enjoy fully-fledged connectivity in places where cable modem and Wi-Fi are unavailable.

Having started with field testing and somewhat scattershot regional roll-outs in 2019, the deployment of 5G is currently accelerating around the globe.

In the United States, the European Union, and East Asia, the process of launching next-generation commercial networks is in full swing, occasionally taking place ahead of schedule.To keep up with this telco evolution, all major smartphone manufacturers have already released devices that support 5G. Furthermore, market analysts predict that these gadgets will account for 15% of all global smartphone shipments in 2020. Aside from smartphones, a plethora of different IoT solutions will be heavily relying on high-speed connectivity in the near future.

The booming 5G tech is gradually shaping up to be the mainstay of digital economies going forward. When there is so much at stake, governments and service providers need to make sure the network deployment is flawless in terms of security.

Cybercriminals will undoubtedly look for ways to compromise the emerging communication protocols and thereby orchestrate massive data breaches. The concerns escalate in light of the tightening connection between 5G and ubiquitous cloud computing.

The government-level 5G risk assessment process is now underway in the EU. A report released by the member states singles out the security and privacy pitfalls that may accompany fifth-generation network rollouts. Below is a summary of the experts’ findings.

5G Vendor Monopoly Issue
One of the key points expressed in the report is that the EU will have to rely on a single manufacturer of network equipment, the Chinese vendor Huawei. Despite the fact that the name of this technology company isn’t directly mentioned in the document, the implied cooperation is common knowledge.The potential problems stemming from the monopoly position of the supplier include a possible lack of equipment, dependence on the contractor’s commercial welfare, and cyber-attacks targeting its digital infrastructure. The recent outbreak of the coronavirus in China could become an additional factor undermining mainstream 5G deployment.

Researchers emphasize that such a collaboration has a single point of failure. The manufacturer can be subject to economic sanctions or other forms of commercial pressure. A hypothetical merger or acquisition scenario may also prevent the company from following its obligations.

One more thing to consider is that there are close ties between the vendor and the government of the state it’s headquartered in. This can be a source of politically-motivated tampering with the company’s business processes. Moreover, the scarcity of data protection commitments shared by the EU and the country of the supplier’s origin is yet another possible obstacle to a hassle-free partnership.

According to the European Union, an increasingly strong link between the EU member states’ telecommunication networks and third-party software underlying them is a serious threat as well. Since the vendor will have a significant scope of access to all the data in transit, malicious actors will be tempted to hack these solutions and intercept the information.

Other Stumbling Blocks 
In addition to the solo vendor issue that implies a major dependency on third-party telco gear and applications, secure 5G implementation may also be hampered by quite a few more circumstances revolving around the technical nature of these systems. Here is the lowdown on these vulnerabilities.

● A greater number of attack vectors
The growing role of software in fifth-generation networks is deemed as one of their weak links. It makes them highly susceptible to compromise that piggybacks on security loopholes, including zero-day exploits that may be unearthed down the road. Such imperfections can become a launchpad for cyber incursions that will allow an adversary to gain a foothold in different tiers of the 5G network architecture. The potential outcomes can range from man-in-the-middle (MITM) attacks to large-scale disruption of the services based on wireless connectivity.

For instance, malefactors may insert a backdoor into an application involved in the 5G implementation chain. To do it, they can take advantage of a known or undocumented vulnerability arising out of the supplier’s poor software development practices. Aside from that, a phishing hoax might be used to wheedle out the sensitive credentials of the software engineers and thereby get unauthorized access to the application. The backdoor will allow the attackers to modify the program’s behavior, deposit malware, or steal users’ data.

Cybercriminals may also try to execute an ARP spoofing attack against a mobile carrier’s IT network by flooding it with rogue Address Resolution Protocol packets. This way, the MAC address of the attacker’s device will become associated with the IP address of the default gateway in the telco service provider’s network. In plain words, the threat actor will be able to impersonate a trusted user to intercept, change, or stop any traffic intended for that IP address.
Distributed denial-of-service (DDoS) attacks pose a growing risk to 5G networks and the entities relying on them. According to Statista, the total number of IoT devices in use worldwide will reach 75 billion by 2025, up from 30 billion in 2020. This ecosystem will be expanding dramatically and so will botnets that harness crudely secured IoT devices to fuel massive DDoS incursions targeting major web services.

As a matter of fact, incidents like that have already occurred in the past. The notorious Mirai malware outbreak in 2016 demonstrated how disruptive this attack vector can get. The infection enslaved more than 600,000 unprotected CCTV cameras and routers to execute a series of 1 Tbps DDoS raids. With the rapidly increasing number of 5G-enabled smart gadgets, the likes of Mirai will be booming and the issue will undoubtedly escalate.

● Network slicing security needs an overhaul
5G is expected to bolster the functioning of virtualized ecosystems referred to as “slices,” which host critical services and utilities used by businesses and government networks. Providing proper security of these independent logical networks that reside within the same physical infrastructure is an increasingly serious challenge. Experts have yet to develop effective mechanisms for isolating these slices in the all-new 5G paradigm to thwart data leaks and other forms of intrusions.

●  Meager software update procedures
As previously mentioned, next-generation wireless networks will depend on software to a much bigger extent than the predecessors did. Obviously, seamless application maintenance practices are going to be the pivot of their uninterrupted operation. In particular, software update management will need to catch up with security issues in terms of vulnerabilities and technical bugs and address these flaws before threat actors add them to their repertoire.

● Obsolete standards
Aligning the peculiarities of 5G networks with international and state-level security regulations is a work in progress. The protocols developed by the 3rd Generation Partnership Project (3GPP) organization, which are currently in effect, extensively cover requirements for earlier mobile telephony systems (GSM, UMTS, and LTE) but don’t fully embrace all aspects of 5G standardization at this point. Elaborating the entirety of new security regulations is a matter of trial and error combined with in-depth research that has yet to be conducted.

● Lack of trained personnel
As promising as it is, the 5G technology is also a Pandora’s box filled with opportunities for cybercriminals who will definitely explore it for weaknesses. With that said, the security industry should work proactively to stay on top of new methods as they complement the malefactors’ toolkit. An important prerequisite for bridging this imminent gap is to nurture the expertise of security professionals so that they can identify and fix network imperfections by means of penetration testing and other techniques.

The personnel will need to collaborate more tightly with software suppliers to get a profound understanding of how the new applications work and what exploitation mechanisms they are potentially susceptible to. Furthermore, penetration testers who think like attackers can probe the IT infrastructure of 5G providers and contractors for weaknesses by orchestrating trial network incursions. This will allow the industry to prioritize the areas that need urgent improvement in terms of security.

Final thoughts
5G will become one of the core elements of the global digital economy in the years to come. Therefore, securing these high-tech networks is a top priority for governments and all the parties involved in the deployment workflow. Hopefully, the white hats will team up and succeed in staying one step ahead of the adversaries to make sure people benefit from this awesome technology to the fullest.

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. He runs Privacy-PC.com.
 
You Might Also Read: 
 

The US Has A New 5G Security Strategy:

 

 

« Cyber Resilience Benchmarks - Missed
Japan's New AI-Based Cyber Defence System »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Hack in the Box Security Conference (HitBSecConf)

Hack in the Box Security Conference (HitBSecConf)

HITBSecConf is a platform for the discussion and dissemination of next generation computer security issues. Our events feature two days of training and a two-day multi-track conference

Ericsson

Ericsson

Ericsson is a leading provider of telecommunications services and network infrastructure solutions including all aspects of network security.

Air Informatics

Air Informatics

Air Informatics LLC provides security, information management, analytics and informatics for IT and wirelessly enabled airplanes and operations.

GreyCortex

GreyCortex

GreyCortex uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

Styra

Styra

Styra allows companies to secure cloud environments and applications, including those built on the popular Kubernetes open-source cloud platform.

Tutamantic

Tutamantic

Tutamantic develops software that reduces security risks and weaknesses during the architectural and design stages.

Abnormal Security

Abnormal Security

Abnormal is an API-based email security platform providing protection against the entire spectrum of targeted email attacks.

DCX Technology

DCX Technology

Recognized as a leader in security services, DXC Technology help clients prevent potential attack pathways, reduce cyber risk and improve threat detection and incident response.

Cysiv

Cysiv

Cysiv SOC-as-a-Service combines all the elements of an advanced, proactive, threat hunting SOC, with a managed security stack for hybrid cloud, network, and endpoint security.

KETS Quantum Security

KETS Quantum Security

KETS harnesses the properties of quantum mechanics to solve challenging problems in randomness generation and secure key distribution and enable ultra secure communications.

Polymer

Polymer

Polymer is a Data Governance & Privacy Platform for third party SaaS apps. A modern Data Loss Protection (DLP) approach to remove sensitive data exposure on collaboration tools in real-time.

CIBR Warriors

CIBR Warriors

CIBR Warriors are a leading cyber security and networking staffing company that provides workforce solutions with businesses nationwide in the USA.

Rayzone Group

Rayzone Group

Rayzone Group offers a wide range of Cyber Security solutions and services, providing hollistic protection suitable for both enterprises and National cyber security centers.

Torch.AI

Torch.AI

Torch.AI’s Nexus™ platform changes the paradigm of data and digital workflows, forever solving core impediments caused by the ever-increasing volume and complexity of information.

TrueBees

TrueBees

TrueBees is the first deepfakes detector able to detect AI-generated portraits shared on social media and to prevent their diffusion across the web.

Zafran

Zafran

Zafran is a Risk & Mitigation Platform that defuses threat exploitation by mobilizing existing security tools.