5G is here to replace not just legacy cellular standards, but a multitude of other wireless and wired communication standards and therefore its scope will cover personal use, business operations, transportation and smart city infrastructure. This, together with its support for dense IoT networks – which could potentially have over 1 million devices per square kilometre – means an exponential increase in the attack surface and exposure to cyber attacks on an unprecedented scale.
The nature of 5G’s shared infrastructure has the potential for mass failure across not just network functions, but multiple networks and connected devices. An attack on infrastructure supporting a smart city could impact power, traffic, lighting and communications simultaneously. Presently these systems co-exist as separate networks and standards, so attackers must invest an enormous amount of effort into targeting a single function which might require reverse engineering an arcane industrial protocol for example – no easy task. The standardisation that 5G brings is good for interoperability, but if implemented poorly, presents a greater cyber risk to future cities.
Wi-Fi versus cellular
The legacy protocols 5G will replace are not without security issues, but the impact of any breach was isolated to a protocol. So, a Wi-Fi bug didn’t impact 4G and vice versa. However, most smartphone users generally assume that cellular data networks are more secure than unknown Wi-Fi and in general this is correct. But, as 5G roll-out starts to gather pace, more and more cellular users connecting via an ever-expanding variety of devices will be exposed to security threats via a process called Wi-Fi offloading.
Offloading happens when a large portion of cellular traffic is passed on to nearby Wi-Fi networks to cater for huge public demand and is common practice in areas like sports stadiums, shopping malls and airports. Currently, the amount of 4G traffic which is being offloaded stands at 59%, but Cisco predicts that with 5G this will rise to 71%. This means those connections can be exposed to common Wi-Fi attacks.
Last year, two 5G attacks, Torpedo and Piercer, were disclosed by security researchers. These allowed hackers to de-anonymise and track individual subscribers.
Torpedo allowed attackers to exploit a weakness in paging protocols normally used to notify a phone before an incoming call or text arrives and involves placing and cancelling several calls quickly in a row to random numbers a subscriber might be identified by as a user, but is a relatively low risk issue. Piercer allowed attackers to go one further and brute force the private International Mobile Subscriber Identity (IMSI) number, which identifies a subscriber a bit like a National Insurance number is our unique personal identifier. Once this information is known, low cost equipment costing as little as £150 can track users across the network.
Because 5G technology, as we have mentioned, is designed for dense IoT, future botnets will take advantage of a growing number of zombies – devices connected to the Internet which have been compromised by malicious software. Gartner is predicting more than 20 billion endpoints in 2020, a 21% increase from last year and if recent experience with IoT security is anything to go by, they will be largely insecure at the point of sale and even less secure several years later.
As a result, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are increasingly likely to be a focus for malicious activity. One of the core features of 5G will be the dynamic re-allocation of resources, especially bandwidth. This may be a great feature when a ‘flash’ crowd appears in a specific location, but at the same time, this could be rocket fuel for botnets, because the demand could well be malicious and the extra bandwidth allocated could exacerbate the impact of a DDoS attack.
The fact that many end user devices will be opened up to more intense scrutiny, means that we can expect to see botnets appear in more unusual places. For example, imagine a firm with a fleet of robots, staff with wearables, smart vehicles and smart buildings, all connected for convenience to a private cloud. The security of the cloud infrastructure will therefore be critical.
Where does the buck stop when it comes to responsibility?
In reality, responsibility for security lies with everybody involved, but in the race for profit and opportunity, of which 5G promises both, security in the UK at least will need to be enforced and maintained by a technical authority such as the NCSC (National Cyber Security Centre).
5G will see a significant change in the ownership of network components, which will move from a walled garden monolithic architecture, to an infrastructure-as -a-service (IaaS) model, where the key components will not be owned by the network operators. Therefore, the responsibility of tackling security problems is likely to be diluted and delegated to the user equipment (UE) OEMs who, to this date, have not had a good track record for endpoint security. This erosion of anonymity is another concern relating to 5G’s million-devices-per kilometre plan and this design change underpins 5G tensions between nations regarding the risk of espionage and nationwide denial of service attacks.
Opening up a single industry to risk of compromise by a foreign actor is a big decision which must be weighed against the benefits. Opening up all your industries, cities, transport networks and private citizens is a risk which warrants its own scale, but it won’t be solved by banning a single vendor such as Huawei. Genuine security needs to be vendor agnostic and if you want to eliminate risk, you need to ban people altogether as they present the greatest and most persistent risk of all.
In practice attackers won’t care whose name is on the outside of the hardware that they’re compromising as they’re focused on the data and the networks beyond it. Virtualisation means network operators won’t own the infrastructure and towers anymore, Instead, the network will be managed by service providers and the operators will lease capacity. This means that the core networks will span operators and a single router therefore could be shared by Vodafone, EE, 02 etc, so any future failures could be unprecedented.
Security regulations are only effective when incentivised through substantial fines for non-compliance – a responsibility which presently lies with the ICO (Information Commissioner’s Office). Equipment vendors have a limited responsibility to maintain shifting security standards so cannot be expected to and should not be automatically trusted, which is where the UK’s world-leading cyber security community can contribute.
Given the incredible range of stakeholders with vested interests, the chances of a productive working group involving all are severely limited. From experience, change will be reactive in response to findings from the fast-moving security research community. The key is to ensure that these findings come from the friendly community and not criminal elements which can be considered an arms race of sorts. This is where the NCSC needs to develop productive and timely working relationships with the community, so equipment and subsequent findings can be shared, in confidence, to everyone’s benefit with a positive outcome. The UK has the technical talent to address this problem, but researchers must be allowed and encouraged to test the equipment in an unconstrained environment before others do. Ultimately, the responsibility lies with the Government for what is an unprecedented and widely shared risk.
It’s not all predictable doom
Despite some of these gloomy predictions, 5G will build upon years of cellular security improvements, which since 3G have had better authentication and encryption than Wi-Fi, for comparison. The focus for 5G is primarily on capacity, not security, so it’s not a ‘security upgrade for 4G’, which despite some early de-anonymisation attacks has proven itself to be a relatively secure standard, sufficient for most use cases.
The concern in cellular security has moved on from eavesdropping to cyber security. The actual channel is pretty well secured now as each call is heavily encrypted with a new key.
As we all know, there are no absolutes in cybersecurity and no such thing as a 100% secure system, it’s all about risk management and judgement. You can’t just patch a national telecoms network like a home PC or small business. When looking at national scale systems, change takes time.
If 5G is going to be the engine of growth and change for the UK economy that people expect, we need the implementations to be secure enough to deliver. That will need many things: a diverse and sustainable supply base, better cyber security in equipment and software used and raising the bar in the basic security of the networks to be able to support a safe digital future.