5G Security Blog Series: 5G security is a journey not a destination
I wanted to look a little into the future, to a time when we are all allowed outside again, to visit our local Vodafone or Apple stores (Note there are other phone manufacturers and network operators, it just happens that these are the ones I use). This is a time when governments have concluded the 5G auctions, the mobile carriers have selected their network vendors and handsets are once again flooding in from China.
This is a time of, 5G induced happiness! But wait a minute, what is that you ask? Is 5G secure?
In this modern era of hyper connectivity and the human compulsion to never be more than an arm’s length away from our mobile phones. When, Sunday drivers get nervous about going further when they are down to one bar of signal strength. The intimate connection between mobile phone and the individual has never been stronger. This fact has driven an industry of intelligence gathering and interception of communications by security agencies and hackers/fraudsters alike.
2G, 3G and 4G networks, we know have been compromised or can be compromised at will unless they are heavily protected by additional security measures. Even then it is a game of escalating arms by the attackers to try and regain the upper hand. Maybe I should have sugar coated it a little? Yes, if you are a mobile carrier thinking that by some stretch of the imagination, your network is not vulnerable to attack without security firewalls and constant surveillance, then you are mistaken. A penetration test is not needed to “prove” the vulnerability, trust me on this one. Call interception, denial of service, identity theft, location tracking and worse are risked by every mobile device from an unprotected network. At least we can depend on the industry to have learned from its mistakes? 5G will be better right? More Secure?
In any network technology deployment there are factors that will inherently increase the security risk. I am ignoring the user behaviour, and yes, clicking on those spam SMS messages, or downloading those cheaper than expected video games are never a good idea. Social engineering still remains a major attack vector by downloading spyware or malware, and assuming your handset SIM doesn’t have the wrong version of the S@T or WIB browser. Focusing on the network technology however, new rarely means good.
New often comes with steps forward in multiple directions, new standards, supporting new services that run on new networks using new handsets. Sometimes even new suppliers and new deployment models. What’s not to like about a virtualized mobile network or faster download speeds? Network sharing, slicing, edge computing and web service integration? Well, complexity of technology and the ecosystem adds to the attack surface, which creates opportunities for vulnerabilities to be exploited. We don’t only have to deal with the complexity of the new 5G technology roll out, but we also need to deal with the integration of the legacy 2G, 3G and 4G networks. They will be needed for some time yet, and the smartest mobile device and network will have to revert to “string-can-and-cup” communications when they roam. I suspect when I retire (hopefully within 10 – 15 years) there will still be significant numbers of 4G networks still doing the heavy lifting for many networks and subscribers.
It is clear to me that securing 5G also means making a good job of firstly (or additionally) securing 4G networks as a minimum (ok so 4G+ and 5G- networks, I don’t want to get into what is real 5G anyway!).
5G brings some additional complexity internally that is new to mobile networks at least. Some standout features are RAN sharing, edge computing and network slicing. This level of internal exposure and distributed infrastructure in my mind, creates physically and functionally, a bigger risk. In reality, either indirectly through lower G’s or directly through the huge attack surface, 5G networks could become one of the most attacked technologies we have ever developed. Luckily, this time the network equipment vendors have us covered? Right?