The UK Government has ambitions for the majority of the population to be covered by a 5G signal by 2027. As major network operators launch new services - including EE 5G, Vodafone 5G, and Three 5G - much of the debate surrounding the network has been around the security risks it represents.
The security of the UK’s telecom networks is at the top of the agenda for the government. As 5G opens up more opportunities in areas such as healthcare, manufacturing and transport, the reality is that it is becoming an increasingly attractive target for cyber criminals, as it increases the available threat surface along with the consequences of any damage inflicted.
Back in June, The Science and Technology Committee asked suppliers, network operators and academics - including the Global Cyber Security and Privacy Officer of Huawei - about the possible security risks involved with 5G communications networks and to what extent those risks could be managed.
Shortly after this, the Department for Digital, Culture, Media and Sport published its Telecoms Supply Chain Review, which provided a comprehensive assessment of the supply arrangements for the UK’s telecom networks. The findings of the review set out the concerns about the security and resilience of the UK’s telecom networks. It shone a spotlight on how much work remains to be done in areas such as strengthening policy and regulation to better ensure telecoms cyber security, as well as diversifying the supply chain.
These reports highlight why it is important to not be under the illusion that, although operators have begun going live with the next-generation network, we are not achieving the full breadth of what 5G has to offer. We still have a long way to go. Achieving its full potential is not a simple case of out with the old and in with the new.
A need to work backwards
The reality is that many 5G networks contain security flaws from day one, due to their reliance on the existing 4G network core.
According to 3GPP Release 15 for 5G, published in summer 2018, the first wave of 5G networks and devices is classified as Non-Standalone (NSA). This means that devices will connect to 5G frequencies for data transmission in cases where greater bandwidth and lower latency are required, such as for communication between smart cars, or to reduce power draw on IoT-enabled devices. For voice calls and SMS messaging, however, they will still rely on 4G and, in some cases, even 2G/3G networks.
However, a recent security audit found that every 4G network contains vulnerabilities which hackers could exploit to perform a range of illegal actions, such as locating users, intercepting SMS messages, and instigating denial of service (DoS) attacks. Bearing this in mind, security threats associated with 3G and 4G will continue to remain long after 5G reaches the public and will heavily influence deployments for at least the next three to five years.
The majority of operators have gone down the road of creating a 5G network based on an existing LTE network core. But using LTE networks as the building blocks for the creation of 5G networks will mean they will not be immune from the same vulnerabilities. Indeed, it means that 100 percent of 5G NSA networks will be vulnerable to DoS, too. In 2018, our researchers found vulnerabilities on 74 percent of the networks they tested. Not only this, every tested 4G network was seen to allow third parties to obtain data about the operator's network configuration.
In order to provide adequate protection for the 5G networks of the future, operators need to work backwards and secure previous-generation networks. Unfortunately, however, security measures can often take a backseat in the quest to deploy 5G.
Security as an afterthought
Every operator is competing to be innovative and to upgrade their networks as quickly as possible - but can be far from adequately ensuring the security of those networks. Often during testing and even during implementation stages, operators are building their networks with little or no thought to generation interworking security.
Security policies are typically an afterthought, which are applied once the network goes live to end-users. While this might be helpful in expediting the deployment of these networks and saving some money, it is a very short-sighted approach. Further down the line, issues will inevitably arise, and operators will be forced to retrofit security that will put a strain on their original budget.
Trying to fix mistakes quickly often results in new solutions being poorly integrated to existing network architecture. Indeed, our experts found that one out of every three successful attacks on 4G networks was related to the incorrect configuration of equipment. This makes it somewhat impossible for the network to tick all the boxes on security requirements.
A complex and different threat landscape
Security challenges can also stem from the need for 5G networks to support a massive number of connected devices. Gartner predicts a huge growth in adoption of the Internet of Things (IoT). With 25 billion IoT devices expected to be connected by 2021, its implementation is set to unleash a highly complex threat landscape, significantly different from previous networks.
As it becomes more widespread, the IoT phenomenon continues to expose more vulnerabilities and security challenges. Device protection is poor - many manufacturers build in only the most basic security provisions from the outset - and malware distribution is easily scalable. Our researchers found that the number of malware campaigns targeting IoT devices grew by an incredible 50 per cent over the last year, during which time we identified more than 1,100,000 vulnerable devices.
The massive DDoS attack carried out by the Mirai botnet which, in 2016, left much of the internet inaccessible on the US east coast, serves as an example of the large-scale damage that can result from exploiting such devices. To avoid a repeat of such an attack, in which regular users can be left without communication, 5G network operators will have to develop new threat mitigation models more attuned to diverse types of devices.
5G security as a foundation
Operators are currently investing heavily in licenses and the development of 5G networks. If left unchecked, though, the security flaws inherent within the foundations from previous generations could be enough to undermine the best security intentions, causing remedial engineering, leaving operators scrambling to keep pace with their peers.
To avoid this, and ensure all bases are covered, 5G security must pay particular attention to what has come before and is still inherent in networks. Considerable efforts have been made by regulatory bodies and operators alike to avoid repeating the mistakes of previous generations, but 5G is not a clean new slate. The mistakes of the past will inevitably exist, and just like restoring an old house telecom networks will throw up unexpected problems we never saw when surveying the structure. However, we must do everything we possibly can.
Acutely aware of vulnerabilities within existing network infrastructure, as well as anticipating and preparing for any that may lie ahead, vendors and operators can – and should – be building security provisions in from the start, during the development of any new network technology. After all, the huge amount of investment into the development of 5G networks requires some form of insurance. As we enter the 5G era, using security as a criteria for quality will give operators a competitive edge. But ensuring this security requires operators to not only look at what they’re building, but at what they’re building on.
UPDATE: EU risk assessment report for 5G
On October 9th 2019 the European Agency for Cybersecurity published a report on the EU coordinated risk assessment on cybersecurity in 5G networks. And it is the first major step in the path towards the implementation of the European Commission Recommendation, adopted in March 2019 to ensure a high level of cybersecurity of 5G networks across the EU. The report outlines the following security issues inherent in the rollout of 5G:
- An increased exposure to attacks and more potential entry points for attackers. With 5G networks increasingly based on software, risks related to major security flaws, such as those deriving from poor software development processes within suppliers are gaining in importance. They could also make it easier for threat actors to maliciously insert backdoors into products and make them harder to detect.
- Due to new characteristics of the 5G network architecture and new functionalities, certain pieces of network equipment or functions are becoming more sensitive, such as base stations or key technical management functions of the networks.
- An increased exposure to risks related to the reliance of mobile network operators on suppliers. This will also lead to a higher number of attacks paths that might be exploited by threat actors and increase the potential severity of the impact of such attacks. Among the various potential actors, non-EU States or State-backed are considered as the most serious ones and the most likely to target 5G networks.
- In this context of increased exposure to attacks facilitated by suppliers, the risk profile of individual suppliers will become particularly important, including the likelihood of the supplier being subject to interference from a non-EU country.
- Increased risks from major dependencies on suppliers: a major dependency on a single supplier increases the exposure to a potential supply interruption, resulting for instance from a commercial failure, and its consequences. It also aggravates the potential impact of weaknesses or vulnerabilities, and of their possible exploitation by threat actors, in particular where the dependency concerns a supplier presenting a high degree of risk.
- Threats to availability and integrity of networks will become major security concerns: in addition to confidentiality and privacy threats, with 5G networks expected to become the backbone of many critical IT applications, the integrity and availability of those networks will become major national security concerns and a major security challenge from an EU perspective.