Experts are concerned about challenges to 5G security and privacy protection. There are new reports warning about heightened risks of DDoS attacks, flaws in Internet protocols, and vulnerabilities passed on from 4G. Only this time, with the growth of IoT, the attack surface has expanded rapidly.
Cybersecurity experts from Positive Technologies say in their recently published report that future 5G networks may turn out to be as vulnerable as the predecessors (if not more). In addition to existing vulnerabilities of signaling networks, there may be added vulnerabilities of Internet protocols, as well as vulnerabilities of SDN/NFV.
Researches from Positive Technologies are known to have previously discovered numerous security holes in other mobile signaling protocols, such as Signaling System 7 (SS7), Diameter, and GTP. In a report on 5G Security Issues, they present an overview of the main concerns regarding the nearest future of 5G signaling networks with their recommendations on how to mitigate such vulnerabilities.
5G inherits the weaknesses of LTE networks.The exploitation of mobile signaling network vulnerabilities, like Signaling System 7 (SS7), has previously caused the exposure of private information, such as user data interceptions (voice, SMS, data), subscriber tracking, as well as DoS attacks on services or network elements. The Diameter system, which replaced the SS7 in LTE, promised to fix these issues, but they still exist, even if they have now taken a different form.
“Research indicates that 100% of LTE networks are vulnerable to DoS through Diameter exploitation. This means that 100% of 5G Non-Standalone networks will be vulnerable to DoS, too,” the report stated.
5G is as secure as a web application; this is not a good sign. The 5G network core is built on well-known Internet protocols (HTTP, REST APIs, TLS, and others). These Internet technologies are open and well-studied. There are many techniques to search for vulnerabilities, and there are many tools readily available that make it easier to exploit those vulnerabilities. Considering a quarter of all security breaches in 2018 were done at the web application level, there is a lot at stake.
More configurations lead to more errors.SDN and NFV technologies are utilized for building Network Slicing architecture and assigning different resources and specific security policies to each slice. While the architecture undoubtedly has its perks, it also leads to a vast increase in the number of configurable parameters.
According to Positive Technology, “The more complex the system and the more components it contains, the greater the probability of error when administering it. Increasing the number of slices on a 5G network may lead to more configuration errors and even deterioration of operator awareness, adversely impacting the overall security of the 5G network.”
The scope of possible compromises could grow exponentially.One of the most impactful improvements of the 5G network is that it can sustain a large number of connections, not the least from IoT devices. By some estimates, by 2025, there will be more than 20 billion IoT devices, which effectively leads to an increase in potential attacks. The number of devices lacking proper protection is high, even now, and will continue to grow. The bigger the scope of potential attacks, the higher the standards need to be set.
Finally, the report offers several recommendations for these security-related issues:
The 5G will start working based on previous technologies. That means that MNO has to start with analyses and improve the security level for already existing networks.
To mitigate concerns regarding the SDN/NFV and network slicing, the operator should perform timely and regular audits to determine whether there are any weaknesses and that the configurations are adjusted correctly.
Operators should treat any changes as part of an ever-evolving process. The proper security of the 5G network is a result of many variables, other than just architecture. It should be a community effort, fueled by shared practices and team cooperation.
The full text of the report is available here.