Why 5G could be a cyber security nightmare
By Connor Jones
If you’ve been keeping up with the headlines, you’d be forgiven for thinking the paramount concern with the security of 5G, the latest in hyperfast mobile networking technology, is the alleged threat Huawei poses to national infrastructure. But, if you speak to the experts, there are far more troubling concerns afoot.
It’s not often the network gets blamed for the cyber security incidents that bring a business to its knees, a devilish strain of malware can often be the culprit, as can a hacker looking to bolster their CV. However, 5G will offer speeds much greater than have ever previously been available and it will allow more traffic to reach more devices than ever before. This can be used by cyber criminals as a way to floor a business and make off with sensitive data, money or cause massive disruption.
There are sharp divisions among experts, however, as to what kind of threat the advent of 5G actually poses, but one thing is for sure: 5G presents security concerns in one way or another and you need to prepare your organisation for when it comes.
Secure those endpoints
One of the main corners experts seem to be fighting from is claiming that 5G is the enabling technology that will weaken the already fragile endpoints being exploited in businesses every day.
Speaking to IT Pro, Jason Hart, cyber security expert at Thales says: “5G is just the connectivity element of it – 5G is just connectivity, it’s faster, quicker connectivity.”
“It’s going to accelerate the adoption of things at the end of it, so it’s [these things] that are the issue – not 5G. 5G is just a communication channel.”
It’s no secret that IoT devices are infamously churned out by different companies with security often implemented as an afterthought or, indeed, not at all.
These unsecure devices are reaching the biggest businesses around the world. From shipping conglomerates deploying thousands of sensors on their crates to SMBs from tiny towns fitting cheap CCTV cameras to their building, everyone is geared up with IoT and adopting a ‘set it and forget it’ policy.
Failing to change passwords from the default factory setting – or being unable to – can make accessing a network through these devices as easy as performing a Shodan scan and a quick Google search of the device’s default credentials.
It’s not just the speeds of 5G that raise concern. The massive bandwidth that will enable more devices and more data packets to travel through it is also troubling, particularly when it comes to unsecured endpoints. 5G will lend itself to massive IoT deployment – it’s a cornerstone of the Industry 4.0 prophecy – and there are estimates that by 2025, IoT devices will outnumber computers.
There certainly isn’t any legislation either, at least not yet in the UK, that mandates security by design for IoT devices. When you have leaky products being deployed on a network, you’re essentially powerless to the inevitable distributed denial of service (DDoS) hacks, says Mike Bursell, chief security architect at Red Hat.
“We’ve seen it with Mirai and cameras, we are absolutely going to see it in 5G. If you’re a vendor and you’re just creating devices, it’s very easy to create a cheap sensor device or simple connected 5G device and just put out there on the market. It’s difficult to do security right, a lot of people are not going to do it right, and therefore we are going to see attacks.”
D-day DDoS attacks
In the other corner, we’ve got those who believe the features of the network itself are 5G’s biggest threat to cyber security. After all, the endpoints could always be secured after deployment. What can’t be changed are the inherent features of a technology that are practically an attacker’s dream – especially one that wants to target businesses with DDoS attacks.
Despite experts shifting their concerns towards the entry points, the DDoS threat is still very real. Due to the reduced latency that it provides, IoT devices connected via 5G are able to access a network far quicker than they ever could before. “That can have an impact on how quickly you can mitigate attacks [and] how quickly you can monitor and put things in place,” says Bursell.
In addition to the reduced ‘window of opportunity’ to fight off an attempted cyber attack, he adds that “decreased latency leads to potentially more connections per second”.
“Those connections could be good, desired traffic or they could be DDoS-based attack vectors.”
Surely we can all agree that no-one wants a repeat of 2016’s Dyn DNS’ DDoS attack, nor GitHub’s in 2018. But, unless measures are taken to mitigate the risks associated with 5G’s core features, businesses may want to hold fire before deploying private 5G networks.
What’s being done about it?
For some time now there have been calls from the industry for a law that would act somewhat like the British Kitemark for IoT devices – a clear symbol to indicate top-tier devices. Right now, despite the vast deployment of IoT, there’s nothing stopping vendors from pumping out cheap and unsecured products other than the UK government’s Secure by Design code of practice, adherence to which is merely discretionary. But with the government’s recent IoT consultancy now closed, we might not be far off from seeing a much-needed mandate in this area.
“I think it’s always going to be a carrot and a stick [situation] and typically legislation lags behind technology – we’ve seen that over decades, if not centuries,” says Bursell. “But having something there and seeing that the government’s paying attention is absolutely a very good thing to be happening.”
The issue isn’t just a British one either; it transcends our own borders as the EU is also still in the embryonic stages of implementing an adequate certification. ENISA (the European Union Agency for Cybersecurity) is currently investigating certification schemes that would involve enforcing similar rules as Britain’s Secured by Design code as bloc-wide law.
Away from legislation, other technologies can also be used to combat the threat. The ability to slice a 5G network has long been touted as a major security feature of the mobile network and a way to deliver business-specific security.
“This means that the network can be isolated from end to end, delivering monitoring on-demand and real-time supervision and notification if there was an issue, to filter and clean the network,” an Orange spokesperson tells IT Pro.” It also means a slice network can prevent attackers from gaining a foothold in one slice and moving laterally across the rest of the network. However, it might not help in the case of a DDoS attack.”
There is also some headway being made in the IoT gateway space to streamline the management of unsecured devices. Managing all the data sent via IoT devices through various networks to different locations can be an impossible task to do comprehensively with the naked eye, which is why the demand for network monitoring tools such as these hardware or software-based gateways is growing.
What this ultimately comes down to is the fact that 5G is a new technology and there will always be bad actors – people who want to explore new attack vectors and be the first to exploit them. 5G and IoT devices are just two new tools out of a vast range of often otherwise benign technologies that can be used to launch assaults. Cyber attacks are inevitable and whether 5G is going to make this threat worse or not is yet to be seen. However, you can bet good money that hackers around the world are already planning how they can be the first to launch an attack on 5G.