The vulnerabilities of an unsecure 5G
5G technology promises to revolutionize connectivity for everything from smart cities and utilities to connected cars and the emergency services. But amid all the excitement, critical security questions must not be overlooked.
For many industries, having relied on either rolling out broad Wi‐Fi or tolerating slow mobile connectivity, the rollout of 5G offers the potential to transform both internal operations and customer‐facing services.
5G will dramatically increase connectivity speed, powering the fast transfer of complex information and potentially hitting a high data rate of over 10 Gigabits per second, tens of times faster than 4G. Equally, it offers the reduced latency essential for reliable connectivity, and high system capacity as future networks connect billions of new objects.
By 2025, according to GSMA, the mobile industry association, in Europe alone there could be 200 million active 5G connections. Telecoms gear maker Ericsson expects that at that point there could be a total of one billion global connections.
The development of 5G has caught the attention of numerous sectors, with deployment expected in several stages. In many markets, the first stage will see ‘enhanced mobile broadband’ enabling much faster consumer mobile connections. Online and high street retailers are expected to use these advancements to underpin highly immersive virtual and augmented reality services, such as those that allow people to virtually ‘try on’ items of clothing or experience what it feels like to drive particular cars.
The second stage is likely to be characterized by an evolution towards the ‘Massive Internet of Things’ (MIoT). This will precipitate the connection of more and more domestic and enterprise devices, ranging from smart meters and fridges to autonomous vehicles—in essence, supporting basic machine‐to‐machine communications but on a much larger scale than is currently possible.
From there, 5G developments are expected to progress towards use in some of the most essential services provided across society. This is being referred to as the ‘Mission‐Critical Internet of Things’ (MC‐IoT) and will speed up connectivity within emergency services, hospitals, police forces, fire and rescue services and smart cities. Meanwhile, vehicle connectivity technology will enter a much more advanced and sophisticated phase. Internet‐linked factory machines on the industrial IoT side, encompassing intelligent automation and remote manufacturing solutions, will also come to rely on 5G. Businesses of all types will also be able to use 5G to enable remote working for everyone from office personnel to teams of engineers in the field.
The scope and potential impact of these developments are clearly enormous. However, it must be remembered that 5G will still take time to roll out and demonstrate its potential to industries. According to Ian Fogg, a VP at mobile analytics firm OpenSignal: “It is true that 5G is coming around a lot more quickly than many had thought. But many of the initial approaches to 5G will address it in its more basic form, for smartphone users and at lower capacity, with high‐capacity bands being added later for the more critical and demanding applications such as industrial automation and connected vehicles.”
It is also the case that as 5G is rolled out, important security questions will arise and require serious consideration. While the upsides of 5G are hugely appealing for businesses and service providers across the globe, its introduction will also present significant risks to organizations that use it, especially those depending ever more on virtualized or cloud‐based infrastructure. Part of the problem is that the sheer speed of 5G offers great potential for denial of service (DoS) attacks that can overload company networks.
The University of Surrey’s 5G Innovation Centre warned in a recent whitepaper of the importance of getting this right, given the “increasingly diverse set of industry verticals” that the technology must support. “These provide a wide range of business drivers for security—for example, the transport vertical needs reliability, integrity and availability to prevent loss of life. Healthcare will also require reliability/integrity and there will be a focus on confidentiality,” it notes. “Smart cities applications will contain an increasing richness of personal information leading to important confidentiality concerns. Factories and energy are part of critical infrastructure which will need robust defense against cyber‐attack.”
It’s clear that any failure to properly secure 5G in advance of its introduction could have dire consequences for businesses and public bodies. The greatest known risk is hackers, be they hostile governments, sophisticated criminals or even tech‐skilled teenagers, accessing systems, switching them off or stealing data. In the future, with key services relying on 5G, the potential is high for hackers to cause severe disruption to hospitals and ambulance services, as well as to the operations of police forces and fire services. Anyone travelling in a self‐driving car could also face major safety risks if a hacker takes control of their vehicle. Meanwhile, core utilities such as gas, electricity and water could see their networks and supply lines interrupted by targeted DoS attacks.
“It’s still unclear how critical infrastructure devices will be implemented on 5G networks. If the end‐points are lazily just Linux or Arduino boxes with full IP stacks on them, they will be vulnerable to the same kinds of attacks that frequently plague servers and desktops,” says Todd Thibodeaux, president at IT industry association CompTIA. “If they are based on more secure proprietary systems, with encrypted communication through secure VPNs, then the chances of suffering an attack are lessened.”
“For sectors where operations are mission critical, as with ambulances, police or utilities, then you need to think about designing a system that functions on 5G but is protected and isolated,” says Jason Leigh, a senior research analyst at the market intelligence firm IDC. “But it’s not only bad for those types of operation. The same principle is true for scenarios like factory automation that will depend on machines constantly communicating.”
In terms of network design, Ericsson states in a research note that each use case can be well served by designing specific and appropriate security, adding: “The trustworthiness not only originates from a set of security features, but also from system design principles and implementation considerations that have all been applied, with a holistic and risk‐based mindset.” Getting this right, the company says, is critical because 5G “will soon be an indispensable part of our connected society”.
Adjacent to the question of security is the issue of availability. When organizations depend on 5G to operate, they need to have a contingency plan should it fail. “People need to think about what happens in the event of a storm, or even someone crashing their car into the light pole transmitting the 5G to them,” says Mr Leigh. “What does that do for corresponding infrastructure—would ambulances and other services lose their coverage?”
As well as mobile network operators ensuring coverage, and users protecting their networks appropriately, regulators will also need to closely examine the best ways to address the security issues thrown up by 5G, especially given the billions of devices set to be newly connected to the web. Harnessing new standards set by industrial leaders may be key to this, and equally to avoiding a situation of fragmented and differing national policies.
“Regulators could demand strict adherence to voluntary industry standards,” says Mr Thibodeaux at CompTIA. “We could have bodies like [independent safety science organisation] UL do testing and verification of equipment and new encrypted communications standards could be developed for critical infrastructure.”
“Certain critical sectors such as the emergency services will of course face a high level of regulatory scrutiny around security and uptime, while for other sectors the main focus may instead be around privacy,” says Mr Leigh at IDC. “At some level, regulation may provide a barrier that slows adoption a little, but without it enterprise users and consumers would not have confidence in the system and it would not take off.”
The desire for much higher mobile internet speeds and the resultant technological innovations will prompt uptake and outweigh any regulatory barrier, adds Mr Thibodeaux. “Consumers and businesses are always hungry for more speed and capability. There’s also a tremendous amount for carriers to gain from continued monetization of even more legacy spectrum,” he explains.
Companies such as G+D, with their deep understanding of network operators and the various sectors set to use 5G, are well positioned to help maximize the technology’s safe use for myriad organizations as services become available.