Security Experts Outline Their Concerns
Nokia says 5G services require layered security. (Source: Nokia Threat Intelligence)
So far, much of the discussion about 5G security has focused on avoiding the use of technology from Chinese manufacturers, including Huawei and ZTE, to minimize the risk of China spying on users. But security experts are increasingly concerned that 5G network and device providers rushing products to market aren’t devoting enough attention to security.
“Anytime you see a rush to market, we are not well poised for security,” says Charles Henderson, global head of IBM’s X-Force Red. “As an industry, we must position security above all else.”
Security experts say the primary concerns with 5G devices are similar to those for 4G products: The devices have little or no built-in security and come with easy-to-guess pre-set login credentials that are never reset by the owners.
Sree Koratala, vice president for mobility security at Palo Alto Networks, suggests: “Extending zero trust security principles to 5G by applying security at every location and layer of the network is critical.”
Security Key to Success
Ensuring adequate security through a layered approach will prove critical to the success of the rollout of 5G networks and devices, Nokia Threat Intelligence, a unit of smartphone and communications provider Nokia, says in a new report.
“It is clear that security will not only be fundamental to 5G success – it will be the major differentiator for service providers,” the Nokia report says. “Privacy/encryption and authentication remain key. 5G networks must support a very high level of security and privacy for their users … and their traffic.”
But Jonathan Tanner, senior security researcher with networking and security firm Barracuda, is among those who are concerned that network providers and device manufactures alike are not paying enough attention to 5G security.
“While it [5G] doesn’t seem any less secure than 4G, security was supposed to be a priority for this generation and it fell short, as was shown in the 5GReasoner [vulnerability detection] project,” Tanner says. “A lot of the intended security improvements were not implemented properly [in 5G] or can be circumvented, making attacks against the technology itself as much a concern as before.”
Tanner says attacks waged against 4G devices and networks still pose risks for 5G. “Further, devices connecting over 5G would become exposed to the internet by default rather than through configuration,” he says. “This makes ensuring the devices themselves are free from the common security flaws of many existing internet of things devices much more important.”
IBM says many 5G devices have the same basic security faults as 4G products, including weak security and easy to guess pre-set admin passwords, Tanner points out.
Nokia says the challenge for communication service providers will be protecting against attacks as new subscribers come aboard as well as new 5G-powered “life-affecting applications,” such as medical devices.
Henderson of IBM notes that protecting 5G devices and networks is not inherently more difficult than securing the older 4G models. But 5G products will become so popular that they will be attractive targets for threat actors, he predicts.
“With increased use comes increased risk,” Henderson says.
5G’s Security Architecture
The Nokia report asserts that the average 5G device will lack the resources to properly handle security on its own, which means security efforts should primarily be focused on the service provider level.
But others argue the devices have more than enough computing power to handle security tasks.
Even the most basic 5G device, such as a home thermostat, will contain more than enough computing power to properly run security software, IBM’s Henderson says.
Cybersecurity strategy will need to quickly shift toward devices to perform policy enforcements, Barracuda’s Tanner argues. “Any security solution that has to backhaul traffic via proxy or network routes will suffer from performance degradation and potential reduced efficacy,” he says.
And because devices connecting over 5G become exposed to the internet by default rather than through configuration, ensuring the devices are free from security flaws is essential, he adds.