One of the least surprising announcements at Apple’s annual iPhone event earlier this month was the addition of 5G across its lineup of phones. They join a growing list of manufacturers, including Samsung, OnePlus and Motorola, that have included the technology in their flagship offerings. All the major carriers have run advertisements promising faster speeds, better coverage, and more security. So, what does this mean for our future?
The fine print on these ads talks a lot about “ideal conditions"—which means that while the major carriers are in a race to provide nationwide 5G, most early adopters outside of large cities will see limited coverage at best for the near future. Sports stadiums, which have been notably empty this year, will see noticeable improvement in capacity, allowing for much faster photo and video upload at games and concerts. Once coverage has improved, we can expect a greater adoption of 5G as the connection standard for home internet providers, mobile computing in tablets and laptops, as well as Internet of Things (IoT) devices like smart speakers and TVs.
What's the biggest benefit of 5G? Well for one—its a huge leap forward for security.
Increased security has been a focus of 5G (“Fifth Generation”) development, since the initial draft of the specification by the 3rd Generation Partnership Project (3GPP). The 3GPP, with oversight from the UN International Telecommunication Union (ITU), has designed the specifications for each generation of mobile communication since 1998, starting with 3G. The three key principles of their “Secure by Design” approach are mutual authentication, zero trust networking, and mandated encryption.
Authentication is core to wireless networking, establishing a device’s identity and validating access credentials. In the 5G specification, both primary (inside a carrier’s network) and secondary (connecting to a different network, such as another carrier or the wider internet) authentication methods utilize a mutual approach that secures the connection end-to-end (E2E).
Zero trust has become a buzzword in cybersecurity as a new model for interacting with networks as they evolve from the traditional perimeter approach. At its core, zero trust means that no device on a network should automatically trust other devices, but rather trust should be established before two devices communicate. This has become critical as the rise of BYOD and IoT devices brings many unmanaged devices into corporate networks. It is good to see this practice extended into telecommunications as well.
Mandated encryption seems obvious when you consider how long confidential transactions—such as online banking—have been taking place on the internet. Still, a good amount of metadata on existing 3G and 4G networks could be intercepted and pieced together to create a narrative about a device or user, seeing where, when, and who they communicated with. 5G looks to change this by acknowledging that any link could be tapped and ensuring that any encrypted data intercepted is worthless.
These security changes that come with 5G are a marked improvement over the existing telecommunication networks of today. Still, they are not without fault or flaw, as has been highlighted in several research projects including a presentation at Black Hat 2019, called “New Vulnerabilities in 5G Networks” by Altaf Shaik, a graduate student at the Technical University of Berlin and Kaitiaki Labs, and his partner Ravishankar Borgaonkar of SINTEF Digital. The pair were able to demonstrate the ability to track devices across networks in the U.S. and Europe, using the small amount of information that is exposed in plaintext. They also outlined attacks that could force slower speeds, quickly drain batteries, or downgrade the connection to disable voice over LTE and force it to use 3G or 2G voice calling.
As is the case with most responsible disclosure, these flaws were addressed in more recent releases of the 5G standards. It does highlight, however, a core issue with most progressive standards: backwards compatibility. Until all connections are 5G, they remain vulnerable to issues affecting previous generations. The good news is that most of the major carriers have announced plans to shut down their 3G networks in the next several years, removing one rung from the ladder.
As more types of devices get 5G capable chipsets, the traditional network model erodes further. When all devices have an independent internet connection, the idea of a network perimeter vanishes almost entirely. This shifts the security burden to the device itself, instead of a network firewall or intrusion prevention system, you are placing trust in the device vendor to secure it against attacks coming from the internet at large.
It also creates out-of-band (OoB) connections that can’t be monitored with purpose built security tools for risks such as data exfiltration. Corporate networks will need to adopt stricter policies on use of personal devices and ensure connected devices use secure configurations, disabling OoB connections if possible.
Many current smart TVs collect data about the content they play, with features designed to better tailor ads to your interests. These features can often be disabled or blocked at the firewall, but in the future manufacturers could include cellular connections to collect that information in a way that can’t be prevented.
To protect yourself, the best course of action will be to thoroughly vet the vendors that you purchase devices from and choose ones that focus on privacy and don’t profit from information sharing. Keeping your devices up to date on security patches and firmware updates will limit your risk exposure.
As dystopian as some of this has sounded, our connected future has its bright spots. The standards group places a heavy emphasis on security and privacy, and has shown that they will quickly respond to flaws discovered in the technology used to connect us. With proper caution and attention to the potential risks, 5G is on track to make our increasingly mobile world more secure.
At IGI, we help our customers navigate nearly all aspects of cybersecurity, and in many cases serve as a virtual Chief Information Security Officer (vCISO) that manages their complete security program. The future of organizational security starts with understanding how secure our connected devices are, which is why we built Nodeware.