The arrival of 5G technology will offer incredibly fast wireless communication that can be used to transmit all sorts of data, and while it won’t be able to replace cables entirely, it could replace the need for them in some applications and industries. Apart from fast mobile networks, 5G will also be used to deliver internet to your home. Its speed is also suited for upcoming technologies, such as providing a continuous stream of data required for many self-driving-car systems. However, despite all of these advancements, some experts are saying that if you value IoT security, then you don’t want 5G technology to be deployed any time soon.
The European Union Agency for Network and Information Security (ENISA) has warned security flaws in existing mobile networks could find their way into 5G networks too, which could mean bad things ahead for IoT devices. Currently, millions of insecure devices are being connected to mobile networks without adequate enough thought being given to the authentication and encryption of communications. And why are these devices insecure? The answer is a combination of three factors:
- There is a rush to produce IoT devices which often results in a lack of security considerations in the design phase
- Many IoT devices don’t have the processing power or storage required to host endpoint security software
- Many companies have the intention to fix vulnerabilities through firmware upgrades, but never get around to it because they do not want to disrupt the user base.
With a lack of security features in the connected devices, experts are now fearing that known flaws in SS7 and Diameter, which are signal protocols used to exchange signaling messages between network elements in 2G, 3G, and 4G models could also be included in 5G as well. If so, then we can expect traffic to be eavesdropped or spoofed, and location information to be intercepted.
Even if malicious users are looking at a casual text thread between friends, having an unauthorized third party looking at any of your information is concerning. And with SMS two-factor authentication becoming a more popular method of organization, a lot of your personal information, like banking passwords and more, could be compromised. While SMS two-factor authentication is useful in securing our online accounts, many organizations are under the risky assumption that only a phone’s owner will be able to see the message being sent to them.
ENISA notes, several German banks have seen customer’s accounts drained of funds when mobile one-time passwords sent via SMS were intercepted. The flaws in these two signaling protocols can also be subjected to denial-of-service attacks, as researchers were able to implement DoS attacks on 4G networks using the Diameter signaling protocol, allowing them to disconnect a target’s mobile phone from the network temporarily or permanently.
In a recent report published by ENISA, the organization comments that the ability of 5G networks to support more users and more bandwidth increases many potential dangers. “While work is being done in addressing SS7 and Diameter attacks, only a small portion of the protocols has been studied,” the report says. “These types of attacks are only the beginning. It is expected that new vulnerabilities shall be discovered.”
Yet, one of the biggest issues facing the industry is the lack of action taken towards fixing known flaws. ENISA complained, “Several proposals to secure SS7 and Diameter have never been adopted by the industry (MAPsec, TCAPsec. Diameter over IPsec, Diameter over SCTP/DTLS).” Meanwhile, 5G networks use other protocols in addition to, or instead of. SS7 and Diameter, but this alone won’t put an end to the problem. The use of common internet protocols such as HTTPS, TLS, and the REST API in 5G networks mean that when vulnerabilities in those protocols are discovered, exploits and penetration testing tools for them will be readily transferable to mobile networks too.
Of particular concern to ENISA is that network operators are already talking about rolling out 5G networks, while standard bodies still haven’t nailed down all the security issues.