5G networks: why more security can still mean more risk

Improved network security is one of the promises of 5G – which will become crucial with more and more industry applications relying on mobile connections. As security experts, would you say that a 5G network is secure by design?

Pedro Simao: The 5G specification can definitely improve network security. There are just two issues: most of the current 5G rollouts still depend on 4G and secondly, many security features are optional and – as of now – not widely-adopted throughout the industry.

What kind of security issues will we also come across, with 5G?

Caglar Ekmen: As Pedro mentioned, initial 5G deployments are referred to as NSA, short for Non-Stand Alone. That means the service is anchored on 4G networks. It is basically a boost of speed for the network, but the vulnerabilities in 5G NSA are the same as in 4G. This includes attacks on the interconnection, like location tracking as well as the interception of communications. Also, there are other vulnerabilities when it comes to the air interface, which enable impersonation and interception attacks. We continue to see attacks on APNs, access points to the internet, as well as voice services. To mention just a few.

“Many vendors do not include by default this level of protection”

What is anticipated to improve with standalone 5G?

Pedro Simao: The 3GPP, which is the global cooperation of mobile network standardization bodies, included a lot of security research work in the update of 5G specifications. That is important to acknowledge. One core aspect is the protection of user identity on the radio side. Right now, on certain occasions, your IMSI, short for unique mobile identifier, is transmitted without any encryption. Which opens the door to many kinds of abuse. 5G will include an encryption for this unique identifier, called SUCI. The problem is: the feature is optional, and for this to work, mobile operators need to integrate a certificate in the SIM card. Vendors would need to replace every SIM card in use. Which is why – for lack of knowledge or maybe because of the high pressure to deliver solutions as soon as possible – many do not include this level of protection.

If we look at the huge impact of telecommunication technology on our lives today – how is the threat landscape developing?

Caglar Ekmen: We have been monitoring threats for 15 years and there have definitely been shifts. In the beginning, most of the attacks were related to fraud or to abuse of the network, for example to get services for free. Currently – as mentioned before – most of the risks are related to information leakage, like intercepting communication or the location of subscribers. But new technology brings new risks. With 5G the stakes just become so much higher, because autonomous driving and other business cases will be built on top of it. This includes many critical mission services, like emergency services, police response or energy management. And in many of the industries, like automotive or energy, there is often little knowledge about telecommunication risks.

Pedro Simao: With 5G, the technology moves closer to IT. So the industry is importing the advantages and disadvantages of IT technologies. We expect, for example, more zero-day exploits in the web services and implementation issues that will allow attackers to exploit the infrastructure. In addition, the adoption of cloud services will increase the risk of escaping attacks and abuse of resources. All in all, there will be more attacks and these will be more sophisticated. And by the way: we have been talking about mobile networks all along. Yet 5G heavily relies on fixed fiber lines on street level. So it is also a topic for fixed line operators.

“Mobile operators need automation for security testing”

How can mobile and fixed line operators react to the threats in this new environment?

Caglar Ekmen: We do not believe in a single security assessment methodology anymore. The mobile and fixed line operators need automation of security services, because the environment is changing so dynamically. That is why we automated parts of our testing portfolio, and all of it can be executed remotely.

Pedro Simao: Clients need to create and execute their own security assessments and do continuous monitoring. Our most important resource are our security consultants with a deep understanding on how the networks operate. The architecture, the protocols and services. That is the foundation. On that basis, we can develop security assessments and do penetration testing. There are Blackbox tests, which means we just get SIM cards from the operators shop and conduct attacks towards the network. There are gray-box-type assessments, where we conduct interconnection attacks on network protocols like SS7, Diameter, GTP or SIP. And lastly there are white-box tests, which include interview-based audits, configuration reviews and penetration testing from some internal level of access.

Caglar Ekmen: It is crucial to keep security efforts in mobile and fixed line networks up to speed with the technological ecosystem built on top of them. Otherwise, we are running into a whole lot of trouble.