5G and IoT security: Why cybersecurity experts are sounding an alarm
By Esther Shein
Without regulation and strong proactive measures, 5G networks remain vulnerable to cyberattacks, and the responsibility falls on businesses and governments. Seemingly everywhere you turn these days there is some announcement about 5G and the benefits it will bring, like greater speeds, increased efficiencies, and support for up to one million device connections on a private 5G network. All of this leads to more innovations and a significant change in how we do business.
But 5G also creates new opportunities for hackers.
Gartner predicts that 66% of organizations will take advantage of these benefits and adopt 5G by 2020 — with 59% of them planning to use 5G to support the Internet of Things across their business.
The 5G landscape today
Already, manufacturers including Nokia, Samsung, and Cisco have either started developing 5G enterprise solutions or have publicly announced plans to do so. In the enterprise, full deployment of private 5G networks will take time, as it requires significant investments to upgrade legacy network infrastructures, observers say. In the meantime, there are instances of devices in the workplace already operating on a 5G network. But using IoT devices without a private 5G network or adequate technical knowledge could put organizations’ and their employees’ privacy at risk. “You absolutely have to have [5G security] on your radar right now,” said Monique Becenti, channel and product specialist at cybersecurity provider SiteLock. It’s also critical to have security measures in place for personal data. “If you’re using a mobile device for banking transactions you’re leaving that susceptible to an attacker intercepting that data,” she said. “With 5G, our main concern is with IoT innovations.” Often, developers face pressure to get software quickly to market so critical testing could be missed, Becenti said. “With 5G this isn’t any different–especially in a market where security may not be top of mind.” She pointed out that the IoT devices market isn’t regulated and therefore not required to meet certain security requirements, despite cyberattacks like the Mirai botnet in 2016 and 2018. “Devices are open right now and susceptible … so there are more potential entry points for attackers” that are scanning for open ports in the devices’ software so they can deploy malicious bots and scripts. Telecom provider Ericsson concurred, saying that it is imperative that IoT devices are secure from the start to protect personal data, business-sensitive information, and critical infrastructure.
Why 5G networks pose greater security concerns
There are five ways in which 5G networks are more susceptible to cyberattacks than their predecessors, according to the 2019 Brookings report, Why 5G requires new approaches to cybersecurity. They are:
- The network has moved from centralized, hardware-based switching to distributed, software-defined digital routing. Previous networks had “hardware choke points” where cyber hygiene could be implemented. Not so with 5G.<>/li
- Higher-level network functions formerly performed by physical appliances are now being virtualized in software, increasing cyber vulnerability.
- Even if software vulnerabilities within the network are locked down, the 5G network is now managed by software. That means an attacker that gains control of the software managing the network can also control the network.
- The dramatic expansion of bandwidth in 5G creates additional avenues of attack.
- Increased vulnerability by attaching tens of billions of hackable smart devices to an IoT network.
A call to action on 5G security
From the 5G network point of view, trust in IoT devices is based on trustworthiness of the device’s hardware, software, and configuration, as well as the applications running on it, Ericsson said. It will also be defined by how well network operators and those who manage IoT devices govern:
- Identities and data
- Security and privacy
- Actor compliance with agreed security policies, end-to-end
For their part, businesses can enhance security by ensuring patches are applied in the form of software updates, Bencenti said. “They should also be properly testing these devices in QA [quality assurance] testing before they go to market, and ensure they close any open ports that lead to exposed entry points.” The lack of regulations for 5G security, “is why these attacks happen day in and day out” and is also the reason, “2019 was considered the worst year for cybercrime,” Bencenti said. “If nothing is done to regulate security behind this nothing will get better,” she said. “So we can only communicate with consumers to tell them what best practices” they should follow, such as choosing strong, unique passwords and being aware of their cybersecurity posture. To be sure, the new capabilities that will be made possible by applications on 5G networks hold tremendous promise, the Brookings report said. While the emphasis is on the connected future, at the same time there must be a strong focus on the security of those connections, devices, and applications, the report said.
“To build 5G on top of a weak cybersecurity foundation is to build on sand,” the report said. “This is not just a matter of the safety of network users, it is a matter of national security.”