As the rollout of 5G networks accelerates, government officials are voicing concerns about the security of these deployments in a new analysis that highlights supply-chain threat vectors and vulnerabilities inherited from legacy infrastructure.
The fifth-generation technology standard for broadband cellular networks has long been touted as a game changer for the connectivity levels needed for emerging applications, including Internet of Things (IoT) devices, smart cities and autonomous vehicles.
However, 5G has also sparked security concerns, highlighted this week in a joint analysis by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Office of the Director of National Intelligence (ODNI) on the potential threat vectors inherent in 5G infrastructure.
The deployment of 5G can “introduce significant risks that threaten national security, economic security, and impact other national and global interests,” according to the analysis. “Given these threats, 5G networks will be an attractive target for criminals and foreign adversaries to exploit for valuable information and intelligence.”
As major U.S. carriers like AT&T, Verizon and T-Mobile build out 5G strategies, and smartphone manufacturers like Apple and Samsung offer devices with 5G compatibility, government officials have been mulling over how to proactively secure 5G networks.
In August, CISA released the National Strategy to Secure 5G, which outlined step-by-step measures for rolling out 5G, assessing and addressing the security risks of 5G infrastructures and promoting “responsible global development” of 5G networks. As part of this national strategy, a 5G Threat Model Working Panel was established, which released the joint analysis paper on Monday.
5G Networks Roll Out
5G decreases power requirements for devices and offers improved network performance, including download speeds 100 times faster than 4G, according to CISA. 5G networks are composed of several key components. Like 4G networks, 5G networks will leverage macro towers, which provide radio coverage served by a high-power cell site. However, they will also require small cells, which will serve as signal repeaters for devices to provide improved speed.
Mobile devices, such as smartphones and tablets, communicate with these cells via a radio base station that generates a radio frequency signal between the two. Finally, data is routed through all the different parts of the radio access network, which connects mobile devices to other parts of the network overall through radio connections.
5G is being implemented in a number of different ways during its rollout. The future goal for 5G deployments is standalone mode (SA-NR), where the 5G radio access network will connect to a 5G core network. Currently, however, many 5G networks are being deployed in non-standalone mode (EN-DC), where 5G base stations are integrated with existing 4G networks.
Vulnerabilities 'Inherited' From Legacy Infrastructure
This use of existing infrastructure creates concerns for organizations deploying 5G network-enabled applications without considering the security implications, Jonathan Nguyen-Duy, vice president, global field CISO team at Fortinet, said.
“5G brings a new set of security challenges, stemming from its limited built-in security, open nature and ubiquitous adoption in the enterprise,” said Nguyen-Duy. “5G will require security at the edge for all devices and applications. As more endpoints are added to the network, the threat landscape becomes larger, splintered, and harder to manage and maintain.”
Vulnerabilities have previously been discovered in both 4G and 5G networks, including flaws uncovered in 2019 by a group of academics who claimed that the flaws could be exploited to intercept phone calls. The joint analysis illustrated one scenario, for instance, where a bad actor could tap into previously disclosed vulnerabilities in the Signaling System 7 (SS7) telecoms standard. In a hypothetical scenario, according to the analysis, attackers could access a 5G small cell near a U.S. government office, and configure the small cell to allow them to exploit these vulnerabilities, ultimately allowing them to access components in use by employees in that nearby office.
“The threat actor can then use that information to gain further access into more secured networks, potentially gaining access to sensitive data,” according to the analysis.
The idea of 5G paving the way for edge computing applications like autonomous vehicles, where traffic computing is moved from the centralized cloud to the edge, opens up more potential security holes. According to the analysis, edge applications that contain various system components, such as operating systems, applications and hypervisors, may provide threat actors with a wider attack surface to intercept sensitive data. The joint analysis pointed to a scenario where a firmware vulnerability in a multi-access edge computing application could be used by cybercriminals to gain a persistent foothold on the system, enabling them to deny access to data and impact the ultra-low latency required by many 5G use cases.
“The malicious actor can use this access to impact the confidentiality, integrity, and availability of the network by stealing sensitive sensor and user equipment data, modifying data streams, and denying access to certain data or sensor streams,” according to the analysis. “The malicious actor now has the bandwidth to gain full access to the RAN and is able to clone end-users’ devices.”
Supply-Chain Security Concerns
The joint analysis also pointed to several supply-chain security challenges. U.S. intelligence agencies have previously alleged that manufacturers with close ties to the Chinese government, like Huawei, could pose national security concerns. While intelligence agencies have not publicly shown evidence backing up these claims, the joint analysis highlighted potential scenarios for bad actors to introduce various holes in the supply chain that “enable a malicious actor to impact the confidentiality, integrity, or availability of data that travels through the devices and to move laterally to other more sensitive parts of the network.”
This possible introduction of “untrusted technologies” could be malicious hardware or software, such as counterfeit components - or it may be an inadvertent weakness, such as poor designs, manufacturing processes or maintenance procedures, according to the analysis.
For instance, as various nations contribute to the development of technical standards, the analysis warned there is a potential for these standards to include “untrusted technologies” that may force customers to adopt them - and ultimately limit the ability of "trusted" companies to compete in the 5G market. According to the analysis, the global market for 5G radio access networks is dominated by manufacturers like Huawei, Nokia, Ericsson, and to a lesser extent Samsung and ZTE.
“The custom 5G technologies that do not meet interoperability standards may be difficult to update, repair, and replace or they could be entirely invisible to the customer,” according to the analysis. “This potentially increases the life-cycle cost of the product and delays 5G deployment if the equipment requires replacement.”
Securing 5G: Moving Forward
In its National Strategy to Secure 5G, CISA outlined five strategic initiatives to tackle the overarching security concerns facing 5G networks.
These initiatives include increased collaboration with “trusted market leaders” in order to develop 5G policy and standards, the development of a common framework to evaluate 5G supply chain risks and the encouragement of innovation to foster trusted 5G vendors.
At the same time, CISA is looking to engage with critical infrastructure sectors that are deploying 5G networks to communicate best practices for securing the infrastructure, and is taking steps to share risk management strategies across the market.
Nguyen-Duy said that every part of the ecosystem has a role to play when it comes to security, from mobile network operators to service providers and enterprises, to end users, who are responsible for following security best practices.
“Edge cloud policies and enforcement will need to remain consistent with those in the core, meaning the inclusion of centralized orchestration and autonomous edge security to ensure both consistency and time to respond,” he said. “If organizations don't have a platform approach that can provide security across all edges, this will be difficult to impossible.”