5G is the next step in the evolution of mobile communication. More than just a quantitative evolution similar to previous generations, 5G will provide completely new capabilities for a myriad of new use cases on a large variety of devices across many new industries. Our future civilization will run on 5G. 5G networks will change the market landscape, influence stakeholders’ relations, and process much of the world’s business in real time; think medical procedures, financial transactions, remote industrial automation, military operations or delivery of local emergency services. It comes as no surprise, then, that 5G is expected to become the most critical infrastructure.

5G networks are expected to serve about 7 trillion heterogeneous connected things. Compared to the previous generation of mobile communication, the 5G infrastructure we are building now must achieve this scale while providing:
- 1000 times higher wireless area capacity and more varied service capabilities;
- A secure, reliable and dependable Internet with “zero perceived” downtime for service provision;
- Up to 100 times higher user data rate;
- Up to 10 times longer battery life for massive IoT devices;
- Up to 5 times reduced end-to-end latency; and
- Support for diverse requirements such as higher speeds for enhanced Mobile Broadband (eMBB), Ultra-Reliable and Low-Latency Communications (URLLC), and large density of connections and long battery life for massive Machine Type Communications (mMTC).
- Millimeter-Wave communications with new waveforms – same in UL (Uplink) and DL (Downlink);
- Massive MIMO (Massive Multiple In Multiple Out) with beam-forming and beam management is available due to frequency range – wavelength, size of antenna and spacing characteristics;
- Network slicing – provides a way for service providers to enable Network as a Service (NaaS) to specific subscriber groups, giving them the flexibility to manage their own devices and services according to specific needs;
- Very high throughput (1-20 Gbps) – eMBB (Enhanced Mobile Broadband) supports 3D video transmissions with 4K or 8K resolution screens, online gaming, etc.;
- Ultra-low latency (<1ms) – important for mission critical services such as augmented and virtual reality, telemedicine and healthcare, intelligent transportation and industry automation;
- Massive connectivity for vehicles, mobile subscribers, enterprises, IoT, etc.;
- High availability and dense coverage capable of providing unlimited connectivity for billions of different subscribers; and
- Low energy consumption with up to 10-year battery life for M2M (Machine to Machine) communications.
5G security challenges in architecture

Some of the most important 5G architectural changes are in:
- the physical structure of the network (to provide low latency and localization);
- networking functions virtualization (components are placed across distributed edge and centralized core clouds); and
- implementation of flexible software-based architecture technologies such as SDN (Software Defined Networks), SDA (Software Defined Access) and SDR (Software Defined Radio).
- User equipment threats – malware, sensor susceptibility, TFTP (Trivial File Transfer Protocol) MitM (Man in the Middle) attacks, bots DDoS (Distributed Denial of Service), firmware hacks and device tampering.
- Air interface threats – MitM attack and jamming.
- Typical RAN threats – MEC server vulnerability and rogue nodes.
- Representative backhaul threats – DDoS attacks, CP/UP sniffing and MEC backhaul sniffing.
- Packet core and OAM (Operation, Administration, and Maintenance) threats – virtualization, network slice security, API (Application Programming Interface) vulnerabilities, IoT core integration, roaming partner vulnerabilities, DDoS and DoS attacks, and improper access control.
- SGI (Service Gateway Interface)/N6 and external roaming threats – IoT core integration, VAS (Value Added Services) integration, application server vulnerabilities, application vulnerabilities, API vulnerabilities.
5G security and encryption

Encryption is affecting 5G security too, and the other way around. In an increasingly digital world, encryption has become the primary mechanism for securing information. However, while encryption techniques were developed to enable enterprise security over the Internet, they are now being co-opted in service of cyber-attacks. Gartner predicts that encryption will be used in more than half of new malware campaigns in 2019 and more than 70 percent in 2020. The security of mobile, cloud and web applications depends on proven and optimally implemented encryption mechanisms, including their keys and certificates. But threat actors are up to date with the latest encryption mechanisms as well.

Network visibility becomes more complex. Where encryption is used, the network operator’s ability to analyze the traffic and conclude if it is malicious is limited. Security solutions need to provide estimates of which traffic is protected by encryption and which is not, while simultaneously estimating what traffic is contaminated and what is not. With deep packet analysis no longer viable due to encryption, as well as the volume and speed of data, other technical solutions such as intra-flow metadata (Encrypted Traffic Analytics) should be explored.

Quantum computing may take root within the next decade, but the growth of 5G infrastructure is far more imminent and certain, with an expected service life way past the expected arrival of quantum computing. This means that the risks of quantum decryption need to be addressed now. Quantum technology is expected to be capable of breaking 99% of the encryption used by today’s enterprises, including data stored on a digital Blockchain. This means that governments and ICT stakeholders will need to upgrade to quantum-resistant cryptography soon, before quantum computers become available.

SK Telecom, South Korea’s largest mobile operator, has already developed Quantum Key Distribution (QKD) technology for its 5G network.
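
The intra-flow metadata approach mentioned in the encryption discussion above can be illustrated with a short added example (not part of the original article): it summarises a flow from packet sizes, directions and timing only, without touching the encrypted payload. The flow records, function names and thresholds are assumptions made for illustration.

```python
from statistics import mean, pstdev

# Constructed sample flows: (seconds since flow start, direction, record bytes).
# "out" = client to server, "in" = server to client. No payload is inspected.
BROWSING = [(0.00, "out", 517), (0.04, "in", 1460), (0.05, "in", 1460),
            (0.31, "out", 126), (0.90, "in", 1460), (2.75, "out", 342),
            (2.81, "in", 980), (7.10, "out", 95)]
PERIODIC = [(i * 30.0 + d, "out", 208) for i, d in
            enumerate([0.0, 0.02, -0.01, 0.01, 0.0, 0.03, -0.02, 0.01])]

def flow_features(packets, splt_len=5):
    """Summarise one flow using only sizes, directions and timing."""
    times = [t for t, _, _ in packets]
    gaps = [b - a for a, b in zip(times, times[1:])]
    sizes = [n for _, _, n in packets]
    # Coefficient of variation: values near 0 mean machine-like regularity.
    gap_cv = pstdev(gaps) / mean(gaps) if gaps and mean(gaps) > 0 else 0.0
    size_cv = pstdev(sizes) / mean(sizes) if sum(sizes) else 0.0
    return {
        "packets": len(packets),
        "out_bytes": sum(n for _, d, n in packets if d == "out"),
        "in_bytes": sum(n for _, d, n in packets if d == "in"),
        # Sequence of packet lengths and times: signed length (negative for
        # server to client) paired with the gap since the previous packet.
        "splt": [(n if d == "out" else -n, round(g, 2))
                 for (_, d, n), g in zip(packets, [0.0] + gaps)][:splt_len],
        "gap_cv": round(gap_cv, 3),
        "size_cv": round(size_cv, 3),
    }

def looks_periodic(features, max_cv=0.1, min_packets=6):
    """Illustrative heuristic; the thresholds are assumptions, not tuned values."""
    return (features["packets"] >= min_packets
            and features["gap_cv"] <= max_cv
            and features["size_cv"] <= max_cv)

if __name__ == "__main__":
    for name, flow in (("browsing", BROWSING), ("periodic", PERIODIC)):
        f = flow_features(flow)
        print(name, f, "periodic:", looks_periodic(f))
```

In practice such features feed a classifier trained on labelled traffic; a single threshold like the one here only separates the two constructed flows.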
5G and Privacy Issues

Protection of personal privacy is a critical aspect of 5G security. Challenges include access to location information, or leakage of personal voice, health, and lifestyle data.
Location Privacy

As the use of positioning technologies has become more widespread, mobile applications using Location-Based Services (LBSs) have contributed more and more to mobile big data. This has raised important privacy security issues. Users usually need to submit some personal information to the trusted LBS server to obtain the service data, and traditional procedures assume that this information is discarded immediately after use. However, the data may be cached and reused in the future, exposing it to increased threats. Privacy requirements need to be elevated, and breaches prevented by stopping certain queries from being sent directly to the server.

WiFi localization based on fingerprint is considered to be a promising technology for indoor localization. However, mapping the recorded fingerprint to the service provider’s database could be used to divulge a subscriber’s location. Threats such as semantic information attacks, timing attacks, and boundary attacks mainly target the location privacy of subscribers. At the 5G physical layer, location privacy can be affected by inappropriate choice of available access point algorithms.
Data Privacy

Generally, subscribers allow service providers to access their data without awareness of the privacy risks of sharing their data or an understanding of how their data will be used. They are often left with no choice but to trust that private data are being handled properly by the service provider, and are not redirected to unauthorized destinations. However, if users were more aware of and more knowledgeable about privacy risks, they would be able to make wiser choices about where and how they share their information. Even personalized privacy policies can include sensitive information desirable to privacy attackers. Most smartphone applications require details of the subscriber’s personal information before installation. The application developers or companies rarely mention how data are stored and how they are going to be used.

International Mobile Subscriber Identity (IMSI) catching attacks can be used to uncover the identity of a subscriber. Such attacks can also be initiated by setting up a fake base station, which the user’s device recognizes as the preferred choice with which to share the subscriber’s IMSI.

Moreover, 5G networks have different actors such as Virtual Mobile Network Operators (VMNO), Communication Service Providers (CSPs) and network infrastructure providers. All of these entities have different priorities for security and privacy. Synchronizing these disparate privacy policies will be one of the chief challenges of 5G privacy. In previous network generations, mobile operators had direct access and control of all system components. However, 5G mobile operators do not have full control of the system, as it is logically and physically dislocated. User and data privacy are seriously challenged in shared environments, where the same infrastructure is available to different stakeholders. Moreover, there are no physical boundaries of a 5G network, because cloud-based data storage and NFV features are implemented.
Sensitive Information

Social networks attract a lot of users, and social network data contain users’ sensitive information, such as social relationships, social habits and personal data. This data is stored in different forms. For example, since images contain rich and colorful content, image search has been deployed in a wide variety of applications. In the era of big data, many small organizations choose to outsource image search to public clouds to reduce costs. This creates increased opportunity for privacy breaches. Many images contain sensitive information, such as personal identity, locations or healthcare information – storing these with appropriate protection is a major concern.

The integration of Internet of Things (IoT) and cloud computing is becoming a key driver of digital transformation in the healthcare industry. The emergence of cloud-assisted e-healthcare systems enables patients to supply their personal health information (PHI) to high quality and efficient medical services. While this paradigm shift has brought new opportunities and many benefits to healthcare organizations, it has also raised a number of security and privacy issues.

There are also regulatory aspects of security which affect 5G architecture. For example, in order to comply with the GDPR, any company in Europe which collects, stores and processes personal data has a number of obligations. Failure to comply with the GDPR can have significant consequences. Only a secure and threat-centric approach to 5G architecture can ensure conformity to GDPR.

Effective 5G security cannot be achieved through a one-size-fits-all approach. Different 5G system entities will have different security needs – understanding this will be foundational to building secure network operations.
5G Security Conclusion

Yes, 5G will enable new use cases that aren’t available today, with huge potential benefits for the world at large. But it will also create new opportunities for those who wish to exploit this new technology. As potentially the most critical of critical infrastructures, it will also need to be the safest and most secure. Understanding how enormously different 5G cybersecurity challenges are from the traditional ones is the first step.

The 3rd Generation Partnership Project (3GPP) unites seven telecommunications standard development organizations (ARIB, ATIS, CCSA, ETSI, TSDSI, TTA, TTC) and covers cellular telecommunications network technologies, including radio access, the core transport network, and service capabilities, including work on codecs, security and quality of service, and thus provides complete system specifications.
(This article was originally published on https://5G.Security)