It has been reported that security researchers at Purdue University and the University of Iowa have found close to a dozen vulnerabilities in 5G, which they say can be used to track a victim’s real-time location, spoof emergency alerts that can trigger panic or silently disconnect a 5G-connected phone from the network altogether. 5G is said to be more secure than its 4G predecessor, but the researchers’ findings confirm that weaknesses undermine the newer security and privacy protections in 5G. Worse, the researchers said some of the new attacks also could be exploited on existing 4G networks.
The introduction and rollout of new technology will always have challenges. With technology such as 5G, the major problems come when you are retrofitting old technology to suit and work with new technology. The use of functionality in a way it was not designed for is an useful method for finding vulnerabilities and can be a gateway into compromising security controls.
One of the main perks of 5G is that security has been taken into account from the start of the design process. With some of the 5G use cases being designed for low latency use such as location data & sporadic alerting (emergency alerts), these issues will be present independent of 5G, 4G, 3G etc. We need to lock down how that functionality is used and processed in order to remove the risk of it being exploited by a malicious attacker.
In the past, with similar vulnerabilities in software, the argument has been should we really care if someone knows where a handset, what is the risk? In my opinion, this is serious threat as it allows for location tracking to potentially be used discrediting an individual based on location, track and intercept, as well as disconnect your phone at a time of need. This is especially worrying for high profile individuals, and is a really scary threat that needs to be addressed. In addition, as 5G is designed for commercial use, we will no doubt see it being used in the automotive space, as many cars these days have mobile devices inbuilt and the speed of 5G better suites this use case. Thus, if not fixed, this could allow attackers to detect if you are in transit or target drones using the technology.
The other thing to note here is that it is trivial today, as many guides exist online to setup a fake radio base station to target current technologies. No doubt this will also become more mainstream and cheaper for 5G devices as the technology is researched further.
5G networks will bring the next generation of mobile internet connectivity allowing for a smarter and more connected world. However, any new technology is likely to contain vulnerabilities and introduce new cyber threats. The vulnerabilities discovered in this research could put phone users at risk through allowing hackers to track a victim’s real-time location, spoof emergency alerts or disconnect a 5G connected phone from the network. Therefore, 5G providers should take the necessary steps to secure any weaknesses that could undermine 5G security and privacy protections and put users at risk. However, like the cloud, users will have to be aware of these risks and take any necessary precautions to protect themselves.
I\’m not surprised by these 5G developments. Purdue U and Iowa U researchers are excellent at security research, and 5G has massive promise but is a new technology. Whenever a new technology arrives, we will always see a massive spike with risk and then we learn to compensate and fit it into what we do. Security should not be the \”department of no\” but should instead become the \”department of yes\” and where we show the way forward to being connected and resilient. Brakes are not put on a car to stop it; they are on a car to let it confidently go really fast. We\’re already hearing about literally life-threatening services around autonomous vehicles or remote surgery going over 5G, and that\’s scary in a world where confidentially, integrity and availability can\’t be guaranteed.
In general, there are many concerns with 5G equipment and trusting the manufacturer is high on the list. 5G has the potential to expose a lot, from putting too much compute at the edge to support for mesh networks, which are increasingly popular, and demonstrators and dissidents. Whether devices are disruptive via RF (as many are), hacked by hacktivists with screwdrivers, hacked from remote or controlled by rogue suppliers is moot. The real question is what services are critical and shouldn\’t be committed to cellular single points of failure.
5G is such a dramatic increase that any vulnerability has massive implications, and the fact that many 4G resources can be upgraded so-to-speak makes this even more urgent. It\’s also worth noting that some countries, like Switzerland, have slowed or stopped the 5G rollout pending more understanding of the security impact, especially around critical infrastructure.
Everyone is already at risk to some degree, but that\’s no excuse to make things worse. Security isn\’t about just finding flaws though. We have to first ensure, like doctors, that we collectively don\’t make things worse. While location can be tracked in many ways, we shouldn\’t make it easier or cheaper collectively. Then we have a responsibility to fix it!