As countries around the world begin deploying 5G technology, the promises of faster speeds and better service sometime obscure a host of security issues affecting the next-generation cellular technology. These security concerns exist despite improvements in data encryption, authentication and privacy embodied in recent releases of the Third Generation Partnership Project (3GPP), the technical standards organization for cellular communications.
The most prominent of 5G security fears are highlighted in the Trump administration’s fight to ban technology from China’s tech giant Huawei from U.S. next-generation networks. The U.S. government is also seeking to persuade European and other allies to shun Huawei, an effort that has met with limited success. The basic fear driving the Huawei ban is that the company caters to the government in Beijing and might very well embed surveillance capabilities into its technology or otherwise spy for the Chinese government, making 5G completely insecure from the get-go.
Old cellular vulnerabilities not addressed by 5G
Other security issues in 5G technology have been flagged by experts. One expert, Roger Piqueras Jover, kicked off a talk on the topic at this year’s Shmoocon conference by noting that although some mobile technology companies tout 5G as more secure, researchers are pointing out problems and before the technology has even launched. (Jover is a security engineer in the CTO’s office of Bloomberg L.P. by day but a mobile technology researcher on the side. His mobile technology analysis does not reflect the views of Bloomberg).
In his presentation, and later in discussions with CSO, Jover said the main overarching problems plaguing previous generations of mobile technology – GSM, 4G, and LTE – have not been addressed in 5G standards and plans. One, in particular, the ability to intercept so-called pre-authentication messages between the user’s base station and the cellular tower, still exists in the 5G specifications and proposed architectures and could allow attackers to intercept messages in the clear.
“In cellular, your phone hears broadcast messages from a tower. Could be 3G, could be 4G, could be 5G. The tower is saying, ‘Hey, I’m your operator,’” Jover explains to CSO. “There is no cryptographic way to verify that, so you implicitly trust that that’s true.”
There is a cryptographic handshake once the carrier begins to route the messages. Still, in this pre-authentication stage, “There are a lot of messages exchanged in both directions that you implicitly trust. You trust that you are talking to a real operator, and the operator trusts that it is talking with a smartphone,” Jover says.
By abusing these unprotected messages, malicious actors can do “all kinds of things.” Both LTE and 5G standards developed to thwart this international mobile subscriber identity (IMSI) catching, or in the terminology of 5G technology, Subscription Permanent Identifier (SUPI) attacks, but those standards are optional. In general, optional features never get implemented, Jover said.
The digital certificate solution
One solution to this problem is straightforward, according to Jover. Implement digital certificates in 5G, along with the signifiers that indicate the connection is using encryption technology. “Certificates have been used for over ten years. This technology is fairly mature. Why not use the same technology?” he says. “I personally feel comfortable typing my credit card in a website” that has an HTTPS lock icon in the address bar, indicating an encrypted connection.
“You could, and probably should, use digital certificates to provide these devices with a way to cryptographically verify that they are indeed talking with a base station,” says Jover. These certificates could also help screen out sites from undesirable sources or locations. “If you use digital certificates, you can very easily decide which certificate authorities you trust.”
There are some complications, Jover notes. First, as he acknowledged at Shmoocon, “It would require a lot of global efforts of standards,” because 5G standards don’t currently accommodate this kind of encryption certification. Secondly, smartphones have no way of blocking in advance certificates that were once trusted but have now been revoked, because until users actually make a connection with the carrier, they aren’t able to access the internet.
Although it might be helpful to have digital certificate capability in 5G networks, “There are 20 problems with 5G, and this might be problem number 17,” cryptographer and fellow and lecturer at the Harvard Kennedy School Bruce Schneier tells CSO.
Certificates won’t solve all 5G trust problems
Although Schneier said he had not reviewed Jover’s work, he argues there are much larger and more significant security concerns that surround the deployment of 5G. “You don’t jump from a certificate system that helps authenticate unauthenticated messages to solving the ‘trust’ problem,” Schneier says. “We’re afraid that Huawei puts backdoors in their chips. That is a trust problem that has nothing to do with unauthenticated messages.”
As both Jover and Schneier acknowledge, there are a lot of security problems with 5G up and down multiple layers of its protocol stack. Both appear to be fans of the 5GReasoner proposal put forth by researchers from Purdue University and the University of Iowa that presents a framework for dealing with the complex and use-case-sensitive issues surrounding 5G. “That paper is the greatest thing that has happened in cellular,” Jover tells CSO.
The truth is, “Nobody wants 5G security,” Schneier tells CSO. “Governments like spying on 5G. Carriers don’t care very much. They’ll do what the law says.”
A lot of those vulnerabilities that carried over from 4G were put there by the government, or at least weren’t fixed in the [standards-setting body] ITU,” Schneier says. In short, it’s too late to do anything about 5G security at the foundational levels. If that’s true, the world will have to wait for security fixes in 6G, which will likely deploy commercially around 2030, according to most experts.