5G wireless technology and IoT devices are a staple of both modern consumers and businesses, helping people and organizations communicate quickly and effectively, as well as collect, transmit and process data for better outcomes.
However, as with all technologies, the attack surfaces of 5G and IoT are growing with increasing popularity and usage and the corresponding demands of consumers or companies. As such, these innovations always bring new or looming risks that malicious hackers can exploit, as well as explicit strategies that organizations should know to counter these threats.
Current challenges and risks of 5G / IoT
An important difference between 5G and its legacy networks is that 5G involves an untrusted core network between the subscriber end and the unified data management environment, while legacy networks had a hierarchical trust model.
SEE: Mobile Device Security Policy (TechRepublic Premium)
As usual, security is downplayed here in favor of speed and efficiency to meet the increasing data and traffic demands of 5G, but this can actually be a costly understatement of security value, even when only using private 5G networks. New technologies are often not fully analyzed and understood before or during rollout, leading to security gaps.
A Trend Micro report on the challenges of securing 5G cites the fact that “48% of operators admit their biggest challenge is not having enough knowledge or tools to deal with security vulnerabilities. A limited pool of security professionals, as reported by 39%, further reduces internal knowledge.”
A lack of knowledge can have devastating consequences. The global coronavirus pandemic has proven the value and importance of supply chains to provide consumers and businesses with necessities and supplies.
A 2021 report by the Cybersecurity and Infrastructure Security Agency on potential threat vectors to 5G infrastructure identified supply chain risks as a particularly dangerous threat in the 5G space.
“Those countries that buy 5G equipment from companies with compromised supply chains could be vulnerable to data interception, tampering, disruption or destruction,” the report said. “This would pose a challenge when sending data to international partners where one country’s secure network could be vulnerable to threats due to an untrusted telecommunications network in another country.”
In terms of IoT devices, using unencrypted data storage can pose a huge risk, especially when it comes to portable, easily lost, or easily stolen items. Malware poses a significant threat to unsecured data.
These devices typically lack strong passwords and network access controls, and tend to rely on public Wi-Fi data transmissions. Botnets are another disruptive factor that can target IoT devices for malicious purposes.
A 2021 Intersog report on IoT security statistics identified some similar concerns about 5G security: “Globally, 32% of companies that have already adopted IoT consider data security issues related to the lack of qualified personnel as the most critical concern for their IoT ecosystem . Thirty-three percent of these organizations consider device attacks to be a top concern.”
This is a significant concern for an industry expected to spawn a nearly $31 billion security market by 2025 with 40 billion connected devices worldwide.
This report also found that 58% of IoT attacks were perpetrated with the intention of mining cryptocurrency, demonstrating the myriad of ways malicious actors can capitalize on IoT vulnerabilities.
Anubhav Arora, Vice President of Security Engineering at Cradlepoint, a provider of cloud-managed wireless edge network equipment, advocates a comprehensive understanding of 5G technology and the establishment of security infrastructures to support all transport layers. This is because increased traffic path and routing complexity can result in an inability to detect normal activity.
“The misconception is that 5G is just a data transport technology,” Arora said. “Most cybersecurity teams focus on application and operating system vulnerabilities due to their criticality and scale. On the surface, 5G networks are a transport technology – it moves data from one place to another – and as such is often deprioritised in security reviews. However, this view fails to take into account the significant difference between 5G and other transport protocols, including how 5G may create or reduce risk.”
Arora noted that an attacker could capitalize on 5G vulnerabilities by using 5G network connections for lateral movement or as a proxy for initial access to victim organizations. By not distinguishing between normal and suspicious 5G transport behavior, a threat actor could roam the network more freely with less chance of detection.
Recommendations for business end users, IT departments and consumers
Arora recommended a zero-trust network access environment to protect and secure 5G.
“Examples would include a built-in next-generation firewall, robust network slicing management, intrusion detection and response, and user access awareness,” said Arora. “It’s also important to understand that new vulnerabilities will not only be introduced by 5G, but also by how other technologies in the environment interact with 5G.”
In my view, symmetric encryption is another key element to secure 5G. This is more powerful than a public key infrastructure, can significantly reduce attack vectors and is fast, efficient and easy to implement. This type of encryption relies on a single key, which makes the technology easier to use, but it’s important to rotate the key regularly for best results.
5G edge security can be another viable tool in the fight, especially multi-access edge computing that can protect mobile device activity.
Managed security services for 5G are another option to ease the burden. Sometimes it can be a valuable investment to delegate responsibilities to experts, freeing company resources for other endeavors. Examples of such providers are Palo Alto Networks, A10 Networks, AT&T, Ericsson and Nokia.
SEE: How to Recruit and Hire a Security Analyst (TechRepublic Premium)
A comprehensive guide to 5G security from CISA includes a number of strategic initiatives and can be found here. Reading of the guide is recommended for IT professionals tasked with deploying, maintaining and/or securing 5G networks.
For IoT devices, Arora recommends using network segmentation and slicing to isolate devices from potential threats. He also stressed the importance of a differentiated implementation plan, IPS/IDS systems to protect IoT devices and their respective networks, and thorough and regular risk assessment.
I also urge companies to routinely patch and update IoT devices, use strong password measures, and avoid authenticating to corporate systems or transmitting data over public networks. Implement device tracking and monitoring whenever possible, and always use an employee check-in and check-out process for issuing and returning IoT devices. Ensure that terminated employees no longer have such devices in their possession.
Any given set of information is only as valuable as it was last published, updated, or examined. Threat vectors are constantly evolving and new risk variants are inevitable, so subscribe to vendor alerts and newsletters and stay up to date with the latest developments and conditions. Proper understanding of how new technologies work, identifying the risks and vulnerabilities, determining how to apply official security standards and policies, and ongoing education and awareness training is critical for both IT professionals and end-users and consumers at large.