5G Security Problems Must Be 'Addressed from the Offset'

Study: 5G Security Problems Must Be ‘Addressed from the Offset’

Written by James Anderson
December 16, 2020

The method of 5G delivery is going to evolve, and so must security.

Channel partners must play a key role in ensuring their customers’ 5G security.

Jimmy Jones, telecoms cybersecurity expert at Positive Technologies, said partners will need to increase their lines of communication with mobile operators, analysts and customers as 5G presents new threats and attack surfaces.

“They’re going to need to start speaking to the mobile operators as much as possible, because the mobile operators can secure things and will do everything to secure things. They just need to know what they’re securing,” Jones told Channel Partners.

Positive Technologies’ Jimmy Jones

The cybersecurity company on Wednesday released a report on 5G standalone core security. Positive Technologies examined the 5G core in lab environments, working with mobile operators in Asia. Asia-Pacific is outperforming Europe and the U.S. in terms of 5G development.

The report examined standalone 5G networks, which today do not represent the norm. At present, most mobile operators take a non-standalone approach to 5G, which entails a 4G network core and a 5G edge.

However, Gartner predicts 5G investment to surpass that of 4G in 2022. And Jones said development of standalone 5G networks may ramp up as the internet of things matures. The situation will evolve to the point where the core is 5G and parts of the edge are 4G. Jones said this might be a five-year process.

Source: Positive Technologies’ Standalone 5G core security research

The Concern

Positive Technologies noted that although mobile operators are making a gradual evolution to standalone 5G, they will encounter a drastically different set of 5G security problems at the end of that path. Thus, operators and partners need to tackle those head-on before it’s too late.

“There is a risk that attackers will take advantage of standalone 5G networks while they are being established and operators are getting to grips with potential vulnerabilities,” said Dmitry Kurbatov, chief technology officer of Positive Technologies. “Therefore, security considerations must be addressed by operators from the offset. Subscriber attacks can be both financially and reputationally damaging — especially when vendors are in tough competition to launch their 5G networks. With such a diverse surface of attack, robust core network security architecture is by far the safest way to protect users.”

One such example is packet forwarding control protocol (PFCP), a key 5G protocol that threat actors can exploit for denial-of-service and other attacks. Positive Technologies also found vulnerabilities in HTTP/2 protocol, which aids network functions in registering profiles on 5G networks. You can find detailed analysis in Positive Technologies’ 21-page report.

But in the Meantime …

Positive Technologies examined non-standalone 5G networks back in the fall and concluded that most 5G networks will rely on 4G LTE networks in the upcoming years. As a result, mobile operators would be foolish to focus on 5G-only security.

“… true 5G security must go beyond the features built into standalone architecture,” said Pavel Novikov, head of the Positive Technologies’ telecom security research team. “Cost efficiencies can be gained by building a hybrid network that supports both LTE and 5G which will enable a future-proofed next generation network in the longer term.

Palo Alto Networks last month updated some of its firewalls with protocol that reflect “industry-first” 5G security.