CISA Identifies Possible 5G Threat Vectors
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) released a new report identifying the potential threat vectors introduced by the emerging 5G wireless technology. The report was produced by a public-private workgroup—officially the Enduring Security Framework 5G Threat Model Working Panel.
5G will connect billions of Internet of Things devices. It's critical that government & industry collaborate to ensure that cybersecurity is prioritized within #5G design and development. Our latest paper assesses the risks & vulnerabilities of 5G: https://t.co/pN6J3LdJOf pic.twitter.com/XvhO8P61kl— Cybersecurity and Infrastructure Security Agency (@CISAgov) May 17, 2021
The CISA panel identified three categories of threat vectors: policy and standards threats, supply chain threats, and systems architecture threats. In general the threats identified involve ways vulnerabilities could be incorporated into 5G networks—either intentionally or through negligence—through which criminals or nation-states can launch cyber attacks.
First, however, here is a quick, oversimplified description of why 5G matters. The Massachusetts Institute of Technology’s (MIT’s) Sloan School helpfully points out that 1G made cellular phone calls possible in 1980 if you didn’t mind carrying around a cinderblock-sized phone. Next, 2G introduced messaging, followed by 3G, which brought Internet access (though time needed to access anything larger than a website with a couple of low-res images was best measured with a sundial).
It was the advent of 4G that changed those devices we carry around in our pockets from communications gadgets to always-available entertainment platforms, with vastly improved download speeds. At fist glance, 5G’s promises of even more speed and vastly reduced latency might sound lackluster, but rest assured, it will be just as game-changing as each previous generation.
Among several use cases outlined by MIT, augmented reality (overlaying virtual information over a live view of the world) requires low latency. In addition, the high speed and low latency will revolutionize the use of sensors to gather and analyze information. The Internet of Things (IoT) is expected to grow exponentially with 5G—meaning not only will businesses and individuals be increasingly reliant on 5G, but the number and variety of connected devices mean more attack points.
And that brings us back to the 5G security discussion. An August 2020 Today in Security post, “With 5G Power Comes Heightened Threat Risk,” describes the two fundamental issues. Frist, the extent to which vital systems are expected to rely on 5G means threats are magnified and could reach catastrophic proportions quickly. Second, the rapid development and deployment of 5G technology around the world introduces risk. The new report from the CISA panel delves into the categories of risks.
Policy and Standards Threats
The report delineated two primary risks with regard to standards. First, it mentioned that nation-states may pressure international boards to create standards they deem more favorable. “Nation-states may attempt to exert undue influence on standards that benefit their proprietary technologies and limit customers’ choices to use other equipment or software,” the report explained.
Second, the report said standards may develop optional controls when more rigid requirements are needed. Companies could choose not to implement the optional control and open themselves to cyber vulnerabilities by bad actors targeting companies that ignore the control.
Supply Chain Threats
The supply chain in the report refers to the supply chain of manufacturing 5G components and devices. The CISA panel cited malicious software, the possible prevalence of counterfeit components, and compromised hardware, as well as poor design, manufacturing, and maintenance processes and procedures.
In addition, the report said, “countries that purchase 5G equipment from companies with compromised supply chains could be vulnerable to the interception, manipulation, disruption, or destruction of data. This would pose a challenge when sending data to international partners, where one country’s secure network could be vulnerable to threats because of an untrusted telecommunication network in another country.”
The CISA panel’s exploration of the vulnerabilities inherent in the 5G architecture are both related to the other threats and more technically complex. The explosion of IoT devices expected to use 5G is part of this vulnerability, as it introduces new pathways criminals can use.
Fundamentally, 5G differs in that the range of its components is much smaller than previous cellular technology, meaning there will be many more components that are potentially exploitable as the 5G systems builds out. In addition, 5G introduces new or expanded use of communications technology, summarized in the report as “software defined networking, cloud native infrastructure, network slicing, and edge computing,” which “may introduce an increased attack surface for malicious actors to exploit.”
Finally, the report noted that, like previous generations, 5G is made to overlay 4G technology, meaning the legacy vulnerabilities of 4G are still potentially dangerous if an attack successfully forces a system to use the downgraded network.
One of the leaders of the CISA panel, Dan Dagher, discussed the new report with government IT news organization MeriTalk. He summarized the state of 5G security this way: “When you look at all the benefits that 5G can bring, we have established security tools in place, we just need to modify them for what 5G can bring. I think OpenRAN [a standard being developed] is going to be something where we might find new tools cropping up, but we’re not there yet. You mix 5G components with prior generation in nonstandalone networks, and that may bring new vulnerabilities we’re just not aware of yet. But for right now I think we’re where we need to be, we just need to make sure we cover the 5G spectrum.”