That was barked in a headline from a post I recently received. The funny part is that I wholeheartedly agree!
And just this morning I received a post from a company called NetNumber, which just wrote a white paper discussing 5G security, with the primary topic being that it must be included in the design and not be treated as an afterthought.
Does this mean the acuteness of 5G security is growing? Unlikely, but at some point, all this is going to come crashing down if the industry does not get committed to making security a priority in 5G – and from the ground up.
I have been “barking” about the failure of security in the wireless ecosystem (as well as other industries) for years. With next-generation 5G and all of its new platforms and technologies, the threat surface is orders of magnitude larger.
While 3GPP does address some of the security issues of wireless networks, its requirements are weak. The security architects have been warning about that from the beginning. But the money players managed to keep the security framework to a minimum. The problem is that security is not a marketable feature. It costs money to integrate and has no real ROI. Therefore, companies tend to make it as low-cost an item in their products as possible.
It has worked well for them over the years. Rarely are vendors, or organizations, held accountable for security flaws or failures. That is a slippery slope, but why should users always be the ones to eat the costs, even when it is clear that a vendor is at fault?
Now, on the other hand, do end-users not bear some responsibility? Certainly. However, end-users (consumer and otherwise) want a solid platform going in. They do not want to have to manage a supplier’s backdoors, weak algorithms, poorly secured APIs, etc. And if it is their bad that they have not done their homework assignment and secured their stuff as best as possible, then they need to accept the consequences.
What brought on this diatribe was a recent report about the security weaknesses in network slicing. That is only one security vector, but certainly a critical one. Let us drill down on that a bit.
Network slicing, whatever the flavor, is the most promising enabling technology for 5G. Intelligent spectrum management, particularly in the lower spectrum where there is lots of congestion, is the only way this spectrum is going to even come close to handling the massive amounts of data expected in the next five to 10 years.
One of the biggest challenges with a dynamically provisioned spectrum is isolation. A second is trust. In some cases (such as CBRS) there is the reusability provision. There are others, of course, but when it comes to security, the tight integration of such spectrum means vulnerabilities are not as easy to isolate.
Things like user data extraction (location tracking), denial of service, and a vertical partner’s access to the services of a network function have the potential, if not properly secured, for fraud or data leakage against another network function. And, because slicing builds atop other technologies, there are known security challenges attributed to the underlying SDN and NFV technologies, and the access networks, as well.
It has been shown that, in a network slicing scenario, one vertical can gain access to the services and related information of another vertical. Properly exploited, fraud and/or data leakage is probable.
The issue is that the 3GPP standard is weak in the slicing department. Instead of requiring that a ticket for entrance to a service be validated, in whatever fashion, an authorization ticket from one service, on behalf of another vertical, does not require security measures. This is because the details that are within the request are not well specified. Thus, within 3GPP standards, literally, anybody in the network can ask for any kind of ticket and be granted access.
While that makes sense for lower-level shared network functions, it also allows for a fraudulent request to obtain a different ticket. Depending on the services and information on the slices, data can be stolen from other users within the network. Basically, it allows for impersonation to occur. This also involves trust. While this functions well if everyone in the network is trustworthy, what happens if a vertical partner has been compromised?
This is a typical scenario where relying on standardized protocols, in this case Transport Layer Security (TLS), does not secure the services. And implied trust is not sufficient for 5G network security.
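The missing check described above, sketched as an added example (not from the article or from 3GPP): a ticket issuer that grants any well-formed request, beside one that compares the request body with the identity authenticated at the transport layer. All function names, slices and services are hypothetical, and the sample requests are constructed.

```python
from dataclasses import dataclass

# Constructed registry (hypothetical names): the slice each network function
# (NF) belongs to, and the services each slice is allowed to reach.
NF_SLICE = {"nf-auto-01": "slice-automotive", "nf-health-01": "slice-health",
            "nf-shared-01": "shared"}
SLICE_SERVICES = {"slice-automotive": {"auto-telemetry", "shared-discovery"},
                  "slice-health": {"patient-records", "shared-discovery"},
                  "shared": {"shared-discovery"}}

@dataclass(frozen=True)
class TicketRequest:
    transport_identity: str  # identity proven by the TLS client certificate
    claimed_requester: str   # identity written in the request body
    claimed_slice: str       # slice the requester says it acts for
    service: str             # service the ticket should open

def issue_ticket_weak(req):
    """Behaviour the article describes: any well-formed request is granted."""
    return {"sub": req.claimed_requester, "slice": req.claimed_slice,
            "aud": req.service}

def issue_ticket_checked(req):
    """Grant only when the request body agrees with the authenticated peer."""
    if req.claimed_requester != req.transport_identity:
        raise PermissionError("requester does not match TLS identity")
    home_slice = NF_SLICE.get(req.transport_identity)
    if home_slice is None:
        raise PermissionError("unknown network function")
    if req.claimed_slice != home_slice:
        raise PermissionError("requester is not a member of the claimed slice")
    if req.service not in SLICE_SERVICES[home_slice]:
        raise PermissionError("service is outside the requester's slice")
    return {"sub": req.transport_identity, "slice": home_slice,
            "aud": req.service}

def is_granted(issuer, req):
    """Return True if the issuer hands out a ticket for this request."""
    try:
        issuer(req)
        return True
    except PermissionError:
        return False

# Constructed requests: one legitimate, one asking on behalf of another vertical.
LEGIT = TicketRequest("nf-auto-01", "nf-auto-01", "slice-automotive", "auto-telemetry")
CROSS = TicketRequest("nf-auto-01", "nf-health-01", "slice-health", "patient-records")

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("cross-slice", CROSS)):
        print(name, "weak:", is_granted(issue_ticket_weak, req),
              "checked:", is_granted(issue_ticket_checked, req))
```

TLS authenticates the peer in both cases; only the second issuer uses that identity when deciding what the ticket may say.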
There are some interesting lessons in this. And, of course, this is only one security issue. There are many more in 5G, some known, some yet to be discovered. Therefore, to be fair, there is only so much one can do with specifications. 3GPP is aware of this weakness. Whether they will address it in the upcoming Release 17 is yet to be determined. They have until the stage 3 freeze in the fall of next year to decide.
However, globally, security is still reactive. Getting proactive on security seems to be a hard sell. Because of the convergence of IP and telecom protocols in 5G, attackers already have access to the tools and techniques that are known to be effective and easily accessible. That means we are already a step behind.
So watcha gonna do when they come for you? End users do have a pretty well-equipped arsenal to combat the various infringements of bad actors. Sadly, many have been both warned and stung, and yet they still do not take the necessary actions to shield themselves.
We all know it is expensive to implement effective, preemptive security methodologies. As long as the fallout costs are borne by the consumer, the bar will not likely be raised much.
Finally, standards are not really the solution. They can develop a framework for what is general, but what they need to do is set requirements (i.e., levels for things such as trust, authentication, confidentiality, authorizations, etc.) that must be agreed to by the players. If not, then it becomes a take-it-or-leave-it scenario. But then, standards bodies rely on vendor support to succeed. There seems to be a bit of a dichotomy in all of this.
The bottom line is that, as I and many others have said, security needs to be a priority, not an afterthought. It is going to get much worse before it gets better, so hardening going in will work much better than patching after the fact.
Ernest Worthman is an executive editor with AGL Media Group, a senior member of IEEE and an adjunct professor at the CSU Walter Scott Jr. College of Engineering.