A hacker’s paradise? 5G and cyber security
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
The rollout of fifth-generation mobile networks — which offer the potential for downloads speeds of up to 10 times faster than today’s — will change how we communicate, work and stream video.
However, the faster speeds are also likely to present an opportunity for hackers to target more devices and launch bigger cyber attacks, experts say.
The problem is unlikely to be the security of 5G technology itself. Despite researchers uncovering apparent flaws in 5G’s security — such as the ability for attackers to use fake mobile base stations to steal information — 5G’s stronger encryption of data and better verification of network users are widely considered to be a significant improvement on 4G.
Experts say that the weak link in 5G’s security is likely to be communication between devices connected to the internet.
These devices, known as the Internet of Things (IoT) — where everything from cars and factory assembly lines to baby monitors and traffic lights have embedded internet-connected sensors — are growing fast. The number of internet-connected items will grow from 14.2bn to 25bn by 2021, according to Gartner, a research company.
As IoT devices connect to 5G networks, they could prove a tempting target for hackers and criminals.
“The sheer number of connected assets and devices heightens security challenges,” says Dan Bieler, principal analyst at Forrester, a research company. Hackers tend to target new technologies as they are often more vulnerable to cyber attacks than well-established technologies, he adds.
Experts say that security can be patchy for some IoT devices, especially low-cost and low-powered items. Hackers can use technology to scan hundreds of thousands of devices for weak security, such as those with the default passwords — “admin”, “guest” or “password” — that they were sold with.
“The likelihood of finding an IoT device that hasn’t been set up properly, or with a weak password, is quite high,” says David Ferbrache, global head of cyber futures at accounting group KPMG.
Criminals have already exploited IoT devices, most notably in the “Mirai botnet” cyber attack in 2016 when hundreds of thousands of cameras, routers and digital video recorders were used to bring down websites including Twitter, Spotify and the New York Times.
The criminals used two common types of cyber attack: a “botnet”, which takes control of internet-connected devices and using them as weapons in a cyber attack; and a “distributed denial of service” (DDOS), which overwhelms a network or website with more messages than it can handle.
When hackers or criminals break into a device connected to 5G, the network’s speed will mean that they can extract and download information, including personal data and customer information, much faster than before.
And because IoT devices connect directly to the mobile internet, hackers will not have to circumvent the more stringent security of home or corporate networks, experts say.
There is also a risk that homes using 5G could become more vulnerable, experts say, if security software of fridges, smoke alarms and other “smart” devices connected to the internet is not updated.
Companies may also face security headaches if employees use 5G networks rather than their corporate networks to send confidential data.
Wherever they occur, cyber attacks on 5G are likely to be an evolution of existing techniques, albeit more extreme versions, says Valentino de Sousa, a cyber security expert at Accenture, the professional services firm.
Mr de Sousa says cyber attacks could include artificial-intelligence powered “robocallers”, which can convincingly mimic family or friends; large-scale denial of service attacks capable of taking down a mobile network; and manipulated videos known as “deepfakes”.
“I think 5G will be a more tempting target for nation state actors than . . . hackers, as 5G will be a core communication technology for most countries,” says Cesar Cerrudo, chief technology officer at IOActive, a cyber security consultancy.
For their part, governments, telecoms companies and technology groups are working on security standards for 5G and the Internet of Things.
Bill O’Hern, chief security officer at AT&T, says the telecoms company expects the massive increase in the volume of data going across an operator’s 5G network “would likely translate to a wider attack surface” for hackers to utilise.
Hackers and criminals will then need to determine how cyber attacks on 5G can serve “monetary or political purposes” — for example, to facilitate extortion or fraud, he adds.
AT&T has created a cyber security unit specialising in the Internet of Things which will evaluate the security of IoT devices and security practices used by manufacturers and industry. “The objective is to prevent common mistakes and improve opportunities to correct issues before they become larger problems,” Mr O’Hern says.