Europe warns 5G IoT deployments fundamentally insecure

    5G security needs to be tightened as important lessons still haven’t been learned from previous technology generations, warns ENISA report.

    The European Union Agency for Network and Information Security, ENISA, has warned that existing security flaws in mobile networks may be perpetuated and broadened in 5G networks, potentially affecting IoT deployments that use the technology.

    • The report comes after Internet of Business published its own expert panel report in February, which revealed that 5G will introduce new types of security problems that, when linked with IoT systems, could cause widespread disruption. We proposed a number of solutions to these challenges in that article.

    According to the new report from ENISA, known flaws in SS7 and Diameter, the signalling protocols used in 2G, 3G, and 4G networks, will find their way into 5G deployments unless urgent steps are taken to fix the problems.

    Failure to address these issues could, for example, allow hackers to intercept and alter data passing between IoT sensors and an organisation’s infrastructure.

    Signalling problems

    SS7 is a set of signalling protocols used in the worldwide Public Switched Telephone Network (PSTN) standard to handle calls, while Diameter is an improved AAA (Authentication, Authorisation, and Accounting) protocol. Both technologies were designed for the 2G and 3G eras, with little attention paid to data security.

    ENISA said, “The industry is still trying to understand exactly what the implications are and to identify possible workarounds. It is highly probable that in the near future we will see real attacks as well as suitable solutions becoming available.”

    While some progress has been made in securing the protocols over the years, ENISA believes that they remain fundamentally flawed, a situation that now needs urgent review.

    “In this context, ENISA has developed a study, which has examined a critical area of electronic communications: the security of interconnections in electronic communications, also known as signalling security,” said Udo Helmbrecht, ENISA’s executive director.

    “An EU-level assessment of the current situation has been developed, so that we better understand the threat level, the measures in place, and the possible next steps to be taken.”

    ENISA advises that signalling security should be properly covered within the new 5G standards. The agency recommends broadening the legal environment to include signalling, obliging all electronic communications providers to strengthen their solutions in terms of incident reporting and the adoption of minimum security standards.

    The report concludes that all authorities responsible for 5G networks should analyse the situation at national level and be more aware of new developments that could trigger security incidents.

    Internet of Business says

    Internet of Business warned last month that 5G represents an overhaul in the way that networks are run and managed. In contrast to the hardware-based networks of the past, the technology takes advantage of virtualisation and cloud systems, leaving it more vulnerable to breaches if not properly secured.

    In addition, 5G’s low-latency and high-bandwidth capabilities could be used to increase the potential scale of a distributed denial of service (DDoS) attack, where IoT devices are targeted by hackers and used to form a botnet.

    Our report also warned that network slicing is new to 5G, and standards have yet to be formalised. Malware could be placed on individual network slices, causing widespread disruption and takedowns.
