Despite conspiracy theories about how 5G towers were the cause of COVID-19 and security concerns about Huawei, there is still much optimism about the next generation of connectivity. An IHS Markit study estimates that 5G will generate $13.2 trillion in global economic value by 2035 and an Omdia report cited that there were more than 17.7 million connections in Q4 2019.

The benefits of low latency, high bandwidth and more reliable connections to edge devices paves the way for a hyperconnected future. Everything that can become smart, will become smart: retailers will be able to track the condition of perishables in transit; utility companies will be able to accurately bill customers while gaining better insight into usage; transportation can become autonomous and drones could be widely used. These are just a handful of prospective use cases and they will only grow once companies become more accustomed to the next generation of wireless.

5G has become an economic imperative and those countries that fail to keep up with initial roll out plans will be at a disadvantage. Deployments have already been interrupted by disruption to global supply chains due to the health crisis and the global standardization body, 3GPP, delayed critical releases earlier this year, but GSMA notes that 5G is now live in 24 markets and expects it to account for 20% of global connections by 2025.

It’s very easy to get carried away with the benefits of 5G and envisage a wireless utopia, but as with any new technology, security is a concern. 62% of respondents to an Accenture survey expressed fears that 5G will render them more vulnerable to cyberattacks and 74% say they expect to redefine policies and procedures as 5G emerges. For companies to adopt 5G securely, existing and future infrastructure needs to be considered and adapted accordingly, particularly because vulnerabilities have already been identified.

Early 5G security vulnerabilities

One of the inherent problems of early deployments of 5G is that they are typically non-standalone (NSA), meaning that they make use of the 4G LTE infrastructure. Although this enables operators to get to market quicker with 5G services, it also means inheriting the security shortcomings associated with legacy network technologies including SMS interceptions and DDoS attacks.

In 2019, academic researchers highlighted 5G vulnerabilities at the security conference Black Hat. As security protocols and algorithms for 5G are being layered on top of 4G standards, there is still the possibility to conduct man-in-the-middle attacks as well as device fingerprinting. The over the air security included encryption but not end-to-end, with some data being transmitted in plaintext. This vulnerability has now been fixed, however as 5G infrastructure is introduced, the likelihood of vulnerabilities being discovered increases dramatically.

Another academic study by researchers at Purdue University and University of Iowa found 11 vulnerabilities which can be used to spoof emergency alerts, track real-time location or silently disconnect a 5G-connected device from the network.

Identity & IoT access conundrum

The introduction of new smart devices into a company’s ecosystem diminishes the corporate perimeter security model even further. With more applications and devices sitting outside of the data center, feeding data back and forth, access and security becomes further complicated. A challenge for many businesses is identity management, as many utilize user authentication when deciding to grant access. However, the big difference between IoT devices and traditional devices is that there is no human identity associated with the former, just device identity. Companies will need to consider how machine-to-machine trust is established and monitored for these devices as well as what level of privilege they are given to systems. Least-privilege access and microsegmentation also become important in limiting entities to defined corporate resources and preventing any lateral movement. If the security of IoT devices is improperly considered, then it could prove a weakness in a company’s defense. There have already been instances of IoT devices being used to create botnets to launch DDoS attacks.

How can companies better protect against 5G?

5G only accelerates the need to adopt Zero Trust Network Access (ZTNA). Companies need to learn from the security shortcomings borne from remote user access and rapid acceleration of cloud computing and apply more to the wave of devices being added to the IT ecosystem.