The last few years have seen multiple critical remote vulnerabilities in mobile handsets, with the potential to affect millions of users, but the impact was mitigated by legacy walled garden designs. Take the 2019 Apple iMessage bug or the 2017 Samsung SMS bug, which could be leveraged by attackers to target an Apple iPhone or Samsung Galaxy handset if the victim’s number was known.
If an attacker doesn’t have the number but wanted to target every device in an organisation, they would either have to get access to the closed signalling network or establish their own fake base station. Both options are complex, expensive and require substantial specialist knowledge of cellular air interfaces and arcane signalling protocols like Stream Control Transmission Protocol (SCTP).
Security researchers looking for vulnerabilities in mobile basebands and user equipment (UE) such as handsets and tablets for example, must invest a substantial amount of effort in supporting infrastructure to be able to test a device ‘over the air’ (OTA). As a minimum, a researcher would need high end radios, a GPS timing source, spectrum licensing, protocol stacks and for 3G/5G testing, programmable SIM cards to get past the mutual authentication.
This substantial requirement list is why cellular vulnerabilities aren’t more common. It doesn’t mean they aren’t there, it’s just that they’re beyond the reach of most. In our experience, cellular interfaces are less scrutinised than Wi-Fi/IP for example, because they’re harder to reach.
Above: The 2017 Samsung SMS bug, which could be leveraged by attackers to target a Samsung Galaxy handset if the victim’s number was known.
Removing the wall
The flatter design of 5G networks will remove many barriers to cellular security testing; in particular the air interface which will lead to increased security focus on this previously opaque and remote interface.
However, more attacks on the cellular side of user equipment are anticipated with the onset of 5G. This is because the walled garden architecture of cellular networks up until now largely shielded UE from external security because they connect to the world via a gateway, which uses Network Address Translation (NAT) to prevent attackers from accessing them directly.
From our experience in OTA testing, we have seen weaker than standard software security on cellular interfaces because the OEMs shirk responsibility for traffic security and label this the obligation of the network, which, until 5G, was true. There is an unhealthy degree of ignorance among integrators, especially around traffic security, as it is common knowledge that cellular traffic has been encrypted since the 90s. But there’s far more to cellular security than protecting signals from eavesdroppers. The previously listed SMS exploits operate several layers further up the Open Systems Interconnection (OSI) model and have no concept of encryption or even physical medium as they can be delivered via GSM, UMTS or LTE.
With 5G’s decentralised design, the technology will be opened up to scrutiny by a much wider range of threat actors. For example, an intelligent, low budget and amateur hacker with the skill to crack software might lack the budget for cellular testing equipment but will be able to afford a budget 5G picocell. This will then give them a route to 5G devices for cellular security testing.
Cellular software stacks could easily go from being the least scrutinised interface to the most scrutinised, as the barrier to entry is lowered and they are forecast to handle the most traffic in the future.
As 5G technology is designed for dense Internet of Things (IoT) networks in the order of 1 million devices per square kilometre, the sheer number of projected and insecure devices using 5G means an exponential increase in attack surface and potential vulnerabilities. The size of botnets (networks of devices that have been compromised and are controlled to some extent by malicious software – aka ‘zombies’) is likely to increase, given the scale of the future IoT; Gartner is predicting more than 20 billion connected things by next year and if recent experience with IoT security is anything to go by, they will be largely insecure.
As a result, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are increasingly likely to be a focus for malicious activity. One of the core features of 5G will be the dynamic re-allocation of resources, especially bandwidth. This may be a great feature when a ‘flash’ crowd appears in a specific location, but at the same time it could be ‘rocket fuel’ for botnets and the extra bandwidth allocated to them could exacerbate the impact of a DDoS attack.
The fact that many UE devices will be opened up to more intense scrutiny, means that we can expect to see botnets appear in more unusual places. For example, imagine a future firm with a fleet of robots, staff with wearables, smart vehicles and a smart building, all connected, for convenience, to a private cloud. Prior to 5G, these devices would co-exist on distinct mediums via 4G, Wi-Fi or LPWAN.
As 5G is forecast to become the dominant method of wireless communications, not only will many eggs be placed in one basket, but they will be reachable from one another. Once just one of these devices is compromised, dozens more are then reachable. Fixing this kind of scenario would be an enormous undertaking, which is exactly why the security of UE devices and the cloud infrastructure will be critical.
Responsibility and risk
5G will see a move from a walled garden monolithic architecture to an Infrastructure-as-a-Service (IaaS) model where key components will not be owned by the network operators. This change underpins the 5G tensions between nations regarding the risk of espionage. The reason for the change is capacity. No single operator can support the quantity of devices forecast, so an elastic infrastructure service is needed. This will mean operators relinquish control, which will pass into the hands of router OEMs and middleware service providers. New technologies, like Software Defined Networking (SDN) and Network Function Virtualisation (NFV), will enable infrastructure to be more flexible and opaque than the brittle cellular network designs that we are currently used to.
The responsibility of tackling security problems, as well as botnets on IoT devices, will be diluted due to shared infrastructure and is likely to be delegated to the UE OEMs who to date have not had a good track record for endpoint security.
While the flexibility and potential are huge, so is the risk if the underlying infrastructure were to be compromised. By virtualising functions like SMS or voice calls, multiple functions will share a single point of failure – the hypervisor on which they are hosted. In the event of an attack on a hypervisor or hosting environment all 5G functions could potentially be compromised or disappear simultaneously, which would be worse than current outages which typically affect a single function like the May 2019 EE ‘voice only’ outage and the day long O2 ‘data only’ outage.
These outages describe hardware failures in brittle systems, dedicated for one function – which isn’t an entirely bad idea when you run critical systems as despite the failures, EE customers could still text and O2 customers could still make calls.
Precision geo-location for attackers
The erosion of anonymity is another concern. 5G precision could reveal the specific floor within a building a device is located on, because the macro cells used in deployment are substantially smaller than in cellular networks.
By design, each base station has a unique ID, so if you can find the base stations near or inside your target on the 5G network, much like a home router, you can begin to enumerate devices attached to it.
Using a watering hole cross-domain attack, a device from an unreachable private network is lured to an external website where its browser is tricked into scanning and reporting identifiers for adjacent devices on the internal network. This technique is used against IP NAT networks already and 5G will be no different due to abstraction.
The precision available, if abused by malware either on the UE or at the network level, would present an increased risk as amateurs could perform precision targeting of organisations and users remotely, which would need mitigation by end point and cloud security solutions. Mitigating the risk through solid defence-in-depth principles and security testing of products is recommended to reduce the risks associated with an increasingly egalitarian – and opaque – 5G architecture.