Security news that informs and inspires

Enterprises Lack Clear Security Guidance for 5G

By

Plans for 5G networks are underway, but enterprises trying to understand and address the security challenges are stymied because the discussion is still bogged down with insinuations and fear-mongering.

In a call with reporters about “Securing 5G Networks,” the former secretary of Homeland Security Tom Ridge and governor of Pennsylvania; fomer senior counterterrorism official Nate Snyder; and former under-secretary for management at Homeland Security Chris Cummiskey skipped talking about 5G’s technical challenges and honed in on the Chinese technology company Huawei. The fact that Huawei dominated the 5G market was a national security concern because that gave the Chinese government access to all the networks using the company’s equipment, they warned.

“The challenge we have in the development of the 5G network, at least in the early stage, is the dominance of the Huawei firm,” Ridge said on the call, which was organized by lobbying group Global Cyber Policy Watch, an offshoot of consulting firm Cambridge Global Advisors.

Intelligence officials have been warning about the dangers of letting Huawei take part in building out 5G networks for a while now, arguing that Huawei was wholly owned by the Chinese government (its ownership structure is, for lack of a better word, murky), and the United States had an adversarial relationship with the country. Intelligence officials have also repeatedly accused its political and economic rival of economic espionage—stealing intellectual property and research—as well as stealing sensitive information for political purposes. The former officials on the call repeatedly linked the two, arguing that the Chinese government would be able to compel Huawei to provide backdoor access to networks that use the company’s telecommunications equipment, or hand over all data passing through the network.

“To embed that technology into a critical piece of infrastructure which is telecom is a huge national security risk,” Ridge said.

A Huawei network would expose the United States to Chinese espionage operations and curtail how it shares intelligence information with allies, Ridge said. Ridge seemed a little frustrated that despite U.S. officials pushing hard on this topic, many companies have continued to work with, and plan to continue working with, Huawei. Even the “Five Eyes” countries—Australia, Canada, New Zealand, the United Kingdom and the United States—don’t view the risks the same way.

The deadline for the European Union to complete the security assessment is Oct. 1.

No Backdoors Found Yet

Despite all the assertions of national security risks, there were no details. None of the speakers provided any specific evidence of Huawei backdoors. Snyder discussed how the Chinese government is cracking down on dissidents in Hong Kong and how the Chinese police have been surveilling the protesters. When pressed, he admitted there was no “direct evidence” linking Huawei to the crackdown. However, it wasn’t hard to “connect the dots” considering that consumers are likely to have Huawei-made phones and much of the city infrastructure is based on Huawei technology, Snyder said.

“Connecting the dots” isn’t the same as evidence.

That isn’t to say Huawei isn’t without problems. The company subjected its code to the United Kingdom’s Huawei Cyber Security Evaluation Centre for review, and the oversight board’s scathing report earlier this year highlighted multiple security vulnerabilities and “serious and systematic defects in Huawei’s software engineering and cyber security competence.” Rather than being proof of government interference, the issues signalled poor software development practices.

“The bigger threat is that Huawei gear could be hacked by just about anyone who cared to make an effort,” wrote Ars Technica, regarding the board’s report.

When asked if the national security concerns would be addressed if the code was regularly analyzed, the speakers unanimously rejected the idea. Cummiskey didn't “necessarily feel comfortable” with code reviews because there was no guarantee that Huawei wouldn't just upload the problematic code at a later time when no one was looking. Cummiskey did concede that independent cybersecurity standards groups could certify whether hardware meets certain security requirements.

Ridge claimed to have spoken with security experts who said the current tools and processes would not be able to keep up with how quickly code can change and that the volume of work required would not be sustainable.

It was a surprising claim to make since there is a whole segment of the security industry devoted to enterprise code scanning and third-party software reviews.

Call for Open Standards

The problem with all this discussion about how Huawei is a national security risk is that there isn't a lot of guidance for enterprises on what to do right now. Telecommunications providers have to make purchase decisions. The restrictions on U.S. carriers from buying Huawei equipment is slowing down their deployment plans.

Huawei appeals to business interests because it offers advanced equipment at a cheaper price than most of its competitors, but those benefits don’t outweigh the "massive, massive security threat" as it would give foreign adversaries billions of ways to access U.S. critical infrastructure, Ridge said. To counter the attractiveness of Huawei’s price tag, governments should fund research and development of 5G technology. The U.S. Department of Defense has allocated $500 million in its latest budget towards the development of end-to-end encryption software and other technologies, but Ridge, Snyder, and Cummiskey would like to see more investments.

The national strategy to take a slower approach "is a good first move to give the U.S. time" to get more federal and private investment in 5G technology, Cummiskey said.

The former government officials, now advisors at Global Cyber Policy Watch, called for open and interoperable standards as that would help increase the number of 5G providers in the market and give U.S. carriers alternatives to Huawei. They did not offer specific security recommendations that should be part of the standards—their argument seemed to be that any other company as an alternative to Huawei would improve security. That isn’t helpful for enterprises trying to figure out how they should be handling encryption on 5G networks, designing secure applications, and other technical challenges.

Huawei recently proposed licensing its 5G technology-the company owns about two-thirds of the patents related to 5G-to an outside entity to help ease concerns. License-holders would be able to create technology that would interoperate with Huawei's technology. Ridge said licensing Huawei gear doesn’t “solve problems related to security” but didn't elaborate further.

Snyder called the idea a "trojan horse," saying it was a way to "sidestep opening up to interoperability standards.”

There is an “undeclared digital war” between China and the United States and 5G is one of the battlegrounds, Ridge said. “It’s one thing for them to try to secure as much information as they can about our country and everything related to it through the back door,” Ridge said. “But the notion that we would willingly, knowingly permit them to embed software into our telecommunications infrastructure for me is just a security risk that's not worth taking.”

5G's Vulnerabilities

While government officials battle over who will power the deployments, security researchers have been scrutinizing 5G networks. There are issues, and it's not clear at this point whether the problems will be addressed in some of the earlier 5G network deployments. Researchers have identified that some transmissions are being sent unencrypted, potentially exposing device information and other details.

Security researchers at the Technical University of Berlin and Kaitiaki Labs discussed how attackers could intercept device capability information and use it against 5G mobile subscribers at Black Hat in August. The researchers found that when a mobile device registered on a 5G network, details about the device and its capabilities—such as its throughput categories, app data, radio protocol support, security algorithms, and carrier information—are transmitted insecurely. Attackers could use the intercepted data to identify specific devices on the network, degrade performance, create denial-of-service conditions, and drain the battery, the researchers found.

Researchers from ETH Zurich, Berlin Technical University and Norwegian research institute SINTEF Digital claimed to have found "a new privacy attack against all variants of the AKA protocol, including 5G AKA, that breaches subscriber privacy more severely than known location privacy attacks do." The Authentication and Key Agreement (AKA) protocol is designed to provide security between mobile users and base stations, but has been exploited in the past by surveillance devices. This particular issue is a logical vulnerability in the protocol–which is why it affects 3G, 4G LTE and 5G networks.

The 3rd Generation Partnership Project (3GPP), the standards body in charge of 5G wireless network security, is believed to be drafting new requirements addressing how device information should be handled on the network for the next release of the 5G standard. However, 3GPP said the AKA issue will be likely be present in early implementations of 5G, according to The Register.