8 ways 5G mobile networks will change IoT security, and how to prepare

Every internet of things security issue will be greatly magnified in a 5G environment. Address these eight areas before you deploy your own.


1. Encrypt and protect 5G network traffic

With 5G, the number of intelligent devices connected to networks is expected to increase dramatically, as will the volume of traffic along those networks. According to Gartner, the number of enterprise and automotive IoT devices will increase to 5.8 billion next year, up 21% from this year's expected total of 4.8 billion IoT endpoints. That makes these networks a target-rich environment for attackers—even more than they are today.

To address this issue, Barnes says, Whirlpool will encrypt all 5G traffic, as well as configuring the 5G antennas to accept only approved traffic. "As we add devices, we configure them as acceptable devices on the 5G," he says. "If it's not whitelisted, we don't listen to them. And since it's encrypted, I'm not as worried about someone trying to capture the signal, because they can't do much with it."

If traffic leaves the local network and goes out over public 5G, or over the internet, the communications will be secured via a protected VPN tunnel, he says. "Since we may have to use the 5G to communicate with the outside world, we set that up, up front," he says.

2. Secure and isolate vulnerable devices

The next potential line of weakness is the devices themselves. "A lot of this industry is not security conscious," says Barnes. Industrial equipment in particular often has proprietary operating systems and either no ability to install patches or licenses that prohibit it. "They're not designed with patches in mind," he says.

In fact, the majority of IoT security mistakes have not been fixed, says Jonathan Tanner, senior security researcher at Barracuda Networks. Some devices have issues that couldn't be fixed with a firmware update, or have no mechanism for updating firmware, he says. Even when device manufacturers add security features to the next generation of their devices, the old insecure ones are still out there in the wild.

Some companies don't bother, Tanner adds, and ignore security researchers who point out vulnerabilities. "Some companies with vulnerable devices have gone out of business," says Tanner. "Leaving their devices stuck with whatever vulnerabilities originally existed."

What can a company do when it's stuck with one of these insecure IoT devices? Network isolation can help protect them, says Whirlpool's Barnes, in combination with other network security technologies. "We have a two-tiered approach," he says. "Network security that monitors all traffic, and a more protocol-driven second-level security that does deep packet inspection, looking for that malicious type of activity embedded inside your protocol."

Then there's general security hygiene on top of that, such as patching whenever possible, regular security audits of all devices, and keeping a full inventory of every device on the network.

3. Prepare for bigger DDoS attacks

In general, 5G doesn't mean weaker security than previous generations of wireless technology. "5G does bring new security features that aren't available in 4G or 3G," says Kevin McNamee, director of the Nokia threat intelligence lab. "With 5G, the whole control plane has been moved to a web services type of environment, where it's strongly authenticated and very secure. That's an improvement."

That security improvement will be offset by the increased opportunities for botnets, McNamee says. "5G is going to increase the bandwidth available to devices quite considerably," he says. "And increasing the bandwidth increases the bandwidth available to IoT bots."

One of the things that the increased bandwidth will be used for is to find more vulnerable devices and spread the infection, and there will be more vulnerable devices out there for the botnets to find. Consumers are buying smart home devices at a rapid pace. As with Whirlpool, enterprises are also big users of IoT devices. So are government agencies and other types of organizations.

5G will make it possible for devices to be placed in remote areas, where they can be hard to maintain. "There will be hordes of sensors logging everything from weather to air quality to video feeds," says Cameron Camp, security researcher at ESET and Oregon state co-chair of the Wireless Internet Service Provider Association. "This means there are fresh new swarms of machines that can potentially be hacked and enlisted in botnets. Since these sensors will be largely unattended, hacks will be challenging to spot and respond to."

IoT devices also tend to hang around for a while. Users aren't going to replace a device that still does what it's supposed to do. Attackers want to take a low-key approach to their botnets so that they don't attract any attention. Even if a patch is available, or a manufacturer sells an updated, more secure version of the device, customers might not bother to make the change.

Meanwhile, many smart IoT devices are running real operating systems such as embedded Linux that allow them to be nearly fully functional computers. Infected devices can be used to host illegal content, malware, command and control data, and other systems and services valuable to attackers. Users don't think of these devices as computers that need antivirus protection, patching and updates. Many IoT devices don't keep logs of inbound and outbound traffic. This allows attackers to remain anonymous and makes it more difficult to shut down the botnets.

This makes for a triple threat. The number of potentially exploitable devices, the bandwidth available to spread the botnet, and the bandwidth available for the devices to conduct DDoS attacks are all going up. Enterprises need to prepare now for DDoS attacks that are an order of magnitude greater in a 5G environment than they are today, since many of the devices are still insecure and some are unpatchable.

4. Moving to IPv6 might make private internet addresses public

As the devices proliferate and communication speeds improve, companies may be tempted to use IPv6 instead of the IPv4 that is common today. IPv6, which allows for longer IP addresses, became an internet standard in 2017.

There aren't enough IPv4 addresses to go around; only about 4.3 billion addresses are possible. Some registries began running out of numbers in 2011, and organizations began moving to IPv6 in 2012. But today, less than 30% of Google users access the platform over IPv6, according to data from The Internet Society.

Instead of using IPv6, many organizations as well as almost all residential devices and many mobile phone networks use private IPv4 addresses, says Nokia's McNamee. "This provides them with a natural protection from attack since they are not visible to the internet," he says.

As the world moves to 5G, carriers will naturally move to IPv6 to support the billions of new devices. And if they choose public IPv6 addresses instead of private ones, those devices will now be visible. This isn't a problem with IPv6, he says, or with 5G, but enterprises that move their devices from IPv4 to IPv6 may accidentally put them on public addresses.
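One way to catch that accidental exposure is to audit the device inventory for addresses outside the non-routed ranges. The following is an added example, not part of the original article; the device names and addresses are constructed, and the documentation prefixes 2001:db8::/32 and 203.0.113.0/24 stand in for a carrier-assigned public prefix.

```python
import ipaddress

# Ranges that are not routed on the public internet.
NON_PUBLIC = {
    "rfc1918-private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "carrier-nat": ["100.64.0.0/10"],   # RFC 6598 shared address space
    "ipv6-ula": ["fc00::/7"],           # RFC 4193 unique local addresses
    "ipv6-link-local": ["fe80::/10"],
    "loopback": ["127.0.0.0/8", "::1/128"],
}
NON_PUBLIC_NETS = [(label, ipaddress.ip_network(n))
                   for label, nets in NON_PUBLIC.items() for n in nets]


def classify(addr):
    """Return (label, publicly_addressable) for one address string."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop a zone id such as %eth0
    for label, net in NON_PUBLIC_NETS:
        if ip.version == net.version and ip in net:
            return label, False
    return f"ipv{ip.version}-global", True


def audit(inventory):
    """Map each device to its addresses that are publicly addressable."""
    exposed = {}
    for device, addrs in inventory.items():
        public = [a for a in addrs if classify(a)[1]]
        if public:
            exposed[device] = public
    return exposed


# Constructed inventory (assumption: one list of configured addresses per device).
INVENTORY = {
    "plc-line-3": ["192.168.10.21"],
    "hvac-sensor-7": ["10.4.2.9", "fd12:3456:789a::9", "fe80::1%eth0"],
    "dock-camera-2": ["192.168.10.40", "2001:db8:40::2"],  # gained a global IPv6
    "lte-gateway-1": ["100.64.12.5"],
    "label-printer": ["203.0.113.17"],
}

if __name__ == "__main__":
    for device, addrs in audit(INVENTORY).items():
        print(f"{device}: publicly addressable via {', '.join(addrs)}")
```

A flagged address means the device no longer has the incidental protection of private addressing; whether it is actually reachable still depends on the firewall in front of it.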

5. Edge computing increases the attack surface

Companies looking to reduce latency and improve performance for customers, or for their own dispersed infrastructure, are increasingly looking at edge computing. With 5G, the advantages of edge computing get even greater, as the endpoint devices will have more communication abilities.

Edge computing also dramatically increases the potential attack surface. Companies that haven't yet started moving to zero-trust network architectures should start thinking about it now, before they invest heavily in edge computing infrastructure. When they do build that out, security needs to be a top consideration, not an afterthought.

6. New IoT vendors focus on first to market, not security

The IoT gold rush will inspire new vendors to enter the field and existing vendors to rush new devices to market. There are already more IoT devices than there are security researchers looking for vulnerabilities, says Barracuda's Tanner. With new manufacturers jumping in, we'll see a whole new cycle of security mistakes, he says.

Tanner is seeing the same mistakes being made over and over again, and reported vulnerabilities in IoT devices are going up, not down. "There's not enough learning from the mistakes of others happening in the industry," he says.

"The vendors don't care," says Joe Cortese, who breaks into corporate networks for a living in his role as penetration testing practice lead at A-lign Compliance and Security. "Earlier this year, I purchased five devices related to switching lights on and off, and I was able to access four of them from outside my house. There are test modes that are built into the devices that the vendor never removed."

All the vendors want to be first to market, Cortese says. For many vendors, the quickest way to get a device out the door is to use a ready-to-go platform like embedded Linux. "I used to work for the intelligence community," he says. "And I recently got my hands on a piece of IoT malware that can bring down a device with seven lines of code." Manufacturers that don't harden their devices are vulnerable to this attack, he says.

Attackers could use this, say, to shut down a factory or critical infrastructure, or hold a company's systems for ransom. "I've not seen it happen yet, but it's only because 5G has not been widely deployed yet," Cortese says. "With more adoption of 5G and increase of IoT, we'll probably see a big increase in exploits of systems like in the manufacturing industry."

7. Be wary of impersonation attacks

Because most 5G networks are non-standalone, they remain vulnerable to some of the flaws inherent in 4G and older protocols. The GTP protocol, used to transmit user and control traffic on 4G and earlier networks, is one example. It has a vulnerability that allows for the interception of user data, which can lead to an impersonation attack.

Positive Technologies recently released a report on GTP vulnerabilities and their effect on 5G networks. One vulnerability it describes is that GTP does not check the user’s location, making it difficult to determine which traffic is legitimate. All an attacker needs to impersonate a user is their IMSI subscriber identity and TEID tunnel identifier. The latter is easily obtainable, but attackers have several ways to acquire the IMSI, the simplest of which is to buy a database on the dark web.

Impersonation attacks are often facilitated by services that perform pass-through authentication for the sake of convenience. This potentially could expose third-party partners to unauthorized access as well.

The Positive Technologies researchers suggest that organizations track user or device location, but note that the security tools necessary to do this are not deployed on most networks.

8. Someone needs to own IoT security

The biggest single barrier to IoT security isn't technological, but psychological. No one wants to take responsibility. They all want to blame someone else. The buyers blame the vendors for not making their devices secure. The vendors blame the buyers for choosing cheaper, less secure products. In a 5G world, the consequences of assuming someone else is responsible for IoT security will be immensely greater.

According to a survey released by Radware last year, 34% of the respondents believe the device manufacturer is responsible for IoT security, 11% believe service providers are, 21% think it falls to the private consumer, and 35% believe business organizations should be liable. "In other words, there's no consensus," says Mike O’Malley, Radware's VP of strategy. Plus, consumers don't have the knowledge or skills, he says. Enterprises can't hire enough staff. Manufacturers are too uncoordinated and too numerous to control.

Enterprises can hire service providers to take on some of the burden, but that doesn't address the problem of unsecured consumer devices, manufacturers unwilling to make changes, and lack of consistent global regulations and enforcement.

Everyone needs to take responsibility for IoT security. Buyers need to insist that the products they buy don't have default passwords or testing modes, that communications are encrypted and authenticated, and that the devices get regular patches and updates. Vendors need to take the insecure devices off the shelves and start thinking about security at the beginning of their product design process, not after the fact, after the news headlines start appearing.

Copyright © 2020 IDG Communications, Inc.
