Since operators started preparing for 5G, security has been a hot topic. Concerns about espionage risk have led to the need to define security standards and certification. A lot of this focuses on the network side and seeks to minimize unauthorized access to data. On the device side, we can distinguish the 5G communication stack and the non-communication part of the device (including the hardware, OS, and applications).
From a communication point of view, 5G provides a quality improvement over 4G: it is faster, more reliable, and has less latency. This will not only enable a new generation of phones, but also many new devices with applications in medical, automotive, home automation, and industry. Communication security is well standardized and not that different from 4G.
In several years we will see thousands of devices that are based on, and benefit from, capabilities offered by a limited number of 5G communication stacks. While there may be security problems in the communication stack, we know that the majority of security issues will be in the device platforms and applications. An adversary who takes control over the device will not be limited by 5G security but will use 5G as a reliable and standard interface to access the device and set up communication with any other endpoint globally.
For reference, one can look at recent attacks on smartphones. These attacks often do not focus on the communication stack but target the system behind it. Take, for example, the work we did on the Samsung Galaxy S10, which targets the Trusted Execution Environment. We used one physical device and public information sources to discover critical vulnerabilities and a remote exploitation chain. Such attacks will continue to happen and will not be mitigated by 5G whatsoever. In fact, new 5G devices would only have their attack impact enlarged, enabling remote attacks from anywhere.
So, what are the vulnerabilities that devices suffer from? A primary problem is configuration. Many off-the-shelf products have weak default settings, which are sooner or later compromised. Beyond that point, the software is the biggest risk. We know that fresh code typically has a vulnerability density of 10 issues per kloc (1000 lines of code). This can be lowered through a quality process (code review/analysis), but even heavily scrutinized code often still has 0.1 issues per kloc. Modern chips used in IoT products can easily contain code that exceeds 100k lines of code. From experience, we know that all software products have bugs, but not all products are broken in the field since finding and exploiting those bugs is not always trivial.
Sophisticated physical attacks, like Side-Channel Analysis and Fault Injection, are increasingly used to extract secrets or trigger a code dump. Indirectly, this enables the analysis of code and detection of exploitable vulnerabilities. An attacker would use one instance of the device to find a scalable software vulnerability that can be remotely exploited over the 5G network. This is a real scenario and the biggest risk for 5G devices.
While perfect security does not exist, it is certainly possible to reduce the risk. This is done by implementing a robust development process and by thorough evaluation through independent experts. The development process must include security training and usage of a toolchain to find and fix security issues in hardware and software. The evaluation process uses independent experts and possibly certification to ensure that the final product is sufficiently protected against the newest attacks.
Device vendors and users must understand that 5G will protect their data traffic but offers no guarantees against non-communication-related threats, which still need to be addressed and mitigated.
Contributed by Marc Witteman, CEO, Riscure. If you have any questions, contact us at firstname.lastname@example.org.