Privacy challenges and security solutions for 5G networks
As telecoms roll out 5G across the globe, different actors such as virtual mobile network operators (VMNOs), communication service providers (CSPs), and network infrastructure providers, will all play a pivotal part in designing, implementing, and maintaining 5G networks. Unlike previous generations - where mobile operators had direct access and control over system components - 5G mobile operators are losing the full governance of security and privacy. With varying priorities for security and privacy between each of the actors, synchronizing mismatched policies will be a serious challenge in 5G networks.
With that in mind, let’s examine specific privacy challenges in 5G networks, and explore some potential security solutions. First, let’s take a trip down memory lane on the history of threats faced by mobile networks.
Past security vulnerabilities in wireless networks
From the very beginning, wireless communication systems have been prone to security vulnerabilities.
- In the early 1980s, 1G networks saw mobile phones and even wireless channels targeted for illegal cloning and masquerading.
- On early 2G networks, message spamming was commonplace, as was broadcasting unwanted marketing information.
- With 3G networks and the advent of IP-based communication, the migration of security vulnerabilities seen on desktop computers moved into the wireless domain.
- 4G networks saw the proliferation of smart devices and millions of third-party apps that led to a dynamic and complicated threat landscape.
With 5G wireless networks, over 7 trillion wireless devices serving over 7 billion people will be interconnected, ushering a new era of security threats, and a greater focus on privacy.
Privacy challenges in 5G networks
From the user’s perspective, privacy concerns center around location tracking, identity, and other personal data. 4G network technology has a wide coverage area since the signal is broadcasted from a single cellular tower. 5G networks have a much smaller coverage area and the signal cannot penetrate walls as good as 4G. Subsequently, 5G networks require many smaller antennas and base stations that are placed indoors and outdoors.
The knowledge of which cell tower or antenna a mobile user communicates with can reveal valuable information about the user’s location. Each time a user connects to a 5G antenna, mobile networks can pinpoint a user's location and can even determine what building a user is in. Threats such as semantic information attacks (the use of incorrect information to cause harm) often target the location data of users. Location data can also be leaked by access point selection algorithms in 5G mobile networks. In all, more 5G antennas allow for precise location tracking of users inside and outside.
With respect to identity, International Mobile Subscriber Identity (IMSI) catching attacks can reveal the identity of mobile subscribers. By seizing the IMSI of the subscriber's device, an attacker intercepts mobile traffic in a defined area to monitor an individual's activity. While an attacker can see the number of outgoing calls or text messages sent, they still cannot see the contents of that message. However, even after an individual has left the attack area, the attacker can still monitor the number of past and future calls or messages.
For 5G to succeed on a mass scale, there must be mutual agreement and trust among the various stakeholders
Data collection is another major concern for 5G users. Virtually all smartphone applications require users' personal information before or during installation. App developers rarely mention how and where that data is stored and what it is going to be used for. 5G networks have no physical boundaries and use cloud-based data storage. Subsequently, 5G operators cannot protect or control user data stored in cloud environments. As each country has different levels of privacy measures and enforcement, user privacy is seriously challenged if and when the data is stored in the cloud of a different country.
Privacy solutions for 5G
5G architecture should encapsulate privacy-by-design approaches that are service-oriented and privacy-preserving. Mobile operators need to adopt a hybrid cloud-based approach where sensitive data is stored locally and less sensitive data stored in the cloud. This provides operators with more access and control over the data, and they can decide where and whom to share it with.
Location-based privacy requires anonymity-based techniques and systems where the users' true identity can be hidden, perhaps with a pseudonym. Messages should also be encrypted before it is sent to a location-based service provider. Obfuscation techniques - where the quality of location information is reduced - can also be used to protect location privacy. Location cloaking algorithms have proven effective against timing attacks.
To prevent IMSI catching attacks, mobile operators can protect users' identities by using Temporary Mobile Subscriber Identity (TMSI). In this instance, each mobile device is assigned a random TMSI that is changed by the network at regular intervals. This makes it difficult to identify mobile devices and prevents subscribers from being identified and/or eavesdropped on the radio interface.
Srinivas Bhattiprolu, Senior Director of Nokia Software, presents at the RSA Conference held in San Francisco in February 2020.
E2E security solutions
For CSPs, 5G Security must address five key end-to-end operations: radio transport, telco cloud, IoT and devices, security operations, and slicing security. At a recent RSA Conference, Srinivas Bhattiprolu, Senior Director at Nokia Software argued that security shouldn’t be considered as a technology issue. Rather, it should be addressed holistically across people, process, and technology. He recommends that operators follow the Prague guidelines for securing infrastructure and consider leveraging technology advancements like Analytics and Machine Learning.
Bhattiprolu outlines a 5G trust model for CSPs with recommendations and best practices. He identifies four key 5G security capabilities: adaption, speed, integration, and automation.
CSPs must respond quickly to new cyber-attack approaches (adaption) and reduce the time a hacker stays undetected (speed). Many threats are designed to stay undetected but multi-dimensional analytics and machine learning can correlate and analyze data to catch anomalies and provide contextual intelligence about threats.
To further build digital trust, CSPs must integrate 5G security systems with centralized reporting (integration) and produce automation to boost efficiency (automation). Collectively, automation, central monitoring capability and design for security (DfSec) are all essential to improve efficiency and reduce human intervention. Combined with comprehensive visibility, integrated intelligence, and high-powered analytics, CSPs create a foundation for comprehensive 5G security solutions.
5G will soon promote the rapid proliferation of IoT, connecting billions of devices to billions of people. 5G’s strong and robust data transport capacity - 1000 times faster than 4G - will produce enormous amounts of information where location, identity, and personal data leakage becomes the new security challenge.
As more 5G antennas and base stations are placed around high-density areas, location privacy protection of IoT and end-users is expected. By implementing privacy protocols into the very architecture of 5G networks, the actors in 5G deployment can collectively take a proactive approach towards privacy protection, and ensure users their identities, location, and data are in safe hands.
