Why we need more 5G cyberhacks
How secure are 5G networks? That question should be on the lips of every network operator (and their customers) as the next generation of mobile broadband technology is rolled out across the world.
While the industry is likely to find out the hard way, there are steps that can be taken to head off potential trouble. One such step is for network technology vendors to open up their systems to ethical hackers to see what happens (a scenario that doesn't happen nearly enough in the industry across all types of network technology).
So it was encouraging to see a recent report on what was the world's first 5G cyber hackathon, which was held last November in Oulu, Finland. It was particularly encouraging to see that two of the radio access network market's leaders, Ericsson and Nokia, participated, as more than 80 ethical hackers got stuck into 5G New Radio, non-standalone (NSA) core and 5G fixed wireless access systems to see what vulnerabilities they could uncover.
The other good news is that there's a report on the proceedings from an independent analyst, Patrick Donegan, founder and principal analyst at HardenStance, who has long been focused on network security developments.
Ericsson also published a blog about the hackathon, though as you'd expect it is less neutral.
Donegan notes in his report that, with 5G, the mobile network sector is now adopting protocols and architectures more widely used "at scale by both good and bad actors throughout the IT world," and that, as a result, "the expertise of the global ethical hacker community can start to be effectively exploited by Ericsson, Nokia and the rest of the mobile industry ecosystem to help harden mobile infrastructure hardware and software."
He adds: "Until now third party 5G vulnerability research has mainly been confined to small, isolated, teams of researchers working to find vulnerabilities without much active support from industry. The Oulu event is therefore a potentially important breakthrough in formalizing the role of ethical hackers in the 5G security ecosystem at scale."
Donegan, though, is at pains to point out that such events "should be seen as an important new contributor to the 5G security ecosystem," and not regarded as a panacea. His report is concise, focused and well worth checking out – it's available to download from the HardenStance website.
But one hackathon is going to change little – this needs to be the start of something bigger if it's going to have an impact. In the report, Donegan suggests that Ericsson and Nokia should stage a similar event in North America and yes, that would help move things along a bit more.
What would be better, of course, is if more vendors were involved – imagine the added value if Huawei and Samsung were also involved in any further 5G RAN hackathons.
But what I'd like to see is an extension of the Oulu event to include standalone, cloud-native core systems, which are, after all, likely to bear the brunt of cyberattacks on 5G networks: These are also the systems with which network operators have the least experience and which will need the most focus in 5G network security strategies.
So how about a 5G cyber hackathon focused on standalone core systems involving not only Ericsson, Nokia, Huawei and even ZTE, but also Cisco, Affirmed Networks, Altiostar et al? With standalone core deployments expected to start this year, that would surely deliver enormous value to the whole industry.
This is the sort of topic that could (and should) have been raised and discussed this week in Barcelona, but with MWC no longer taking place maybe the giant RSA event could be a platform to kickstart such suggestions.
There's still a great deal of excitement around 5G right now and a lot of hopes being pinned on the potential new services that could emerge, particularly in the enterprise market. But that excitement needs to come hand in hand with the realization that 5G also brings a welter of new security challenges that can only be tackled with broader industry collaboration and participation. Let's all make sure that happens.
— Ray Le Maistre, Editor-in-Chief, Light Reading