Sign In

Communications of the ACM

ACM News

Is 5G Opening Security Holes in the Internet of Things?

View as: Print Mobile App Share:
A literal hole in security.

As with all infant technologies, we hardly have an inkling about 5G wireless security flaws alone, and the Internet of Things is no less subject to attack as vendors trade native security capabilities for swift time-to-market.

Credit: Castle Rock Entertainment

Market research company Research and Markets, looking at the intersection of the Internet of Things (IoT) and the increasingly popular fifth-generation cellular broadband technology 5G, said, "The global 5G IoT market size is expected to reach USD$11.35 billion by 2027."

The 5G technology and IoT devices are inextricably linked. According to the U.S. Government Accountability Office (GAO) report 5G Wireless Capabilities and Challenges for an Evolving Network, IoT devices are primary consumers of 5G networks.

In the 5G IoT market, IoT devices will multiply exponentially as 5G wireless connectivity enhances their capabilities. Smart factories in industry 4.0, for example, will leverage 5G and an abundance of industrial IoT to increase data visualization and enhance productivity while turning away from wired solutions, according to NetworkWorld .

Yet criminal hackers stand to benefit, too. With 5G wireless, sprawling IoT networks, and the flood of IoT device communications that follow, IoT becomes more vulnerable. As with all infant technologies, we hardly have an inkling about 5G wireless security flaws alone, and IoT is no less subject to attack as vendors trade native security capabilities for swift time-to-market.

Their combined shortcomings will open IoT to many more exploits.

IoT Device Capabilities, Exponential Growth

"The 5G is ushering in a new era. The smart factory will get a boost with 5G as the lower delay and higher bandwidth allow the use of edge computing and AI/ML. The service industry will be able to develop service models based on virtual reality/augmented reality for supporting after-sales services," says Surinder Dahr, director of mobile solutions at Valid, a Rio de Janeiro-headquartered cybersecurity firm that safeguards people's and objects identifications.

As for specific devices, IoT deployments such as live 8K UHD video cameras will thrive with support from 5G, according to TVU Networks, a cloud and IP-based live video technology firm. Factories, businesses, and municipalities will apply 8K video to surveillance cameras and feeds to capture high-quality video evidence with a satisfying overlap in camera coverage, clearly capturing incidents of crime, weather, accidents, injury, and wear and tear.

These 8K cameras are only one example of the devices that 5G will attract. As 5G  supports a plethora of new and existing devices, and many more of them in a given space, organizations will pack them in to collect more data. IoT device density will permeate, pressing a staggering number of devices into a finite area. According to data from market research firm IDC, 5G will connect as many as 1 million IoT devices per square kilometer.

Sensors are another good example of IoT deployments responding to 5G. What 5G promises for IoT is that as sensor density rises, manufacturers will gather more data, digitize their factory floors, elevate visualization of IoT data analysis, raise productivity, and skirt requirements for complex wiring and legacy analog technologies.

According to Valid's Dahr, "Wired programmable logic controller systems have served the factory floors efficiently for years. With 5G, wireless things are destined to change. However, the pace of production floor adoption of the new technology will vary from industry to industry. I see early adopters in high-volume product companies like consumer durable, automotive, and hazardous chemical."  

5G Makes IoT More Vulnerable

While the strengths of 5G incentivize business to deploy more IoT devices, the resulting population and capabilities of IoT devices create a broad and vulnerable attack surface. Explains Peter Liu, vice president of the Technology and Service Provider Research Group of Gartner Research, "The significant issue that 5G precipitates in massive IoT is the increased bandwidth, resulting in more poorly designed devices on the network, and ultra-low latency, so devices can now communicate with each other." Liu says In such scenarios, a cyberattack on an IoT  device can spiral out of control.  

Meanwhile, 5G has its own direct vulnerabilities, says Liu. "The network moved from centralized, hardware-based to distributed, software-defined. The traditional network had hardware choke points where security could be implemented; that won't work for 5G."

The 5G technology will present still more weaknesses. Here are some security concerns that the U.S. Cybersecurity & Infrastructure Security Agency (CISA) offers regarding 5G Security and Resilience:

  • The breadth of 5G Information and communications technology (ICT) components will multiply network vulnerabilities from improperly deployed, configured, or managed 5G equipment, making networks vulnerable to disruption and manipulation.
  • The 5G supply chain is open to cybersecurity risks from malicious hardware and software, counterfeit components, and poor designs, manufacturing processes, and maintenance procedures.
  • Existing 5G deployments that use legacy 4G LTE infrastructure and untrusted components with known vulnerabilities create equipment and network vulnerabilities despite 5G security enhancements.
  • China's Huawei is an untrusted vendor building proprietary interfaces into its 5G technologies, limiting customers' choices of equipment, since it may not be interoperable with Huawei products.
  • Untrusted 5G components could increase the attack surface by introducing new vulnerabilities.

Another 5G security concern arises in private 5G networks. Phil Solis, research director for connectivity in the semiconductor group of IDC, says where people and companies are configuring their own private IP cellular 5G networks, which are starting to come online, there is a greater chance that they won't set 5G security correctly. 

IoT Devices Vulnerable

Some advantages of IoT work for cybercriminals, too. Says Chris Rouland, CEO of Phosphorus Cybersecurity, an IoT device cybersecurity firm, "Many IoT devices are multi-homed, having not only 5G interfaces but also Wi-Fi, Ethernet, and Bluetooth. I can exploit a 5G IoT device, then use the other interfaces to further my attack. Multihoming provides long-term persistent communication, which hackers love. The devices are low bandwidth, and so the persistence would go undetected."

IoT software is inviting to criminal hackers. According to Rouland, vendors often use hand-me-down firmware that passes through four or five generations of devices from different makers in different countries. "When they recycle the firmware, they lose the ability to patch its vulnerabilities," says Rouland.

A lack of vendor experience creates additional vulnerabilities. According to Fred Cohen, CEO of consulting firm Management Analytics, companies making IoT and 5G solutions may lack everything from good governance to technical understanding in terms of cybersecurity, and especially expertise in building devices and systems that can withstand widely known and used exploitation techniques.

Still, vendors have had time to respond to ongoing cyberattacks on IoT. It's not likely IoT vendors haven't heard about the intelligent toasters that cybercriminals enlisted in a botnet-enabled DDoS attack on the Dyn Domain Naming System (DNS) service in 2017; a lot more IoT attacks, hacks, and botnets have happened since then. A new Mirai-botnet variant affecting IoT devices was active as of this March, according to ThreatPost.

A commonly reported reason that IoT vendors' cybersecurity is missing is that they trade it for time-to-market, cost savings, and profits. Yet IDC's Solis doesn't buy that all IoT vendors behave this way. "In some cases, yeah, there could be situations like that. Not every company is going to be careless about security," Solis says.

5G/IoT Vulnerability Cross-Pollination

The combined shortcomings of 5G and IoT will lead cybercriminals to exploit these devices further. The industry is already familiar with some attacks that cybercriminals will employ. A post by HelpNetSecurity describes two:

  • Criminal hackers will almost certainly try man-in-the-middle attacks that enable them to hijack data transmitted between IoT devices, networks, and machines.
  • Black hats will launch DDoS attacks to control video surveillance systems and medical equipment.

And Rouland suggests one more: "You can pop your own 5G SIM card into an IoT device and take it over."

Wait, There's More

The recent breach of Verkada, an enterprise security camera firm, in which cybercriminals cracked a superuser account to breach data from 150,000 security cameras, including those at Tesla, jails, and hospitals, is one example.

More attacks are coming. As long as cybercrooks reside in foreign nations that don't assist victim countries in prosecuting the culprits, they will continue to prey on weak links in emerging networks and devices.

It could take an attack of SolarWinds' severity for vendors to stand up for better IoT security. "We still haven't had an Equifax moment totally attributed to IoT. That will happen. It will happen in 5G because of the persistent connectivity, speed, capacity, and multihomed nature of IoT devices," says Rouland.

Maybe that's when IoT/5G security will improve.


David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.


No entries found