Securing the Internet of Things in the age of 5G
The next generation of mobile communications is upon us and it promises not only drastically increased speed but connectivity for a wide variety of devices that have been gaining popularity in recent years. The increasing adoption of IoT (Internet of Things) devices and industrial automation through ICS (Industrial Control Systems) is a key focus area for 5G in addition to simply supporting mobile phones, as was the focus of previous generations of mobile communications.
5G is already being deployed in parts of the U.S. with plans for more widespread availability in 2020 by major carriers. Meanwhile, widespread coverage is already available in parts of Europe and Asia, putting pressure on carriers in other countries to hurry deployment.
The race to roll out new technologies is always at odds with the efforts to ensure they are properly secured, but with 5G seeking mass adoption in industries, including critical infrastructure, security becomes of paramount importance. Security professionals must be ready to address and understand the threats and vulnerabilities associated with 5G.
Specifically, IoT poses a challenge since the majority of mistakes of the previous generation of IoT devices have not been fixed nor have lessons been learned on the part of many manufacturers.
Many IoT devices are insecure from a lack of maintenance
In the literal sense, there are devices out there that either had issues that a firmware update could not fix or no mechanism for updating firmware. In the best case scenario, the companies fixed future iterations of these devices, but not all companies respond when security researchers contact them about vulnerabilities. It's also likely that some companies with vulnerable devices have gone out of business, leaving their devices stuck with whatever vulnerabilities originally existed.
In the figurative sense, the movement to take IoT security more seriously is still gaining momentum outside of the security community. Although we can be hopeful that companies with prior vulnerabilities have since made the necessary updates, there are more vulnerabilities than researchers. Further, there are new companies breaking into the field every day, so even as the more veteran IoT manufacturers patch and learn, a whole new cycle of mistakes awaits.
IoT mistakes are repeating themselves
If you look at the findings from recent research, compared to a few years ago, unfortunately a lot of the same mistakes are being made. Despite the likelihood that increased research into devices may have had an impact, searching MITRE's Common Vulnerabilities and Exposures list for terms indicating IoT devices shows a definitive upward trend in vulnerabilities being reported in IoT devices and their associated applications.
This pattern of repeating the same mistakes, however, has not gone entirely unnoticed, as both OWASP and NIST have put in efforts towards improving awareness of common vulnerabilities and security best practices in recent years. However, it falls on the developers of IoT devices to seek out this information in addition to individuals capable of utilizing this information to make devices more secure.
Privacy remains a top concern
Privacy is another major area in which IoT has had major issues. While some level of data communication is required for devices to operate as intended, there are certainly devices and applications that connect to those devices communicating significantly more data than is necessary.
Even when data is encrypted – which often it isn't – it may be used by the company who made the device in ways not desirable to the consumer, or simply sit in a database to be leaked publicly when a data breach occurs. In some cases, manufacturers may even have intentions for user data that are less than desirable such as resale or espionage.
Consumers play a role in IoT security, too
While it's easy to chastise the manufacturers for carelessly allowing common vulnerabilities into their devices, the consumer must also be held accountable to some extent. At the most basic level, consumer willingness to pay more for higher quality and more secure IoT devices is a prerequisite to solve the IoT security issue. As long as the consumers don’t demand it, manufacturers will continue to put out devices lacking in security.
Consumers must also gain a better basic understanding of security themselves, as it relates to configuring these devices. The recent news around Ring users having their devices compromised is a perfect example of the lack of consumer security knowledge. Devices with fairly solid security have been compromised through users who re-use bad passwords across multiple accounts and fail to enable more advanced security options available, such as Multi-Factor Authentication (MFA).
While Ring could have implemented a few more security precautions at the cost of user experience, the failure here is primarily on the part of the user since it wasn’t the software or hardware which was exploited, but rather lack of personal security measures. This issue is compounded in less secure devices where failing to reset the admin password or enable encrypted communication can lead to incidents.
The impact of 5G on IoT
Unlike previous generations, 5G has been designed with a wide variety of devices in mind, including IoT devices. This will undoubtedly lead to an increasing number of devices being designed to connect directly to the Internet over 5G rather than through gateways which separate local networks from the Internet.
The previous approach has some distinct advantages for security, such as the possibility of implementing firewalls and application security software to protect the network from attack via these devices. Some devices may never even need access to the Internet and thus can remain fairly safe barring a breach of the local network.
Conversely, the ability to connect 5G devices directly to the Internet does have the advantage of preventing devices from being used to compromise entire networks (assuming they are not simultaneously connected to the local networks as well). This tradeoff, however, puts the majority of security responsibility onto the device manufacturers who have a pretty bad record at creating secure devices.
5G also stands to blur the distinction between what is currently regarded as IoT devices and ICS, since once industrial control systems have Internet access, they will join the Internet of Things. Perhaps more than even IoT devices, network isolation has been an important security measure for ICS devices. Removing this may well lead to a major security concern for industry and critical infrastructure which are already under attack.
A final risk for IoT and ICS devices utilizing 5G for connectivity over local networks is flaws in 5G itself discovered by the 5GReasoner project. 11 vulnerabilities were discovered, some of which were carried over from previous generations, and thought to have been fixed in the new specification. The issue of rogue cell stations known as “stingrays” appears to not have been resolved -- a specific issue 5G was said to have fixed. This could lead to new attack vectors through interception, injection, and service denial of mobile communications.
The future of IoT and 5G
While IoT has already had its share of issues, 5G connectivity has the potential to exacerbate some of these issues as well as broaden the scope of devices considered IoT.
Device manufacturers will take on increasing responsibility for their role in making sure devices are secure as some network-level measures will only be available to telecom rather than users. This creates some opportunity for 5G to aid in securing devices and networks, but as has been revealed 5G is not without its share of issues.