Many organizations increasingly rely on 5G technologies for mobile communications, making any 5G security weaknesses of interest to attackers. The good news is that 5G standards have significantly improved cybersecurity for mobile communications overall. Even so, threat actors inevitably still target 5G devices, networks and services.
While mobile network operators are responsible for countering many of these threats through their own security controls, organizations that use 5G services should still consider how bad actors could use the technology against them. What follows are my top insights on 5G security threats for enterprise CISOs, based on a series of 5G cybersecurity white papers I co-authored for NIST’s National Cybersecurity Center of Excellence.
Top 5G security threats
Major 5G cybersecurity threats tend to fall into the following three categories: threats against 5G services and infrastructure, attacks against 5G devices and unavailability of 5G networks.
1. Threats against 5G services and infrastructure
Mobile network operators follow 5G standards in their implementations, but those standards do not require operators to implement or enforce all defined cybersecurity features. Attackers might take advantage of resulting gaps to target devices using 5G services.
For example, attackers might use 5G to spy on users’ geographic locations. Each 5G user, or “subscriber,” is assigned a unique subscription permanent identifier (SUPI). Some 5G implementations transmit unprotected SUPIs, which can enable eavesdroppers to track those subscribers’ physical whereabouts.
2. Attacks against 5G devices
Typically, 5G devices are always connected to mobile networks — often while simultaneously connected to other types of networks, such as Wi-Fi and Bluetooth. This significantly increases the attack surfaces of these devices, providing more ways for attackers to access and compromise them.
Also, 5G devices often aren’t protected by enterprise security controls to the same extent as other endpoints, making threats harder to detect and stop.
3. Unavailability of 5G networks
Much of the cybersecurity of 5G devices and their communications relies on protections built into 5G standards. In the event a 5G network isn’t available, a 5G device will automatically step down to use a 4G network — in the process, losing 5G safeguards.
Attackers can take advantage of this vulnerability by performing downgrade attacks that force or trick 5G devices to use 4G networks, resulting in predictable loss of protection.
How to defend against these threats
In any cybersecurity architecture, it’s best to rely on layers of defense so a weakness in one layer can be offset by other layers. Consider, for example, the following suggestions.
Engage mobile network operators regarding their 5G security practices
- Ask your organization’s mobile network operator what 5G cybersecurity features their services and infrastructures support or mandate.
- Specify in agreements the features your organization requires. Learn what aspects of these features, if any, are your organization’s responsibility to enable or maintain, and make sure you address any discrepancies.
- One tactic to consider: Tell your network operator to enable subscription concealed identifier (SUCI) capabilities on its network and on the SIMs of your 5G devices. Then use SUCI in place of SUPI to prevent subscriber location tracking.
Use enterprise mobile security technologies to protect 5G devices
A wide variety of mobile security tools and services can secure, manage and monitor enterprise 5G devices. By deploying and using these technologies strategically, cybersecurity teams can reduce the risk of compromise and detect threats more quickly.
Implement a strategy for handling 5G network unavailability
When it comes to managing 5G network unavailability and associated risks, the appropriate strategy for any organization, or group of devices within an organization, depends on many business and risk factors. Basic policy options include the following:
- Enterprise 5G devices must use only 5G networks because of the additional cybersecurity features those networks provide.
- Enterprise 5G devices can use non-5G networks if the devices have additional cybersecurity controls to compensate for the loss of 5G network features.
- Enterprise 5G devices don’t need 5G networks’ cybersecurity features to achieve sufficient protection, so it’s OK for them to use non-5G networks when necessary.
Karen Scarfone is a general cybersecurity expert who helps organizations communicate their technical information through written content. She co-authored the Cybersecurity Framework (CSF) 2.0 and was formerly a senior computer scientist for NIST.
