Why 5G Could Get Us All Hacked
Full disclosure: I’m actually excited for 5G and all of the advancements it will bring. Think about it for a moment here…we have already seen remote surgeries performed across 5G networks and more than enough bandwidth to ensure that our continual internet of things (IoT) growth is sustainable. Smart cities and buildings could soon interconnect with the help of smart building companies to give management a complete overview of every aspect of their operation -- not to mention that it could offer its citizens and tenants blazingly fast internet that doesn’t require wiring. The one thing, though, that many people miss as they prepare for this future is that with the good comes the bad. Lest we forget the fourth law of cybersecurity, “With Innovation Comes Opportunity for Exploitation.” How we prepare for this malevolence could ultimately decide the success or failure of 5G as a positive force in our lives.
Before personal and corporate threats can be discussed here, it is important to understand that there is already some controversy as to who is supplying the actual infrastructure for 5G: namely, Huawei. With alleged ties to the government of China, many have serious concerns about Chinese state-sponsored surveillance (paywall) via any Huawei 5G infrastructure that is installed within the United States. In a plain-English nutshell, a mobile phone’s data gets transmitted to a “receiver” and then routed to the internet to connect the user with wherever they wish to go. If that “receiver” has the ability to capture and record what the user is texting, emailing, video chatting, streaming, and more, then it may be able to send that information elsewhere -- such as to a foreign government.
I've seen an explosion in this type of hacking, known as supply chain hacking, including when the Chinese government was accused of installing microprocessors into a major server supplier (paywall) that provides servers to organizations like the United States Navy, Apple, Amazon, and others. The issue with Huawei supplying critical communication infrastructure is so serious that other U.S.-allied countries like Australia, New Zealand, the United Kingdom, Germany, and others are reportedly reconsidering their relationships with Huawei as an equipment source for essential and critical components, and the U.K. may only allow nonessential equipment from Huawei. The United States even threatened to withhold intelligence from Britain if it chooses to move forward with the installation of 5G infrastructure from Huawei. Plus, imagine if a foreign country was able to simply “turn off” communications for an entire region or country. There's no need to imagine, really. Russian hackers reportedly did this to Ukraine in 2015 by killing a local electrical grid that supported as many as 80,000 Ukrainians and then hitting the phone system infrastructure so no one could call and complain.
On top of this situation, I believe it’s a universal truth that criminal hackers both need and love more bandwidth. With a reported increase in Denial of Service attacks (such as 2018 Akamai research, via CSO) since the Mirai IoT infection of 2016, hackers will likely require more and more bandwidth to do everything from hitting critical infrastructure to hijacking computers, not to mention for more intensive crypto-mining infections and beyond. Data exfiltration continues to be a serious issue I see, and more mobile bandwidth means that these hacks may be able to move significantly more data out of a network before we detect them and shut them down. That alone should make everyone extremely concerned for data security, as should the need to increase the amount of threat monitoring most organizations currently employ.
And to top all of this off is the issue of hearts and minds in terms of actual awareness and education on this situation. We are arguably living in the most prolific era in humanity in terms of self-publishing and sharing via social media, which has also exploded the amount of fraud online. I believe humans, in general, are trusting when they shouldn’t be -- not so much of the people in our lives, which may vary with emotional attachment, nostalgia, and experience with said people, but of the infrastructure around us that we rely on. We trust that the wireless we use is safe when many times it’s not. Hackers can spoof Wi-Fi, which makes it easier for them to steal personal information, insert infections into devices, decrypt passwords, and more. And yes, we can even spoof cellular towers, which means that even some of the more security-minded people who choose not to use the free Wi-Fi wherever they are may be at risk.
In terms of corporate security, 5G presents a set of problems that many IT and cybersecurity professionals may not have considered, including that the traditional network for a corporation may be going away. If a cellular carrier can give any computer or device blazing-fast internet connections and, as our critical and protected information moves to the cloud, many companies may find it completely pointless to install wired and wireless infrastructure due to cost. Why not let all the employees simply connect to wherever they need to go on the 5G connection and be done with it? This presents significant challenges for cyber-defense strategies. Traditionally, corporate cybersecurity has been perimeter-based, meaning (in the most basic terms) that all the company assets are behind a firewall that creates a filter between the massive network that is the internet and the office network. More advanced corporate networks employ a zero trust configuration, which can help to isolate and protect devices even more securely.
If these barriers are gone and devices connect to their 5G carrier at will, organizations will have to create cloud defensive postures to ensure that their devices are properly defended when they connect to the internet and share common infrastructure with millions of other subscribers on their carrier. Already, mobile security can be a large headache for IT and cybersecurity professionals, and this will likely only get worse as many organizations who don't currently have good mobile defense strategies start adopting a technology stance that is even more mobile.
If we don’t address these issues and come up with secure solutions that can be universally adopted, I believe 5G could be the death of us all.
Written by: Nick Espinosa, Chief Security Fanatic at Security Fanatics, CIO, Keynote Speaker, Author, Radio Show Host, and Cybersecurity Expert, for Forbes.