https://www.schneier.com/blog/archives/2020/01/china_isnt_the_.html
> 5G Security
>
> The security risks inherent in Chinese-made 5G networking equipment are easy
> to understand. Because the companies that make the equipment are subservient
> to the Chinese government, they could be forced to include backdoors in the
> hardware or software to give Beijing remote access. Eavesdropping is also a
> risk, although efforts to listen in would almost certainly be detectable.
> More insidious is the possibility that Beijing could use its access to
> degrade or disrupt communications services in the event of a larger
> geopolitical conflict. Since the internet, especially the "internet of
> things," is expected to rely heavily on 5G infrastructure, potential Chinese
> infiltration is a serious national security threat.
>
> But keeping untrusted companies like Huawei out of Western infrastructure
> isn't enough to secure 5G. Neither is banning Chinese microchips, software,
> or programmers. Security vulnerabilities in the standards--the protocols and
> software for 5G--ensure that vulnerabilities will remain, regardless of who
> provides the hardware and software. These insecurities are a result of market
> forces that prioritize costs over security and of governments, including the
> United States, that want to preserve the option of surveillance in 5G
> networks. If the United States is serious about tackling the national
> security threats related to an insecure 5G network, it needs to rethink the
> extent to which it values corporate profits and government espionage over
> security.
>
> To be sure, there are significant security improvements in 5G over 4G--in
> encryption, authentication, integrity protection, privacy, and network
> availability. But the enhancements aren't enough.
>
> The 5G security problems are threefold. First, the standards are simply too
> complex to implement securely. This is true for all software, but the 5G
> protocols offer particular difficulties. Because of how it is designed, the
> system blurs the wireless portion of the network connecting phones with base
> stations and the core portion that routes data around the world.
> Additionally, much of the network is virtualized, meaning that it will rely
> on software running on dynamically configurable hardware. This design
> dramatically increases the points vulnerable to attack, as does the expected
> massive increase in both things connected to the network and the data flying
> about it.
>
> Second, there's so much backward compatibility built into the 5G network that
> older vulnerabilities remain. 5G is an evolution of the decade-old 4G
> network, and most networks will mix generations. Without the ability to do a
> clean break from 4G to 5G, it will simply be impossible to improve security
> in some areas. Attackers may be able to force 5G systems to use more
> vulnerable 4G protocols, for example, and 5G networks will inherit many
> existing problems.
>
> Third, the 5G standards committees missed many opportunities to improve
> security. Many of the new security features in 5G are optional, and network
> operators can choose not to implement them. The same happened with 4G;
> operators even ignored security features defined as mandatory in the standard
> because implementing them was expensive. But even worse, for 5G, development,
> performance, cost, and time to market were all prioritized over security,
> which was treated as an afterthought.
>
> Already problems are being discovered. In November 2019, researchers
> published vulnerabilities that allow 5G users to be tracked in real time, be
> sent fake emergency alerts, or be disconnected from the 5G network
> altogether. And this wasn't the first reporting to find issues in 5G
> protocols and implementations.
>
> Chinese, Iranians, North Koreans, and Russians have been breaking into U.S.
> networks for years without having any control over the hardware, the
> software, or the companies that produce the devices. (And the U.S. National
> Security Agency, or NSA, has been breaking into foreign networks for years
> without having to coerce companies into deliberately adding backdoors.)
> Nothing in 5G prevents these activities from continuing, even increasing, in
> the future.
>
> Solutions are few and far between and not very satisfying. It's really too
> late to secure 5G networks. Susan Gordon, then-U.S. principal deputy director
> of national intelligence, had it right when she said last March: "You have to
> presume a dirty network." Indeed, the United States needs to accept 5G's
> insecurities and build secure systems on top of it. In some cases, doing so
> isn't hard: Adding encryption to an iPhone or a messaging system like
> WhatsApp provides security from eavesdropping, and distributed protocols
> provide security from disruption--regardless of how insecure the network they
> operate on is. In other cases, it's impossible. If your smartphone is
> vulnerable to a downloaded exploit, it doesn't matter how secure the
> networking protocols are. Often, the task will be somewhere in between these
> two extremes.
>
> 5G security is just one of the many areas in which near-term corporate
> profits prevailed against broader social good. In a capitalist free market
> economy, the only solution is to regulate companies, and the United States
> has not shown any serious appetite for that.
>
> What's more, U.S. intelligence agencies like the NSA rely on inadvertent
> insecurities for their worldwide data collection efforts, and law enforcement
> agencies like the FBI have even tried to introduce new ones to make their own
> data collection efforts easier. Again, near-term self-interest has so far
> triumphed over society's long-term best interests.
>
> In turn, rather than mustering a major effort to fix 5G, what's most likely
> to happen is that the United States will muddle along with the problems the
> network has, as it has done for decades. Maybe things will be different with
> 6G, which is starting to be discussed in technical standards committees. The
> U.S. House of Representatives just passed a bill directing the State
> Department to participate in the international standards-setting process so
> that it is just run by telecommunications operators and more interested
> countries, but there is no chance of that measure becoming law.
>
> The geopolitics of 5G are complicated, involving a lot more than security.
> China is subsidizing the purchase of its companies' networking equipment in
> countries around the world. The technology will quickly become critical
> national infrastructure, and security problems will become life-threatening.
> Both criminal attacks and government cyber-operations will become more common
> and more damaging. Eventually, Washington will have to do something. That
> something will be difficult and expensive--let's hope it won't also be too
> late.

--
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408 M: +61 404072753
mailto:[email protected] aim://kimholburn
skype://kholburn - PGP Public Key on request
