'Bruce Schneier comments on the issues surrounding 5G security:
[...] Keeping untrusted companies like Huawei out of Western
infrastructure isn't enough to secure 5G. Neither is banning Chinese
microchips, software, or programmers. Security vulnerabilities in the
standards, the protocols and software for 5G, ensure that
vulnerabilities will remain, regardless of who provides the hardware
and software. These insecurities are a result of market forces that
prioritize costs over security and of governments, including the
United States, that want to preserve the option of surveillance in 5G
networks. If the United States is serious about tackling the national
security threats related to an insecure 5G network, it needs to
rethink the extent to which it values corporate profits and government
espionage over security.

To be sure, there are significant security
improvements in 5G over 4G in encryption, authentication, integrity
protection, privacy, and network availability. But the enhancements
aren't enough. The 5G security problems are threefold.

First, the standards are simply too complex to implement securely.
This is true for all software, but the 5G protocols offer particular
difficulties. Because of how it is designed, the system blurs the
wireless portion of the network connecting phones with base stations
and the core portion that routes data around the world. Additionally,
much of the network is virtualized, meaning that it will rely on
software running on dynamically configurable hardware. This design
dramatically increases the points vulnerable to attack, as does the
expected massive increase in both things connected to the network and
the data flying about it.

Second, there's so much backward
compatibility built into the 5G network that older vulnerabilities
remain. 5G is an evolution of the decade-old 4G network, and most
networks will mix generations. Without the ability to do a clean break
from 4G to 5G, it will simply be impossible to improve security in
some areas. Attackers may be able to force 5G systems to use more
vulnerable 4G protocols, for example, and 5G networks will inherit
many existing problems.

Third, the 5G standards committees missed many
opportunities to improve security. Many of the new security features
in 5G are optional, and network operators can choose not to implement
them. The same happened with 4G; operators even ignored security
features defined as mandatory in the standard because implementing
them was expensive. But even worse, for 5G, development, performance,
cost, and time to market were all prioritized over security, which was
treated as an afterthought.'
-- source:
https://mobile.slashdot.org/story/20/01/16/1514231
Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/