Superfast 5G mobile broadband could power smart cities and the internet of things, (IoT) but as more devices get connected, telecoms and security experts are warning that cyber-attacks could increase in number and severity.
Our homes and cities are getting “smarter” – thermostats, video doorbells, sprinkler systems, street lights, traffic cameras, cars, all connected to the internet, collecting and transmitting useful data.
And 5G superfast mobile is seen as a catalyst that will light up this massive network.
GSMA Intelligence forecasts that there will be more than 25 billion “internet of things” connections by 2025.
But experts are queuing up to issue stark warnings about security.
“Security around IoT devices hasn’t been very good, so if they’re opened up to better connectivity they’re opened up to more hackers, too,” says Cody Brocious, education lead at security consultancy HackerOne.
“Not enough is being done to improve their security, and it’s only going to get worse when they become 5G-connected. We’ll see increases in spam and cyber-attacks.”
Steve Buck, chief operating officer at telecoms security company Evolved Intelligence, goes so far as to say that “5G will power critical infrastructure, so a cyber-attack could stop the country.”
The problem is that a lot of these IoT devices – think small sensors measuring air humidity or temperature, for example – are cheap and need to have a very long battery life.
“Implementing good security into such devices will require more processing power and this drives up costs and drains power,” says 5G expert Dave Burstein, editor of WirelessOne.news.
Which is why it won’t happen.
The danger is that insecure devices will provide rich pickings for hackers. Just this month, internet security firm Sophos Labs warned about a new “family of denial-of-service bots we’re calling Chalubo” targeting IoT devices.
The malware tries to recruit insecure devices into a botnet that can be commanded to bombard websites with requests and knock them out. Hackers then normally ask for a ransom to stop the attack.
“Google and Facebook spend billions on security and both have recently been hacked,” says Mr Burstein.
“If they can’t be fully protected, how can an ordinary person be expected to secure the dozen or more connected devices many of us will soon have?”
This is why Jeff Lipton, vice president of WaterSmart in San Francisco, a company that makes connected programmable water meters, thinks “these systems need to be very carefully thought through before rushing to make every device in a city smart”.
And it isn’t just the devices themselves that are vulnerable – the network potentially is, too.
“With 5G we’ll be consuming services from all over the place, so we want to deliver those services very quickly as close to the customer as possible to reduce latency [delay],” says Adam MacHale, managing director of technology strategy at IT and networking firm Cisco Systems.
So instead of one central delivery centre serving an entire country, there’ll be thousands of local ones, he explains.
“But this increases the threat surface [the number of potential weak points in a network that hackers can attack] and the risk.”
It’s a point reiterated by Michele Zarri, technical director at GSMA, the organisation representing the global mobile industry.
“5G is being developed to work within the cloud, and so the migration from physical to virtual networks will introduce new threats and widen the attack surface,” he says.
And the way national telecoms companies talk to each other also needs to be made more secure, says Steve Buck.
“The interconnect which joins international networks together is the weak spot. A hacker can spoof your location and redirect your calls and texts. All he needs is your phone number.”
So what should the industry be doing about all these security concerns?
Cody Brocious believes you could stop “99% of hacker attacks” on IoT devices by “preventing inbound connections” to them, routing the communications through an intermediary server, most likely operated by the device manufacturer.
“5G services are likely to be subscription based, so the security will have to become a small part of the overall cost,” he says.
Our 5G smartphones will become key weapons in the battle against the hackers. So-called two-factor authentication – supplementing username and password log-ins with codes sent to our locked phones, for example – will become the norm.
As many IoT device makers won’t bother spending the extra money beefing up security on their devices, Cisco and other security firms are switching to monitoring how devices behave on a network – the typical data they send and receive, the patterns of traffic – and looking for anomalies.
“If a device starts connecting to something it doesn’t usually connect to, we might step in and block that traffic,” says Mr MacHale. “And we can spot suspicious behaviour even if the traffic is encrypted.”
And the GSMA’s Mr Zarri says 5G networks are being designed to allow sections to be isolated if they’re attacked or compromised.
New 5G security standards will be needed to make each mobile network authenticate itself before relaying our encrypted calls and messages, Mr Buck believes.
“The regulators have been very concerned about this threat, but they haven’t legislated for it yet,” he says.
“But if we don’t do this we’ll have missed a once-in-a-lifetime opportunity.”