The dangers of 5G telephony

I’ve been following the whole Huawei 5G panic over the past years. I have a professional interest in the subject since I have an IT background. On the face of it, the hysteria seems to make sense. Why would we let companies build our infrastructure when the Chinese government can force them to let it eavesdrop?

This article explains why the panic is unfounded, and why we’re looking in the wrong direction.

Background

For those of you who weren’t paying attention, the situation sounds simple. We’re reaching a point where we’re upgrading from our current 4th generation networks, or 4G. (This is why the next generation is 5G). This will provide lightning-fast speeds for mobile data. In turn, that will be the lifeblood of next-generation tech like the Internet of Things (IoT).

Huawei is a huge communications company that bids to build chunks of national infrastructure for 5G technology. But Chinese companies can be forced to obey the Chinese government. Huawei points out that the government hasn’t done this, hoping we won’t ask if it could happen in the future. It follows that if Huawei builds our 5G infrastructure, the Chinese may force Huawei to allow it to eavesdrop.

Nobody wants strangers listening to their private conversations, even trivial ones.

This seems to be why many countries are debating, or have debated, whether they should allow Chinese companies to do this. The US even insists it will not share intelligence data with allies if they use Huawei-built tech.

Again, no one wants strangers listening in on their conversations.

And if those conversations are about military intelligence you’d want fewer strangers around, not more.

So it makes sense to call for a ban on Chinese companies, no?

Not so fast.

Securing 5G

The lie is that if we keep Chinese companies out of the game, then our 5G communications will be secure.

That’s 100% bona fide fake news.

Many state and non-state hackers have broken US and European networks for years. And they did it without needing to control the hardware or the infrastructure. The American NSA has also broken in other networks without having to coerce anyone. Nothing in 5G prevents this from happening in the future.

Our current 4G communications technology has flaws of its own. 5G will give us significant improvements in encryption and privacy. Don’t think that this means we’ll be safe, because we won’t.

The three things we need to worry about are:

• Standards
• Backward compatibility
• Missed opportunities.

Standards

Any software developer will tell you that the more complex a standard is, the harder it is to secure. It’s not impossible but developers make many trade-offs on a daily basis. All software suffers this way but the 5G standards and protocols have specific difficulties. Without getting into too much technical jargon, the design of a 5G network increases the points which are vulnerable to attack.

Don’t forget I mentioned IoT earlier. IoT implies connecting independent devices to the internet. More things will be online and more data will be online. Our networks will become more complicated and complexity is the enemy of security.

Backward compatibility

As users we want to be able to keep using old devices and products. Why would I have to throw my phone or computer away because the government wants a 5G network? We demand that new systems are backward compatible.

It’s a customer-focused approach and it sounds like it makes perfect sense.

But if you’re going to be compatible with something which is old, you’re also going to keep the older vulnerabilities and problems too. No operator will change everything in one go, so we will have mixed-generation networks.

This isn’t like changing the oil in your car where you do it all in one go.

Without a clean break from 4G, it will be nearly impossible to improve security. This means a 5G system will use a more-vulnerable 4G standard or protocol. And we’ll inherit many existing problems too.

Missed opportunities

The standards committees that worked on 5G missed many opportunities to improve security.

I winced as I wrote that last sentence. You’d think the people in charge of designing the future would be up to the job, but it turns out they can make as many mistakes as the rest of us do.

For example, security features in 5G are optional. So if Vodafone feels that implementing them would be too much hassle or too expensive, they can ignore them.

Don’t worry about whether Huawei are going to listen in; do you trust your network operator to make things as secure as possible?

Where does that leave us?

As I write I can see new articles appear in the technical media about new vulnerabilities in 5G. The key thought we need to keep in mind is that any network we connect to may be a compromised network.

Unless the network is 100% under your control, you cannot trust it.

This is why we should use encrypted messaging.

Worrying about the manufacturer isn’t going to help.

It’s like worrying about whether chickens are free-range or not when you don’t know if the cook washes his hands.

You’re still going to get food poisoning no matter how the chicken lived its life.

So don’t think that excluding Huawei will make you safe.

Because you’re not.

References

1. The evolution of security in 5G; 5G Americas; 2019-07
2. A Plea for Simplicity; Bruce Schneier; Schneier on security; 1999-11-19
3. 5G Is More Secure Than 4G and 3G—Except When It’s Not; Lily Hay Newman; Wired.com; 2019-12-15
4. 5G inherits some 4G vulnerabilities; Karen Epper Hoffman; GCN.com; 2019-10-21
5. 5G Is More Secure Than 4G and 3G—Except When It’s Not; Lily Hay Newman; Wired.com; 2019-12-15

All references were valid and correct when this article was published. Changes to referenced websites or web pages may render some references invalid. If this is the case, please leave a comment below.