Inadequate implementation of telecom standards, supply chain threats, and weaknesses in systems architecture could pose major cybersecurity risks to 5G networks, potentially making them a lucrative target for cybercriminals and nation-state adversaries to exploit for valuable intelligence.
The analysis, which aims to identify and assess risks and vulnerabilities introduced by 5G adoption, was published on Monday by the U.S. National Security Agency (NSA), in partnership with the Office of the Director of National Intelligence (ODNI) and the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
"As new 5G policies and standards are released, there remains the potential for threats that impact the end-user," the report said. "For example, nation states may attempt to exert undue influence on standards that benefit their proprietary technologies and limit customers' choices to use other equipment or software."
Specifically, the report cites the contribution of adversarial nations to the development of technical standards, which may pave the way for adopting untrusted proprietary technologies and equipment that could be difficult to update, repair, and replace. Also of concern, per the report, are the optional security controls baked into telecommunication protocols, which, if not implemented by network operators, could leave the door open to malicious attacks.
A second area of concern highlighted by the NSA, ODNI, and CISA is the supply chain. Components procured from third-party suppliers, vendors, and service providers could either be counterfeit or compromised, with security flaws and malware injected during the early development process, enabling threat actors to exploit the vulnerabilities at a later stage.
"Compromised counterfeit components could enable a malicious actor to impact the confidentiality, integrity, or availability of data that travels through the devices and to move laterally to other more sensitive parts of the network," according to the analysis.
This could also take the form of a software supply chain attack in which malicious code is purposefully added to a module that's delivered to target users either by infecting the source code repository or hijacking the distribution channel, thereby allowing unsuspecting customers to deploy the compromised components into their networks.
Lastly, weaknesses in the 5G architecture itself could be used as a jumping-off point to execute a variety of attacks. Chief among them involves the need to support 4G legacy communications infrastructure, which comes with its own set of inherent shortcomings that can be exploited by malicious actors. Another is the issue with improper slice management that could permit adversaries to obtain data from different slices and even disrupt access to subscribers.
Indeed, a study published by AdaptiveMobile in March 2021 found that security flaws in the slicing model could be repurposed to allow data access and carry out denial of service attacks between different network slices on a mobile operator's 5G network.
"To reach its potential, 5G systems require a complement of spectrum frequencies (low, mid, and high) because each frequency type offers unique benefits and challenges," the report detailed. "With an increasing number of devices competing for access to the same spectrum, spectrum sharing is becoming more common. Spectrum sharing may provide opportunities for malicious actors to jam or interfere with non-critical communication paths, adversely affecting more critical communications networks."
In identifying policy and standards, supply chain, and 5G systems architecture as the three main potential threat vectors, the idea is to evaluate risks posed by transitioning to the new wireless technology as well as ensure the deployment of secure and reliable 5G infrastructure.
"These threats and vulnerabilities could be used by malicious threat actors to negatively impact organizations and users," the agencies said. "Without continuous focus on 5G threat vectors and early identification of weaknesses in the system architecture, new vulnerabilities will increase the impact of cyber incidents."