Europe warns 5G will increase attack paths for state actors

Increasing reliance on software will increase exposure, and countries will have increased risk from trusting a single vendor.
Written by Chris Duckett, Contributor

A report published by the European Commission and European Agency for Cybersecurity on Wednesday has spelled out the security issues surrounding 5G and how it will require a redesigning of current 3G and 4G networks. It also goes to great lengths to avoid using the word Huawei.

Central to the report's thrust is the increasing use of software within 5G, such as for network virtualisation and slicing, and how a lack of skills within telcos will see a reliance on suppliers.

The report especially warns about relying on a single supplier, especially ones not based in the European Union.

"The increased role of software and services provided by third party suppliers in 5G networks leads to a greater exposure to a number of vulnerabilities that may derive from the risk profile of individual suppliers," the report states.

"Major security flaws, such as those deriving from poor software development processes within equipment suppliers, could make it easier for actors to maliciously insert intentional backdoors into products and make them also harder to detect. This may increase the possibility of their exploitation leading to a particularly severe and widespread negative impact."

In March this year, the board that oversees security of Huawei equipment used in UK telco networks said that technical issues with the Chinese company's engineering processes have led to new risks.

A month earlier, it was reported that it would take Huawei three to five years and $2 billion to fix a number of flaws that were found in its equipment in 2018.

Read: Huawei believes banning it from 5G will make countries insecure

The reported added that countries should go beyond the technical qualities of suppliers and assess them based on the "non-technical vulnerabilities related to 5G networks", such as a strong link between the supplier and government, whether the supplier's country has "no legislative or democratic checks and balances in place, or in the absence of security or data protection agreements between the EU and the given third country", the ownership structure of the supplier, and the ability for the supplier's country to "exercise any form of pressure, including in relation to the place of manufacturing of the equipment".

"In particular, hostile third countries may exercise pressure on 5G suppliers in order to facilitate cyberattacks serving their national interests," the report states.

"The degree of exposure to this risk is strongly influenced by the extent to which the supplier has access to the network, in particular its most sensitive assets, and by the risk profile of the individual supplier."

When Australia undertook its decision to ban Huawei, one of the reasons cited was a lack of separation between edge and core networks.

Last year, Huawei showed off a network it claimed separated the core and the edge in Auckland, however, the report released on Wednesday goes against this.

"In the coming development phases of 5G, traditionally less sensitive parts of the network are gaining importance and becoming more sensitive, such as for instance certain elements in the radio access part of the network, depending on the extent to which they handle user data or perform smart or sensitive functions," it said.

"Moreover, when edge computing is introduced, certain core network functions are expected to be moved physically farther out in the network, closer to the access sites."

The report further warns that telcos will need to increase internal security controls and patch management while battling with a lack of adequately cyber-trained staff.

"5G networks will be composed of a large amount of virtual devices, which can be remotely accessed throughout the network. This vulnerability becomes significantly more acute in cases where the maintenance of networks will be performed by third-party suppliers," the report said.

Must read: The winner in the war on Huawei is Samsung

While the report did not name Huawei explicitly, former United States Department of Homeland Security official and now Senior Advisor for Counterterrorism and Homeland Security at Cambridge Global Advisors Nate Synder was more than happy to do so.

"Huawei networks are a house of cards supported by shoddy coding and a supply chain full of holes, with countless entry points for state and non-state actors, organised crime, and terrorist groups -- cyber-based and otherwise -- to exploit," he said.

"The EU report confirms that a Huawei 5G network across the EU (and US) is a counter-intelligence nightmare.

"Because the 5G network is software-based and so vast, attempting to mitigate these vulnerabilities would be like plugging holes in an infinite wheel of Swiss cheese. The best way to manage risk here is simply not to take it."

The report was created after European member states were asked to complete a national risk assessment of 5G network infrastructures earlier this year.

By the end of the year, a "toolbox of mitigating measures" are expected to be agreed on, and by this time next year, member states should have looked into whether any recommendations require further action.  

Huawei recently warned that 6G networks would be even more vulnerable to backdoors thanks to the use of artificial intelligence.

"With the converge of management and control plane, AI will poses a significant impact on network security, as it might be exploited to launch more effective attacks, and in some scenarios, the security of AI systems is a matter of life and death," Huawei Australia chief technology and cyber security officer David Soldani said in September.

"Unlike security vulnerabilities in traditional systems, the root cause of security weaknesses in machine learning systems lies in the lack of explainability, which leaves openings that can be exploited by adversarial machine learning methods such as evasion, poisoning, and backdoor attacks.

"Attackers may also implant backdoors in models and launch targeted attacks or extract model parameters or training data from query results."

Related Coverage

Editorial standards