5G: The Final Frontier

This story was written by Kevin Mcgrath · April 7th, 2022

Today Trellix Threat Labs is excited to announce the release of a whitepaper dedicated to 5G and its potential security concerns. As we look at the potential of 5G, we foresee it impacting nearly every facet of digital life in the developed world. From (vehicle to anything communication) to air travel to IoT and mobile broadband, it seems the only way to avoid the impacts of 5G is to live a strictly analog lifestyle and not interact with the rest of humanity. While I enjoy amateur radio as much as the next “ham,” I don’t spend much time on analog communications – even amateur radio communications have gone digital and will see enhancements from 5G.

With the substantial increase in commercial 5G rollouts and the number of devices and industries touched, we at Trellix felt a gap exists in the deep understanding of the fundamentals and security of 5G. Addressing this gap required a deep dive into the 5G protocol from a security perspective. As with every other aspect of technology, there is a never-ending race between malicious actors and security researchers to find critical vulnerabilities in emerging technology. As history teaches, industry professionals losing this race can cause significant financial and societal burdens. In theory, we expect 5G to be inherently more secure than previous generations, but we won’t know for sure without researchers taking the time to investigate. You know what they say about theory and practice…

Within Trellix Threat Labs, we wanted to investigate the full stack of 5G, from radio interface through application layer security. All previous standards have had security flaws, from compromised encryption keys to baseband bugs. We first needed to understand what has changed since the LTE standard. We looked hard at the protocol definition, the security requirements, and the move to software-defined infrastructure with the 5G-NR (5G New Radio).

Labeled as Release 15 of the 3GPP, the protocol definition itself comprises hundreds of pages of technical documentation. While much of the documentation dealt with the needs of carriers (billing, handover, roaming agreements, and similar), a significant portion dealt directly with the security requirements of mobile equipment – standard-speak for edge devices such as phones, IoT widgets, mobile hotspots, and anything else that can connect to 5G. After digging into the latter, we have enumerated the attack surface on the core 5G network from the perspective of malicious devices and created a detailed threat model of the most critical attack surfaces. And because nothing truly exists until it is in writing, we have published this whitepaper so that others may benefit from the work we have done to this point. Also, anything that makes a standard easier to parse is a welcome addition to the body of knowledge on a topic!

Within the whitepaper, we provide an overview of the history of how we got to 5G, with it poised to become one of the most widely used mobile technologies. We discuss some of the benefits and costs of 5G and the move to infrastructure-as-code (SDN, SDR, and virtualization). We detail our proposed attack surfaces, discuss characteristics a malicious device or access point would need, and even look at some of the recent news touching on 5G. As a preview, no, 5G did not cause COVID-19.

We also paid close attention to the proposed use cases within the standard to look for any pointers to where any weaknesses may exist – new functionality adds new complexity, after all. While we can summarize most of the use cases of 5G as “The same as with LTE, but with more bandwidth,” some novel new uses weren’t possible with LTE due to limited bandwidth, i.e., ubiquitous AR. Whether any of these new use cases will bear poison fruit remains an open question we plan to pursue.