These aren’t the 5G security flaws you’re looking for
In the first (but not best!) Star Wars movie, there’s a famous sequence when Ben Kenobi (as we still know him as at this point) plays a ‘Jedi mind trick’ on some guards to convince them, ‘These are not the droids you’re looking for.’ A puzzling story published as a big scoop in WIRED this Summer is a similar kind of mind trick—suggesting something that should be very concerning to the 5G community, but actually… isn’t what it first seems at all.
Like good Jedis, let’s try and clear up the confusion. In One of 5G’s Biggest Features Is a Security Minefield, the widely-read tech and business magazine reported on “new research” that it claims has “found troubling vulnerabilities in the 5G platforms carriers offer to wrangle embedded device data”.
The story then says that one of the most “touted” features of 5G turns out to be an upgrade that, rather worryingly, comes with its own raft of potential security exposures.
The alleged chink in 5G’s armour is where “interfaces” set up by carries to allow 5G-capable devices to manage IoT data are “riddled with security vulnerabilities” that could lead to the “beginning of a new type of attack in telecom”.
These vulnerabilities were said to be found in the 5G IoT “APIs” of 10 mobile carriers around the world, which could be exploited by malicious third parties to gain authorised access to data or even direct access to IoT devices on the network.
The source of these claims turns out to be one investigator—a Technical University of Berlin researcher called Altaf Shaik.
What he did: look under the hood of the application programming interfaces carriers are offering to make IoT data accessible to developers.
These, he said, are to be found in IoT service platform specifications. Possible issues stem from “basic flaws” in how the APIs were set up, like weak authentication or missing access controls.
The story then a little casually does say that these service platforms aren’t part of the 5G standard.
And so… these claimed API issues aren’t 5G issues at all, are they?
Those are 5G IoT APIs, so are not the same thing as vulnerabilities in the 5G network itself.
And, even if the researchers used 5G data for the connected devices, that's not the same thing as what the industry means by a 5G API.
Yes, those are indeed APIs and should correctly be called 5G APIs, but those are not the same as an API that a carrier might expose to a user so they can configure and manage their IoT services, for example.
When we talk about APIs, we need to differentiate between APIs that are used internally in the network for connecting different things together, and those that are provided by the network owner to enable external users to do something. In the former case, think, HTTP/2 interfaces in the service-based architecture that use REST APIs to enable one network function to talk to another network function.
5G bugs? Tell us about them, for sure. But be accurate
Though as good rational people we can allow there MAY be security flaws at that much deeper level (and we’ll definitely be writing about that soon), what WIRED has got excited about is at a completely different level of the network.
All sorts of standards and approaches can get used to connect to IoT, from 2G on. So, the APIs Mr Shaik was probing are nothing to do with the underlying network per se. Instead, they are to do with capabilities that carriers choose to expose through a platform to users of their IoT services, allowing them to register devices, control them, take them in and out of service, and so forth.
So, the headline sounds great and is certainly eye-catching. But based on this evidence, it’s simply not true to say the main 5G standard is leaky or unsafe at all.
The sector is completely happy to be told by scrupulous researchers that there MAY be 5G security challenges. The sooner we hear about them, they can be investigated, and we’ll kill them off as issues soon-as.
But for this round, the WIRED sub-editors tried to play a bit of a Jedi mind trick on us and get clicks for something that we don’t actually need to worry about in the context of 5G; it’s not ‘5G’ that’s possibly in trouble, but ‘connecting to IoT devices’ via existing APIs that have long been exposed. The radio access carrier is irrelevant to this here.
So, vulnerabilities in these APIs are, for sure, a problem. But not in any way new news, or a serious question mark over 5G.
So One of 5G’s Biggest Features Is a Security Minefield is a well-written piece of journalism… but is a misleading and possibly damaging headline.
Please be more accurate next time!