NSA and ODNI analyze potential risks to 5G networks

U.S. Intelligence agencies warn of weaknesses in 5G networks that could be exploited by crooks and nation-state actors for intelligence gathering.

The U.S. National Security Agency (NSA), along with the DHS Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) have analyzed the risks and vulnerabilities associated with the implementation of 5G networks.

Representatives from the information technology, communications, and Defense Industrial Base sectors also contributed to the report titled “Potential Threat Vectors to 5G Infrastructure.”

Inadequate implementation of telecom standards, weaknesses in the infrastructure, and supply chain threats could pose major cybersecurity risks to 5G networks.

The analysis provides a list of known and potential threats to the 5G networks, sample scenarios of the adoption of 5G technologies and assesses risks to 5G core technologies.

The improper definition and implementation of 5G policies could pose serious risks, for example, states contributing to their drafting could attempt to influence standards into benefiting their proprietary technologies. In other cases, states could lack into defining optional controls, which are not implemented by operators.

The report also highlights the risks for the 5G supply chain such us the introduction of malicious software and hardware, counterfeit components, poor designs, manufacturing processes, and maintenance procedures.

“The exposure to these risks is heightened by the broad appeal of 5G technologies and the resulting rush to deployment. This may result in negative consequences, such as data and intellectual property theft, loss of confidence in the integrity of the 5G network, or exploitation to cause system and network failure.” reads the report.

Experts also warn of weaknesses in the 5G architecture that could be exploited by threat actors as attack vectors.

5G system architectures use a growing number of ICT designed to meet increasing data, capacity, and communications requirements. Anyway, both legacy and new
flaws could be exploited by threat actors to intercept, manipulate, disrupt, and destroy critical data.

“These threats and vulnerabilities could be used by malicious threat actors to negatively impact organizations and users,” states the report. “Without continuous focus on 5G threat vectors and early identification of weaknesses in the system architecture, new vulnerabilities will increase the impact of cyber incidents.”

The list of Policy and Standards sub-threat vectors detailed in the report are:

Policy and Standards sub-threat vectors

• Open Standards
• Optional Controls

Supply Chain Sub-Threat Vectors

• Counterfeit Components
• Inherited Components

5G Systems Architecture Sub-Threat Vectors

• Software/Configuration
• Network Security
• Network Slicing
• Legacy Communications Infrastructure
• Multi-Access Edge Computing
• Spectrum Sharing
• Software Defined Networking

“Organizations and communications providers that choose not to implement optional security controls will likely have more vulnerabilities and be at higher risk for cyber-attacks. In these instances, nation-state actors, who have contributed to security control development or are aware of vulnerabilities in systems that do not have them implemented, may target those entities.” concludes the report.”As a result, malicious actors could identify and utilize methods to take advantage of private networks that do not put these optional controls in place.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, 5G)

[adrotate banner=”5″]

[adrotate banner=”13″]