Welcome to 5G: Privacy and security in a hyperconnected world (or not?)


image from portal gda (cc)

Many people are still confused by what is 5G and what it means for them. With cities like London, New York or San Francisco now plastered with ads, talks about national security, and the deployment of 5G protocols being treated like an arms race, what happens to our privacy and security?

5G is the next generation of mobile networks, which is meant to be an evolution of the current 4G protocols that mobile providers have deployed over the last decade, and there are already several explainers that analyse the technology.

For the sake of this piece, we will focus on the technology’s main features: 5G will enable higher download and upload rates, lower latency, and more connection density. This means that users will be able to download more megabytes per second, with less delay in the connections, and with more users being connected at the same time in a single geographical point (so mobile data will actually work in crowded places.)

The attack surface is not really being reduced

First of all, we need to clarify what isn’t changing with 5G, and the most important aspect of this is that the underlying physical infrastructure of the Internet will remain the same. In other words, 5G antennas will still need to be connected to the internet through fibre optics cables, which are typically run by internet service providers, which are interconnected with other ISPs and the broader Internet through more fibre optic cables.

What does it mean? In practice, whatever exploitation of our data governments or companies are currently capable of doing will remain possible, including communications surveillance, data retention, information sharing or traffic analysis, amongst many others exploitative techniques.

On the security side, 5G protocols have upgraded standards to protect the communication between the devices and the antennas, bringing some improvements that should prevent the abuse of signalling protocols (necessary for roaming) or the deployment of IMSI catchers to gather metadata, bringing some needed improvements.

But the story is not that simple, since new protocols like 5G will need to coexist with older ones, such as 4G, 3G or even 2G. Those protocols are still vulnerable, resulting in security risks for devices still operating on older networks. This happens either because of a downgrade attack, where devices are tricked into operating in older protocols, or because of the lack of availability of 5G networks, or finally, because some devices are actually designed to operate on older networks, like payment devices or industrial control systems.

On top of that, there is another problem to consider: with 5G, most antennas will have much shorter distance range, meaning that pinpointing the geographic location of specific users within a mobile network will be much more precise, adding significant privacy and security risks to users, particularly those already vulnerable.

Your device is out of control (and other security risks)

The adoption of 5G networks will likely generate risks on its own. Most of them are not exactly fault of the new protocol itself, but rather a consequence of the increased speed and lower latency that 5G affords. This will very likely lead to an expansion of connected devices, such as Internet of Things (IoT) devices, with many of them being directly connected to the network, without any intervention of the user.

As has been well documented by researchers on the privacy and security risks of IoT, a widespread adoption of the Internet of Things under current regulatory frameworks, will likely come at a huge risk for consumers. That means that many devices will be connected by design and by default, without user intervention, like some cars are already today. One of many problems is that many devices will not have the same level of attention and level of technical support that a car manufacturer has, and the widespread adoption of devices connected without user intervention could lead to a security nightmare.

In this security nightmare, we can envision an exponential increase of design flaws, from hardcoded credentials, where some devices have a ‘master password’ that anybody can exploit (see: Mirai), to unpatched vulnerabilities that allows skilled attackers to control devices regardless how it is being configured (See: Wannacry).

All of this would happen with us not being able to control our devices, disconnect them from a wi-fi network, and not even the option to install a firewall to protect them, since the device will be directly connected to the internet.

A dream come true for corporate exploitation

On top of all the security risks, another huge issue derived from having connected-by-default devices is the issue of not being in control of them. There is the risk that always-connected devices could translate into powerless users, putting us in risk of abuse.

One of the problems has to do with increasing the indiscriminate data collection and transmission that is currently taking place. The ability to have everything directly connected without connection density issues, could lead device manufacturers into negotiating the connectivity of their devices directly with mobile providers, and people would lose even more control over whether their devices are connected and what they can do.

But losing control of devices could also happen in a very literal way: devices will work (or not) outside of the control of a given user. A house appliance we buy using credit instalments, might decide not to work unless we are up to date with its instalments. 5G could be the gateway for new and dystopic future in which the meaning of property has radically changed, leading to an era where we don’t really own our devices, but instead possess a device that works as a service.

5G can also make power abuse even worst, with devices controlled by people outside the household, including gender and domestic violence and users - and victims! - not being allowed to disconnect those devices, or maybe not even aware of their existence, since they could be easily be concealed and remain connected, sending data to somebody else.

Wait... there's more!

Even though it isn't necessarily a privacy or security issues by itself, we need to make clear that 5G might not be able to fulfill the promise for more connectivity. As mentioned before, antennas will have shorter reach, so its main use-case is not to increase connectivity in rural areas that are in need of Internet access: 5G is rather designed for densely populated cities. As a result, rural areas will remain underserved, and probably will still be operating under current 3G-4G protocols, which will remain vulnerable to known attacks.

In addition to that, mobile communications do need spectrum to work, which is a limited resource, and each part of the spectrum has different abilities, so every time a new mobile generation is implemented, there is the need to assign that spectrum, which require solid public policies to guarantee a fair distribution of that resource, keeping in mind its impact on community owned networks and even the ability to do reliable weather forecasting.

At Privacy International, we have also compiled a list of examples of abuse related to the Internet of Things. Many of those examples should be of use to demonstrate its risks and how much worse they can become when users have even less control over those devices.

Is there a way forward? (Spoiler: maybe)

In general, the debate around the risks of new communication protocols would be way more productive if we started by focusing more on the actual risks for users and less around geopolitical speculation around countries and companies.

In any case, there are some valid concerns about countries with a dubious human rights record taking over the deployment of new protocols. And we are not only talking about China, likely the biggest offender, but also about the United States as well as other countries and companies. In an ideal world, tech companies would be transparent about their governance and practices (ahem, Huawei), and governments should allow and encourage the use of secure communications protocols, including the use of solid encryption standards.

But the truth is that poorly designed protocols and software are as risky for users as hypothetical ‘super-secret cyber backdoors’ installed by governments or their companies. And whilst finding those backdoors is like finding a needle in a haystack, implementing measures that empower users and people, especially those at risk, can be a more sensible approach and benefit us all.

We also need to keep in mind that despite the focus of this article, many of the risks derived from 5G are not necessarily because the protocols are at fault, but because they need to coexist in a complex ecosystem with multiple fabricants, vendors, governments and users.

How to move forward, then? Here are some suggestions:

For corporations:

  • Implement a holistic approach to digital security, considering the protection of people, devices and networks.
  • Improve corporate transparency and human rights due diligence in the assessment and adoption of new communication protocols.
  • Conduct privacy and security assessments according to the highest possible standards, minimising the data they collect and retain, and testing their security measures before the launch of their products, monitoring them through their lifecycle.
  • Give users enough information and control over how their devices work, including indicators and interface elements that allow them to know and control their connection status, without regard as to where the devices operate.

For governments and policy making bodies:

  • The focus on 5G should start from privacy and security considerations, and national security debates should be conducted from a human rights perspective and based in available evidence and risk assessments.
  • Data Protection Authorities should issue guidelines and conduct investigations on the functionality of connected devices and their data processing activities.
  • Cybersecurity bodies should support the adoption of strong security standards for always-connected devices, and abstain from recommending any measure that could weaken it, such as the establishment of legal requirements for government access or mandated backdoors.
  • Review digital privacy legislation, including provisions that guarantee the security and confidentiality by design and by default of machine-to-machine communications.
  • In case there is any, removing legal and policy barriers for security research, such as cybercrime laws that criminalise ethical hacking.
  • Consumer Authorities should issue guidelines and conduct investigations on the functionality of connected devices, and its potential harms on consumers.
  • Telecommunications regulators should conduct oversight over how companies are providing connectivity to IoT producers, in order to guarantee that minimum standards are in place and that end users have control over their devices.
  • Given its improved accuracy, the sale of location data should be banned, and its access by law enforcement bodies should be restricted solely to judicial authorisation.