
Researchers find 5G security holes, but suggest fixes before launch

Cellular network security is already important for phone calls and personal data, but in the 5G era it will become life-and-death critical as cars, hospitals, factories, and entire cities will depend on 5G networks for commands. Even though the 5G standard was built with improved security as a fundamental pillar, Swiss government researchers have discovered holes that they’re working to fix before most networks launch.

The 5G standard includes the Authentication and Key Agreement (AKA) protocol, an authentication, confidentiality, and privacy assurance system that lets devices and networks know they can trust each other. According to the Swiss Federal Institute of Technology, known domestically as ETH, the 5G AKA has indeed been improved from the version used in 3G and 4G networks. Among other things, it blocks a current technique that can impermissibly track users and device locations.

However, the 5G AKA has at least two major disclosed security holes. Using a cryptographic tool, ETH researchers found that the 5G standard’s minimum security assumptions fall short of the AKA’s critical security aims: a “poor implementation of the current standard” could enable a rogue user to offload usage charges onto other users. Additionally, new traceability attacks can still be used to locate phones in the immediate vicinity, albeit without compromising the user’s full identity as before. “We assume that more sophisticated tracking devices could also be dangerous for 5G users in the future,” said ETH senior scientist Lucca Hirschi.

The ETH team says that it’s in contact with international cellular standards organization 3GPP to help improve the 5G AKA protocol, and it’s possible that the 5G standard will receive necessary security improvements before networks launch around the world. Even so, the clock is ticking: Verizon just launched a pre-standards 5G network this month, AT&T promises a standards-based mobile 5G network by the end of the year, and carriers around the world are expected to follow with their own offerings in 2019.