The Dream of 5G IoT Could Be a Cybersecurity Nightmare
You probably already know because your friends keep interrupting you to ask Alexa something, but the Internet of Things (IoT) is on the rise. Industry analysts expect the number of connections and size of the market to grow much more over the next several years. Since it’s still October, which, in case you didn’t know, is National Cybersecurity Awareness Month, we thought it’d be a good time to consider the security implications of the IoT and the next-generation cellular network that will be doing much of the heavy lifting to support it.
The rush to be the first implementer of a 5G network has been called an “arms race” by many commentators, with the US and China taking technological and regulatory steps to come out ahead. In March of this year, the US Treasury Department blocked a Singapore-based telecom from buying out Qualcomm, a US company, on the basis that it would have strengthened the Chinese position on 5G. As for the Trump administration’s ongoing trade war with china, Jessica Rosenworcel of the Federal Communications Commission has said it could end up hurting the US since its telecoms companies rely heavily on equipment manufactured in China.
Being first to 5G is such a coveted position because it is sure to boost the development of new technologies that depend on faster and more reliable coverage, like self-driving cars, and likely create entire new markets. Everyone in the running wants first crack at that economic jolt, but who’s first also carries consequences for cybersecurity. “Building and designing a telecom network gives you an intelligence advantage,” James Lewis, a cybersecurity expert, told the Wall Street Journal. “If you’re going to burgle a house…it’s easier to burgle” if you build it. To stem the national security threat, Congress has already passed laws that keep government agencies and contractors from using the technology of China’s 5G companies.
But a Chinese or other state-engineered “back door” into the 5G network may not be as large a security threat as regular old hackers, any one of whom could turn any Thing on the IoT into a portal to corporate and even governmental networks. Those networks are already home to just about all our personal information, and they are fast becoming the gateway to our literal homes too. Two years ago this week, hackers took control of thousands of IoT-connected devices whose default credentials had not been changed, using software known as Mirai. These devices were then turned into a so-called botnet that overwhelmed websites including Twitter, the New York Times, and Spotify, making them inaccessible for as much as a day.
The Mirai code, an open source hack, employed a very common tool known as a DDoS (Distributed Denial of Service) attack to bombard a site with so much traffic it shuts down. It’s a common weapon that cybersecurity experts have been aware of for many years, but the IoT presents a new challenge. Now, every camera, smartwatch, Google home assistant, or any of the other “smart” appliances on the market can be turned into a hacker’s pawn. With speeds that could best fiber ISPs and offer wider coverage areas, 5G is expected to provide a more robust network for the IoT – and all the security vulnerability it brings with it.
Earlier this year, the Trump administration was considering nationalizing the 5G network to meet the threat to national security posed by Chinese equipment and software on the US system. That idea was widely rejected by policy makers in both parties and the White House appears to have let it go. Whether the threat is a government or rogue hackers, even those who are optimistic about 5G security standards admit that the largest vulnerability is “poor user hygiene” – for example, not protecting your smart TV with a password and making it that much easier for it to be recruited for a DDoS attack. Just as they have been increasingly recommended as proper hygiene for safeguarding our online accounts, two-factor and multi-factor authentication methods will likely be central components of user security in the IoT universe too.
Still, technology and the IoT are likely to outpace vast shifts in the online privacy and security habits of millions of people. Blockchain technology could end up a means of defense that is less dependent on user adoption, and it’s already being leveraged in some driverless car applications. Its cryptographic security could help prevent IoT devices from being controlled by unauthorized users and its decentralized architecture could make it harder for hackers to seize devices en masse by doing away with a central point of failure. Scalability is already a challenge for the blockchain, though, so a much lighter weight solution will need to be engineered in order to maintain a distributed ledger of IoT transactions – everything from turning up the heat on your smart thermostat to tracking your run.
Currently in the US, preparation of the early 5G infrastructure has relied on cellular signal transmitters that operate on the millimeter wave spectrum, which offer high speeds only in relatively limited ranges. To account for their limited range, Verizon and other providers are busy installing small cell transmitters on poles in the middle of many cities, eliciting protest from residents who see them as infringing on public space. A San Francisco Bay Area town even halted small cell installation due to concerns of exposure to radio waves and their feared link to cancer.
Last week, the White House issued a directive to the Commerce Department to draft a long-term strategy for the 5G network with reports due next July. That strategy is expected to detail how new bandwidth will be made available to service providers. Many telecoms are hoping that the strategy will make mid-spectrum bandwidth available, the sort of high-speed frequencies currently in active development in China and elsewhere that have a larger range than millimeter wave. Those and other regulatory decisions in the coming months could determine what the US network looks like, how secure it is, and whether or not it comes online first. Fow now, at least in the US, if the real explosion of IoT is waiting on 5G, it seems it still has some time to go.