Authored by: Derek Handova, Senior Technical Writer at Synopsys Software Integrity Group
The fifth generation (5G) of cellular phone technology is upon us. You can hardly turn on your TV or stream a YouTube video without seeing an advertisement for 5G. Beyond the speed and latency advantages that 5G will offer for consumer mobile devices, the Internet of Things (IoT) will benefit from 5G’s capability to support many more simultaneous connections. With a much wider pipe — with up to 20 times the capacity of 4G (minimum peak data rate of 20 Gbps versus 1 Gbps) — 5G can support many more simultaneous connections. And the invention of 5G allows for network latencies as low as 1 millisecond, up to 10 times greater than 4G. Ubiquitous IoT devices, such as sensors in vehicles, traffic lights, and roadbeds, will benefit from performance increases in 5G and make possible sci-fi use cases, including autonomous automotive applications.
But along with all the great benefits of speed, throughput, low latency, and futuristic functionality comes a downside: an expanded attack surface. With the forecast of connected IoT devices and applications estimated to exceed 67 billion by 2025 — perhaps up to 75 billion — the field is rife with targets. And because many vulnerable IoT devices ship with default passwords that are rarely changed and ports that always seem to be open, for hackers, it’s like shooting fish in a barrel. The process of securing IoT devices, like any software development process, is also vulnerable to design flaws and coding mistakes.
However, not every 5G vulnerability can be laid at the doorstep of IoT devices. With new 5G wireless technology replacing older 4G LTE technology, uncertainties and risks can abound within the 5G protocols themselves. And because 5G standards are relatively young, with their definitions still evolving, 5G and IoT devices will need better security.
Would 5G and IoT cyber security compliance standards help?
Cyber security compliance standards for 5G and IoT devices can have overlapping jurisdictions in terms of applications and sectors. For example, the Payment Card Industry Data Security Standard (PCI DSS) applies to 5G networks and IoT devices involved in financial transactions conducted with credit or debit cards, and the FedRAMP cyber security standards apply to transactions involving the federal government. However, the evolving status of 5G standards and fast-changing nature of IoT devices make these kinds of compliance rules and regulations “very cumbersome and overweight,” according to Protocol, and not designed for environments that change regularly.
Nevertheless, the need to manage the risk of billions of IoT devices will continue to change the requirements and scope of 5G security. Consequently, development organizations need a proven, scalable, standards-based technology solution going forward, according to Risk & Insurance.
The National Institute of Standards and Technology (NIST) recently posted a set of draft recommendations regarding IoT cyber security. Though not enforceable, it calls for IoT manufacturers to design cyber security capabilities into their systems, including baselines for data protection, logical access to interfaces, software and firmware updates, and cyber security state awareness.
Even in existing technologies, researchers continue to discover unknown problems. For example, researchers at the Korea Institute of Science and Technology discovered 36 security flaws in 4G last year. So the reality of 5G is that as a new technology, it’s bound to have security vulnerabilities.
Fuzz testing solutions for 5G and IoT security
Today’s cyber security compliance standards, when they exist at all, are simply not broad, flexible, or anticipatory enough for 5G and IoT. So development organisations need to think for themselves. They have to be able to find unknown zero-day vulnerabilities in their 5G networks and connected IoT devices.
Fuzz testing solutions can help development organizations find these security vulnerabilities. With fuzz testing, or fuzzing, organisations can subject their IoT devices to intentionally malformed data. The fuzzer will attempt to input this tainted data into the IoT interface to get the device to malfunction, fail, or execute an undesirable operation. Fuzz testing is one of the best ways to test security protocols, and organisations developing 5G and IoT devices will find it an invaluable tool as 5G standards evolve and 5G networks start to roll out around the world.