In 2020, MeitY shared its vision to push the digital economy from 7-8% of GDP to 20% by 2025. Meanwhile, telecom companies Reliance Jio and Airtel are gearing up to launch 5G services in metro cities across the country. The introduction of 5G could unleash transformative changes by enabling better connectivity, faster surfing speed, enhanced accessibility to services, more bandwidth and increased capacity.
In August 2021, engineers from Lockheed Martin, in association with the US Army, demonstrated a flying 5G network. Since the technology has been adopted by one of the world’s most powerful militaries and the largest defense firm in the world, it’s easy to believe that 5G is safe and secure. After all, technologies evolve to plug existing loopholes.
What’s worrying, however, is the March data from CERT-In, which reported 2.12 lakh cybersecurity incidents barely two months into 2022. Against this backdrop, it becomes imperative to assess how the introduction of 5G would affect the already vulnerable Indian cyberspace.
Case study: 5G is hackable
In a research blog published a few weeks ago, Security Research Labs (SRL), a cybersecurity consultancy, uncovered new hacking frontiers that have opened up despite improvements in 5G standards. In a series of red teaming exercises, a team from SRL was able to hack into the network multiple times, getting hold of customer data or disrupting operations, because of poorly configured cloud technology.
The concerning part is that once the hackers broke into the network, they found it very easy to penetrate deeper due to misconfigured containers, thereby getting access to valuable resources from within the network.
Cloud technology plays an important role in 5G. Modern telcos leverage cloud for scalability and flexibility, but as seen in the given case, they often fail when applying basic cloud security techniques.
What makes 5G networks vulnerable to hacking?
Now that the hackability of 5G networks has been established, let’s see why the security of 5G networks is a concern.
The advent of 5G has put the emphasis on the virtualisation of network functions, which replaces network appliance hardware with virtual machines that provide network services such as routers and firewalls. Virtualisation simplifies network configuration and management, provides on-demand network functionality and does away with the need for dedicated proprietary hardware devices, but it also comes with several security risks.
Virtualisation leaves network components vulnerable to newer kinds of attacks. It becomes easier for malware to travel among virtual components in a network compared to isolated hardware components. Also, virtualisation makes 5G networks inherently complex with multiple layers. Thus, blanket security policies become redundant in such cases.
Since virtualisation permits the mixing and matching of software and services from different companies, it entails the involvement of various suppliers and vendors. Now, different vendors prioritise security differently. Thus, it becomes very difficult to ensure due diligence on the part of each vendor, thereby increasing the chances of misconfigurations. This makes it easier to break into virtualised networks.
What’s the way out for telcos?
SRL suggests two new testing strategies for telcos to ensure security levels on the cloud. First, software and configuration need to be checked with a range of automated tools in their respective development and deployment pipelines. This will help block insecure configurations from being deployed into production. Apart from this, red teaming, as was done in the above case study, helps provide crucial insights into the security design, configuration and operations aspects of the network and provides feedback on gaps in the automated tests pipeline.
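One way to implement the automated pipeline check described above, as an added example that is not SRL's tooling or code from the article: a gate that reads a container manifest and fails the build when it finds settings that weaken container isolation. It assumes a Kubernetes-style pod manifest; the rule list, the workload names and the sample manifest are constructed for illustration.

```python
import sys

# Constructed sample manifest (hypothetical workload and container names).
SAMPLE_POD = {
    "metadata": {"name": "example-network-function"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "sock", "hostPath": {"path": "/var/run"}}],
        "containers": [
            {"name": "nf", "securityContext": {"privileged": True}},
            {"name": "sidecar", "securityContext": {
                "allowPrivilegeEscalation": False, "runAsNonRoot": True}},
        ],
    },
}

def find_violations(pod):
    """Return one finding per isolation-weakening setting in a pod manifest."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    # Pod-level flags that share host namespaces with the containers.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag) is True:
            findings.append(f"pod: {flag} is enabled")
    # hostPath volumes expose the node's filesystem to the workload.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol.get('name')}: hostPath mount")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            findings.append(f"container {c['name']}: privileged")
        # The gate requires an explicit false; an unset field is a finding.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"container {c['name']}: privilege escalation not disabled")
        # runAsNonRoot may be set per container or inherited from the pod.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"container {c['name']}: may run as root")
    return findings

if __name__ == "__main__":
    results = find_violations(SAMPLE_POD)
    for line in results:
        print("BLOCKED:", line)
    sys.exit(1 if results else 0)  # non-zero exit stops the deployment stage
```

The non-zero exit code is what lets a deployment pipeline stop the manifest before it reaches production.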
Whether Indian telcos are implementing these safety measures isn’t very clear as of now. In July 2021, at a virtual summit organised by Assocham, Open RAN Policy Coalition and US Chamber of Commerce, India batted for implementing default security features in telcos’ open radio access network. However, there have been no further updates on the same. It is high time that all stakeholders put in place dedicated security architecture. Else, there may be serious ramifications given the vulnerable cyber landscape and the lack of specific data protection architecture.