Cybersecurity Agency Warns Of ‘Extremely Dangerous’ Risks Of 5G Technology


By Catherine Stupp

(EurActiv) — Superfast 5G mobile networks come with “extremely dangerous” cybersecurity risks, the EU cybersecurity agency ENISA has warned. 5G is expected to become available to European consumers by 2025.

The European Commission and national governments around Europe are racing to make 5G available quickly, and have been pushing telecoms operators to invest billions of euros in the new technology.

But ENISA has poked holes in the high-flying political talk about 5G: fast mobile connections come with a “medium to high risk” of cybersecurity attacks, according to the Athens-based agency.

Companies are pinning their hopes for a boom in revenues on 5G because it is expected to drive sophisticated Internet-connected machines that process huge amounts of data and need low-latency connections, like autonomous cars and manufacturing services.

Despite the hype over 5G, the EU cybersecurity agency has cautioned that there are not enough safeguards in place to make sure the new networks will be secure.

Current internet connections that run on 4G mobile networks are already vulnerable to hacking attacks.

There is a “risk of repeating history” with the next generation of much faster networks, ENISA warned. Since 5G will be available to an even larger number of data-hungry mobile consumers who demand more internet bandwidth, the fallout could be disastrous.

“As mobile plays a huge role in our digital society, assuring our everyday digital infrastructure in support of the economy itself, the stakes are high,” said a new ENISA report published late on Wednesday (28 March).

It cautioned that “the improvements that 5G will bring (more users, more bandwidth etc.) having the same security risks could be extremely dangerous”.

Steve Purser, the agency’s director of operators, told EURACTIV “the current signalling protocols have not been designed with security in mind, making it impossible at this point to implement native/efficient security”.

Current telecoms protocol systems that underpin SMS messaging and phone calls have already proven to be weak. Last year, German operator O2 reported that hackers had preyed on a weakness in the so-called Signalling System 7, or SS7, to raid bank accounts belonging to people who accessed their funds from mobile phones.

Telecoms companies have scrambled to patch up security gaps in SS7 and the more advanced Diameter protocol system. But “it is expected that new vulnerabilities will be discovered”, ENISA said.

European telecoms companies are starting to run tests of 5G technology this year. While they gear up to invest huge sums of cash in the new networks, ENISA wants the Commission to earmark public funds to “develop proper protection tools for the private sector”.

ENISA also recommended that the Commission introduce guidelines forcing companies to follow security precautions.

“It might make sense to have EU wide baseline security requirements for telecom providers that must include aspects regarding signalling security,” the agency wrote in its report.

According to a new ENISA survey of 39 European telecoms operators, most companies experience only a small number of cybersecurity attacks every year. Sixty-one percent of companies said they were hit with fewer than ten breaches per year. Seven percent said they suffer more than 100 attacks annually.

But most operators only carry out minimal security measures like routing protection to stop hackers who target SMS messages.

ENISA recommended that companies do more as attacks become more complex. “Basic measures only cover basic attacks”, the agency warned.

The agency also suggested that national telecoms regulators in EU countries consider how laws could be changed “so that signalling security should be covered in terms of reporting incidents and adopting minimum security requirements”.


EurActiv publishes free, independent policy news and facilitates open policy debates in 12 languages.
