As telecoms roll out 5G across the globe, different actors such as virtual mobile network operators (VMNOs), communication service providers (CSPs), and network infrastructure providers, will all play a pivotal part in designing, implementing, and maintaining 5G networks. Unlike previous generations – where mobile operators had direct access and control over system components – 5G mobile operators are losing the full governance of security and privacy. With varying priorities for security and privacy between each of the actors, synchronizing mismatched policies will be a serious challenge in 5G networks.
With that in mind, let’s examine specific privacy challenges in 5G networks, and explore some potential security solutions. First, let’s take a trip down memory lane on the history of threats faced by mobile networks.
Past security vulnerabilities in wireless networks
From the very beginning, wireless communication systems have been prone to security vulnerabilities.
- In the early 1980s, 1G networks saw mobile phones and even wireless channels targeted for illegal cloning and masquerading.
- On early 2G networks, message spamming was commonplace, as was broadcasting unwanted marketing information.
- With 3G networks and the advent of IP-based communication, the migration of security vulnerabilities seen on desktop computers moved into the wireless domain.
- 4G networks saw the proliferation of smart devices and millions of third-party apps that led to a dynamic and complicated threat landscape.
With 5G wireless networks, over 7 trillion wireless devices serving over 7 billion people will be interconnected, ushering a new era of security threats, and a greater focus on privacy.
Privacy challenges in 5G networks
From the user’s perspective, privacy concerns center around location tracking, identity, and other personal data. 4G network technology has a wide coverage area since the signal is broadcasted from a single cellular tower. 5G networks have a much smaller coverage area and the signal cannot penetrate walls as good as 4G. Subsequently, 5G networks require many smaller antennas and base stations that are placed indoors and outdoors.
The knowledge of which cell tower or antenna a mobile user communicates with can reveal valuable information about the user’s location. Each time a user connects to a 5G antenna, mobile networks can pinpoint a user’s location and can even determine what building a user is in. Threats such as semantic information attacks (the use of incorrect information to cause harm) often target the location data of users. Location data can also be leaked by access point selection algorithms in 5G mobile networks. In all, more 5G antennas allow for precise location tracking of users inside and outside.
With respect to identity, International Mobile Subscriber Identity (IMSI) catching attacks can reveal the identity of mobile subscribers. By seizing the IMSI of the subscriber’s device, an attacker intercepts mobile traffic in a defined area to monitor an individual’s activity. While an attacker can see the number of outgoing calls or text messages sent, they still cannot see the contents of that message. However, even after an individual has left the attack area, the attacker can still monitor the number of past and future calls or messages.
Data collection is another major concern for 5G users. Virtually all smartphone applications require users’ personal information before or during installation. App developers rarely mention how and where that data is stored and what it is going to be used for. 5G networks have no physical boundaries and use cloud-based data storage. Subsequently, 5G operators cannot protect or control user data stored in cloud environments. As each country has different levels of privacy measures and enforcement, user privacy is seriously challenged if and when the data is stored in the cloud of a different country.
Privacy solutions for 5G
For 5G to succeed on a mass scale, there must be mutual agreement and trust among the various stakeholders such as the end-user, network operators, app developers, and device manufacturers. 5G architecture should encapsulate privacy-by-design approaches that are service-oriented and privacy-preserving. Mobile operators need to adopt a hybrid cloud-based approach where sensitive data is stored locally and less sensitive data stored in the cloud. This provides operators with more access and control over the data, and they can decide where and whom to share it with.
Location-based privacy requires anonymity-based techniques and systems where the users’ true identity can be hidden, perhaps with a pseudonym. Messages should also be encrypted before it is sent to a location-based service provider. Obfuscation techniques – where the quality of location information is reduced – can also be used to protect location privacy. Location cloaking algorithms have proven effective against timing attacks.
To prevent IMSI catching attacks, mobile operators can protect users’ identities by using Temporary Mobile Subscriber Identity (TMSI). In this instance, each mobile device is assigned a random TMSI that is changed by the network at regular intervals. This makes it difficult to identify mobile devices and prevents subscribers from being identified and/or eavesdropped on the radio interface.