Cybersecurity agency warns of ‘extremely dangerous’ risks of 5G technology

Superfast 5G mobile networks that will underpin technologies like driverless cars come with "medium to high" cybersecurity risks, the EU agency ENISA has warned. [Wikimedia]

Superfast 5G mobile networks come with “extremely dangerous” cybersecurity risks, the EU cybersecurity agency ENISA has warned. 5G is expected to become available to European consumers by 2025.

The European Commission and national governments around Europe are racing to make 5G available quickly, and have been pushing telecoms operators to invest billions of euros in the new technology.

But ENISA has poked holes in the high-flying political talk about 5G: fast mobile connections come with a “medium to high risk” of cybersecurity attacks, according to the Athens-based agency.

Companies are pinning their hopes for a boom in revenues on 5G because it is expected to drive sophisticated Internet-connected machines that process huge amounts of data and need low-latency connections, like autonomous cars and manufacturing services.

Despite the hype over 5G, the EU cybersecurity agency has cautioned that there are not enough safeguards in place to make sure the new networks will be secure.

Ansip: Europe must switch immediately to 5G

Europe must switch “immediately” to fast 5G mobile networks, EU Commissioner Andrus Ansip told EURACTIV in an interview.

Current internet connections that run on 4G mobile networks are already vulnerable to hacking attacks.

There is a “risk of repeating history” with the next generation of much faster networks, ENISA warned. Since 5G will be available to an even larger amount of data-hungry mobile consumers who demand more internet bandwidth, the fallout could be disastrous.

“As mobile plays a huge role in our digital society, assuring our everyday digital infrastructure in support of the economy itself, the stakes are high,” said a new ENISA report published late on Wednesday (28 March).

It cautioned that “the improvements that 5G will bring (more users, more bandwidth etc.) having the same security risks could be extremely dangerous”.

Steve Purser, the agency’s director of operators, told EURACTIV “the current signalling protocols have not been designed with security in mind, making it impossible at this point to implement native/efficient security”.

Current telecoms protocol systems that underpin SMS messaging and phone calls have already proven to be weak. Last year, German operator O2 reported that hackers had preyed on a weakness in the so-called signalling system 7, or SS7, to raid bank accounts belonging to people who accessed their funds from mobile phones.

EU cybersecurity boss eyes hardware as early target for certification plans

A draft bill to set up an EU system certifying the cybersecurity level of tech products is still trapped up in negotiations after the European Commission announced the overhaul last September.

Telecoms companies have scrambled to patch up security gaps in SS7 and the more advanced Diameter protocol system. But “it is expected that new vulnerabilities will be discovered”, ENISA said.

European telecoms companies are starting to run tests of 5G technology this year. While they gear up to invest huge sums of cash in the new networks, ENISA wants the Commission to earmark public funds to “develop proper protection tools for the private sector”.

ENISA also recommended that the Commission introduce guidelines forcing companies to follow security precautions.

“It might make sense to have EU wide baseline security requirements for telecom providers that must include aspects regarding signalling security,” the agency wrote in its report.

According to a new ENISA survey of 39 European telecoms operators, most companies experience only a small number of cybersecurity attacks every year. Sixty-one percent of companies said they were hit with fewer than ten breaches per year. Seven percent said they suffer more than 100 attacks annually.

But most operators only carry out minimal security measures like routing protection to stop hackers who target SMS messages.

ENISA recommended that companies need to do more as attacks become more complex. “Basic measures only cover basic attacks”, the agency warned.

The agency also suggested that national telecoms regulators in EU countries consider how laws could be changed “so that signalling security should be covered in terms of reporting incidents and adopting minimum security requirements”.

Europe in 'terrible hurry' as pressure mounts in global race for 5G

There will be growing pressure this week on European companies and politicians as they struggle to keep up with Asia and the United States on launching fast 5G mobile services.

Subscribe to our newsletters

Subscribe