Let’s talk about the privacy and security of 5G technology

On March 17, 2022, the European Parliament's Panel for the Future of Science and Technology (STOA) published a study entitled "Privacy and security of 5G technology". Focusing on the two main aspects of 5G technology, privacy and security, the report analyses cybersecurity risks and threats in the EU and worldwide, the privacy challenges and opportunities of 5G technology, and the relationship between cybersecurity risks and privacy issues. It was prepared for the European Parliament's Committee on Legal Affairs, Committee on the Internal Market and Consumer Protection, Committee on Civil Liberties, Justice and Home Affairs and Subcommittee on Security and Defence, as well as other EU institutions and Member States.

1. Introduction

As the connected world keeps expanding, more and more people access services online. In 2020, global traffic peaked at 700 MB/s. More than 73% of access takes place on the move, via mobile phone networks or wireless connections. This volume of traffic is straining existing networks and makes upgrading them necessary. 5G is expected to meet the growing demand in Europe and beyond, connecting everyone and everything, everywhere.

The unparalleled power and flexibility of 5G are made possible by a decades-long convergence of computing and telecommunications. In this ongoing epochal transition, a wide debate has unfolded around privacy and security. On the one hand, the right to privacy is a fundamental right of citizens, ensured and reinforced by extensive social safeguards and evolving regulatory frameworks in Europe and beyond, which guarantee the right of individuals (data subjects) to own and control their personal data and to protect their personal identity. On the other hand, security rules and measures in the digital world define how data is protected and thus the trustworthiness of the ecosystem: reliable and timely access to data by authorised users (availability), and protection of stored and exchanged information from unauthorised access (confidentiality) and unauthorised modification (integrity).

After elaborating on the importance and necessity of ensuring fundamental human rights such as the right to privacy, this report presents the findings of a study focusing on the privacy and security of 5G technology.

In practice, five generations of mobile networks with increasing data rates have been deployed over the past 40 years. Although each generation has its own standards, protocol stacks, technical architectures and radio modulation schemes, the five generations can be grouped into three categories based on the additional services they provide. Mobile networks have evolved from connecting people to connecting machines: in the 5G standard, the main end users of the network are no longer people but machines, the Internet of Things.

2. Privacy and security in the context of 5G technology

The complexity of the 5G ecosystem requires a deep understanding of its main components, and especially of how those components affect one another in terms of privacy and security. To describe the privacy and security issues of the 5G ecosystem accurately, the report therefore first defines a 5G research concept map containing the key components of the analysis and their relationships, shown in Figure 1.

Figure 1 5G research concept map

5G can be seen as a complex ecosystem with close relationships to other technologies, in particular artificial intelligence, the Internet of Things and robotics. Robotics and the Internet of Things are in turn technologies supported by 5G: the flexibility and programmability of 5G networks allow them to be deployed more widely, giving better performance support to robotics and IoT applications.

2.1 The relationship between security and privacy

In the 5G system, characterised mainly by digitalisation and data communication, "privacy" means respecting and protecting individuals in the processing of their personal data. The EU General Data Protection Regulation (GDPR) is the cornerstone of this protection, and data subjects exercise their rights through the tools and procedures it provides.

Those responsible for collecting, processing and storing data (data controllers/processors) must establish the necessary rules and deploy appropriate tools to protect data from unauthorized operations that could affect the authenticity, integrity and confidentiality of the data. These rules and tools belong to data security.

Privacy is a fundamental right of citizens, data protection is a means to recognize this right, and security is a means to protect this right. They all require specific safeguards throughout the design and verification of data processing systems, as is the case with 5G.

Furthermore, compliance with ethical principles and the legal frameworks governing privacy and security requires adopting the principles of "privacy by design" and "security by design".

2.2 Privacy and data protection legal framework

At present, the EU data protection legal framework consists of Regulation (EU) 2016/679 (the General Data Protection Regulation), Directive (EU) 2016/680, Regulation (EU) 2018/1725 and the proposed ePrivacy Regulation. These instruments are technology-neutral: they do not prescribe specific technical solutions but apply to all processing activities.

3. Document-based impact assessment

3.1 Privacy Risks and Challenges

3.1.1 Cross-border data flow and 5G

5G is a complex ecosystem whose functions run on a combination of virtual and physical infrastructure. 5G may therefore require the cooperation of various providers in Europe and elsewhere. This affects privacy management for two reasons: first, Regulation (EU) 2016/679 extends the territorial scope of EU privacy law, so that legal persons inside or outside the EU must comply with the GDPR when they process the personal data of EU data subjects; second, the GDPR restricts transfers of personal data to third countries or international organisations outside the EU so that the level of protection it provides is not undermined.

3.1.2 High Data Rate

The high expectations for 5G mobile networks stem from their high data rates and low latency, which ultimately lead to a huge increase in data volume and transmission capacity. The risks brought by high data rates and big data are usually related to the "three Vs" of the processed data: volume, velocity and variety. Volume refers to the amount of data processed, variety to the range of data types, and velocity to the speed at which the data is processed.

3.1.3 High throughput and high precision positioning

5G uses multiple-input multiple-output (MIMO) antennas with higher density and throughput than current 4G technology. Because it uses higher frequencies, 5G cells are smaller, which improves the accuracy of device positioning and makes it easier to reveal the location of data subjects. 5G therefore greatly increases the feasibility of real-time location services, benefiting from the longer battery life of current devices, the accuracy of the location information and the lower terminal cost compared with traditional technologies such as Bluetooth and Wi-Fi.

3.1.4 Massive device connections (Internet of Things)

The low latency and high capacity of 5G mean that many more devices can be connected. According to the GSM Association (GSMA), the total number of 5G connections will increase from 500 million at the end of 2021 to 1.8 billion by 2025. 5G will have a potentially disruptive impact in many areas, including:

(1) from self-driving vehicles to renewable-energy smart grids, reducing traffic congestion, greenhouse gas emissions and road traffic injuries; (2) from smart cities and smart homes to healthcare, with wireless service robots used for tasks up to and including surgery; (3) from collaborative robots to the factories of the future, improving energy and resource efficiency and reducing waste and injuries.

IoT developers should always adhere to the principle of data minimization, which essentially means that any data processing activity should only use the minimum amount of data required. In addition, the collected data should not be used for any other purpose or processing without the consent of the data subject.

3.1.5 Internet Protocol

5G is still an IP-based network. It is well established that, in some cases, both static and dynamic IP addresses are personal data when used as identifiers. A static IP address assigned to a device does not change; a dynamic address is assigned when the device connects and may change over time. Dynamic IP addresses constitute "personal data" when a third party (such as an Internet service provider) holds additional information (such as account details) that can link them to the identity of the individual concerned.
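The data-minimisation point above is usually implemented at the logging layer: keep what analytics need, drop what identifies a subscriber. The following is an added example (not code from the report) showing two complementary techniques over a constructed access log: prefix truncation (a /24 or /48 is no longer a single-device identifier) and keyed pseudonymisation with a per-day HMAC key, so that requests from one address can still be correlated within a day but not across days. The log format and the master key are assumptions for the example.

```python
import hashlib
import hmac
import ipaddress
from datetime import date

# Constructed sample access log (not real traffic). Assumed line format:
# "<ISO timestamp> <client IP> <request>"
SAMPLE_LOG = """\
2022-03-17T10:00:01Z 203.0.113.45 GET /api/v1/status
2022-03-17T10:00:02Z 2001:db8:85a3::8a2e:370:7334 GET /api/v1/status
2022-03-17T10:00:03Z 203.0.113.45 POST /api/v1/login
2022-03-18T09:12:00Z 203.0.113.45 GET /api/v1/status
"""


def truncate_ip(ip_text):
    """Generalise the address: keep the /24 for IPv4 and the /48 for IPv6.
    The host part is discarded, so the result no longer identifies one device."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def daily_key(master_key, day):
    """Derive a per-day key from the master key so pseudonyms cannot be linked across days."""
    return hmac.new(master_key, day.isoformat().encode(), hashlib.sha256).digest()


def pseudonymise_ip(ip_text, key):
    """HMAC-SHA256 of the packed address. Without the key the address cannot be recovered;
    a plain (unkeyed) hash would be brute-forceable over the 2^32 IPv4 space."""
    ip = ipaddress.ip_address(ip_text)
    digest = hmac.new(key, ip.packed, hashlib.sha256).hexdigest()
    return f"ip{ip.version}-{digest[:16]}"


def process_log(text, master_key):
    """Rewrite each line: pseudonym for correlation, truncated prefix for coarse analytics."""
    rewritten = []
    for line in text.splitlines():
        ts, ip_text, rest = line.split(" ", 2)
        key = daily_key(master_key, date.fromisoformat(ts[:10]))
        rewritten.append(f"{ts} {pseudonymise_ip(ip_text, key)} {truncate_ip(ip_text)} {rest}")
    return rewritten


if __name__ == "__main__":
    # The master key is a placeholder for this example; in practice it lives in a KMS/HSM.
    for line in process_log(SAMPLE_LOG, b"constructed-master-key-replace-me"):
        print(line)
```

Note that the pseudonym is still personal data in the hands of whoever holds the key (the same reasoning the text applies to an ISP's account records), so key custody, not the hash, is what makes this a minimisation measure.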

3.1.6 Strategic Choices for Privacy Risks and Challenges

Based on existing technical specifications, the scientific literature and an assessment of the impact of 5G technology, five major privacy risks and challenges were identified and 11 strategic response options proposed to mitigate and address them, as shown in Table 1.

Table 1 Strategic response options for privacy risks and challenges

3.2 Security and cybersecurity legal framework

In 2013, the European Commission published the EU Cybersecurity Strategy "An Open, Safe and Secure Cyberspace", aimed at strengthening the security of cyberspace and identifying the actions needed to achieve cyber resilience, support the internal market, strengthen EU security and drastically reduce cybercrime. Through this initiative the EU has promoted a more unified legislative approach to cybersecurity threats, especially those that cross national borders.

Following it, the European Parliament and the Council adopted Directive (EU) 2016/1148 on security of network and information systems (the NIS Directive), which lays down legal measures to raise the overall level of cybersecurity in the EU, and Regulation (EU) 2019/881 (the Cybersecurity Act), which established the first EU-wide cybersecurity certification framework for ICT products, services and processes.

Within this framework, the NIS Cooperation Group published several reports on 5G network security, including an EU coordinated risk assessment of 5G networks, a toolbox of risk-mitigating measures for 5G networks, and a report on Member States' progress in implementing the toolbox measures.

As best practice in risk management shows, risk assessments must be performed continuously to identify new potential threats and to evaluate the effectiveness of the strategies applied. This is indispensable for 5G, whose specifications are still being refined: 3GPP Release 17 reached its functional freeze in March 2022, with the protocol coding freeze scheduled for June 2022. Accordingly, the European Union Agency for Cybersecurity (ENISA) has published supplementary and updated guidance, in particular a report on the 5G threat landscape, a report on security in the 5G specifications, and a 5G supplement to its guideline on security measures.

The European Commission has recognised the importance of a unified approach to the risks posed by technical vulnerabilities in 5G networks and has asked ENISA to prepare a candidate European cybersecurity certification scheme for 5G networks (the EU 5G scheme). To this end, ENISA has called for the active participation of all interested parties in its ad hoc working group.

3.3 Security risks and challenges

Technical reports, research papers and institutional presentations have highlighted how 5G has significantly improved privacy and security in wireless networks through protection mechanisms adopted throughout the 5G specifications. These security specifications are still under revision, with protocol coding details expected in June 2022. High-level security is in fact one of the five pillars of the 5G new radio architecture, alongside new radio spectrum, massive MIMO antennas, multi-connectivity and network flexibility.

The analysis of security risks and challenges therefore takes into account the latest versions of the technical specifications: 3GPP TS 23.501 "System architecture for the 5G System", released in July 2021, and TS 33.501 "Security architecture and procedures for 5G System", released in September 2021. The report uses the Structured Threat Information Expression (STIX) language and serialisation format for exchanging cyber threat intelligence to formally model and describe security risks in 5G technology. The use of STIX has grown steadily in recent years; its development is governed by OASIS, a non-profit standards body.
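To make the STIX modelling concrete, the following added example (not the report's own model or data) builds a small STIX 2.1 bundle for one of the risks discussed later in this article, optional encryption beyond the radio link, and then validates it: identifier format, required properties, dangling references and relationship types that the STIX vocabulary does not define for those object types. The object names and descriptions are illustrative; the identifiers are generated at run time.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 identifier: "<type>--<UUID>".
STIX_ID = re.compile(
    r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
COMMON_REQUIRED = {"type", "spec_version", "id", "created", "modified"}
TYPE_REQUIRED = {
    "attack-pattern": {"name"},
    "vulnerability": {"name"},
    "course-of-action": {"name"},
    "relationship": {"relationship_type", "source_ref", "target_ref"},
}
# Subset of the STIX 2.1 relationship vocabulary needed for this model.
ALLOWED_RELATIONSHIPS = {
    ("attack-pattern", "targets", "vulnerability"),
    ("course-of-action", "mitigates", "attack-pattern"),
    ("course-of-action", "mitigates", "vulnerability"),
}


def stix_timestamp():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def sdo(obj_type, **props):
    """Create a STIX Domain Object with the common properties filled in."""
    ts = stix_timestamp()
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}


def relationship(source, rel_type, target):
    return sdo("relationship", relationship_type=rel_type,
               source_ref=source["id"], target_ref=target["id"])


def bundle(*objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def validate(b):
    """Return a list of problems; an empty list means the bundle passed these checks."""
    problems, by_id = [], {}
    for o in b.get("objects", []):
        oid = o.get("id", "")
        if not STIX_ID.match(oid) or not oid.startswith(o.get("type", "?") + "--"):
            problems.append(f"bad id {oid!r}")
        if oid in by_id:
            problems.append(f"duplicate id {oid}")
        by_id[oid] = o
        missing = (COMMON_REQUIRED | TYPE_REQUIRED.get(o.get("type"), set())) - set(o)
        if missing:
            problems.append(f"{oid}: missing {sorted(missing)}")
    for o in by_id.values():
        if o.get("type") != "relationship":
            continue
        src, dst = by_id.get(o.get("source_ref")), by_id.get(o.get("target_ref"))
        if src is None or dst is None:
            problems.append(f"{o['id']}: dangling reference")
            continue
        triple = (src["type"], o.get("relationship_type"), dst["type"])
        if triple not in ALLOWED_RELATIONSHIPS:
            problems.append(f"{o['id']}: unexpected relationship {triple}")
    return problems


def model_5g_risk():
    """Illustrative model of one risk discussed in this article (constructed for the example)."""
    weakness = sdo("vulnerability", name="Optional ciphering outside the UE-gNB segment",
                   description="The specifications leave encryption beyond the radio link to the operator.")
    technique = sdo("attack-pattern", name="Eavesdropping on unprotected core or backhaul traffic")
    control = sdo("course-of-action", name="Enforce IPsec/TLS on backhaul and service-based interfaces")
    return bundle(weakness, technique, control,
                  relationship(technique, "targets", weakness),
                  relationship(control, "mitigates", technique))


if __name__ == "__main__":
    b = model_5g_risk()
    print(json.dumps(b, indent=2))
    print("problems:", validate(b))
```

The validator is deliberately strict about relationship types: a bundle that says a course-of-action "targets" an attack pattern parses as JSON but is meaningless to a consumer, and catching that at the producer is cheaper than at every recipient.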

3.3.1 5G service-based architecture

The 5G service-based architecture (SBA) is the reference model for the 5G ecosystem. It identifies four main component types: user equipment, radio access network, 5G core and data network, as shown in Figure 2.

Figure 2 High-level architecture of 5G network

The two green parts of the figure provide the interconnection function (the transport network, TN) and the governance function (management and orchestration, including human operators) for the four components. It is important to stress that these two parts are not currently components of the 3GPP specifications.

In addition, for the purposes of security risk analysis two main communication channels are considered: the User Plane (UP) and the Control Plane (CP). The User Plane carries user and connected-device data, while the Control Plane handles control signalling and interconnects all components of the 5G architecture.

The 5G core provides all network functions, such as routing, authentication and policy control, needed for communication between user equipment (UE) and the data network (DN). One of the most important innovations of the 5G architecture is the full virtualisation of the core network. Software-based network functions significantly improve the portability, scalability and flexibility of systems and services, but also raise new concerns and challenges. All components of the 5G core's service-based architecture (SBA) communicate through application programming interfaces (APIs).
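Because every core function is an API endpoint, the security question the text alludes to is who may call which service. TS 33.501 answers it with OAuth 2.0: a consumer NF obtains an access token from the Network Repository Function (NRF) and the producer NF checks the token before serving the request. The following is an added example (not 3GPP or vendor code) that simulates that exchange with an HS256-signed JWT built from the standard library; the shared secret between NRF and producer, the NRF identifier and the NF instance names are assumptions for the example (the specification also allows public-key JWS signatures).

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


class NRF:
    """Stand-in for the Network Repository Function in its OAuth 2.0 authorization-server role.
    Issues HS256 JWTs; the secret is assumed pre-shared with producers for this example."""

    def __init__(self, nrf_id: str, key: bytes):
        self.nrf_id, self.key = nrf_id, key
        self.consumers = {}  # NF instance id -> (nf_type, services it may consume)

    def register(self, nf_instance_id: str, nf_type: str, allowed_services):
        self.consumers[nf_instance_id] = (nf_type, set(allowed_services))

    def issue_token(self, consumer_id: str, target_nf_type: str, scope: str, ttl: int = 300) -> str:
        entry = self.consumers.get(consumer_id)
        if entry is None:
            raise PermissionError("unregistered NF consumer")
        if not set(scope.split()) <= entry[1]:
            raise PermissionError("requested scope exceeds what the consumer is allowed")
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self.nrf_id, "sub": consumer_id, "aud": target_nf_type,
                  "scope": scope, "exp": int(time.time()) + ttl}
        signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                         + b64url(json.dumps(claims, separators=(",", ":")).encode()))
        return signing_input + "." + b64url(_sign(self.key, signing_input))


class NFProducer:
    """Stand-in for a producer NF (e.g. UDM) checking the token before serving an API call."""

    def __init__(self, nf_type: str, trusted_nrf_id: str, key: bytes):
        self.nf_type, self.trusted_nrf_id, self.key = nf_type, trusted_nrf_id, key

    def authorize(self, token: str, requested_service: str):
        """Return (True, consumer id) or (False, reason). The signature is verified
        before any claim is trusted, so a forged payload never reaches the checks below."""
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed token"
        header_b64, claims_b64, sig_b64 = parts
        expected = _sign(self.key, f"{header_b64}.{claims_b64}")
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False, "bad signature"
        claims = json.loads(b64url_decode(claims_b64))
        if claims.get("iss") != self.trusted_nrf_id:
            return False, "untrusted issuer"
        if claims.get("aud") != self.nf_type:
            return False, "audience mismatch"
        if claims.get("exp", 0) <= time.time():
            return False, "token expired"
        if requested_service not in claims.get("scope", "").split():
            return False, "scope does not cover the requested service"
        return True, claims.get("sub")


def demo():
    key = b"constructed-shared-secret"       # assumption: pre-shared between NRF and UDM
    nrf = NRF("nrf.5gc.example", key)        # hypothetical NRF identifier
    nrf.register("smf-001", "SMF", ["nudm-sdm", "nudm-uecm"])
    udm = NFProducer("UDM", "nrf.5gc.example", key)
    token = nrf.issue_token("smf-001", "UDM", "nudm-sdm")   # SMF asks to call Nudm_SDM on UDM
    return udm, token


if __name__ == "__main__":
    udm, token = demo()
    print(udm.authorize(token, "nudm-sdm"))    # granted
    print(udm.authorize(token, "nudm-uecm"))   # refused: service not in this token's scope
```

The audience check is what stops a token minted for UDM being replayed against an AMF, and the scope check is what keeps a compromised SMF from calling services it was never registered for; both are cheap and both are skipped surprisingly often in lab core deployments.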

3.3.2 Network software and flexibility

Network softwarisation certainly brings many advantages in terms of flexibility, letting network operators and service providers choose the right solutions in a wider and more competitive market. Telecom operators have often been considered vulnerable because of their dependence on hardware appliances; by reducing that dependence, softwarisation also provides the ability to prevent or mitigate vulnerabilities and to recover from potential threats. Since network functions can be scaled and replicated on demand, any node of the network can be reconfigured and scaled in time to prevent harm to the system and its connected resources, and defined flexibly according to the needs of the applications it serves. The current problem, however, is that some security controls (for example, encryption of control plane data) and physical deployment choices (for example, whether RAN and core network functions may be deployed at the same site) are defined as optional in the technical specifications, leaving vendors a degree of freedom in how they interpret, implement and use them. This may blur the distinction between the functions, roles and responsibilities of components in the architecture from a security perspective, making potential vulnerabilities and threats harder to identify and undermining the resilience of the network as a whole.

3.3.3 Multi-connectivity and device density

The network softwarisation of 5G enables the interconnection of a new generation of mobile devices (5G devices) while ensuring connectivity with 3GPP-based (e.g. 4G) and non-3GPP (e.g. Wi-Fi) devices. This capability, known as "multi-connectivity", is key to moving towards a unified wireless connectivity infrastructure and is one of the five pillars of 5G. 5G is therefore expected to drive the deployment of IoT devices and enable the "Internet of Everything" model (future factories and IoT robots, cars and vehicles, electronic identification of all devices).

Security mechanisms have been substantially strengthened with stronger encryption algorithms and authentication protocols, but multi-connectivity may conceal a wider range of new risks arising from interconnection with legacy systems that do not implement the latest security guidelines. Even with protection mechanisms in place (such as proxies and multi-access edge computing components), legacy systems and non-3GPP devices may become backdoors for attacks.

In addition, virtualisation and the large number of connected devices raise concerns that malicious actors could clone virtual network nodes (digital twins) and redirect data communications for eavesdropping and interference. Predictive threat identification algorithms that can detect and prevent cloned nodes would improve the network's resilience to such attacks and mitigate their impact.

3.3.4 Protocols and interoperability

Network softwarisation will expand the use of the IP protocol in 5G (see Section 3.1.5). IP was designed more than 40 years ago for worldwide connectivity and revised about 20 years ago (IPv6) to allow more addressable, connected devices. IP is packet-based and carries a fixed minimum of header data on every packet, which is inefficient for IoT devices that exchange frequent, short messages; specialised protocols such as ZigBee and Long Range Wide Area Network (LoRaWAN) were therefore defined for them. In addition, IP-based protocols have many weaknesses (such as address spoofing, route tracing and route manipulation) that let attackers learn about the sender and receiver of a packet or change its route to disrupt communication, affecting confidentiality, integrity and availability. In March 2020, the European Telecommunications Standards Institute (ETSI) launched a new non-IP networking group to address the challenges of the new digital era, namely connecting everything together while improving throughput, latency, interoperability and security. New protocols are being analysed as alternatives to IP, and this challenge will be another important revolution in the development of communication networks.
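Of the IP weaknesses listed above, address spoofing is the one an operator can actually filter at the core boundary: a packet arriving from the radio side should carry a UE-pool source address, and a packet arriving from the external data network must not claim an internal or UE address. The following is an added example (not from the report) of that ingress-filtering logic, run over constructed packet records; the interface names N3 (uplink from gNBs) and N6 (downlink from the data network), the address pools and the packets themselves are assumptions for the example.

```python
import ipaddress

# Constructed packet records (interface, src, dst); not captured traffic. Interface roles
# and prefixes are assumptions: "n3" carries uplink from gNBs (sources should be UE pool
# addresses), "n6" carries downlink from the external data network.
UE_POOLS = [ipaddress.ip_network(p) for p in ("10.45.0.0/16", "2001:db8:45::/48")]
CORE_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "2001:db8::/32")]
# Sources that must never appear on an external-facing interface.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7")]

SAMPLE_PACKETS = [
    ("n3", "10.45.3.7", "198.51.100.10"),         # normal uplink from a UE
    ("n3", "203.0.113.9", "198.51.100.10"),       # uplink claiming a public source: spoofed
    ("n6", "198.51.100.10", "10.45.3.7"),         # normal downlink
    ("n6", "10.45.0.99", "10.45.3.7"),            # external packet claiming a UE address
    ("n6", "192.168.1.1", "10.45.3.7"),           # RFC 1918 source from outside: martian
    ("n6", "2001:db8:45::1", "2001:db8:45::2"),   # IPv6 downlink spoofing the UE pool
]


def in_any(addr, networks):
    """Membership test that tolerates mixed IPv4/IPv6 lists."""
    return any(addr.version == n.version and addr in n for n in networks)


def classify(iface, src_text, dst_text):
    """Return None if the packet passes ingress filtering, else the reason to drop it."""
    src = ipaddress.ip_address(src_text)
    if iface == "n3":
        if not in_any(src, UE_POOLS):
            return "uplink source not in UE pool (spoofed or misrouted)"
    elif iface == "n6":
        if in_any(src, UE_POOLS) or in_any(src, CORE_PREFIXES):
            return "external packet claims an internal or UE address"
        if in_any(src, MARTIANS):
            return "martian source on external interface"
    return None


def filter_packets(packets):
    """Apply classify() to each record and return the drop decisions."""
    dropped = []
    for iface, src, dst in packets:
        reason = classify(iface, src, dst)
        if reason:
            dropped.append((iface, src, reason))
    return dropped


if __name__ == "__main__":
    for entry in filter_packets(SAMPLE_PACKETS):
        print("DROP", *entry)
```

The same rules are what BCP 38 asks of any edge network; in a 5G core they belong on the UPF's N3 and N6 faces, and the uplink check is the one that also catches a misconfigured or compromised gNB injecting traffic with someone else's address.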

3.3.5 Identifiers and encryption

As discussed in Section 3.3.2, under the current specifications data encryption is ensured between 5G base stations (gNB) and user devices, while individual operators are free to decide whether to implement it in other parts of the SBA. Because of throughput and latency constraints, encryption can be a barrier in latency-sensitive scenarios (e.g. automotive, remote surgery), so many functions may end up without it. Since radio-link encryption terminates at the gNB, which together with the core is a key component of the SBA, the gNB has access to all device traffic in plaintext. Research into new, efficient encryption mechanisms is nevertheless producing effective solutions, such as SNOW-V, a stream cipher with a 256-bit key that is expected to become a main 5G encryption mechanism thanks to its throughput and latency improvements, including on lightweight architectures.
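Sections 3.3.2 and 3.3.5 both come down to settings the specifications leave optional: null algorithms (NEA0/NIA0) in the NAS priority lists, the per-session user-plane security policy (REQUIRED, PREFERRED or NOT NEEDED for integrity and ciphering), and transport protection on N2/N3 and on the service-based interfaces. The following is an added example (not from the report) of a small audit that reads a constructed configuration fragment and flags each such setting, with the weak configuration shown beside a hardened one. The JSON field names are assumptions for the example, not a vendor schema; the policy values and algorithm names are the ones used in TS 33.501.

```python
import json

# Constructed configuration fragments (JSON). Field names are assumptions for this example.
WEAK_CONFIG = """{
  "nas": {"ciphering_priority": ["NEA0", "NEA2"], "integrity_priority": ["NIA2", "NIA0"]},
  "pdu_sessions": [
    {"dnn": "internet", "up_integrity": "NOT_NEEDED", "up_ciphering": "PREFERRED"},
    {"dnn": "factory-robots", "up_integrity": "PREFERRED", "up_ciphering": "REQUIRED"}
  ],
  "transport": {"n2_n3_ipsec": false, "sba_tls": false}
}"""

HARDENED_CONFIG = """{
  "nas": {"ciphering_priority": ["NEA2", "NEA3", "NEA1"], "integrity_priority": ["NIA2", "NIA3", "NIA1"]},
  "pdu_sessions": [
    {"dnn": "internet", "up_integrity": "REQUIRED", "up_ciphering": "REQUIRED"},
    {"dnn": "factory-robots", "up_integrity": "REQUIRED", "up_ciphering": "REQUIRED"}
  ],
  "transport": {"n2_n3_ipsec": true, "sba_tls": true}
}"""


def audit(config_text):
    """Return (severity, location, message) findings for settings the specs leave optional."""
    cfg = json.loads(config_text)
    findings = []

    # NAS signalling: integrity is mandatory except for emergency calls, ciphering is optional.
    nas = cfg.get("nas", {})
    if "NEA0" in nas.get("ciphering_priority", []):
        findings.append(("high", "nas.ciphering_priority",
                         "null cipher NEA0 is selectable; signalling may be sent unencrypted"))
    if "NIA0" in nas.get("integrity_priority", []):
        findings.append(("critical", "nas.integrity_priority",
                         "NIA0 permitted outside emergency calls; NAS messages can be forged"))

    # User plane: the SMF's per-session policy tells the gNB what it may negotiate away.
    for s in cfg.get("pdu_sessions", []):
        where = f"pdu_sessions[{s.get('dnn')}]"
        if s.get("up_integrity") != "REQUIRED":
            findings.append(("high", where,
                             f"user-plane integrity is {s.get('up_integrity')}; gNB may drop it"))
        if s.get("up_ciphering") != "REQUIRED":
            findings.append(("medium", where,
                             f"user-plane ciphering is {s.get('up_ciphering')}; traffic may go in clear"))

    # Beyond the radio link: backhaul and service-based interfaces.
    t = cfg.get("transport", {})
    if not t.get("n2_n3_ipsec", False):
        findings.append(("high", "transport.n2_n3_ipsec",
                         "no IPsec on N2/N3: gNB-to-core traffic is plaintext beyond the radio link"))
    if not t.get("sba_tls", False):
        findings.append(("high", "transport.sba_tls",
                         "no TLS on service-based interfaces between core network functions"))
    return findings


if __name__ == "__main__":
    for severity, location, message in audit(WEAK_CONFIG):
        print(f"[{severity}] {location}: {message}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

One caveat before setting everything to REQUIRED: Release 15 user equipment may support user-plane integrity protection only up to 64 kbit/s, so a REQUIRED integrity policy on a broadband DNN can make PDU sessions fail rather than make them safe. The policy is per session, which is exactly why the example keys it on the DNN: require it for the robot slice and the latency-sensitive services the text mentions, and audit rather than force it elsewhere.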

3.3.6 Strategic Choices for Security Risks and Challenges

Based on existing technical specifications, the scientific literature and an assessment of the impact of 5G technology, five major security risks and challenges were identified and eight strategic response options proposed to mitigate and address them, as shown in Table 2.

Table 2 Strategic response options for security risks and challenges

3.4 The relationship between cybersecurity, artificial intelligence and 5G technology

The increase in overall 5G complexity comes from the virtualisation layer and the shift to a programmable, software-driven, service-based and managed network architecture. 5G also offers unprecedented operational flexibility to support new business opportunities created by technological breakthroughs, including network slicing, the provision of network functions to applications or users according to their specific operational needs. The complexity, agility and transformation of the 5G ecosystem require network and service management that can address new and sophisticated cyber attacks as they evolve.

ETSI defines Zero-touch network and Service Management (ZSM) as a standard architectural framework for managing and securing 5G networks. The ZSM framework is envisioned as a next-generation management system whose goal is to automate all operational processes and tasks (planning and design, delivery, deployment, provisioning, monitoring and optimisation), ideally without human intervention ("zero touch").

Artificial intelligence, supported by machine learning and big data analytics, is a key enabler of the ZSM framework and of autonomous network capabilities. It offers potential security benefits, enabling more effective and efficient security solutions in cognitive network management and proactively performing predictive security functions in the expected network environment, even over encrypted 5G communications.

4. Final strategy selection

Based on the analysis conducted in the report, potential privacy and security risks, challenges, opportunities and recommendations are identified and described, providing the strategic options of this chapter. These cover: the feasibility of 5G applications given their privacy and security risks; the effectiveness of 5G from the standpoint of standardisation (promoting privacy, security and ethical standards); and the sustainability of 5G driven by integrity (strengthening the legal and regulatory framework to ensure trust and control beyond 5G, and supporting trustworthy investment by creating a public technology culture in the EU).

5. Conclusion

We are at another extremely challenging stage in the history of technological innovation, in which human values and technological knowledge seem increasingly intertwined, bringing opportunities and risks not only to people but to the entire 5G ecosystem. The impact assessment conducted for the report identified 6 privacy and 6 security issues related to 5G technology. For each of these concerns, no technology is inherently harmful, nor is technological innovation taboo. The same holds for the impact of 5G on privacy and security: technology is not an end in itself but a form of knowledge, and its effects therefore depend on the robustness of its security and on the awareness and responsibility of the society in which it is used.
