16 May 2020 - David Rupprecht
Responsible for adding mandatory full-rate integrity protection to 5G networks is the 3GPP, a consortium that specifies the 5G standard in the form of releases. In particular, release 16, frozen in June, is the last chance to add mandatory integrity protection to the 5G specification. This is because release 16 is the first feature freeze release for the 5G NR Standalone radio layer. Adding security in a later release is an inadequate option, as backward compatibility weakens even newer releases. Thus, if mandatory full rate UP IP is not specified for release 16, we face 5G networks that are prone to sustainable attacks. There is a lot of back and forth on this topic. Integrity protection causes an additional overhead and that is always expensive. Let's have a look at the discussions.
Discussions
- The issue of missing integrity protection is known since March 2018 [1]. Some 3GPP documents even date back to 2006, stating that missing integrity protection can be a security problem [12].
- March 2020: To mitigate the threat of attacks in 5G networks, a large group of providers and some vendors have attempted to mandate integrity protection in the 5G specification [3,4].
- This attempt was postponed due to some vendors’ objection, mainly baseband vendors, e.g., Qualcomm, OPPO, and Samsung [5,6]. They argue that it is challenging to integrate full-rate integrity protection due to the performance requirements and need more technical discussion on a working group level [7].
- May: Another attempt tried to add mandatory full rate integrity protection [8,8a]. Again this was postponed (3GPP term “noted”) by the vendors [9,10,11].
What do we learn from this? Things are never easy! One the one side who would complain about better security? On the other side, who wants to invest additional resources for something that could be exploited through some very advanced attacks? I'm curious what we will end up with.