Our societies and industries will soon run increasingly on top of 5G networks, from critical infrastructures to transport systems and even in our homes with IoT. This is exactly why network trustworthiness is – and will always be – a top priority in any high-level discussion.
Breaking the status quo with ethical hacking
A common approach used across most IT domains is the use of ethical hacking. Traditionally, so-called “white hat hackers” have played an integral role in identifying software vulnerabilities and guiding overall software development practices.
What if we could take that concept and apply it to mobile networks? What if we could apply the wealth of knowledge of the wider IT industry in safeguarding the future integrity and security of 5G mobile infrastructure software?
With 5G, we can do that.
In many ways, the new 5G standard breaks the status quo of all previous standards. One such example is the greater adoption of common distributed IT architecture and protocols, such as Service Based Architecture (SBA), in addition to common HTTP/2 and JSON standards for signaling.
This architectural paradigm shift has broadened the inclusivity of the 5G cybersecurity ecosystem. It has taken the domain of cybersecurity and vulnerability research away from treating telecommunication as a closed ecosystem and made it accessible to the wider IT industry. This lays a critical groundwork for greater cross-industry collaboration in mitigating 5G security risks.
The world’s first 5G hackathon
In November 2019, for the first time ever, we exposed our new 5G radio equipment to the ethical hacker community in order to test, learn and improve. This event was the world’s first 5G cyber security hackathon, arranged by Traficom (Finnish Transport and Communications Agency).
The event, which took place at the Tellus Arena at the University of Oulu in Finland, invited more than 80 ethical hackers from ten countries to put 5G security to the test. All in all, the hackers had 24 hours to try to find holes in real commercial and pre-commercial 5G equipment. We awarded the hacker teams based on their success, with winning teams receiving up to EUR 10,000.
Although our products do go through extensive security testing throughout their lifecycle, we are always open to feedback. In the Ericsson challenge, we had 40 hackers trying to hack into our equipment, equating to almost 120 full working days of hacking.
The vast array of expertise on display gave our security professionals valuable insight into their unique way of thinking when it came to identifying vulnerabilities.
Learnings for the future and our continued approach
Here at Ericsson, we foster the principle of responsible disclosure when it comes to vulnerabilities found by external researchers and white hats. We want to make sure that our equipment is as robust and safe as possible when it is being used by our customers in various deployment scenarios across the globe.
No critical issues were identified in our equipment during the event. As is usual and expected, all minor findings were processed rigorously by our security experts and fed back to our research and development teams.
Overall, the event was a great success. In addition to our findings, we were able to set a new benchmark in identifying 5G security risks and strengthen our collaboration with security communities.
Security is part of our DNA
Security is not a standalone concept; it’s a mindset.
As the landscape rapidly evolves and new use cases and applications develop, the security safeguards of 5G mobile networks must continue to be built-in – holistically, by design and from the ground up.
The whole chain needs to be managed – from global standardization fora up to the vendor development processes and implementations, going further even to the deployment of the network equipment and operations. Our mission is about constant improvement, detection and response.
At Ericsson, we live by a framework called the Security Reliability Model. This model promotes security and privacy by design and follows up actual product security in all our deliverables. We also want to learn about all vulnerabilities so that we can fix these issues to prevent them posing risks to our customers.
To summarize, the industry must evolve from a traditional telecommunications mindset towards a more transparent one. That’s why we believe in exposing our development processes and the quality of our products to be tested and improved across a much broader and deeper set of competences.
We participated in the world’s first 5G cyber security hackathon to benchmark how our development and design choices are seen through the eyes of real-world experts: white hat hackers.