5G Is No Exception: Cellular Is Still Insecure

Cellular connectivity from 2G to 4G has been unsecured, and 5G is no magic bullet.

For cellular IoT to operate securely, we must all understand the dangers of the global mobile infrastructure and accessible solutions.

Virtually all verticals will use cellular connectivity for IoT and M2M devices at some point in their digital transformation. Whether remote sensors, smart city edge-routers, asset-trackers, point of sale devices, or medical monitors, cellular data provides the most ubiquitous terrestrial coverage and remains the most commonly available technology. Cellular is here to stay. We have a moral responsibility, not only to protect user data and secure mission-critical devices from bad actors, but also to shepherd the growth of our industry, which could be stunted by any prevalent insecurity. Yet, few are even aware of the risks that inter-operator connectivity itself presents.

A large-scale denial of service attack could bring a smart city to its knees, while even a small-scale attack diminishes the confidence in any new initiative being made. The blackmail opportunity this would offer might devastate an enterprise or compromise an official institution. Data and SMS can be intercepted while traversing the mobile network, before the data even sees the public internet. Tracking the location of a device using signalling messages could expose individuals and enterprises to fraud, data breach, and other more physical dangers. All of these attacks (and more) can easily be executed despite the regular security measures (VPN, encryption, other forms of IP-layer security, and device security) all being in place.

The move from legacy systems to 5G is much slower, painstaking, and complex than network operators would have us believe. Moreover, many IoT devices being deployed today are still intended for use on 2G and 3G systems – which will inevitably maintain demand to keep these RF bands operational. Finally, the 5G standards and regulations, despite making some attempt to learn from the past, have still allowed for the persistence of known flaws and troubling security gaps.

In this talk, we will discuss the history of legacy mobile networks, how they became exposed, why they were never secured, possible attack types and how they are perpetrated, the status and challenges of 5G security, and what can still be done about it. You will learn what protections are currently available against threats perpetrated using mobile network infrastructure, and how these fit into best practices for end-to-end IoT security. This may be of interest to security professionals as well as systems integrators, solutions providers, manufacturers, and anyone working in cellular communications.


Stuart Mitchell is the Chief Evangelist and Head of Product at ZARIOT and is driven by a desire to safely connect the world’s devices. Having held a senior management position at VeriSign, Stuart moved into strategic roles in mobile telecom service providers and, just before joining the ZARIOT team, bootstrapped and successfully exited an internal IoT startup venture. A strong advocate of customer-first, Lean startup methodology, Stuart brings an entrepreneurial and characteristically lateral approach to every project he undertakes.