When accessing sensitive information via a smart device (for example an online bank account), most people assume that a cellular network is safer than Wi-Fi. But as new 5G deployments bring new security risks, this assumption is no longer accurate. Why? Over the next decade, 5G will be handing off connections to Wi-Fi networks at a staggering pace, exposing more and more “cellular” users to Wi-Fi security threats. In addition, the increase in internet-connected 5G devices will likely bring a sharp increase in attackers looking to exploit cellular connectivity directly.
The reality is that cellular providers can’t keep up with users’ bandwidth demands, forcing them to embrace Wi-Fi network “offloading,” which is more commonly referred to as Hotspot 2.0 or Passpoint. It works by seamlessly transitioning a user device’s cellular connection over to Wi-Fi whenever it is in range of an access point (AP) configured for Passpoint (this is most common in large cities, public transportation areas, airports and shopping malls). In fact, Cisco predicts 71% of 5G traffic will be offloaded to Wi-Fi networks (up from 59% of today’s 4G traffic). That’s key to this issue – a majority of cellular data users are actually using a nearby Wi-Fi hotspot for much of the time without knowing it. And that means they are vulnerable to Wi-Fi hacks.
Hopefully by now you’re familiar with the six standard Wi-Fi security risks, but if not, here’s an overview (you can get more information on the six Wi-Fi threats and sign a petition for better Wi-Fi security standards across the industry here). The six risks are:
Rogue Access Point (AP): Unauthorized APs that are physically connected to a network but are not supposed to be, allowing attackers to bypass perimeter security.
Rogue Client: Victim devices that have connected to malicious APs and may be infected with malware payloads trying to spread onto secure networks.
Neighbor AP: Client devices on private networks that connect to nearby neighbor SSIDs and risk accidentally connecting to malicious APs and getting infected.
Ad-Hoc Connections: Sharing files client to client (AirDrop, for example). This is convenient, but anything shared this way, including infected files, will bypass security controls.
Evil Twin AP: An AP set up by a hacker to mimic the SSID of a legitimate AP and intercept a victim’s connection without them ever noticing.
Misconfigured AP: APs on the network that do not comply with minimum security standards such as encryption settings. These open the network up to attack.
Of the six threats, the Evil Twin AP is the most dangerous for 5G connections. Attackers primarily eavesdrop on and intercept Wi-Fi traffic from man-in-the-middle positions and are constantly looking for easy ways to steal valuable information, such as user credentials for juicy targets like cloud-based HR sites, email, or online shopping and travel sites. For example, if a 5G user has their cellular connection offloaded to an Evil Twin AP mimicking a legitimate Passpoint AP, then the attackers have full visibility into the data stream the user thought was private and secured via cellular technologies.
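A defender's first-pass check for the Evil Twin and Misconfigured AP cases described above, added here as an example and not part of the original article: it compares observed beacons against an inventory of authorised APs. The SSIDs, BSSIDs, category names and policy values are constructed assumptions, and because a BSSID can be spoofed, an "authorised" result is not proof that the AP is legitimate.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str


# Constructed inventory (assumption): authorised BSSID -> SSID it should advertise.
AUTHORISED = {
    "02:00:00:aa:00:01": "Airport-Passpoint",
    "02:00:00:aa:00:02": "Airport-Passpoint",
}
# Assumed minimum policy: offloaded Wi-Fi must use an enterprise WPA2/WPA3 mode.
ALLOWED_SECURITY = {"WPA2-Enterprise", "WPA3-Enterprise"}
PROTECTED_SSIDS = set(AUTHORISED.values())


def classify(beacon: Beacon) -> str:
    expected_ssid = AUTHORISED.get(beacon.bssid.lower())
    if expected_ssid is None:
        # Unknown radio advertising one of our SSIDs: the Evil Twin pattern.
        if beacon.ssid in PROTECTED_SSIDS:
            return "evil-twin-suspect"
        return "neighbor"
    # Known radio with the wrong SSID or security below policy: Misconfigured AP
    # (or a spoofed BSSID, which this check alone cannot tell apart).
    if beacon.ssid != expected_ssid or beacon.security not in ALLOWED_SECURITY:
        return "misconfigured"
    return "authorised"


def triage(scan):
    """Group observed BSSIDs by category for an analyst to review."""
    result = defaultdict(list)
    for beacon in scan:
        result[classify(beacon)].append(beacon.bssid.lower())
    return dict(result)


# Constructed scan results, not captured from a real network.
SAMPLE_SCAN = [
    Beacon("Airport-Passpoint", "02:00:00:AA:00:01", "WPA2-Enterprise"),
    Beacon("Airport-Passpoint", "02:00:00:bb:00:99", "Open"),
    Beacon("Airport-Passpoint", "02:00:00:aa:00:02", "WPA2-PSK"),
    Beacon("CoffeeShop", "02:00:00:cc:00:10", "WPA2-PSK"),
]
```
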
Offloaded Wi-Fi is technically supposed to be protected by enterprise versions of the WPA2 or WPA3 security protocol. However, both of these encryption methods have suffered serious flaws lately with the KRACK and Dragonblood vulnerabilities, which have exposed fundamental flaws in the system design (although enterprise versions are considered a bit safer). In addition, tools and research are being developed to exploit this protection constantly. Encryption, after all, is supposed to be the last resort of protection for our connections.
Wi-Fi attacks via offloading are the most pressing security risk to 5G users, but 5G traffic itself also has security vulnerabilities that can be exploited. In February 2019, security researchers disclosed two attacks, Torpedo and Piercer, that allow novice attackers to intercept calls and track mobile phone location without the users’ knowledge. The Torpedo attack allows attackers to exploit a weakness in the 4G/5G paging protocols normally used to notify a phone before an incoming call or text arrives, and involves placing and cancelling several phone calls in quick succession. Using it, attackers can track the location of devices silently. Torpedo also enables Piercer, which allows attackers to obtain and decrypt International Mobile Subscriber Identity (IMSI) numbers, basically the unique numbers that link us to our phones. Once an IMSI is known, cellular man-in-the-middle tools like the popular Stingray can be used to eavesdrop on anyone’s calls. The researchers claim the attacks can be carried out with equipment costing as little as $200.
Although a security solution that prevents these Wi-Fi attacks is technically possible today, it would require cooperation between the companies that make Wi-Fi infrastructure and those that make client devices. If these two sets of ecosystem players joined forces and created a new security standard for Wi-Fi that is implemented via software patches on top of existing hardware, it could solve the rampant issue of Wi-Fi hacking and prevent the risk of 5G traffic being offloaded to an insecure AP.
Ultimately, the technology world will continue to push the envelope of mobility. We in the security industry ask that product creators remember to bring security with them in this era of fast-paced wireless innovation. Security matters to everyone.