The Impact of 5G: Unpacking Security and Privacy Concerns

Author: Mahmoud Mohamed, PH.D., CISM, ISC2 CC
Date Published: 13 November 2024

5G, or the fifth generation of cellular networks, is expected to transform wireless communication with features such as high-speed data transfer capability, extremely low latency, and higher connectivity. 5G software has made it possible for a vast host of applications to be developed, ranging from self-driving cars to telesurgery, to smart cities, to industrial Internet of Things (IoT). It is important to note, however, as with any disruptive technology, there is security and privacy risk associated with 5G that should be considered before widespread implementation. Analyzing 5G risk is critical in understanding its implications for users, enterprises, and society at large.

Key Aspects of 5G Technology

5G leverages advanced technologies for superior performance compared to previous network generations.

Some key aspects of 5G technology include:

  • Higher frequency—Operating in the 5GHz to 6GHz range
  • Millimeter wave (mmWave)—Enabling high data band capability and network speeds up to 20Gbps
  • Multiple-input multiple-output (MIMO)—Using more antennas to improve network capacity, signal quality, and system energy
  • Beamforming—Narrowing down the desired signal for improved efficiency and reduced interference, crucial for high-frequency mmWave use
  • Edge computing (also known as fog computing)—Bringing computation closer to end users for faster processing
  • Network slicing—Creating separate, logical networks within a physical environment for more efficient usage and enhanced security for specific applications

Cybersecurity Risk of 5G

The advanced nature of 5G technology increases the potential for cyberthreats. This is due to several factors:

  • The expanded attack surface—Hacking and data theft vulnerabilities in the main architecture of 5G are due to the virtualized and software-based nature of the system; hackers may take advantage of the network slicing scheme to launch attacks from apparently secured slices. For example, a black hat could compromise the slice that belongs to a certain application, such as that of an autonomous vehicle, to influence services, trigger accidents, or steal information. The systems involved here are also integrated, meaning that if there is a breach of one area, the entire system could be made accessible for the attacker to move laterally across the network.
  • The growth of software-defined networking (SDN)—SDN can introduce new risk if not properly secured. It separates the control plane from the data plane, allowing for more flexibility and programmability. However, this also introduces more opportunities for software-based attacks such as malicious code injections or unauthorized access to the control plane.
  • The prevalence of IoT—IoT’s ability to connect numerous devices on a 5G network simultaneously makes it difficult to assess each one, leaving the network susceptible to attacks. It is expected that IoT devices all over the globe will total 75.44 billion by 2025, which will present an immeasurable attack surface.1 Many IoT devices have inadequate security measures, use default passwords, and are rarely updated.2 They are suitable for hackers who want to organize botnets to conduct distributed denial of service (DDoS) attacks or gain access to various networks.
  • Edge computing—Also known as fog computing, this brings computation and network tasks closer to users, increasing the risk of security breaches if edge devices are compromised. This may include:
    • Interference with data exchange between edge devices
    • Execution of malicious programs on edge devices
    • DDoS attacks
  • Supply chain risk—5G networks consist of equipment and software supplied from different parts of the global value chain, comprising a variety of vendors and countries. This makes it difficult to determine the reliability of every element of the network. It is possible for backdoors to be deliberately planted by state actors or incorporated unintentionally by supply chain partners, resulting in security risk to the entire network. Since many supply chain processes are not disclosed and there is no way to audit every segment, it becomes challenging to evaluate and manage risk properly. Discussion about geopolitical conflicts and controversies highlights the need for effective solutions to address supply chain security threats.

5G Privacy Implications

Apart from the security threats that can be introduced by 5G networks, there are privacy issues that users are likely to encounter as well. The degree of geographical precision and high volumes of data that can be collected due to versatile 5G could be used to spy on users without their consent. This could take the form of:

  • Location tracking—Beamforming and millimeter waves help in tracking the specific location of a user’s device with an accuracy of a few meters. Such accuracy could mean the constant, intrusive monitoring of people’s movements by advertisers, the state, or potential aggressors. For example, a market could adopt 5G location tracking to observe customer behavior and shopping habits—all without their knowledge. While it is possible to anonymize the data generated by 5G networks, the large amount of metadata involved (e.g., the IDs of the devices connected, the time during which the connection is maintained, the volumes of data sent or received) could be exploited to deanonymize and reconstruct the actions of the users with the help of complex algorithms for data analysis and machine learning (ML).
  • Invasive data collection practices—Personal data that captures users’ preferences, habits, and behaviors is transmitted from smart homes, wearable gadgets, self-driving cars, and other connected devices. Without appropriate safeguards and user consent, this data could be used for advertising purposes, price discrimination, or other invasions of the user’s privacy. For example, health insurers could charge their customers inequitable rates based on the risk involved in their lifestyle as recorded by the wearables. Advertisers might also use IoT data to deliver targeted, invasive advertisements that violate user privacy and inhibit agency.
  • Out-of-bounds data processing—Edge computing in 5G poses privacy issues because user data can be processed on the edge server outside the geographical boundary of data protection laws (e.g., the EU General Data Protection Regulation [GDPR]).3 This may reduce users’ abilities to assert their rights and govern what is done with their data.

    There is often little rhyme or reason in terms of how data is collected at the edge and who is able to access it. For instance, edge servers residing in nations that lack stringent privacy laws could be relied on to manage sensitive user information without sufficient safeguards or any legal regulation.

Addressing 5G Security and Privacy Risk

To overcome the security and privacy obstacles of 5G, proper collaboration between policymakers, industries, academics, and civil societies is needed. International governments are forming 5G security principles, standards, and policies to provide security in the context of 5G’s core infrastructure. For example, the European Union has shared the EU Toolbox for 5G Security, which contains activities for addressing the primary cybersecurity threats that concern 5G networks.4 In the United States, the Federal Communications Commission launched the 5G Fund for the provision of secure and reliable 5G networks.5 Yet, due to the interconnectivity of the 5G supply chain and other systems globally, the collaboration and coordination of security policies across borders are crucially important to achieve similarly adequate security levels. Organizational efforts should be proactive, including through the incorporation of robust cybersecurity into the foundations of 5G. This encompasses:

  • Facilitating secure network slicing where different applications and users are kept in separate virtual networks to avoid compromise
  • Using encryption to safeguard data on the move and at rest
  • Ensuring edge devices’ physical protection
  • Monitoring edge environments continuously for threats
  • Applying patches at the appropriate time

In summary, both 5G equipment and IoT devices require a standardized level of security, so common security standards must be established for IoT devices as well. Schemes and programs including the Global System for Mobile Communications Association’s (GSMA’s) Network Equipment Security Assurance Scheme (NESAS)6 were developed to present a methodology for the evaluation of the security of 5G network equipment.

Mitigating supply chain security threats requires more transparency and cooperation among suppliers, operators, and governments. Measures such as demanding extensive testing of equipment for potential vulnerabilities, mandatory reporting of sourcing information, and limitations on high-risk vendors might be required. For example, the United States has taken steps to regulate the purchase of equipment from some Chinese suppliers due to security considerations.7 Limiting the reliance on single vendors and expanding the use of open-source and interoperable products can also be useful in managing risk.

To ensure privacy, 5G operators must apply proper data protection measures that reflect transparency, user control, and data minimization. This includes informing users clearly and accurately about data collection, processing data only with the user’s prior consent, and enabling the user to view, change, or delete their data. Methods such as federated learning and differential privacy can be used to maintain user privacy in ML and artificial intelligence by keeping the data at the edge and adding noise to make it unidentifiable. For example, Google has applied federated learning in the Gboard keyboard app, through which personalized language models are developed without transmitting the raw data of the user to the cloud.8 Authorities should also revise existing privacy laws as they relate to 5G, specifically with regard to location data and data processing at the edge. The European Data Protection Board (EDPB) has published recommendations on personal data processing in the context of connected cars, stressing the necessity of implementing data protection by design and default in the development of 5G automotive applications.9
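The "keep the data at the edge and add noise" idea can be made concrete with the Laplace mechanism. The sketch below is an added example, not code from the article or any operator: an edge node turns raw device attach events into noisy per-cell counts, and only those counts leave the node. The event format, cell names, and function names are assumptions made for illustration.

```python
import random
from collections import Counter

# Constructed sample: (device_id, cell_id) attach events seen by one edge node.
SAMPLE_EVENTS = [
    ("dev-a", "cell-1"), ("dev-a", "cell-2"), ("dev-b", "cell-1"),
    ("dev-c", "cell-3"), ("dev-d", "cell-9"),
]
# Fixed, public list of cells this node reports on (hypothetical names).
CELLS = ("cell-1", "cell-2", "cell-3", "cell-4")


def laplace_noise(scale, rng):
    """Laplace(0, scale) sample: the difference of two exponentials of mean `scale`."""
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)


def true_cell_counts(events, cells):
    """Count each device once, in the first reported cell it appears in.

    Bounding every device to one contribution keeps the histogram's
    sensitivity at 1: adding or removing a device moves one count by 1.
    """
    seen, counts = set(), Counter()
    for device_id, cell_id in events:
        if device_id in seen or cell_id not in cells:
            continue
        seen.add(device_id)
        counts[cell_id] += 1
    return {cell: counts[cell] for cell in cells}


def private_cell_counts(events, cells, epsilon, rng=None):
    """Return epsilon-differentially-private counts; only these leave the edge."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    rng = rng or random.SystemRandom()  # OS entropy unless a test injects a seed
    scale = 1.0 / epsilon               # Laplace scale = sensitivity / epsilon
    exact = true_cell_counts(events, cells)
    # Noise is added to every cell, empty ones included, so the set of keys
    # in the report reveals nothing about which cells had devices.
    return {cell: exact[cell] + laplace_noise(scale, rng) for cell in cells}


if __name__ == "__main__":
    print(private_cell_counts(SAMPLE_EVENTS, CELLS, epsilon=0.5))
```

A smaller epsilon gives stronger privacy and noisier counts. Production systems normally rely on a vetted differential privacy library, because naive floating-point Laplace sampling has known precision weaknesses.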

Security and privacy cannot be an afterthought when it comes to the architecture, implementation, and management of 5G networks. They must be strongly linked with the development process and incorporated at each stage. This signifies a shift from the conventional approach of safeguarding against threats once they have been identified, to adopting preventive measures and evading the potential threats. Prioritizing trust in design will prove beneficial for the implementation of 5G technology, especially given concerns about privacy that may otherwise impede the use of certain applications. To overcome these barriers, organizations must implement transparent privacy policies. Thus, 5G security research and the continuous cooperation of the stakeholders will continue to be essential for addressing new threats and creating reliable and secure networks. This is why investing in security architectures such as zero trust networks, quantum-resistant cryptography, and advanced, AI/ML-powered threat detection and mitigation solutions is crucial. Industrial, academic, and governmental cooperation will improve the sharing of information, the latest trends, and secure practices regarding these threats.

Conclusion

5G is a revolution in technology with opportunities in multiple fields; however, it presents new security and privacy issues that cannot be ignored. These include the increased attack surface, the integration of edge computing, and the complexities of the global supply chain. All these threats call for further established cybersecurity measures and the protection of data. These issues will need to be managed continually through cooperation between governments, commerce, academic institutions, and civil society to create and enforce the proper security measures for cloud computing. By ensuring security and privacy in the architecture and management of 5G, the technology’s success among users can be ensured and potential threats prevented.

However, with the continuously growing role of 5G and its rising use cases, it is vital to stay vigilant and constantly respond to threats and risk. There is a need to continue research, monitoring, and information sharing to meet challenges and threats. A sustained commitment to cybersecurity research and innovation and the proper training of a labor force can mitigate the security risk inherent in 5G technology. The security and privacy of 5G is not merely a technology issue, but a social, economic, and political one. While applications powered by 5G are still developing, they are set to transform society, leading to potential issues with data rights and algorithmic fairness. Solving these global issues will necessitate a complex, successful interprofessional and multifaceted intervention that entails policymakers, ethicists, social scientists, and community members.

As we enter into this new age of connection, it is imperative that much consideration is paid to 5G security and privacy, so that the positive potential of this technology may be unlocked for the benefit of all.

Endnotes

1 Statista, “Internet of Things (IoT) Connected Devices Installed Base Worldwide From 2015 to 2025,” 2024
2 Mammela, O.; Hiltunen, J.; et al.; “Towards Micro-Segmentation in 5G Network Security,” European Conference on Networks and Communications, 2019
3 Gdpr-info.eu, General Data Protection Regulation, European Union
4 European Commission, “The EU Toolbox for 5G Security,” European Union, 29 January 2020
5 Center for Strategic and International Studies, “Criteria for Security and Trust in Telecommunications Networks and Services,” USA, 2020
6 Global System for Mobile Communications Association, “FS.13 - NESAS Overview v.2.3,” 2019
7 Schneider, P.; Mannweiler, C.; “Providing Strong Security and Privacy in 5G Networks,” Wiley 5G, 2020
8 Jover, R.; “The Current State of Affairs in 5G Security and the Main Remaining Security Challenges,” arXiv, 17 April 2019
9 European Data Protection Board, “Guidelines 01/2020 on Processing Personal Data in the Context of Connected Vehicles and Mobility Related Applications,” European Union, 9 March 2021

MAHMOUD MOHAMED | PH.D., CISM, ISC2 CC

Is a certified cybersecurity professional with experience securing networks and mitigating risk for top enterprises. His areas of expertise include network architecture, system hardening, access controls, and threat detection.