5G security is top of mind for those who recognize that 5G is going to be higher risk. Fuzzing is one of the leading testing techniques for securing 5G.
5G is fast—faster than 4G, which is faster than 3G, which was, of course, faster than 2G. 5G is anywhere from 10 to 100 times faster than a typical 4G connection, depending on whether you’re citing theory or practical reality.
But speed is not its only selling point. Promotions for the next-generation 5G cellular technology also note that it has 1,000 times the capacity of 4G and delivers 10 times less latency, which is another version of faster. As in, you can do more and more things in real time.
Still, those are not the only reasons Kimm Yeo is excited about 5G.
The Synopsys senior staff product marketing manager for the fuzzing tool Defensics said the general public tends to perceive 5G as “just another mobile broadband speed enhancement,” though it is much more. “Defensics supports more than 250 different types of protocols, from network protocol fuzzing to file format, web, API, device drivers, and so on. It shows our level of commitment to our customers and their fuzzing needs.”
“And we are the only commercial fuzzer that provides that level of support and assurance, with our large number of predefined test suites and a separate SDK [software development kit] so teams can easily define, fuzz, and test both their commercial and custom proprietary protocols.”
Yeo said the implications of 5G for consumers, businesses, and nations go well beyond speed; it “will have a significant impact on convenience, privacy, safety, and security.”
Indeed, the potential is staggering. Yeo said one forecast is that from 2020 to 2026, 5G will grow from $5.54 billion to $668 billion. In other words, the 5G industry will have a 122% annual growth rate.
“We are talking emerging use cases beyond imagination,” Yeo said. She noted that at the commercial and industrial level, 5G offers a new way to monitor the performance of critical operations that require high-speed, ultra-reliable, low- to zero-latency performance.
Examples of those include critical surgery, smart surveillance, and utility management, massive machine-to-machine communications such as vehicle-to-vehicle, smart cities, and smart traffic.
The consumer level includes wearables, digital lifestyles, and “entertainment beyond imagination—it’s a really broad range,” she said.
That is a technological leap that will “transform all business models. It will redefine entertainment, communication, and how businesses and consumers connect to the internet globally.”
Not to mention that the Internet of Things (IoT) is forecast to include more than 75 billion devices by 2025.
A second reason for excitement is that from the early stages, there are solutions to build security into 5G, such as 5G protocol fuzzing with Defensics.
Besides the current generation of 3G/4G LTE cellular and wireless networks, Defensics has recently released 5G test suites, and enhanced 3G/4G test suites for businesses building the 5G network equipment and infrastructure, and as well as operators with plans to roll out devices and services supporting the 5G network.
“Fuzzing is a great way to perform negative testing, as you can enter an unlimited number of random, malformed inputs to test the robustness, safety, and security of systems, apps, and services before they are released,” Yeo said. “It is used to uncover any unknown vulnerabilities and potential zero-day attacks that can lead to product recalls, brand damage, litigation, and more, not to mention taking considerable time and money to repair and replace.”
The leading edge of companies getting on the 5G train includes global network equipment and services providers. “That means products and the infrastructure to support them,” Yeo said. “We have seen a ramp-up of activities in the past year, even among the mobile carriers, with 5G advertisements from AT&T, T-Mobile, and Verizon. And it is not going to stop here. It won’t be long before other adjacent industry players such as device makers, chipset firms, and cloud/edge computing look into supporting 5G.”
“Cloud/edge computing providers looking to offload the cellular network traffic and bring the capability faster and closer to the content source and users will find 5G helps to further reduce latency and improve overall performance and quality,” she said.
The growth in 5G compatibility is well underway. “In just six months, from last March to October, GSA [Global Mobile Suppliers Association] reported that the number of devices that will support 5G had grown from 38 to 172, from 71 vendors,” she said. “They’re not all commercially rolled out yet, but we’re not just talking mobile devices. It’s also PCs, laptops, tablets, drones, routers, robots, displays—everything that requires it.”
Of course, as is the case with any next-gen technology, there are risks and uncertainties. Among uncertainties, “the jury is still out with regard to cellular vs. wireless rate of adoption—5G vs. Wi-Fi 6,” Yeo said.
Also, 5G standards are relatively young. Yeo said the specifications are “still evolving and being defined by standards bodies such as 3GPP [3rd Generation Partnership Project].”
“We are actively monitoring and tracking the evolving specifications as defined by 3GPP to ensure that Defensics gets updated accordingly,” she said.
And then there is security. Greater connectivity means a greater attack surface. Yeo said 5G will bring more security risks than the current generation of cellular technology. “In recent years, we have seen some of the potential exploits with 4G LTE,” she said, noting that about a year ago, a team of South Korean researchers found 36 security vulnerabilities in networks through the use of fuzz testing, described in this white paper by Synopsys.
“With the coming increase in connectivity and smart everything, it’s going to open the door to more attack surfaces that will be very difficult to anticipate and prevent,” she said.
Among those major attack surfaces:
All those can affect both national security and consumer privacy. “That’s why it is not enough to rely on traditional application security testing tools, which detect only known (reported and recorded) vulnerabilities,” Yeo said.
“We definitely will need fuzzing, because it’s the only way you can do negative testing,” she said. Fuzzing involves inputting massive amounts of random data to a test subject. The goal is to crash a system, equipment, or a service and thereby expose unknown vulnerabilities.
The good news is that Synopsys is already working with major network communications equipment and services providers on that kind of testing.
“Security is coming to the forefront for policymakers,” Yeo said. “They recognize that 5G is going to be higher risk, and they know there is no way to catch an unknown. You don’t know what you don’t know, so you need to fuzz.”