Hackers in Finland Test 5G Networks, Devices in Security Exercise

The competition was the first 5G security test that was open to independent hackers, said
Sauli Pahlman,
head of business development at Finland’s National Cyber Security Centre.

“We understand better how we need to change our approach from 4G to 5G,” he said.

The fifth generation of cellular networking, 5G is designed to replace 4G, also known as LTE. Not yet in widespread commercial use, the new technology, up to 100 times as fast as 4G networks, is eventually expected to support Internet of Things products including medical devices, autonomous cars and home appliances, as well as critical infrastructure such as traffic management systems and hospital equipment. Because of the huge number of devices that will connect to 5G networks, cyberattacks could have very damaging consequences, Mr. Pahlman said.

The exercise was intended to share information with 5G suppliers to help them improve their products’ cybersecurity protections, Mr. Pahlman said. Ericsson declined to comment and Nokia didn’t respond.

“It would be a very unfortunate situation if we’re not able to solve the IoT security problem before we have billions of devices on the 5G network,” said
Marko Buuri,
a cybersecurity consultant. Mr. Buuri participated in the exercise, part of a team of hackers who tried to intercept simulated remote communications between a doctor and a patient who were using a virtual-reality headset connected to a 5G network.

Mr. Buuri said he uncovered flaws in devices and software during the 5G test, but no fundamental problems in the network protocols. He declined to name the flawed products.

Many IoT devices available today aren’t secure, Mr. Buuri said. Companies should build products that require users to change passwords before using them, he said. In addition, IoT devices aren’t always easy to update when a security flaw is identified in their software. Manufacturers should make updates available for years to come so products don’t need to be replaced when a flaw is found, he said.

Countries around the world are running trials of 5G networks. The U.S. and other governments are concerned about securing 5G from cyberattacks, and some have implemented measures to restrict equipment suppliers that don’t meet their standards. The European Union is expected to publish details about its strategy to secure 5G networks later this month.

“5G in some areas will have life or death consequences,” said Martijn Rasser, a senior fellow at the Center for a New American Security, a Washington-based think tank.

The new technology will rely on more software compared to older networks. As a result, the networks could be easier for hackers to manipulate by exploiting vulnerabilities in poorly written software, the European Commission, the EU’s executive arm, warned in a report published in October.

Finland is organizing another 5G event in February where cybersecurity researchers and officials from other European countries will discuss outcomes from last month’s exercise and test 5G networks again, Mr. Pahlman said. “We should have a common EU-wide approach,” he added.

Last month, Finland introduced a cybersecurity label for Internet of Things products. To carry the label, devices must be approved by the country’s Transport and Communications Agency. The system is a way to inform consumers that products are safe to use immediately because they meet basic cybersecurity standards such as requiring strong passwords, Mr. Pahlman said.

Write to Catherine Stupp at Catherine.Stupp@wsj.com

Comments are closed.