5G builders test vulnerabilities in Finnish hackathon

The Finnish government has embarked on a new 2020 plan to deepen its collaborative relationship with business in cyber incident response and cyber security disaster planning.

Closer cooperation between the state and private sector is expected to lead to joint ventures in cyber security and joint defence exercises.

The impending roll-out of 5G technology has added a new layer of risk to Finland’s national security, and the potential risk to both corporate and national security was demonstrated at the 5G Cyber Security Hackathon in November. The event was hosted by the University of Oulu and organised by Finnish transport safety agency Traficom, a department of the transport and communications ministry.

The Oulu Hackathon, the first to focus specifically on cyber security risks to 5G technologies and networks, provided a timely meeting point for more than 150 Finnish and international cyber security experts who are engaged in developing network defences to safeguard the future digital society.

With 5G widely regarded as one of the main building blocks of the global digital society, the transition to 5G technology is certain to bring more significant change than any previous generations of mobile communications networks.

The new 5G mobile networks will become the backbone of future digital operations worldwide, making cyber security in networks crucial for the services provided by public organisations and private sector businesses.

For consumers, 5G will not appear any different from existing cellular communications and connections, said Olli Liinamaa, director of the University of Oulu’s 5G test network.

“5G will be faster and appear more powerful on bigger screens,” said Liinamaa. “The expansion will see 5G, over a period of several years, become a common feature in our homes. It will connect wirelessly to our environment, even in areas and places and applications where we are not used to seeing it.”

The future promise and inherent risks in next-generation electronic communications was showcased in the University of Oulu’s 6G Flagship programme, which is supported by the hackathon’s Nordic partners and 5G innovators Nokia and Ericsson.

Finland’s most populated northern city, Oulu, has a reputation as a centre of technology excellence which peaked in the 1990s when Nokia located much of its high-end research and development operations to this innovation hub.

About 60% of the world’s mobile phone traffic still uses network technologies that were developed by Nokia within the Oulu ICT ecosystem, which still produces a high percentage of Finland’s tech startups. Oulu is also home to a cluster of global cyber security specialist firms, including Bittium, F-Secure, Nokia 5G Factory and Tosibox.

“Cyber security is the key pillar in our digital society,” said Jarkko Saarimäki, director at Finland’s National Cybersecurity Centre (NCC) until recently. “Accepting this as a reality, it is critical to ensure that cyber security should be a joint effort between equipment manufacturers, technology users and state authorities.

“There is a need to first generate expertise and create a common front to improve 5G cyber security. As a national agency, we want to collaborate actively with international technology businesses and leading security professionals to achieve our common goal of a reliable and secure digital society.”

However technology-competent they are, small countries like Finland are better equipped to secure their critical IT infrastructure against ever more sophisticated cyber attacks by engaging in strategic international cooperation, said Saarimäki.

“High-end technology events like this hackathon help us to better understand risks and grasp emerging opportunities,” he said. “It is both smart and important to be one of the first to generate expertise and create a common front to improve 5G security.”

The Oulu 5G Hackathon gave IT experts from Finland’s private and public organisations the opportunity to witness and interact with hackers at work. About 100 of the world’s top hackers, from 20 countries, were put through their paces in a broad range of defined challenges set by Nokia, Ericsson and the University of Oulu.

The results of the hacking exercises were reviewed by expert panels comprising Finnish and international IT professionals. Risk benchmarking, as well as next-generation threats from 5G and 6G technologies, was discussed in workshops.

For the hackers, the degree of difficulty embedded into the challenges was increased by their general lack of familiarity, and hands-on experience, with the 5G networks they were tasked to penetrate.

Cyber security professionals and decision-makers gained significant value-added knowledge as hacker teams attempted to expose cyber security vulnerabilities in the 5G networks tested. The results will be incorporated into the development of improved 5G security measures.

Mikko Karikytö, Ericsson’s head of network security, said: “For Ericsson, there are huge benefits to be had from taking part in a 5G cyber security hackathon exercise like this. 5G is the most secure communication technology we have seen so far – further improving the security and privacy from the already strong 4G. That said, it is useful to expose our 5G technology to hackers to test and assess any vulnerabilities that might exist.”

Although the hacker teams were unable to expose any critical issues during the 5G security challenges set by Ericsson, Nokia and the University of Oulu, all findings from the exercise were processed and relayed by security experts to each organisation’s R&D department.

Public trust in 5G is crucial for the future success of the technology, said Niklas Lindroos, head of security for mobile networks and global services at Nokia.

“In order to win that critical public trust in 5G, it is vital that security is built in from the beginning and that potential security gaps are identified and resolved at an early stage,” said Lindroos.

The fundamental security issues of most concern to Nordic 5G network equipment suppliers are security vulnerabilities in components and network misuse, user identity exploitation, the risk of overloaded authentication systems, interception of network traffic and the misuse of network services.