IoT Security Considerations in 5G

ETSI Security Week, June 11 – June 15, 2018

Marcus Wong, Huawei Technologies

Background

5G Major Use Cases as Defined by ITU

• Enhanced Mobile Broadband
• Ultra-Reliable and Low-Latency Communications
• Massive Machine Type Communications

Example applications shown in the figure: gigabytes in a second, 3D video and UHD screens, work and play in the cloud, augmented reality, industry automation, mission-critical applications, self-driving cars, smart city, voice, smart home/building.

Source: ITU-R M.[IMT.VISION]

IoT in 5G

5G Requirements

• Latency: 5G 1 ms end-to-end latency; LTE 30–50 ms (30–50x)
• Throughput: 5G 10 Gbit/s per connection; LTE 100 Mbit/s (100x)
• Connections: 5G 1M per square kilometer; LTE 10,000 (100x)
• Mobility: 5G 500 km/h for express trains; LTE 350 km/h (1.5x)
• Network Slicing: 5G flexible and on demand; LTE inflexible (NaaS)

Threats & Challenges

Attacks on IoT Devices

• Physical constraints, low power, low cost
• Insecure credentials (hardcoded, defaults, etc.)
• Unsecured interfaces (web interface, open ports)
• Unprotected data paths
• SW implementation errors
• Protocol weakness
• DoS / DDoS
• Theft and tampering
• Difficult to update firmware, OS, or security patches

IoT Attacking the network

[Figure labels: IoT server, gNB, normal IoT devices, malicious IoT devices, DDoS attack from IoT device]

How to filter out a DDoS attack from an IoT device?

Challenges

• User Plane/Control Plane delays due to crypto operations (authentication, key updates, ciphering, etc.)
• Aggregating point at the RAN for multi IoT Devices
• Quicker authentication protocol
• Lighter cryptographic algorithms or/and protocols
• Network Access
• Efficient data protection and privacy protection
• End-to-end security

Latency Challenges Efficiency Challenges Security Challenges

Meeting The Challenges

5G Security Architecture

[Figure: 5G security architecture across the Application Stratum, Home Stratum/Serving Stratum and Transport Stratum. Elements shown: User Application, Provider Application, ME, USIM, 3GPP AN, Non-3GPP AN, SN and HE, linked by security domains labelled (I) to (V).]

Security features 4G → 5G

Mutual authentication:

• 5G AKA & EAP-AKA’, 5G authentication protocols, inherit all features of EPS AKA
• Unified authentication

Air interface protection:

• Same as in 4G
• NAS/RRC: ciphering and integrity protection
• UP: cipher
• User Plane security is terminated in CU

Identity privacy and enhancements:

• Temporary ID, SUPI/SUCI.

Network Domain Security:

• IPsec/TLS can be used to protect network domain interfaces

Key separation between base stations:

• Target base station doesn’t know the key used in source base station, and vice versa.

Other Considerations due to 5G

• Devices and Applications proliferation
• Public key algorithms
• Larger key size considerations
• Lighter weight security
• URLLC
• Public safety
• Security policy due to differing capabilities and requirements
• Privacy of userless devices

Security enablers: On-demand security

Motivation

• IoT Devices/Applications have different security requirements and constraints

Security Service negotiation

• RAN gets security policy from SMF via AMF.
• RAN determines security based on security policy, RAN’s capability and IoT Device’s capability.
• The selected algorithms are sent to the UE.
• Activate security

[Figure: on-demand security negotiation. Elements shown: UE, RAN, SMF, PCF, UDM, O&M, third party. Labels: "Security policy", "Security Policy input", "Configure", "Configuration input". Example devices: IoT 1 (128-Cipher + integrity), IoT 2 (integrity only), IoT 3 (lighter weight cipher).]
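The negotiation steps above as an added Python sketch (not code from the slides or from any specification): the RAN walks its own priority list and picks the first algorithm the device also supports, rejecting the session when the policy requires protection that cannot be provided. The required/preferred/not needed policy levels and the names `128-cipher`, `128-integrity` and `lw-cipher` are assumptions standing in for the figure's labels.

```python
# Added illustration; all names and policy levels here are assumptions.
from dataclasses import dataclass

REQUIRED, PREFERRED, NOT_NEEDED = "required", "preferred", "not needed"
NULL = "null"  # marker for "this protection is not activated"

@dataclass(frozen=True)
class Policy:  # what the RAN receives from the SMF via the AMF
    ciphering: str
    integrity: str

def pick(need, ran_priority, ue_supported):
    """First algorithm in the RAN's priority order that the UE also supports."""
    if need == NOT_NEEDED:
        return NULL
    for alg in ran_priority:
        if alg in ue_supported:
            return alg
    if need == REQUIRED:
        raise ValueError("policy requires protection but no common algorithm")
    return NULL  # preferred but unavailable: continue without it

def negotiate(policy, ran, ue):
    """Selection that the RAN would send to the UE before activating security."""
    return {
        "ciphering": pick(policy.ciphering, ran["ciphers"], ue["ciphers"]),
        "integrity": pick(policy.integrity, ran["integrity"], ue["integrity"]),
    }

# Constructed sample data: one RAN configuration and two device profiles
RAN = {"ciphers": ["128-cipher", "lw-cipher"], "integrity": ["128-integrity"]}
FULL = {"ciphers": {"128-cipher"}, "integrity": {"128-integrity"}}
SENSOR = {"ciphers": {"lw-cipher"}, "integrity": set()}

def demo():
    return [
        negotiate(Policy(REQUIRED, REQUIRED), RAN, FULL),     # cipher + integrity
        negotiate(Policy(NOT_NEEDED, REQUIRED), RAN, FULL),   # integrity only
        negotiate(Policy(REQUIRED, PREFERRED), RAN, SENSOR),  # lighter cipher
    ]

if __name__ == "__main__":
    for selection in demo():
        print(selection)
```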

Continued Research:

Blockchain and IoT

Blockchain Based IoT Device FW/SW Remote Attestation

• Validate and attest the security posture of the IoT devices.
• Blockchains provide data integrity to perform trust-based operations:
› Distributed operations
› Configuration management
› Software lifecycle management
› Remote asset management
› Field services for updating and adjusting configurations of these industrial assets.
• Blockchain to maintain important data, e.g., s/w signatures, configuration, security policy, network activities, device location, IP address, host and user behavior, file system activities, etc.
• Decentralization and a consensus basis make hacking more difficult and the network inherently resilient, with no single point of failure.
• Immutable, incorruptible, mathematically provable

IoT FW/SW Management - Traditional Solution

• Traditional Solution: Public Key Cryptography/Signature-based
• Device rejects any firmware update that is not cryptographically signed with the device manufacturer's private key
• Limitations
› Potential for compromise of the private key; revocation of keys when compromised
› Complexity of key management
› Expensive signature validation computation
› Usually only the software package is validated before installation. Once the software is unpacked and installed, it cannot be validated using the manufacturer’s signature.
› The configuration files and security policy differ from host to host and therefore cannot be protected using digital signature validation.
› The dynamic running environment cannot be protected by the software manufacturer’s digital signature.
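An added Python sketch (not from the slides) tying the attestation bullets to the limitations listed above: reference measurements of the installed firmware, per-host configuration and security policy are kept in a hash-chained ledger, and a device's reported state is compared against the latest record. It is a single-node hash chain with no consensus layer, and every name in it is an assumption.

```python
# Added illustration: single-node hash chain, no consensus; names are assumptions.
import hashlib, json

def digest(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def measure(firmware: bytes, config: dict, policy: dict) -> dict:
    # Measures the installed state, not only the signed package
    return {"fw": hashlib.sha256(firmware).hexdigest(),
            "config": digest(config), "policy": digest(policy)}

class Ledger:
    def __init__(self):
        self.blocks = []

    def append(self, device_id: str, measurement: dict) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"device": device_id, "m": measurement, "prev": prev}
        self.blocks.append({**body, "hash": digest(body)})

    def chain_ok(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            body = {"device": b["device"], "m": b["m"], "prev": b["prev"]}
            if b["prev"] != prev or b["hash"] != digest(body):
                return False
            prev = b["hash"]
        return True

    def attest(self, device_id: str, reported: dict) -> list:
        # Returns the measurement fields that differ from the latest record
        if not self.chain_ok():
            raise ValueError("ledger integrity check failed")
        for b in reversed(self.blocks):
            if b["device"] == device_id:
                return sorted(k for k in b["m"] if b["m"][k] != reported.get(k))
        raise KeyError(f"no reference measurement for {device_id}")

FW = b"firmware-image-v1"                 # constructed sample data
CFG = {"telnet": False, "mqtt_tls": True}
POL = {"integrity": "required"}

def demo():
    ledger = Ledger()
    ledger.append("meter-01", measure(FW, CFG, POL))
    good = ledger.attest("meter-01", measure(FW, CFG, POL))
    drift = ledger.attest("meter-01", measure(FW, {**CFG, "telnet": True}, POL))
    ledger.blocks[0]["m"]["fw"] = "0" * 64  # simulate a rewritten record
    return good, drift, ledger.chain_ok()
```

Calling `demo()` returns the mismatching fields for an unchanged device, for a device whose configuration drifted after installation, and the chain check result after a stored record is altered.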

Blockchain for IoT security

[Figure: End-To-End IoT Platform. Elements shown: Smart Objects, IoT Area Network, IoT Gateway, Access network, Core network, Aggregation Network, Blockchain Core Cluster, Blockchain GW connection, IoT Analytics, Data Storage/cloud, Compute grid resources, Local network stacks, Core Network NFV platform, IoT vNF, Enterprise IoT APP local hosting platform/Server, APIs.]

Legend:

A IoT gateway
B Local Network Node (Edge) -- Data & Control
C IoT Orchestration/service chaining
D Aggregation Network
E Blockchain Core Cluster

• Leverage presence & proximity to subscribers
• Leverage Carrier cloud infrastructure for hosting management and billing

www.huawei.com

Copyright © 2017 Huawei Technologies Co., Ltd. All Rights Reserved. The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

Thank you