Hacker News new | comments | ask | show | jobs | submit login
If 5G Is So Important, Why Isn’t It Secure? (nytimes.com)
243 points by kurthr 26 days ago | hide | past | web | favorite | 169 comments



The author does not seem to understand the engineering background. Security should not be trusted on such a low layer of the network stack.

No matter which attacker we want protection against, the points to secure are client and server, not the middle-boxes.

This is one of the well known reasons HTTP/2 is implemented by browser vendors only on a secure channel.

Here we are talking about implementing security in hardware (bad idea: hard to upgrade as security requirements and practices chage) at a very low level (at data link layer). If this is to skip security at higher levels of the stack, you have to trust all hardware vendors and operators worldwide. If we don't, we can as well communicate on an insecure channel: that's what modern TLS provides.

Of course to get all users to use only secure channels is a lot of work, it's just that there is no easier alternative that provides this same result.

Granted, the author might have something else in mind: he might want communication to be safe only against some parties, but not others.


I disagree with you - security is important at all layers of the stack. Right now, your mobile phone will connect to fake towers (Stingray). This means that SMS 2FA codes can be intercepted to you, I believe.

https://nakedsecurity.sophos.com/2018/04/06/washington-dc-aw...


No, you're not reasoning through this all the way. Yes, SS7 vulnerabilities mean that SMS 2FA codes can be captured. But that's not an argument for improving SS7; it's an argument for not trusting SS7 in the first place, and modern 2FA systems don't. Even if you "fixed" SS7, you'd still have to trust the phone companies with part of your authentication to unrelated third-party services.


> modern 2FA systems don't

Sure, if you're defining 'modern' as something other than what's actually used by the vast majority 2FA users. Even for people who use U2F or TOTP as their primary Gmail 2FA, what percentage do you think have actually correctly deleted their phone numbers from both their primary account and any recovery accounts? I have no idea, but I'm guessing less than 1%.


Not sure why there's such a hang up on prevalent vs modern. Yes, sms is prevalent. That doesn't make it modern.


Next you’ll tell me email isn’t encrypted.


Poe's law is biting me.


No, the problem is that the SMS standard was never updated with an encrypted version.

Apple didn't want to open iMessage to the world. EU/USA should enforce a common, secure method for sending text messages to mobiles.


> EU/USA should enforce a common, secure method for sending text messages to mobiles.

No way do we want any regulation here! I will accept balkanization of messaging apps for the lack of government interference here. If a government messaging standard is introduced, it will absolutely be designed to consider lawful intercepts like US CALEA. It would be a key escrow system upon inception.

EDIT: downvoters, join the debate. Do you feel differently? If so, why?


More importantly, even if the standard wasn't required to have lawful intercepts, carriers want would provide it. They aren't in the business of making legal stands to protect privacy.

There is a new standard to replace SMS in flight called RCS. Arguably, this makes the world better -- SMS sucks, RCS brings a lot of the iMessage features to standard carrier messaging. But therein lines the problem: it's carrier-controlled, and carriers want lawful intercept. So, the standard does not call for end-to-end encryption and it is not implemented.

I still think this is a better state of the world than SMS, but it's pretty depressing that it's 2019 and e2e encryption isn't the default. I understand why it isn't when there's government interests in play, but it's still depressing.


> If a government messaging standard is introduced, it will absolutely be designed to consider lawful intercepts like US CALEA.

Then that is obviously not what the parent is asking for. The government could decide to enforce an insecure messaging standard at any time. What does that have to do with the people demanding them to enforce a secure one? Are you suggesting that if we demand a secure messaging standard, it will give them the idea of turning around and enforcing an insecure one instead, as though they haven't had that idea already?


I downvoted you because you show disdain regulation but it is clear the marketplace for a secure, unified messaging solution has failed. EU regulation of the telcom sector has proven effective in protecting consumers from poor decisions (such as exorbitant roaming fees). Regulation should not be the first option, but the last, and it is clear it is the only solution left in this regard.


Literally every single time government create a communication system the first thing they do is to make sure they can read it completely breaking the overall security. Look at all the state version of 'email' non of them used end-to-end encryption. Germany had a nice example but of course the project crashed and burned.

Also, its simply false that the market has not produced good solutions and if there was a 'unified message solution' then people would cry 'monopoly' and demand government regulation as well.

The fact is that the standard tool for most people use for messaging in Europe is an incredibly secure protocol.


I'm curious to know how you feel about Tor being primarily funded by the Office of Naval Research and DARPA


I feel that there is a significant difference between funding and owning/building. I also feel confusing the two harms both the value of grants and the legitimate privacy concerns for public sector tech projects.


They provide money to an independently organised group who I trust with code and a design that has nothing to do with the government. Totally different situation.


Honeypot?


It's not a general disdain but IMO here it makes sense.

Has it really failed though?


Do we have secure SMS messages? Do we have unified mobile messaging with a mature protocol that is both widely accessible as well as secure? How many more decades shall we wait? (asked rhetorically, yet politely) Yes, I argue it has failed, and an SMS/MMS successor would look like a descendent of iMessages and Google's RCS.

iMessages supports CALEA (but is still end to end encrypted, as well as FaceTime), all US messaging products must support it (even Twilio supports it [1] [2]). You are unable to subvert nation state legal jurisdictions within fundamental telcom infrastructure. Signal can get away with it, Apple, Google, and cellular carriers cannot.

Can't have your cake (universal messaging) and eat it (end to end encryption with zero trust requirement) too. So can't we push from something better than SMS, using regulation if required? It must not be perfect, but simply extensible in the future (similar to SS7). In jurisdictions that are favorable to it, you support E2E encryption. In those that are not, you downgrade loudly. Compromises must occasionally be made.

[1] https://www.twilio.com/legal/law-enforcement-guidelines

[2] https://support.twilio.com/hc/en-us/articles/223136547-Submi...


The telcos were a national monopoly, which then became "deregulated" but for all practical purpose they hold a monopoly position with regards to cable-in-the-ground and various local right-of-way rights.

So, the SMS solution is what these quasi-regulated entities gave you. Whereas iMessage, RCS, Signal, etc is what private industry gave you.


I think it's great when private industry innovates and utilities can incorporate that innovation in new standards.


> If a government messaging standard is introduced, it will absolutely be designed to consider lawful intercepts like US CALEA.

Happened exactly like that when Germany introduced their "official version" of e-mail, called "De-Mail".

When the Chaos Computer Club pointed out how their whole system is insecure, due to, amongst other issues, a lack of end-to-end encryption. The German government simply decided to declare the whole thing as "secure" trough legal definitions [0].

Which means that in practice the system is not secure, but the law considers it secure because it fulfills the arbitrary, political, definitions for "secure transmission", which also includes the capabilities for lawful interception.

[0] http://www.spiegel.de/netzwelt/netzpolitik/de-mail-bundestag...


I agree with you. If security is the goal, trusting a nation state with the rules would be antithetical.


I agree with you. The Balkanization of messaging services is a minor inconvenience compared to the cost of a government mandated standard.

That, and I’m fairly certain any government mandated standard would just be one more service to support.


"it will absolutely be designed to consider lawful intercepts" is a bit of a stretch. If we were talking just the US, I would agree that that precedent has been set. But we're not, we're also talking the EU - which doesn't have a history that dystopic.


I dunno, Articles 11 and 13 came pretty close... the old EUCD proposal some years ago...


Those articles were rejected.


Introducing a better "SMS" standard wouldn't kill your messaging apps, so I don't see the problem, even if they come with lawful intercept crap. SMS gets strictly better, even more secure messengers still exist and will continue to be used widely.

drb91 25 days ago [flagged]

It seems silly to reject regulation without seeing it and assuming the worst. After all, we already have the worst—closed source manipulative chat apps that exploit for profit for a small cabal of capitalists.


"Small cabals of capitalists" didn't murder a hundred million of their own customers in the last century alone. It took governments to do that. (Or, I suppose, tobacco conglomerates.)

So when the regulators come to you and explain why they need a back door in the messaging protocol you're working on, try downvoting them.


> "Small cabals of capitalists" didn't murder a hundred million of their own customers in the last century alone. It took governments to do that. (Or, I suppose, tobacco conglomerates.)

lol I appreciate you offering an excellent counter-example to your own point within the sentence.

drb91 25 days ago [flagged]

The foreign policy of the US, including all invasions, death squads, oppressive trade deals supporting open slave labor (sometimes to death), is primarily to support the business interests of the upper class of the united states. The petite bourgeois’s increased “quality of life” (which is an incredibly misleading term) is a byproduct of the largest wealth redistribution in history, at american gunpoint.

So, it’s incredibly disingenuous to reduce all alternatives to capitalism to murder when american capitalism is objectively morally broke.

e3b0c 25 days ago [flagged]

If "the business interests of the upper class" makes governments do all the evils, why do you think this time will be different?

drb91 25 days ago [flagged]

It won’t, permanently, and who thinks that about anything? But it would be a good change to try and have human ethics reflected on a societal level. I do have faith with enough failed attempts at capitalism we’ll learn, and at some point in the future capitalism will have the big failure, the one that makes it obvious how unsustainable it is. I’d like to avoid that one in my lifetime. One way that could happen is our AUTOMATED nuclear system built to protect capitalism fails and accidentally destroys civilization. This could happen at literally any time.


'Whataboutism' isn't the answer, I'm afraid.


[flagged]


Perhaps you could point out what's 'stupid' about the assertion I made, rather than overtly violating the site's commenting guidelines.


[flagged]


First, I didn't ask any questions, I made an assertion.

Second, to answer a question that you didn't ask, what you're feeling is called cognitive dissonance. When you feel certain that someone is wrong about something but you can't articulate how or why, you may be tempted to use words like "stupid" that deflate your own point more effectively than they rebut the other person's. It's as if two conflicting motivations are at war in your own mind, consuming intellectual resources needed to form a cogent response. I'm right, he's wrong, but... no, I'm right, he's wrong.

If you work towards learning to recognize cognitive dissonance when it arises, you can fight it consciously, and help yourself (and perhaps whoever you're arguing with) to get closer to the truth of the matter.

(Yes, this is off-topic, and I'm already bending the rules by replying to you at all, so I'm done with the thread.)


It’s better than entrusting messaging to a cabal of socialists. Capitalism means that there is diversity in products. If you don’t like Apple’s iMessage or What’s App, create your own. You might like your government today, but I am unwilling to bet my life on government being trusted to do the right thing. Also, the right thing for you might not be the right thing for everyone. That’s what capitalism understands that socialism doesn’t.


Capitalism means there’s a diversity of products and they are ALL bad. We need collectivization to actually produce software that primarily benefits the user.


If we want the equivalent of 1987 Aeroflot, then sure, let’s do that. If the products are all bad, what’s stopping you from making a good one? You’d be a billionaire overnight, assuming the market agrees that they are all bad. I’ve used France’s government sponsored taxi app and it doesn’t come close to Uber’s. I’ve ridden in public buses and they don’t come close to the private FAANG shuttles in Silicon Valley. If you build technology optimized for everyone, that means it’s necessarily optimized for no one.

As far as messaging apps, iMessage benefits me greatly. The premise that apps don’t benefit the user is flawed: if they didn’t benefit the user, nobody would use it — except government, we have no choice on using government or not. If the government meets 99 people’s needs, but doesn’t meet my needs, I’m stuck. I can’t switch to an alternative. If an app meets 99 people’s needs but not mine, I can switch to an alternative or build my own. Nothing is stopping you and your friends from building the most amazing messaging app ever. From someone who grew up remember Lada and Yugo, my faith in collectivism in product development is admittedly thin. Very few products from Soviet era factories were any good, I have no expectation that a government built Messaging service would be any better.


> what’s stopping you from making a good one? You’d be a billionaire overnight,

This is exactly the problem with this site: no good tools made anyone rich.

There’s a reason I am having this discussion on HN: People should separate the building of valuable things from the pursuit of riches. Those two are inherently contradictory, and we have nothing but closed mediocre technology making someone rich who barely worked at all.

I believe cooperatives, collectives, and trade unions should be discussed more here. Nothing about Yelp is hard to build, and yet it’s a piece of crap, but the only piece of crap we have. Capitalism is a future of absolute mediocrity, where your needs are considered proportional to your wealth.


I'm sure both of your positions have merit, however I do think it's a bit disingenuous to claim that a capitalist system rewards a good solution in any way. It rewards good marketing.


Shouldn't such old standards like SMS just die?

I didn't write or receive any SMS for like 5 years now (except some confirmation codes) since encrypted messengers became so common and accessible.

I think it's obvious that SMS is outdated either way and I too think that encryption should be P2P on the "application layer" for many reasons. Encrypting the actual physical transport would add extra cost in terms of latency and hardware and could become a maintenance disaster over time if I'm not mistaking.


I agree with your main point but I feel like SMS is going to remain cleartext forever. It's basically like email (it's not like encrypted email formats ever gained mainstream traction). Besides I can't really imagine the EU/USA pushing for end-to-end SMS encryption.

Fortunately as data plans get cheaper we have plenty of alternatives for encrypted messaging on smartphones.


Didn't the UK prevent SMS encryption when the standard was developed?


Consider a world where the cellular data protocol is totally secure and nothing else changes. Your SMS 2FA codes can still be intercepted by your service provider and anyone else who handles the message before it gets to them.

Now consider a world where SMS is end-to-end encrypted. Nobody can intercept your 2FA codes, no matter how insecure the transport is.


End-to-end encryption doesn't solve your problem when the attacker is your first link network provider, without out-of-band signaling.

Which I believe was parent's point. Attestation and authentication of network infrastructure (in a way that would preclude Stingray attacks) is equally important as anything you layer on top.

Otherwise, without some sort of global PKI you can consult out of band, you're just rolling the dice that the cellular station you're connecting to isn't rogue and performing a man in the middle attack.


If you have to trust your first network hop, then the "ends" of your "end to end" encryption are not the actual ends. The trust boundary needs to be pushed all the way up into the application on both sides.

Some sort of global PKI like what iMessage uses under the covers?


Without some sort of global PKI, how do you know your data connection actually goes to your cell provider?


I assume the way most embedded devices guarantee security for their limited number of use cases -- pre-seed trusted root keys in hardware + validate signing against them when connecting.

My point was that app-layer security magic doesn't mean much if your first network step is "connect to closest, highest power base station and implicitly trust it."

There are wonderful things we can do on top of lower layer protocols, but the lower layers are pretty damn important too.


That’s how, for example, TLS works too.

I don’t understand what you mean when you say that app-level security doesn’t mean much if your first network step is compromised. TLS will protect you there, as will any other decently implemented end-to-end encrypted protocol.


TLS has the benefit of a world-wide PKI built around it to attest to authentication.

I was trying to note the risks to PKI-less / web of trust participants, and should have called that out explicitly.

Mostly because I'd much rather live in an encrypted world where WoT is the dominant mode, vs corporate-controlled PKI. And the biggest risks there seems like the step no one can get around in ordinary use.


How are the end-to-end encryption keys distributed? What happens if you lose your phone, or give up your number and someone else gets it?


What are the answers to those questions for encrypting the last mile?


Having a user verify that a piece of infrastructure is correct (aka not a spoofed cell tower) is a much easier problem than having a user verify that a different user is correct (necessary for fully verified e2e).

If all the user needs to verify is the infrastructure, then something like https's certificates could work, but it could be simpler because it would be managed entirely by one organization. So more concretely, your sim card could contain some root CAs that it trusts.


Couldn’t those root CAs also be used to handle end-to-end encryption for your 2FA codes?


Yeah I think you're right, a form of end-to-end wouldn't be too hard.

But it would only protect against passive attacks by your provider. It wouldn't protect against active attacks by your provider. Your provider could issue itself a new cert for you and your correspondent and then intercept the messages. It's certainly an improvement over what we have now though.


I port your number to another provider, 2fa sms simply doesnt work.


Still, anyone can read the metadata. Perhaps we should address that problem too, somehow.


Now consider a world where both are true, both statements hold and it's ridiculously harder for anyone to try to leverage vulnerabilities in implementations.


Protecting the network link is a good thing, no argument there. Doing both is good, but it’s not particularly useful compared to protecting the entire connection.


Seriously? The problem is using SMS for anything where security is needed. SMS is garbage, don't use it for 2fa.


Is there court precedence of a vendor (for example a bank) being held responsible for customer loss due to relying on SMS for 2FA?

The insecurity of SMS needs to have way more awareness and vendors need to feel it in their pockets for this to improve. There are better alternatives like TOTP.


But if you visit an HTTPS website via a fake tower your connection is still secure


Assuming there is never a vulnerability in the HTTPS implementation on the server/client. In reality there are.


Making all layers secure is just an exercise in redundancy.


You have to have security at that level as well. The protocol stack services that maintains the radio links to cell towers are client and servers, other parts are between the cell phone and the mobility management node are client and servers.

These are services you as a cell phone user don't interact with directly, but still very important as they provide authentication of the user and (ideally and hopefully) authentication of the network, access or indication of your location, and other neccesary services needed to seamless move between cell towers.


yup, its called defense-in-depth


> No matter which attacker we want protection against, the points to secure are client and server, not the middle-boxes.

> Here we are talking about implementing security in hardware (bad idea: hard to upgrade as security requirements and practices chage) at a very low level (at data link layer). If this is to skip security at higher levels of the stack, you have to trust all hardware vendors and operators worldwide. If we don't, we can as well communicate on an insecure channel: that's what modern TLS provides.

So you're turning off WPA on your wireless router, I take it?

TLS is not a panacea, and there are many attack vectors for devices and applications throughout the entire network path. Defense in depth suggests security be applied wherever there is a vector.


You turn on WPA to stop other people from using your WIFI, and to provide a minimum level of protection for your non-encrypted communications (legacy apps).

And, of course, every few years the current wireless protection systems are defeated, rendering the whole thing useless until you upgrade your hardware (because nobody wants to spend money to provide a software fix for something you've already bought).


The same could be said for TLS, this seems like you're strengthening the argument of defense in depth.


Tls is better than nothing, but still not that great. The best would be per app end to end encryption, but that would be a ton of work, and suffer from each implementations mistakes, so you're left with a trade-off between security and doability.


I agree that the security of communication between endpoints mustn't be trusted to the lower layers, but this is only the application layer.

The network itself needs to be secured just as well -- thinking especially of SS7 and BGP and the likes here.


The error here is in think of security as something you have or don't have. But of course, it doesn't work like that. Security is an economic problem. You deploy countermeasures to raise the cost of an effective attack beyond what rational or realistic attackers will be willing to pay. What does that mean for SS7? It's a little tough to say: you have to peel off all the layers above and below it and factor out the security they provide, and then map what's left to attacks that are meaningful to realistic attackers.

All this is to say, the kind of security most people think about when they discuss 5G and SS7 security --- universally trustworthy cryptographic secure channels --- is not a good fit.

I tend to think the same thing about BGP (vis a vis global signing schemes like RPKI), but I recognize that I'm an oddball in that regard.


I tend to agree with you, tho when I consider security of the 5G network I think more about large-scale disruptions due to compromise rather than targeting of individuals. Example scenario: War breaks out between two nations (such as the US and China, or US and Russia, or some other country). Cyber attack from enemy shuts down many if not all wireless communication. That would be a catastrophic disaster, and something that does seem like a legitimate defense consideration.

That said, I tend to think that free and mutually dependent trade is a good solution here (basically the opposite of Trump's trade war). Going back to the ancients, the countries with the most trade are the least likely to engage in hostile acts. There's an old saying, "where goods cross borders, armies don't."


This is where mesh networking comes into play for LWAN fallback.


Good point. With BGP you can cause a denial of service. But again, TLS should reduce the risk to just that and nothing worse (intercepted/counterfait information.)


This isn't just about preventing denial of service. It's also about preventing direct attacks to your phone's base-band controllers. It's also about reducing the leverage attackers have to manipulate weak applications.


By that logic, we shouldn't bother securing wifi APs because everything's encrypted at the application layer anyways. Also, AFAIK SMS and VoLTE don't have additional encryption, so if the data layer is compromised, so are those services.


> By that logic, we shouldn't bother securing wifi APs because everything's encrypted at the application layer anyways.

Sure. Why not? I do banking and I read my email on public, untrusted networks like airport and hotel wifi, Starbucks and the internet.

I see not problem with that.


Public & untrusted != Unencrypted. Otherwise TLS ain't doing shit for you if I control everything you see at layer 2 and up, including the encryption keys and their validity.

Would you care to try doing your banking over my WEP-only secured 802.11b network?


> Public & untrusted != Unencrypted

This is exactly my point.


well, people do use wifi from hotels and airbnb...


In that case, having secure/unsecure wifi doesn't really change the equation because the operator itself can still be hostile, even if the link is secure. Having secure (eg. WPA enterprise) wifi only means that some random guy can't intercept your traffic. However, at home, having a secure network is definitely important because of legacy protocols (SMB) or unsecured services (LAN facing http servers)


HTTPS isn't automatically secure. It depends on certificates being issued correctly. But certificate issuance depends on insecure protocols: DNS and BGP.

Also there's hijacking account recovery and 2 factor codes via SMS.

https://www.theverge.com/2017/9/18/16328172/sms-two-factor-a...


SMS 2fa has long since been considered harmful.


Yes, but many sites still use it for 2fa. And regardless of 2fa, it's also commonly used in account recovery which is even worse than 2fa.


When I think about lower level security, I think about things like jamming and signal intercepting, and I think about things like being able to tell that you've connected to the right tower.

Secuirty at the client and server layer doesn't help you if you can't get connected at all.


The author does not care about security, he cares about increasing funding and power of the FCC.

> Mr. Wheeler is a former chairman of the Federal Communications Commission.


One can both be a former chairman of the FCC and care about security. I think you need to expand on your argument to justify your claim. Has the author previously opposed pro security proposals?


Yes, you are right.


Still, it would've been nice if the new RCS messaging system would've had end-to-end encryption by default. Or at least that 5G got strong protection against Stingrays.

But we all know why none of that happened. The wireless network protocols are designed with the "help" of the world's top intelligence agencies (and no, that's not so we can benefit from the additional security).


If I don't trust security in the low levels of the stack, why should I trust no security in the low levels of the stack? If I'm not certain of the low levels I can always add security. Why not just have security in the low levels so you completely eliminate insecure communication. Security by default.


Why isn't the network cleartext then?


It is to the network operator. And anyone that has compromised the operator by any imaginable means, including whatever star chamber forces the operator to hand it over.


The same is true of any endpoint trust relation, including that of certificates for HTTP/2. That you can't fully trust anyone but yourself isn't an argument for less security.


End of the day, even CA compromise is failure evident in most cases. If you're worried about nation-state actors, the risk is really defects in key negotiation.

With mobile standards, the technology is fundamentally such a joke that people come up with wonky technical reasons to avoid talking about the political problems. We probably offer better security for sporting event feeds than we do for critical communications infrastructure.


Certificates allow for decentralized trust, we just rely on a centralized CA. If we didn't trust the central CAs, we could still all run our own CIs and trust individuals.

Whether that's actually something anyone would do is different, but technologically, https allows for not trusting anyone but yourself and the organization your speaking to.


> It was 4G that gave us the smartphone.

Smartphones existed since the early 2000's, well before the first 4G deployment in 2009. From the Smartphone wikipedia entry:

"The first iPhone also faced criticism for not supporting the latest 3G wireless network standards, but was praised for its hardware and software design, and its June 2007 release was met with heavy demand"


The original iPhone was 2G, not even 3G (I owned one, along with a Palm Treo). I built Wi-Fi networks at the time, and suddenly we were inundated with iPhone users who were frustrated with the 2G speeds.

OP author doesn't seem to know their history...


The iPhone was late to 3G, 4G, texting multiple people, and a lot more. Apple has always taken a very wait and see approach.


And who can blame them, what with the whole "US 4G is 3.5G" issue. US cell advances always seem to have caveats and market-confusing details.


I have had 4g disabled for years as I’ve found it somehow slower and significantly less reliable than 3G, across multiple devices. I can stream music and watch YouTube videos just fine.

This is on O2 (UK). Maybe I need a new network.


I'm on O2 too and it's garbage. I can't wait till my contract is up to switch. I often have full signal but nothing will load, whilst mates on Three or EE are fine. When it does work, it's so slow. And it's not a local thing either, it's everywhere I go.


Interesting, post above yours says O2 and Vodafone share network, and I'm on Vodafone but rarely if ever have issues.


Over time as they reduce the amount of spectrum allocated to 3G though reallocating spectrum to 4G, I suspect you'll find you're better off using 4G.

Here in New Zealand the telcos have, for some time, been reducing their 3G capacity to the bare minimum and using freed up spectrum for 4G.

Before: 10–60 MHz allocated to 3G (across 850/900/2100 bands) and 20 MHz allocated to 4G (1800 band only).

Now: 5–10 MHz allocated to 3G (either one of 850 or 900 bands only) and 20–60+ MHz allocated to 4G (across any number of 700/900/1800/2100/2300/2600 bands).

4G has improved here not only due to capacity being refarmed from 2G/3G (e.g. 2degrees NZ dropped 2G to provide 4G capacity at 900MHz, and Vodafone NZ has swapped their 3G 2100 MHz out for 4G 2100 MHz) but also 4G supports a wider range of frequencies including 700MHz which has improved rural signal strength.

I understand generally what is happening other countries is not too much different to what's happening here. I know UK and Australia have seen similar strategies being implemented.

UK Note: O2 UK shares their network with Vodafone UK, so you might like to have a look at EE UK/Three UK who also operates a shared network. In the UK most sites are operated by either one or the other (sometimes both groups cooperate and all networks are served from the same site).


Yeah, I remember the iPhone was 2G only and didn't even support MMS.


I find nothing in the article that shows 5G is not secure. It is a blatant appeal to increase FCC's power and funding.

Shame on the NYT for publishing unsubstantiated position papers written by a political operator ("By Tom Wheeler, Mr. Wheeler is a former chairman of the Federal Communications Commission.") under a misleading headline.


You should look deeper. Wheeler has had an interesting career.

At one time he was head of the main cable industry trade group, back when cable was trying to be David to the TV network's over-the-air Goliath. This was when cable was just about video, because cable internet had not yet been invented.

Later, he was head of the main cellular and wireless trade group, when they were the newcomers for both voice and data, against the big wired telecommunications companies.

These past positions had a lot of people worried when he was appointed FCC chairman, over concern that he would favor industry. What most observers failed to notice was both of those positions were at times when their respective industries were the upstarts, going against established monopolies or near monopolies, trying to bring competition and wider services to consumers. In other words, he represented those industries at a time when being pro-cable or pro-wireless, respectively, was being pro-consumer.

When he was at the FCC, several decades after his association with the cable industry, and about a decade after his association with the wireless industry, when the interests of those industries and consumers had diverged, he tended to go with the consumer side. The cable and wireless companies were definitely not fans of Wheeler's FCC actions, fighting in court against almost everything he did.

In the 20 or so years between the job representing the cable industry and the job representing the wireless industry, he was a founder or major executive in several companies, including at least one that failed due to lack of net neutrality. Some of these companies have been telecommunications related, but some had nothing to do with that (e.g., one is in aerospace components, and one or more have been in banking).

He's also a former director of PBS and was chairman and president of the National Archives Foundation. He's combined his interest in American history and telecommunication in a well reviewed book about the Civil War called "Mr. Lincoln's T-Mails: How Abraham Lincoln Used the Telegraph to Win the Civil War" [1].

Dismissing him as merely a "political operator" seems rather shallow.

[1] https://www.amazon.com/gp/product/0061129801/


Wheeler's past history doesn't invalidate the article's lack of substance.


Agreed. In fact the disconnect should make anyone reasonable ask why he would write such an article.


Tom Wheeler actually proved himself to be quite independent during his tenure at the FCC. Many (myself included) expected him to act similarly to how Ajit Pai is now given Mr. Wheeler's previous industry experience. Personally, I feel that he generally advocates for policies to benefit consumers.


The USG has a bad history when it comes to "aiding" telecommunications security[0]. Historically they have prioritized making sure things are weak against their own attacks over making sure things are secure against other attacks (and, of course, from the perspective of a private citizen the government's attacks may well be malicious.)

[0]https://en.wikipedia.org/wiki/Clipper_chip


I realize he's writing to a general audience here, but I hope he writes a more technical version of what the heck he's talking about here. 5G is basically L1. IMO most of the security should happen at higher layers, for practical implementation reasons as well as flexability. For how long it's going to be around, anything built into the protocol will probably be broken at some point, and since it's L1 it's extremely hard to fix.


I definitely don't want anyone to tap into my phone calls or SMS. And I also don't want carriers to sell the data they collect about me, or have insecure infrastructure so that it can be obtained by criminals. It's not that I'm not giving them any money, they shouldn't sell my data.


Agreed, but it can be done at higher layers. Just use some secure app instead of SMS and phone calls.

The carrier should not be able to know much about you, except some vague metadata (an histogram of the amount of data you exchanged with some IPs.)


This is a common and incorrect misconception.

The network needs security, as does the applications running on it. These are different security layers, and cannot be provided together.

With an insecure network, even if your applications are secure, then bad actors (government, company, whoever) have a much easier time attacking your phone directly. Perfectly secure applications and an insecure network leaves your phone open to attack from nearby radios. If we assume your applications are all perfectly secure, and your phone software and hardware are also all perfectly secure, then that leaves abuse of the network as a tool to affect denial of service, spying on presence meta-data, and not limited to the carrier.

But of course there are no perfectly secure applications, nor any perfectly secure phones. So keep in mind that the weak network greatly expands the attack surface from which bad actors can mess with your phone.

This isn't a problem solved with layer-7 security.


Since the infrastructure is beholden to governments, one must assume that the data link layer is compromised.


>Agreed, but it can be done at higher layers. Just use some secure app instead of SMS and phone calls.

But then you lose the whole network of SMS/phone numbers. You can probably get all your friends & family to contact you using whatsapp/fb messenger (or if you try really hard, signal), but good luck convincing your bank. Your phone calls with your bank/broker probably contains more sensitive information than your phone call with your friends/family.


> The carrier should not be able to know much about you, except some vague metadata (an histogram of the amount of data you exchanged with some IPs.)

And your approximate location at all times due to their triangulation capabilities.

Not much you can do about that one though.


I know we live in the app age now but apps don't have many of the properties that SMS and phone calls have, including that they aren't federated and typically disallow alternative clients. Due to this, you can't just use some secure app, but you have to use the app that the people you want to stay in touch with use. For SMSs you have a very wide choice of frontends. I'm already using non-SMS apps but I'd love them to become more like SMSs: federated and with free client choice.

Edited to add: Also, as long as phone calls and SMS are around and used we should strive to work to make them more secure.


5G includes it's own MAC layer, would you say Wi-Fi and Ethernet shouldn't have included encryption/security layers?


Ethernet doesn't have encryption or security layers.


802.1AE - encryption

802.1X - authentication


Umm 802.1AE?


It's not secure because any widely rolled out physical layer is by definition compromised.

All infrastructure in a country is beholden to that country's government, and that will never change. Any attempt to put encryption into a widely used physical layer will fail, because no committee will agree on an effective implementation that actually works (governments WILL subvert any committee). Governments will insist upon backdoors or sniffers, and hardware has the disadvantage of being in one physical place, easily targeted by a government.

The physical layer is compromised, and always will be.


> "It was 4G that gave us the smartphone."

The iPhone was released in June 2007, more than 3 years before the first LTE phone was released in November 2010. The iPhone wasn't the first smartphone, but it did kick off the smartphone boom. And it did it without even 3G; the original iPhone only supported 2G (despite widespread, but not universal, rollout of 3G in the USA).


The first Iphone didn't even have 3G.


Yes, I said that.


Is this article just implying that because security isn't regulated the network is insecure? Or has some legitimate vulnerability been found here? Seems very politicized too.


I was hoping to see at least some hints as to why the security of 5G is flawed in its current state. The only argument I seem to parse out of this is what you stated.

Note that the author is Tom Wheeler - former chairman of the FCC. It does seem to be a 100% political piece rather than anything to do with the tech.


I get that it is an opinion piece, but claiming that autonomous cars need 5G or that these cars would be remote controlled (so not autonomous at all and useless in a tunnel) makes this article just sound horribly uninformed.


I don't really blame them, because I've seen it as part of pretty much every 5g promotional material I've seen.


Why? It's the truth. Tesla is already connected to cellular networks. Once 5G really takes off, what makes you think manufacturers aren't going to race to have the first autonomous vehicle connected via 5G? There will be whole marketing campaigns revolving around that very thing.


I believe the parent was trying to point out the inconsistencies in calling something "autonomous" yet still saying that it's incapable to doing things without a cell connection.


In my industry (it's one of the businesses that are involved in NEMA) the use cases touted for 5g are vehicle-to-vehicle and vehicle<>infrastructure although I think 5g's going to prove too expensive and Dedicated Short Range Communications (DSRC) will predominate.


Autonomous cars need internet access to display relevant ads to the passengers.


> It was 4G that gave us the smartphone

I remember using my trusty BlackBerry back with 2G. The first iPhone launched with just 2G. If you want to talk about the general rise of the smartphone, then it would be about 3G.


Almost any wireless link will be subject to man in the middle attacks by nature, in my view. If you can sniff the medium, you eventually can probably find a way to intercept it.

Wired connections are more secure, or perceived to be so because the assumption is that sniffing the medium is more difficult, which is generally true because someone would have to physically make a connection (unauthorized) to your cable and the assumption is that it would be detected (perhaps).

It's just a lot easier to sniff your channel over the air.

5G can be implemented on any piece of spectrum, sub-1Ghz, mid-Ghz or so called mm-wave. One thing about mm-wave that makes it "more cable like" is the highly directional nature. 5G that is being deployed on mm-wave bands (e.g. 28Ghz) have extremely small beam widths due to the use of Phased Array antennas. This makes it much more difficult to "sting-ray". or at least is more easily detected.

Having said all this... everyone should always keep in mind that whatever wireless network you are on, GSM, CDMA, HSPA, LTE, Wifi, 5G whatever, you cannot count on the phy layer for protection.


Well, first off, is there a way to get stingrays broken such that they would be identified as rogue base stations and locked out as untrusted? If not, then hello to being compromised. Not that it would stop the NSA, but at least 3rd party or rogue states would not be able to deploy them if this could be achieved.


To me, it's absolutely unclear what the author is actually talking about. Should telcos be responsible for monitoring the devices in their network?

Mobile networks provide Internet access with all the risks associated to the Internet. But the radio access is reasonably secure, if we compare with public WiFi. It's encrypted, authenticated and the operators are more trustworthy than the random person that puts up an Access-Point with years-old firmware. (the operators have something to loose here)


We haven't built anything flawless so I'm not sure if it is fair to blame anyone for building something that might not be secure without any evidence.

No matter who is going to lead 5G technology, The service provider will have full control as they already have. They will be still able to do everything that they are doing already.

So we will have our domestic controls and it is secure it that sense.

Perhaps, What we might not have is having our backdoors to have the same powers in all other countries around the world.


Slightly off topic, but I wonder how much net savings (% world GDP?) would we have if there was no need to secure our communications. At least some energy and time would be saved as a result, comms would be faster.


I wonder how many (security-related) jobs would be lost as result?


If you put the security in the baseband, you're stuck with whatever you put in there for many decades, if you put it in higher level protocols, you're probably not.


what applications, exactly, are waiting in the wings for more mobile bandwidth? i can already stream video in both directions...

i think i'd prefer more innovation in terms of security and privacy rather than more bandwidth that nobody really knows what to do with...


     The new Congress should use its oversight power 
     to explore just why the administration has failed to do
     to protect against that risk, ...
New York Times, grammar, really?


Is 5G so important?


Yes


Why? It's just faster and I already can stream video and play realtime games on 4g. What are other more demanding applications?


No. It's not just faster.

I understand that US based media and forums like HN are little behind on mobile tech, but how it is that this thing persists even 2019.

For starters, There is bandwidth not owned by carriers. You can have your own 5G hubs. Companies can have their own 5G networks in factories. Unlike Wi-Fi, you can have more control of latency and reliability. So for example factory with 5G networking between robots etc. is possibility.

Connection density, energy efficiency, area data rate, very low latency, virtual networks etc. allow completely different applications.

Say, you have peak utilization of graphics card for gaming around 5%, if you can have the card in the edge servers and play the game by streaming it from nearby servers, it's more efficient use of HW and enables mobile games that phone hardware does not support. South Korea or some Chinese cities might be the first to lead mobile gaming to this direction.

ps. Nvidia has already demoed GPU in base station over 5G with 60Hz 16ms lag and promises 3ms in the near future.


Companies already can have their own 4G networks in factories etc. It's fairly common in mining or oil fields.

There have been wireless access platforms with much more control over latency and robustness for well over a decade.

Bandwidth not owned by carriers is also not new. LTE-U is a recent example.

This all sounds similar to the hype that comes with every other new generation of last-mile access technology.


> Companies already can have their own 4G networks in factories etc. It's fairly common in mining or oil fields.

Without getting special permission from a carrier? The ability to set up your own wireless equipment that can supply normal phones is an important use case.

> Bandwidth not owned by carriers is also not new. LTE-U is a recent example.

Wikipedia says LTE-U died. And as far as I can tell LTE-LAA only speeds up existing LTE connections; it can't work standalone. There's MulteFire? It's only half-developed though.


I wonder if OP is confusing factories getting a carrier to install a cell site (whether it be a pico/microcell or a proper macrocell site) on/near the factory property. It's not unusual for that to happen (especially if said factory is a big customer for the carrier) but it wouldn't be their own 4G network. Would be interested if any actual examples of real life non-carrier 4G networks could be provided.


I'm well aware of the differences between pico, macro etc. and am referring specifically to usage of privately owned eNodeBs running in spectrum that is either unlicensed, sublicensed, or just reused without authorization because the deployment site is sufficiently rural.

> Would be interested if any actual examples of real life non-carrier 4G networks could be provided.

For one, you can just look for companies deploying Redline, Nokia, etc eNodeBs that aren't traditional telcos...

http://rdlcom.com/applications/private-lte

LTE equipment for 5.8Ghz spectrum / LTE-U has been on the market for some time and in use by private industry and boutique service providers. E.g. https://www.doubleradius.com/Manufacturers/Kits/baicells-sta...


The difference is that in 4G the ability may be available in some areas and not in some areas in ad hoc manner. In the case of 5G 3GPP is committed to unlicensed spectrum.

In 4G, instead of LTE-U you are getting LTE-LAA (License Assisted Access). You are basically getting the permission from carrier or from some alliance that buys licenses depending on the country, city or region.

5G will support: LTE-U/LAA as well as stand-alone NR-U (stand-alone operation in unlicensed spectrum).


Thank you for this response.


There's only one atmosphere around you.

Faster means that your download takes up less spectrum. Allowing more users to have a good experience at the same time.


By that logic, why did we need 4g? Depending on your frame of reference 3g was fast enough to stream videos.

Point being, there will always be uses for higher bandwidth and lower latency even if you don't need it yourself.


I love to have more of everything. I just don't get the hype.


We don’t need 4g. Anyone who says otherwise is blatantly lying to themselves.


probably enterprise reasons and less personal consumer.


progress. is it better to have to much or too little? with more room to grow there is more posibilities.


[flagged]


These days?


I was expecting a discussion around the safety around 5G, as there is no scientific consensus around whether 5g is actually harmful to humans. https://www.jrseco.com/european-union-5g-appeal-scientists-w...


since when is "secure" ever associated with "healthy"?


In German, the words for "secure" and "safe" are the same. 5G being safe doesn't sound too far from 5G being healthy.


Even in this context?

They're synonyms in English in some contexts, (e.g. 'I feel safe/secure here') just not this one.


Came here to see if anyone was going to post about this. Saw this today. https://needtoknow.news/2019/01/michigan-state-senator-says-...




Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: