4G LTE Security for Mobile Network Operators


Posted: February 10, 2016 | By: Daksha Bhasker

6. Access:

Figure 3 depicts the access as the EUTRAN and the interconnection between the UE and the EUTRAN.

Key Security threats/risks:

  • Physical attacks
  • Eavesdropping, Redirection, MitM attacks, DoS
  • Rogue eNodeBs
  • Privacy

Physical Attacks: Increased demands for LTE bandwidth and footprint in densely populated areas have given rise to smaller cell sites, installation of eNodeBs in public locations (such as shopping malls and utility poles), introduction of femtocells and installation of less expensive HeNBs on the LTE edge. eNodeBs in public locations are vulnerable to physical tampering, which allows unauthorised access to the network, as MNOs do not tend to invest in securing these smaller access points.

Rogue eNodeBs: Unlike legacy base stations, smaller LTE eNodeBs are not cost prohibitive. Because they are accessible, attackers attempt to introduce rogue eNodeBs into the LTE network. Rogue eNodeBs can impersonate the operator’s node and intercept voice and data transmission from the UE. The attacker can then passively eavesdrop or redirect user traffic to a different network.

Eavesdropping, man-in-the-middle (MitM) attacks: Attackers can take advantage of a known weakness in LTE wherein the user identity is transferred unencrypted, in clear text, between the UE and the eNodeB during the initial attach procedure [10] [11]. This allows an eavesdropper to track the user's cell location or launch a man-in-the-middle attack by impersonating the user's international mobile subscriber identifier (IMSI) and relaying user messages [10] [11].

Privacy: Privacy threats have been exposed by Arapinis et al., where attackers can utilise paging procedures to locate phones by injecting paging requests multiple times and correlating the gathered temporary identity (TMSI) of the phone with the paged permanent identity (IMSI) [12]. Attackers can further replay the intercepted authentication request and determine the presence of a specific phone in a certain location. When the UE receives a replay of an intercepted authentication request, it will send a synchronisation failure request. This attack has the potential to enable location tracking, thus compromising privacy and security.

Preventative measures:

  • Physical security
  • Network monitoring, IPS systems
  • Authentication, authorization, encryption
  • Security Architecture

Physical security: MNOs can begin by being aware of the security exposure that results from leaving HeNBs physically accessible and vulnerable in public locations, and by doing their best to secure such sites. In areas where attackers could tamper with the device, implementing access control lists or alternate access and identification measures on the HeNB would deter attackers.

Authentication, Authorisation, Encryption: 3GPP specifies access security in TS 33.203, which includes authentication-related mechanisms and traffic protection between the UE and core networks. Strong encryption in the attach phase and UE authentication to the eNodeB will deter both rogue elements and man-in-the-middle attacks. Adopting public key infrastructure (PKI), with the public key of the MNO stored in the USIM so that the UE can encrypt privacy-related information such as the IMSI transmitted to the eNodeB, will enable confidentiality [12]. Encryption should be implemented between the UE and eNodeB to thwart attackers leveraging IMSI paging and location identification vulnerabilities, thus protecting subscriber privacy [12] and security.

Network monitoring: Wireless intrusion prevention and wireless intrusion detection systems may be used for rogue eNodeB detection and network security. It is recommended that MNOs monitor their access networks in real time for rogue access points and wireless attack tools, to identify attacks quickly and minimise impacts [13].
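
One way to apply the monitoring recommendation above, shown as an added example that is not part of the original article: cell broadcasts collected by probes or UE measurement reports are compared with the operator's provisioned cell inventory, and anything advertising the home PLMN that does not match is flagged. The record fields, the 5 km distance threshold and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class Cell:
    plmn: str     # MCC+MNC the cell broadcasts
    eci: int      # 28-bit E-UTRAN cell identity
    tac: int      # tracking area code
    pci: int      # physical cell ID (0-503)
    earfcn: int   # downlink carrier channel number
    lat: float    # provisioned site, or where the broadcast was observed
    lon: float

def km_between(a, b):
    """Great-circle (haversine) distance in km between two records."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def audit(observed, inventory, home_plmn, max_km=5.0):
    """Return (observation, reasons) for home-PLMN cells that disagree with the inventory."""
    known = {c.eci: c for c in inventory}
    findings = []
    for obs in observed:
        if obs.plmn != home_plmn:
            continue  # another operator's cell: out of scope for this audit
        ref = known.get(obs.eci)
        if ref is None:
            reasons = ["unknown ECI broadcasting home PLMN"]
        else:
            reasons = [f"{name} mismatch" for name in ("tac", "pci", "earfcn")
                       if getattr(obs, name) != getattr(ref, name)]
            if km_between(obs, ref) > max_km:
                reasons.append("seen far from provisioned site")
        if reasons:
            findings.append((obs, reasons))
    return findings

# Constructed sample data using the 001/01 test PLMN (not real network values).
INVENTORY = [Cell("00101", 0x1A2B01, 4101, 101, 1850, 45.4215, -75.6972),
             Cell("00101", 0x1A2B02, 4101, 102, 1850, 45.4290, -75.6890)]
OBSERVED = [
    Cell("00101", 0x1A2B01, 4101, 101, 1850, 45.4220, -75.6965),  # matches inventory
    Cell("00101", 0x1A2B02, 9999, 102, 1850, 45.4291, -75.6893),  # TAC differs
    Cell("00101", 0x0FF001, 4101, 310, 1850, 45.4216, -75.6970),  # not provisioned
    Cell("00101", 0x1A2B01, 4101, 101, 1850, 45.9000, -75.1000),  # known ID, wrong place
    Cell("00102", 0x777777, 1, 5, 3100, 45.4200, -75.6900),       # other operator
]

if __name__ == "__main__":
    for obs, reasons in audit(OBSERVED, INVENTORY, home_plmn="00101"):
        print(f"ECI {obs.eci:#09x} PCI {obs.pci}: {'; '.join(reasons)}")
```

A finding from a check like this is a lead for field verification rather than proof of a rogue node, since a stale inventory produces the same mismatches.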

Security Architecture: With volumes of data on LTE rising exponentially, MNOs are further faced with the challenge of managing the bandwidth overhead allocated to security measures such as authentication and encryption without adversely affecting the latency and QoS of user data traffic. MNOs are best advised to consider security upfront in the network design phase and to architect scalable networks that enable security operations in LTE networks.
