9 Monitoring and Protection Techniques

9.1 Overview

This chapter discusses techniques for the protection of mobile communications, services, users and applications. ‘Traditional’ solutions such as firewalls are important means of isolation, as are techniques based on the IPSec gateway. The role and principles of monitoring techniques and of subscription modules are also discussed, including remote estimation of HW deterioration as part of the preparation for possible faults that may even expose security weaknesses. Real‐time network analysis and protection techniques such as deep packet inspection, virus protection and legal interception are summarized. A few words about location privacy and health‐related security of wireless systems are also presented.

The number of mobile communications users is growing at a global level, and as data utilization increases, the MNOs are facing a constant need to adapt to or further cooperate with the ISPs. At the same time, in addition to the ‘traditional’ MNO role of providing voice calls and data service via a sufficiently well‐dimensioned bit pipe, the stakeholders have new challenges such as how to keep the performance and availability of the services sufficiently good, how to continue delivering new, rich and interesting user experiences, and how to protect the networks, end‐user contents, devices and applications against known and future security threats. If the MNOs manage to tackle these challenges, they enhance customer satisfaction, reduce churn and grow their businesses. In the current, highly competitive environment, these are elemental tasks for any MNO as well as any MVNO.

The enhanced functionality of smart devices, and even of less complex feature phones, has brought new challenges, as these devices are the key driver of the increasing demand for data consumption. Operators therefore need to satisfy the demand for Internet services while ensuring proper protection against known and all kinds of new security risks in all the deployed network generations.

The statistics clearly show that smartphone apps have increased the network signalling, which may have a negative impact on the overall network performance. In a certain sense, this is a positive challenge for the operators and other stakeholders as it increases revenue, but at the same time, the increased signalling load generated by legitimate app users may be comparable to a non‐malicious Distributed Denial of Service (DDoS) attack, as Ref. [4] has noted. In addition, the new mobile devices and apps may bring along novel vulnerabilities, especially in the application layer. The overall trend of moving towards all‐IP mobile network architectures, which the LTE/LTE‐A deployments are spearheading, also opens potential security holes which may facilitate IP‐based security attacks. This means that the MNOs need to constantly update their security processes and protection mechanisms.

9.2 Personal Devices

9.2.1 Wi‐Fi Connectivity

Wireless devices, including laptops and smart devices which are equipped with Wi‐Fi connectivity, are vulnerable to viruses and security breaches via public Wi‐Fi hotspots. Reasonable care should be taken whenever the device is connected to publicly available Wi‐Fi access points because the hotspot traffic may be monitored by hackers. The safest approach is to avoid transferring sensitive information in public Wi‐Fi areas altogether, as a hacker may have set up an innocent‐looking but fraudulent Wi‐Fi hotspot (with a correct‐looking ID) and route the user’s data via the hacker’s own computer, which allows the hacker to monitor incoming and outgoing traffic. Also, hackers may monitor the legitimate signalling of a new user entering the hotspot during the logon procedure, with the aim of capturing the credentials and the computer’s identity information, and later log on to the same services with the replicated set. As some services such as web email and social media may keep the original user logged on for a longer time period, the hacker may thus, once the overall access credentials are replicated, still try to access the original user’s resources via the ‘hijacked’ Wi‐Fi session.

The home Wi‐Fi router is also a potential target for hackers. From the end‐user’s point of view, it is highly recommended to use a sufficiently complex password for the management access of the equipment, and a separate, equally complex password for connecting to the access point router over the home Wi‐Fi radio coverage. An additional, simple way of lowering the risk is to switch off the router HW when not in use.

9.2.2 Firewalls

A firewall is one of the most commonly used protection mechanisms to limit the access to and from data networks. The firewall can be deployed within the data network infrastructure as a standalone component, or it can be integrated into other network elements such as the GGSN of the GPRS core. Firewalls are also very commonly installed as applications on laptops and other wireless and wired devices.

The firewall can also be embedded into the SIM/UICC card. In this context, the application firewall refers to the functions of the eUICC Runtime Environment that restricts the capability of applications to access or modify data belonging to other applications. The Java Card System Firewall is an example of such an application firewall as stated in Ref. [7].

9.3 IP Core Protection Techniques

9.3.1 General Principles

‘Traditional’ isolation techniques are based on firewalls. As is the case in the fixed Internet, mobile communications networks have also had firewalls since the deployment of packet data services. The core of the mobile communications network consists of elements designed for exchange and routing functionalities. If the elements or interfaces are exposed to unauthorized parties via the public IP networks, the hackers may be able to intercept the traffic and interfere with the communications, modify the contents or block the services. A firewall therefore provides a straightforward and feasible protection method.

The GPRS initiated the all‐IP concept for the GSM system. The packet system architecture already contained an initial firewall by default since the first ETSI Release 97 in the form of the GGSN. In addition to the firewall in the Gi interface between the GPRS core and Internet (or other packet data network), the GPRS also includes other interfaces such as the Gp towards roaming partners (GPRS Roaming Exchange, GRX) which might be equally compromised if not protected accordingly. For that reason, the security of IP‐based mobile transmission needs additional methods for packet filtering to protect the network against spoofing attacks and billing alterations. There also needs to be Network Address Translation (NAT) to hide the internal GPRS network’s user IP addresses (typically in the address space of 10.x.x.x) from the external IP address space. Additional traffic analysis methods are useful for discovering malicious signalling patterns such as intentions to bombard the HLR with false requests to overload the GPRS (and at the same time, the circuit‐switched part of the GSM network).

The situation gets more complicated, though, as the previously relatively closed and protected 2G and 3G core networks are now in transition to full‐IP networks as a result of the deployment of the LTE and LTE‐Advanced systems. As a potential new risk, non‐authorized people could access unencrypted user traffic or network control signalling traffic by utilizing IP‐methods whereas the previously more isolated core network prevented such intentions by the architecture itself.

There are also potential dangers in the internal communications links. An example of this threat is roaming. Even if the roaming partners are trusted by default, there may be malicious attack intentions if a hacker enters the international networks and aims to penetrate the partnering networks via such interfaces. With the public Internet and other untrusted external networks being increasingly involved in the routing, the security risks can be assumed to increase. As the radio interface protection has developed, the LTE and its evolved variants will need to be protected with special emphasis on the core side, as it is based purely on IP connectivity. A priority of MNOs is thus to ensure the protection of the mobile system interfaces, including the Gi towards the Internet, S1 for the radio access and Gp towards roaming partners [4].

Ref. [4] proposes a holistic approach via the use of a single security platform that integrates the inspection of the interfaces with other security applications such as IPS, VPN tunnelling, secure NAT, antivirus, anti‐bot and web security. The benefit of such a centralized security solution is a unified policy for the functions and a single point of monitoring and reporting, which eases the management of the complete setup.

9.3.2 LTE Packet Core Protection

The LTE core network needs to be protected via the Gi and SGi interfaces by shielding against any Internet attack. One of the challenges is that modern smart device apps include highly advanced functionalities which are often based on the complex utilization of IP addresses. The MNOs therefore need to handle the growing amount of such IP addresses in a scalable way and still be able to identify a single user’s devices, e.g., while not confusing the complex communications with DoS attacks. The public IP address and the translation between private and public domains can be handled by Carrier‐Grade NAT (CGN) in the Gi and SGi interfaces. The migration from the IPv4 to the IPv6 is an essential part of this development which needs to be taken into account in the strategies for supporting both variants during the transition period [4].

The CGN can handle the excess of occasional signalling load which is a result of all kinds of activities in the Internet community, including random port scans, typical in the current environment. In addition to the general signalling load, there can be intentional focused signalling overloading to selected targets within the MNO’s radio and core infrastructure blocking the traffic or, for the mobile devices of selected end‐users, jamming the radio access.

9.3.2.1 Gi/SGi Interface

The idea of the CGN is to hide the core service and device IP addresses behind the Gi/SGi interface so that they are not visible in the public Internet. This method protects the services and devices against targeted DoS attacks. Furthermore, it protects against the potential ‘hijacking’ of the IP address of the device which could otherwise lead to charging attacks. Figure 9.1 depicts an example of the CGN firewall deployment as interpreted from Ref. [4].

Network diagram illustrating an example of CGN firewall deployment based on Check Point. It features the NB/eNB, the packet core network, the CGN firewall, and the Internet.

Figure 9.1 An example of CGN firewall deployment based on Check Point

Continuing with the solution presented in Ref. [4], the CGN can be used for securing the Gi interface in a stateful NAT firewall mode which is optimized for Internet traffic as well as for session‐based voice service applications and protocols. A stateful firewall refers to an element that tracks the operating state and connection characteristics of the traffic traversing it, and is thus able to distinguish legitimate packets from the bit stream. The risks in these cases are related to the threats of shared IP addresses, which may open doors for overbilling attacks against subscribers and carriers.

Ref. [4] advises that the NAT firewall, as depicted in Figure 9.2, ideally works as a single, scalable gateway. It can be managed via a single IP address and enables single‐console security and policy management functions, thus easing the tasks and providing efficient traffic balancing. This is especially suitable for chassis‐based solutions with multiple gateway modules stacked on top of one another. The NAT performance and throughput are essential factors along with the increasing network traffic and number of devices.

Network diagram illustrating an example of Check Point deployment in an IPSec gateway mode. It features the NB/eNB, the IPSec gateway, the packet core network, and the Internet.

Figure 9.2 An example of Check Point deployment in an IPSec gateway mode, delivering the S1‐MME signalling (SCTP) and S1‐U traffic (GTP‐U over UDP)

Ref. [4] further emphasizes the need for intelligence in the NAT firewall so that it may identify the additional data sessions typical of billing attacks. The firewall needs to detect when the initiating party exits the session and force the termination of that specific session. Furthermore, the NAT firewall needs to deliver Deep Packet Inspection (DPI) with additional security functions such as IPS, antivirus, URL filtering, application control and anti‐bot in order to protect the mobile network infrastructure and to prevent the network from being used for launching DoS attacks.
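As an added example (not the book’s or Check Point’s code), the following Python sketch models the stateful NAT behaviour described above: inbound traffic is admitted only against a session opened from the device side, and the session is torn down the moment the initiating party closes it, so bytes pushed afterwards are dropped rather than forwarded and billed. All addresses, ports and the packet sequence are constructed.

```python
"""Added example (not the book's or Check Point's code): a toy model of the
stateful NAT firewall behaviour described for the Gi/SGi interface. Outbound
packets from a device open state; inbound packets are admitted only against
live state; the state is torn down the moment the initiating device closes
the session, so data a server (or an attacker who has hijacked the device's
address) keeps pushing afterwards is dropped rather than forwarded and billed.
Addresses, ports and the packet sequence are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "198.51.100.10"      # constructed CGN public address (TEST-NET-2)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: int = 0             # bytes of user data carried
    fin: bool = False            # TCP FIN: the sender is closing the session


@dataclass
class Session:
    private_ip: str              # device address in the 10.x.x.x space
    private_port: int
    remote_ip: str
    remote_port: int


class StatefulCgn:
    """Stateful NAT: outbound packets create state, inbound packets need it."""

    def __init__(self, public_ip: str = PUBLIC_IP) -> None:
        self.public_ip = public_ip
        self._next_port = 40000
        self.sessions: Dict[int, Session] = {}      # public port -> session
        self.dropped: List[Packet] = []             # what never reached a device
        self.billed: Dict[str, int] = {}            # private IP -> inbound bytes

    def _lookup(self, key: Tuple[str, int, str, int]) -> Optional[int]:
        for pub_port, s in self.sessions.items():
            if (s.private_ip, s.private_port, s.remote_ip, s.remote_port) == key:
                return pub_port
        return None

    def outbound(self, pkt: Packet) -> Packet:
        """Device -> Internet: create or reuse state, translate the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self._lookup(key)
        if pub_port is None:
            pub_port, self._next_port = self._next_port, self._next_port + 1
            self.sessions[pub_port] = Session(*key)
        if pkt.fin:
            del self.sessions[pub_port]    # initiating party exits: terminate now
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port,
                      pkt.payload, pkt.fin)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> device: forward only if it matches live state."""
        s = self.sessions.get(pkt.dst_port)
        if (pkt.dst_ip != self.public_ip or s is None
                or (s.remote_ip, s.remote_port) != (pkt.src_ip, pkt.src_port)):
            self.dropped.append(pkt)       # unsolicited or stale: not delivered
            return None
        self.billed[s.private_ip] = self.billed.get(s.private_ip, 0) + pkt.payload
        return Packet(pkt.src_ip, pkt.src_port, s.private_ip, s.private_port,
                      pkt.payload, pkt.fin)


def overbilling_scenario() -> Dict[str, int]:
    """Constructed sequence: subscriber downloads, closes, server keeps sending."""
    cgn = StatefulCgn()
    ue, server = ("10.20.30.40", 51000), ("203.0.113.5", 80)
    out = cgn.outbound(Packet(*ue, *server))                               # session opens
    cgn.inbound(Packet(*server, out.src_ip, out.src_port, payload=3000))   # legitimate
    cgn.inbound(Packet("192.0.2.99", 4444, PUBLIC_IP, 40123, payload=500)) # no state
    cgn.outbound(Packet(*ue, *server, fin=True))                           # subscriber exits
    cgn.inbound(Packet(*server, out.src_ip, out.src_port, payload=9000))   # stale: dropped
    return {"billed": cgn.billed.get(ue[0], 0),
            "dropped": len(cgn.dropped),
            "live_sessions": len(cgn.sessions)}
```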

9.3.2.2 S1 Interface

The radio interface of the LTE/LTE‐A system is simplified from the previous 2G and 3G architectures as there is no need for a separate radio network controller. The LTE radio network has a flat architecture model. This opens potential security holes to the LTE/LTE‐A radio interface as the eNB can also reside on the customer sites in the form of home eNBs, or small cells. The benefit of such a solution is the easy deployment of the coverage areas by customers, making the adaptation of the LTE/LTE‐A services as easy as it is for the wireless home routers accessing the Internet. As these LTE sites are now located in public places like homes, hot‐spot locations of small businesses and the office environment, they may be vulnerable to tampering intentions. In the worst case, an unprotected home eNB may open access for attacks towards the MME regardless of the HW shielding intentions, which means that the elements need to be protected with extra care. One feasible solution for shielding is based on the IPSec standard and security gateway.

The security gateway needs to support authentication between the LTE eNB and the packet core network in order to block attempts to establish unauthorized access from the radio network. Interoperability with third‐party PKI solutions is thus essential to enable certificate authentication for the eNB control plane and user plane. Ref. [4] emphasizes the importance of security gateway support for the Encapsulating Security Payload (ESP) and Internet Key Exchange (IKEv2) to ensure traffic confidentiality and integrity with algorithms such as AES, SHA‐1 or Triple‐DES, to protect against eavesdropping and data tampering on both control and user planes. Furthermore, the gateway needs to support Stream Control Transmission Protocol (SCTP) deep packet inspection for the S1‐MME control plane in order to provide protection against attempts to inject false traffic into applications. The protection needs to be scalable in order to provide carrier‐grade IPSec throughput and performance and to minimize any network latency.

9.3.3 Protection against Roaming Threats

9.3.3.1 Gp/S8 Interface

The protection of the Gp/S8 interface shields the packet core network against malicious intentions regarding roaming, i.e., when users are connected to services via other MNO networks. The interconnection of the MNO networks is based on the Gp/S8 interface which allows access to the GRX network. The GRX is in practice a centralized hub for connecting roaming users instead of each MNO relying on direct connections with each other. Due to overlapping radio access technologies, the inter‐network roaming traffic from the LTE packet core to the 2G/3G packet core and vice versa needs to be supported on the Gp/S8 interface by the MNOs in a secure way even if untrusted networks are involved.

Network diagram illustrating an example of Check Point acting as a roaming gateway, featuring packet core network, roaming gateway, and GRX.

Figure 9.3 An example of Check Point acting as a roaming gateway

According to Ref. [4], a typical security threat related to the Gp/S8 interface is a DoS attack against service availability in the form of bandwidth saturation, data flooding, spoofing or cache poisoning. In addition, the Gp/S8 interface may be vulnerable to overbilling attacks if a mobile station is capable of hijacking the IP address of a legitimate mobile station and starting a data download without the original user’s awareness.

9.3.3.2 Gp/GRX Interface

There are various security requirements for protecting the Gp/GRX interface in the roaming cases. Ref. [4] informs that the most important task is the proper protection of GRX networks against DoS attacks between MNOs’ networks. The DoS attacks are possible if there is a way to insert IP packets into the GRX network domain from another IP network domain. Thus, the security gateway needs to have means for supporting deep and stateful packet inspection of the key protocols on the Gp interface, which are GTP, SCTP and Diameter.

The GTP delivers mobile data services, and thus understanding the GTP traffic eases the enforcing of roaming agreements based on carrier identity‐based policies and provides protection against DoS, DDoS and overbilling attacks. The SCTP is located on the mobile network IP transport layer. Understanding the SCTP flow eases the protection against DoS attacks based on corrupt packets, and gives protection against unauthorized network access. Diameter is a signalling protocol for authorization, authentication, charging and QoS. A deeper understanding of Diameter data flow provides the means to protect the data against potential interception on untrusted, public IP transport networks between service providers. Figures 9.3 and 9.4 present practical options for protection.

Along with the heavily growing LTE/LTE‐A traffic, the SCTP and Diameter traffic also increases. Ref. [4] emphasizes the importance of being able to inspect this traffic in order to provide a way to protect against possible malicious intentions like data exposure attacks from the packet core using unauthorized GTP or Diameter commands.
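The following Python inspector is an added example (not from the book or Check Point) of the stateful GTP inspection that this and the preceding paragraphs call for on Gp: allow‐listed GTP‐C message types from the roaming partner, and user‐plane G‐PDUs forwarded only on tunnels our own GGSN has set up. The header layout follows 3GPP TS 29.060; the roaming policy, the sample messages and the TEID‐in‐payload convention are assumptions of the example.

```python
"""Added example (not from the book or Check Point): a minimal stateful GTPv1
inspector for the Gp/GRX interface. A partner SGSN may send only allow-listed
GTP-C messages; a G-PDU is forwarded only if its TEID was assigned by our GGSN
in a Create PDP Context Response and not yet deleted. Header layout per
3GPP TS 29.060; messages, policy and TEID convention are constructed."""
import struct
from typing import List, Optional, Set

GTP_C_PORT, GTP_U_PORT = 2123, 2152

# GTPv1 message types (3GPP TS 29.060, Table 1)
ECHO_REQ, ECHO_RSP = 1, 2
CREATE_PDP_REQ, CREATE_PDP_RSP = 16, 17
UPDATE_PDP_REQ, UPDATE_PDP_RSP = 18, 19
DELETE_PDP_REQ, DELETE_PDP_RSP = 20, 21
G_PDU = 255

# Assumed roaming policy: what a visited SGSN may legitimately send a home GGSN.
# Our GGSN never sends the partner a Create request, so a Create response from
# the partner is never legitimate; Update/Delete may be GGSN-initiated.
ALLOWED_FROM_PARTNER = {ECHO_REQ, ECHO_RSP, CREATE_PDP_REQ, UPDATE_PDP_REQ,
                        UPDATE_PDP_RSP, DELETE_PDP_REQ, DELETE_PDP_RSP}


def parse_gtpv1(data: bytes) -> Optional[dict]:
    """Parse the 8-byte GTPv1 header (+4 optional bytes); None if malformed."""
    if len(data) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1 or not (flags >> 4) & 1:   # version 1, PT = GTP
        return None
    hdr_len = 12 if flags & 0x07 else 8           # E, S or PN flag set
    if len(data) < hdr_len or len(data) - 8 != length:
        return None                               # length counts bytes after TEID
    return {"type": msg_type, "teid": teid, "payload": data[hdr_len:]}


def build_gtpv1(msg_type: int, teid: int, payload: bytes = b"", seq: int = 0) -> bytes:
    """Build a GTPv1 message; GTP-C messages carry the S flag and a sequence number."""
    if msg_type == G_PDU:
        return struct.pack("!BBHI", 0x30, msg_type, len(payload), teid) + payload
    opt = struct.pack("!HBB", seq, 0, 0)          # seq, N-PDU number, next ext hdr
    return struct.pack("!BBHI", 0x32, msg_type, len(opt) + len(payload), teid) + opt + payload


class GpInspector:
    """Learns tunnel state from our GGSN's responses and filters partner traffic."""

    def __init__(self) -> None:
        self.active_teids: Set[int] = set()
        self.log: List[str] = []

    def from_home_ggsn(self, data: bytes) -> None:
        """Our GGSN's responses towards the partner teach the inspector the TEIDs."""
        msg = parse_gtpv1(data)
        if msg is None or len(msg["payload"]) < 4:
            return
        # Constructed convention: the data-plane TEID is the first 4 payload
        # bytes (real responses carry it in a TEID Data I information element).
        data_teid = struct.unpack("!I", msg["payload"][:4])[0]
        if msg["type"] == CREATE_PDP_RSP:
            self.active_teids.add(data_teid)
        elif msg["type"] == DELETE_PDP_RSP:
            self.active_teids.discard(data_teid)

    def from_partner(self, port: int, data: bytes) -> bool:
        """Return True to forward a partner packet into our core, False to drop it."""
        msg = parse_gtpv1(data)
        if msg is None:
            self.log.append("drop: malformed GTP header")
            return False
        if port == GTP_C_PORT:
            ok = msg["type"] in ALLOWED_FROM_PARTNER
            self.log.append(f"{'pass' if ok else 'drop'}: GTP-C type {msg['type']}")
            return ok
        if port == GTP_U_PORT and msg["type"] == G_PDU:
            ok = msg["teid"] in self.active_teids
            self.log.append(f"{'pass' if ok else 'drop'}: G-PDU TEID {msg['teid']:#x}")
            return ok
        self.log.append(f"drop: type {msg['type']} on port {port}")
        return False


def roaming_scenario() -> List[bool]:
    """Constructed Gp exchange; returns the forward (True) / drop (False) decisions."""
    insp = GpInspector()
    teid = struct.pack("!I", 0xA1)
    # Our GGSN accepts the partner's Create PDP Context Request and assigns TEID 0xA1.
    insp.from_home_ggsn(build_gtpv1(CREATE_PDP_RSP, 0x1001, teid, seq=1))
    decisions = [
        insp.from_partner(GTP_C_PORT, build_gtpv1(CREATE_PDP_REQ, 0, seq=1)),        # pass
        insp.from_partner(GTP_U_PORT, build_gtpv1(G_PDU, 0xA1, b"user ip packet")),  # pass
        insp.from_partner(GTP_U_PORT, build_gtpv1(G_PDU, 0xBEEF, b"spoofed")),       # drop
        insp.from_partner(GTP_C_PORT, build_gtpv1(CREATE_PDP_RSP, 0x1001, seq=2)),   # drop
        insp.from_partner(GTP_C_PORT, b"\x32\x10\x00"),                              # drop
    ]
    # Tunnel torn down: a G-PDU arriving afterwards on the old TEID is dropped.
    insp.from_home_ggsn(build_gtpv1(DELETE_PDP_RSP, 0x1001, teid, seq=3))
    decisions.append(insp.from_partner(GTP_U_PORT, build_gtpv1(G_PDU, 0xA1, b"late")))
    return decisions
```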

Network diagram illustrating an example of Check Point protecting roaming networks. It features the firewall, packet core network, CGN firewall connected to the Internet, and another CGN firewall connected to GRX.

Figure 9.4 An example of Check Point protecting roaming networks

9.4 HW Fault and Performance Monitoring

It can be generalized that wireless security, in addition to the actual encryption and communications protection mechanisms, also covers the assurance of the network elements and interfaces. This is logical because non‐ideal behaviour at any point of the network, whether due to low performance or to faulty SW/HW, may open doors for potential security attacks. Thus, performance monitoring and fault management of the networks can be considered an integral part of the security assurance.

The monitoring techniques include the means to monitor selected network elements and interfaces as well as the status of the user devices. The latter can typically be investigated remotely by the operator, and depending on the supported functionalities, it may be possible to retrieve information about the device HW, SW and the status of the SIM/UICC module.

9.4.1 Network Monitoring

There are various types of network monitoring methods and systems available on the market, which can be categorized into surveillance and security monitoring. Network (and computer) surveillance refers to the monitoring of the connected device’s activity and data stored in its memory, or data that is transferred over computer networks such as the Internet. Computer security, in turn, which can be considered as a synonym of cyber‐security and IT security, refers to the protection of information systems against theft or damage to the HW, SW and the information stored on them, as well as against disruption or misdirection of the services they provide [1].

Network monitoring as it is understood in the operational network management environment refers to performance monitoring and fault management. Both these areas may reveal potential security threats if the respective trend data in signalling or user data traffic starts to deviate significantly per cell or area. Network element vendors typically have integrated or additional solutions for such monitoring, and also external monitoring tools can be deployed for more personalized and focused analysis.

9.4.2 Protection against DoS/DDoS

As stated in Ref. [5], DoS can be defined as a temporary reduction in system performance, a system crash requiring manual restart or a major crash with permanent loss of data. From the early days of computers up to the major breakthrough of consumer markets for the graphical web and personal computers, DoS was not considered an important topic. Nevertheless, as services are increasingly dependent on an electronic format with connectivity via the public Internet, the importance of DoS, and even more of its more powerful form, DDoS, has been making major news as essential functions of our daily life, such as banking and communications, have been disturbed. The protection of wireless systems against DoS and DDoS attacks is thus a ‘daily routine’ for the MNOs.

9.4.3 Memory Wearing

As the memory modules of the devices – both user and network equipment – are made of physical HW, they have certain useful lifetime before they start to fail. This is especially important in devices that frequently read and write in memory blocks such as the SIM/UICC. The gradual wearing of the physical memory surface may cause unpredictable issues and, in the worst although extremely rare case, may open security holes. For that reason, it is important to ensure the correct functioning of the equipment during its planned use.

The UICC has a useful lifetime which is typically long enough to support the practical lifetime of the mobile device, or until the user changes the UICC for a more modern one. The degrading is principally a consequence of the number of read and write cycles in the memory. Some UICC types support, e.g., about 1 million cycles before error occurrence starts to exceed the design criteria whereas some less robust models may support a considerably lower amount of cycles. Nevertheless, there may be occasions when the UICC starts to fail unexpectedly, especially, if there is some active signalling app installed in the card that uses memory more often than dimensioned by default.

There are monitoring solutions that the MNO can deploy to follow the technical functioning of the subscription module. One example is the SIM lifetime monitoring tool (chip health monitor), an example of which can be found in Ref. [6]. These solutions may include a remote estimate of the HW wear and statistics of the apps consuming the UICC. There is a certain expected lifetime for the different categories of UICC, such that as the number of failed read/write cycles starts to increase gradually, the UICC manages memory utilization by reallocating the memory blocks. Remote monitoring of the UICC wear thus reveals potential issues before the problem has advanced too far. In these cases, the operator can invite the customer to make a replacement before the UICC fails.

9.5 Security Analysis

Security analysis of mobile communications networks is an increasingly important part of an MNO’s routine tasks. The aim of the analysis is to ensure that all goes fine with the traffic, and that no harmful activity – whether accidental or intentional – can take place. Security thus refers principally to software and IT network related threats that may jeopardize the operator’s or user’s legitimate communications or expenses. The following sections describe security methods based on post‐processing and real‐time surveillance.

9.5.1 Post‐processing

The histograms, i.e., historical comparison data, can be stored as part of the network statistics collection, and used as a basis for deeper posterior analysis for understanding deviations on the users’ or groups’ communications patterns. The monitoring, whether it happens in real time or later, may reveal potential malicious intentions to exploit the network, applications or devices. Thus, the respective monitoring tools may use this historical data as an important part in the complete security threat shielding process.

9.5.2 Real‐time Security Analysis

9.5.2.1 Traffic Analysis

Regular network traffic tends to settle into repeatable levels according to daily patterns (office hours and free time), weekly patterns (weekday and weekend), seasonal patterns (summer holidays) etc. If the long‐term patterns in the traffic flow deviate suddenly without an obvious reason, such as a football match at a local stadium, this may indicate malicious intentions of attackers. The network attacks may be, e.g., DDoS efforts or attempts to brute‐force the credentials of certain elements found within the network infrastructure.

As the mobile communications networks are increasingly IP‐based systems, there are many elements involved in the end‐to‐end traffic similar or equivalent to the Internet, such as routers and bridges, as well as the respective controlling and monitoring systems. The division can be done between Network Monitoring Systems (NMSs), Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs). The two latter ones are designed to detect security breaches and to prevent unauthorized activity while NMS indicates the performance of the network. Nevertheless, all these variants can be used in a combined form to monitor the security threats.
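The baseline comparison described in 9.5.1 and 9.5.2.1 can be implemented as a weekly histogram per counter. The Python below is an added example (not from the book) that learns the daily/weekly pattern from constructed historical counters and classifies live values as normal, an expected peak from a known event, or an anomaly. The counter values, the z‐score threshold of 4 and the stadium event are constructed for the example.

```python
"""Added example (not from the book): weekly-histogram baseline of a per-cell
traffic counter (9.5.1) and real-time deviation checks against it (9.5.2.1).
All counter values, the threshold and the stadium event are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Optional, Tuple

Bucket = Tuple[int, int]                 # (weekday, hour): one slot of the weekly pattern
HISTORY_START = datetime(2016, 1, 4)     # a Monday; constructed history begins here


class TrafficBaseline:
    """Histogram of a counter (e.g. attach requests per hour in one cell) per weekly slot."""

    def __init__(self, min_samples: int = 3, threshold: float = 4.0) -> None:
        self.history: Dict[Bucket, List[float]] = defaultdict(list)
        self.min_samples = min_samples   # slots with less history give no verdict
        self.threshold = threshold       # z-score above which the value is a deviation

    @staticmethod
    def bucket(ts: datetime) -> Bucket:
        return (ts.weekday(), ts.hour)

    def learn(self, ts: datetime, value: float) -> None:
        """Post-processing: file a historical counter value into its weekly slot."""
        self.history[self.bucket(ts)].append(value)

    def zscore(self, ts: datetime, value: float) -> Optional[float]:
        """How many spreads the live value sits above/below the slot's usual level."""
        samples = self.history.get(self.bucket(ts), [])
        if len(samples) < self.min_samples:
            return None
        mu = mean(samples)
        sigma = max(pstdev(samples), 0.05 * mu, 1.0)   # floor: flat history, tiny counts
        return (value - mu) / sigma

    def check(self, ts: datetime, value: float, known_events=frozenset()) -> str:
        """Real-time: 'normal', 'expected-peak' (known event), 'anomaly' or 'no-baseline'."""
        z = self.zscore(ts, value)
        if z is None:
            return "no-baseline"
        if z <= self.threshold:
            return "normal"
        if ts.replace(minute=0, second=0, microsecond=0) in known_events:
            return "expected-peak"       # e.g. a match at the local stadium
        return "anomaly"                 # sudden excess with no obvious reason


def constructed_history(start: datetime, weeks: int = 4) -> Iterable[Tuple[datetime, float]]:
    """Deterministic sample counters: busy weekday office hours, quiet otherwise."""
    for i in range(weeks * 7 * 24):
        ts = start + timedelta(hours=i)
        busy = ts.weekday() < 5 and 8 <= ts.hour < 18
        base = 1200.0 if busy else 150.0
        yield ts, base + ((i * 37) % 11 - 5) * 10        # +/- 50 jitter


def scenario() -> Dict[str, str]:
    """Learn four constructed weeks, then judge four live counters on the next days."""
    baseline = TrafficBaseline()
    for ts, value in constructed_history(HISTORY_START):
        baseline.learn(ts, value)
    live_monday = HISTORY_START + timedelta(weeks=4)
    match = datetime(2016, 2, 6, 21)     # Saturday evening event known in advance
    return {
        "office_hour_normal": baseline.check(live_monday.replace(hour=10), 1230),
        "office_hour_flood": baseline.check(live_monday.replace(hour=10), 6000),
        "night_brute_force": baseline.check(live_monday.replace(hour=3), 900),
        "stadium_peak": baseline.check(match, 900, known_events={match}),
    }
```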

9.5.2.2 DPI

In addition to the overall traffic flow analysis, it is also possible to analyse in more detail the traffic type and contents. The aim of DPI is to collect information and, if necessary, take action based on the inspected information or what can be inferred from the content of the communication [1]. The challenge of the DPI is that the IP traffic is increasingly dynamic and distributed both from multiple sources as well as to various receivers. Also, the traffic typically involves various protocols with varying syntax presentations, and many kinds of packet types and respective ports. DPI needs to adjust to this highly dynamic environment in real time to, e.g., prevent access to unauthorized zones and contents, or to limit throughput per communications type, while not interfering with legitimate traffic.

DPI solutions share the same type of requirements for all stakeholders, including MNOs, service providers and governments. These requirements include reliability for correct and timely analysis, fault tolerance, and adequate capacity and ability to distribute the analysis over different elements in a parallel fashion. As an example, the Advanced Telecommunications Computing Architecture (ATCA) complies with typical industry requirements for DPI.

There are many types of DPI applications for the various entities involved. The focus of DPI can thus be adjusted accordingly. Some of the practical roles for DPI are policy enforcement, network security, subscriber analytics, traffic monitoring, legal interception, content optimization, billing volume metering, content caching, load balancing and content modification. Table 9.1 summarizes some of the typical roles and their practical examples.

Table 9.1 Key roles of DPI

| DPI focus | Description | Examples |
| --- | --- | --- |
| Policy enforcement | Functions for traffic shaping, prioritization, access control, admission, content filtering | Traffic management provides fair utilization of the resources between the users and enhances user experience |
| Network security | Firewalls, network‐based antivirus applications, intrusion detection/prevention, data leak prevention, anti‐spam (including Internet telephony spam and instant messaging spam) | Web application firewalls for protection and to support endpoint SW that cannot be upgraded in real time. Aids network‐based security solutions when user devices lack security, e.g., M2M applications |
| Network analytics | Reveals the state of network functioning via performance and capacity analysis | Provides information to MNOs and service providers about network quality |
| Subscriber analytics | Provides understanding about subscriber base behaviour | Provides information to service providers and MNOs about the typical utilization of resources and services, which optimizes marketing efforts |
| Traffic monitoring | Network diagnostics | Ensures information for prompt troubleshooting |
| Legal interception | Regulatory traffic monitoring | Provides contents for legal purposes |
| Content optimization | Proxying and content modification | Reduction of image and video quality to reduce the needed capacity. Web page reformatting to optimize the bandwidth. The measures allow an increased number of simultaneous users to share the resources |
| Billing volume metering | Traffic volume monitoring | Multiple schemes can be applied, e.g., varying the data rate based on the consumed amount of bits or contents. Also division of the payment between different service providers |
| Content caching | Storing popular contents closer to the end users | Allows the service provider to select cached content by intercepting the traffic |
| Load balancing | Redirection of the packets to a different destination address based on inspection of the content | The traffic can be offloaded depending on the overall utilization, fine‐tuning the redirection based on DPI results |
| Content modification | Examining and modifying content | Packet content modification provides the means to insert tracking IDs, modify packet headers, rewrite or add packets |

9.6 Virus Protection

As soon as the first smart devices were introduced into consumer markets, security threats began to emerge. As the smart devices are based on applications, viruses are becoming an important threat, as they have been in the fixed IT environment for many years. In fact, along with the enhanced protection mechanisms of the network infrastructure, the threats are moving towards the application layer.

The app store concept aims to minimize the incidents caused by malicious code in the apps. There is a prerequisite to pass the testing and certification processes prior to the introduction of the app to the store. Nevertheless, there are certain aspects that cannot completely eliminate malicious intentions. One aspect is related to the privileges the app may require upon installation in order to function. It is logical that, e.g., a camera app requests permanent permission from the user to access the photo gallery. The situation gets slightly complicated if the app requests privileges that do not sound necessary for the app to work properly, such as a flashlight app that wants to access the microphone of the device. Even if the app developer does not use these types of extended privileges at the time of the delivery of the app, except perhaps for testing purposes, they may pose a severe security threat in a later phase of the app lifetime if the app communication is used for illicit activities such as eavesdropping on the user’s conversations, either by the app developer or by someone hacking the app. One way to prevent and minimize such incidents is to evaluate, before installing such apps, whether all the access rights are really necessary compared to the benefits the app brings.

Among other security‐related apps the smart devices may have, there are also plenty of virus protection apps which may embed other useful protection tools. Some of these cost money whereas others are free of charge, and they are designed to protect against malware, adware, spyware and other malicious code. They may also have functionalities that clean up unnecessary files, optimize the device’s power utilization, manage the apps and provide additional privacy via encryption. There may also be anti‐theft tools available, which wipe the contents of the device remotely if it is lost or stolen. The network or service provider may also offer virus protection and related tools as part of the service package for the end‐user.

Thus, virus protection is an elemental service in smart devices. It can be a real‐time service running at the device's application layer, or a network‐based service offered by the MNO or service provider. Selection of the most feasible option depends on the needs, remembering that the free‐of‐charge tools are probably equally useful but may be limited in their protection functionalities, lack technical support and may display advertisements.

9.7 Legal Interception

Legal/Lawful Interception (LI) has been designed for authorized access to the communications of commercial, government and military environments. LI provides the means for mobile and fixed network operators and service providers to collect traffic and identification information of private or organizational communications for post‐analysis by law enforcement officials. This method has been available for a long time in mobile communications networks. As an example, LI was included as part of the first GPRS networks based on the 3GPP Release 97 specifications, under the term LIG (Legal Interception Gateway), to allow MNOs to mirror the traffic delivered via the GPRS nodes. LI can only be applied in accordance with national and regional laws and technical regulations.

The EPS of the LTE/LTE‐A networks supports the interception of the IP layer's Content of Communication (CoC) data flows. The LTE/LTE‐A voice connections also represent IP data flows via VoIP solutions. If a fall‐back type of functionality is applied during the LTE voice call to switch over to circuit‐switched technology, the respective 2G/3G network also contains the LI. In addition to the user plane interception, the LI solution of EPS can generate Intercept Related Information (IRI) records from the control plane messages, which identify the called parties, the location of the LTE terminal and other call‐related information.

The functional architecture of the EPS lawful interception is comparable to the functional architecture of the packet‐switched domain of 3GPP 3G networks. Figures 9.5, 9.6 and 9.7 depict the configurations for the MME, the Home Subscriber Server (HSS), and the Serving Gateway (S‐GW) and Packet Data Network Gateway (PDN‐GW), respectively, as defined in the 3GPP standards for the EPS lawful interception [8]. The key identities for the interception are IMSI, MSISDN and IMEI.

Diagram illustrating the configuration for the MME intercept, displaying a rectangle for LEMF (top), two panels containing boxes for HI2 and HI1 (middle), and a rectangle labeled MME (ICE) (bottom).

Figure 9.5 The configuration for the MME intercept

Diagram illustrating the configuration for the HSS intercept, displaying a rectangle for LEMF (top), two panels containing boxes for HI2 and HI1 (middle), and a rectangle labeled HSS (ICE) (bottom).

Figure 9.6 The configuration for the HSS intercept

Diagram illustrating the configuration for the S‐GW and P‐GW intercept, displaying a rectangle for LEMF (top), three panels containing boxes for HI3, HI2 and HI1 (middle), and a rectangle labeled S-GW/P-GW (ICE) (bottom).

Figure 9.7 The configuration for the S‐GW and P‐GW intercept

The MME element manages the control plane while the HSS handles signalling. The interception of CoC is thus applicable only via the S‐GW and P‐GW elements of the LTE/LTE‐A. In Figures 9.5, 9.6 and 9.7, the Administration Function (ADMF) refers to a functionality that interfaces with the Law Enforcement Monitoring Facilities (LEMF) of the Law Enforcement Agencies (LEA) that may request the interception. The ADMF functionality has a direct interface with the network elements that are intercepted, while it keeps the interception‐related activities of each LEA separated from each other. The ADMF, together with the delivery functions of the intercepted information, is hidden from the Intercepting Control Element (ICE), even in the case of several simultaneous activations on behalf of separate LEAs related to the same subscription.

The physical ICE of the LTE/SAE network is connected to the ADMF via an X1_1 interface which delivers the intercepted information from each ICE. Each ICE carries out the interception, i.e., the activation, deactivation, interrogation and invocation procedures independently. The HI1 interface of the ADMF is defined towards the requester of the LI. For the communication between independent delivery functions and LEA, there are HI2 and HI3 interfaces. The delivery functions distribute the IRI and CoC to the relevant LEA.

The LI may be set to activate, for example, when there is a change in the location information of the subscriber, or when a terminating or originating short message transfer is initiated by the target. Likewise, the LI can be set to activate when a terminating or originating circuit‐switched call, or a terminating or originating packet data service, is initiated by the target.

The CoC can be intercepted from the media plane entities via the LI concept. In addition, various identities related to the intercepted communications can be stored. Some examples of the IRI that can be intercepted for the subscribers are: MSISDN, IMSI, Mobile Equipment Identifier (ME ID), event type, event time and date, Network Element Identifier (NE ID) and location.
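To make the ADMF separation and the IRI record contents described in the two passages above concrete, here is an added toy model (not code from the book, nor a 3GPP implementation): several LEAs activate interception on the same identity, the ICE receives a single activation and never learns how many warrants exist, and each event is delivered only to the LEAs holding an active warrant. LEA names, warrant handling and the sample record are constructed; the IRI fields are the ones listed in the text.

```python
"""Added example (not from the book or 3GPP): toy ADMF / delivery function
that hides multiple LEA warrants on one subscription from the ICE."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IRIRecord:
    """Intercept Related Information, with the fields named in the text."""
    msisdn: str
    imsi: str
    me_id: str
    event_type: str
    event_time: str
    ne_id: str
    location: str

    def identities(self):
        return {self.msisdn, self.imsi, self.me_id}


class ICE:
    """Intercepting Control Element: knows only which identities to intercept."""
    def __init__(self):
        self.targets = set()

    def activate(self, identity): self.targets.add(identity)       # X1_1
    def deactivate(self, identity): self.targets.discard(identity)  # X1_1
    def intercepts(self, rec: IRIRecord) -> bool:
        return bool(rec.identities() & self.targets)


class ADMF:
    """Keeps each LEA's warrants apart and issues one ICE activation per target."""
    def __init__(self):
        self.ice = ICE()
        self.warrants = defaultdict(set)    # identity -> {LEA, ...}
        self.delivered = defaultdict(list)  # LEA -> [IRIRecord]  (HI2 deliveries)

    def hi1_activate(self, lea: str, identity: str):
        if not self.warrants[identity]:     # first warrant: single X1_1 activation
            self.ice.activate(identity)
        self.warrants[identity].add(lea)

    def hi1_deactivate(self, lea: str, identity: str):
        self.warrants[identity].discard(lea)
        if not self.warrants[identity]:     # last warrant gone: deactivate at ICE
            self.ice.deactivate(identity)

    def network_event(self, rec: IRIRecord):
        """ICE reports the event; the delivery function fans it out over HI2."""
        if not self.ice.intercepts(rec):
            return []
        leas = set()
        for ident in rec.identities():
            leas |= self.warrants.get(ident, set())
        for lea in leas:
            self.delivered[lea].append(rec)
        return sorted(leas)
```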

Ref. [12] contains updated requirements for the LTE Release 10 phase and beyond. As an example, it emphasizes that the intercept function shall only be accessible by authorized personnel and that the interception must take place without the knowledge of either party to the communication. Thus, decryption must also take place without either party being aware that it is happening so no indication shall be given to any person except authorized personnel that the intercept function has been activated on a target.

Ref. [13] contains a more detailed description of the LTE interception as of Release 10 and beyond. It includes additional items such as the interception of the MBMS and IMS conference services. Ref. [13] is thus one of the most relevant and up‐to‐date sources of information for those interested in learning more about the legal intercept in the 3GPP networks.

9.8 Personal Safety and Privacy

9.8.1 CMAS

The Commercial Mobile Alert System (CMAS) was introduced to the LTE networks as of 3GPP Release 9. It is capable of delivering multiple, concurrent warning notifications. The CMAS warning notification is broadcast in SystemInformationBlockType12. Paging is used in order to inform CMAS‐capable UE about the message in both the RRC_Idle and RRC_Connected states. Upon receiving the paging message with the CMAS indication, the UE starts receiving CMAS notifications based on the scheduling information list found in SystemInformationBlockType1. In order to comply with the requirements for replacing and cancelling notifications, additional procedures are included in the LTE between the MME and eNodeB. The respective CMAS signalling is presented in Figures 9.8 and 9.9. In this case, the MME initiates the Write‐Replace procedure via a Write‐Replace Warning Request message, which contains the message identifier, warning area list, broadcasting instructions and the contents. The eNodeB acknowledges via the Write‐Replace Warning Response message and initiates the broadcasting. Please note that the ETWS and CMAS are independent services, and that the ETWS and CMAS messages are differentiated over S1 for different handling.

Diagram illustrating the Write‐Replace warning procedure, in which the MME sends a Write‐Replace Warning Request message to the eNodeB, and the latter acknowledges it via a Write‐Replace Warning Response message.

Figure 9.8 Write‐Replace warning procedure

Diagram illustrating the Kill procedure, in which the MME sends a Kill Request message to the eNodeB, and the latter acknowledges it via a Kill Response message.

Figure 9.9 Kill procedure

The broadcasting of a Public Warning System (PWS) message is stopped via the Kill procedure. The MME initiates the procedure via the Kill Request message which contains the message identifier, serial number of the message and the warning area list where the broadcasting will be killed. Upon receiving the request, the eNodeB acknowledges it via the Kill Response message and stops broadcasting.
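The Write‐Replace and Kill procedures described above, modelled as an added example (not code from the book or 3GPP) of the broadcast table an eNodeB keeps per cell: a Write‐Replace with an already broadcast message identifier replaces the entry, and a Kill removes the entry only where the identifier and serial number match in the listed area. Only the message fields the text names are modelled; cell names, message identifiers and warning texts are constructed, and the response fields are loosely named rather than taken from the S1AP specification.

```python
"""Added example (not from the book or 3GPP): toy eNodeB broadcast table
driven by Write-Replace Warning Request and Kill Request messages."""
from dataclasses import dataclass


@dataclass(frozen=True)
class WriteReplaceWarningRequest:
    message_identifier: int    # which warning this is
    serial_number: int         # version of that warning
    warning_area_list: tuple   # cells to broadcast in; empty = all cells
    contents: str              # warning text carried to UEs


@dataclass(frozen=True)
class KillRequest:
    message_identifier: int
    serial_number: int
    warning_area_list: tuple   # cells in which broadcasting is killed; empty = all


class ENodeB:
    def __init__(self, cells):
        # cell -> {message_identifier: (serial_number, contents)}
        self.broadcast = {c: {} for c in cells}

    def _area(self, area):
        """Resolve a warning area list to the cells this eNodeB serves."""
        if not area:
            return tuple(self.broadcast)
        return tuple(c for c in area if c in self.broadcast)

    def write_replace(self, req: WriteReplaceWarningRequest) -> dict:
        """Start broadcasting, or replace an existing broadcast with the same identifier."""
        cells = self._area(req.warning_area_list)
        for cell in cells:
            self.broadcast[cell][req.message_identifier] = (req.serial_number, req.contents)
        return {"response": "Write-Replace Warning Response",
                "message_identifier": req.message_identifier,
                "serial_number": req.serial_number,
                "broadcast_completed_area": cells}

    def kill(self, req: KillRequest) -> dict:
        """Stop a broadcast; cells carrying a different serial number are left alone."""
        cancelled = []
        for cell in self._area(req.warning_area_list):
            entry = self.broadcast[cell].get(req.message_identifier)
            if entry is not None and entry[0] == req.serial_number:
                del self.broadcast[cell][req.message_identifier]
                cancelled.append(cell)
        return {"response": "Kill Response",
                "message_identifier": req.message_identifier,
                "serial_number": req.serial_number,
                "broadcast_cancelled_area": tuple(cancelled)}

    def active(self, cell) -> dict:
        """Current broadcasts in one cell (constructed inspection helper)."""
        return dict(self.broadcast[cell])
```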

9.8.2 Location Privacy

Along with the considerably growing popularity of LBSs, supported by enhanced technologies such as satellite positioning (GPS, GALILEO, GLONASS and a variety of other international and national variants), integrated mobile network services such as cell ID, time of arrival from multiple cells and assisted location services, and the location tracking methods of other wireless systems such as Wi‐Fi, concerns may also arise about the privacy protection of individual users – especially as the location information provided by current user devices may be extremely accurate, in the order of some metres.

Physical location tracking may not be the only issue as long as the information stays in the proper hands; the location data may also be embedded automatically into the user's photos and other contents by default until such functionality is deactivated, e.g., in the smart device's camera app settings. The issue becomes even trickier when these photos are shared on social media: knowing that a family is publicly sharing photos from a distant holiday resort, with the location and time stamp tagged automatically in the metadata of the pictures, may make the illicit tasks of burglars easier. The issue is two‐fold: it is naturally nice to remember the locations and times of such occasions among family members and friends, but it may be wise to think carefully about uploading such detailed information for everyone's eyes in real time.
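An added example (not code from the book) of the geotag problem described above: a small JPEG segment walker that reports whether a photo carries an Exif segment with a GPS IFD pointer, and strips that segment before the photo is shared. The sample JPEG is constructed in‐line with a valid segment structure but no real image data; the offsets and tag number follow the TIFF/Exif layout.

```python
"""Added example (not from the book): detect and strip the Exif segment that
camera apps use to geotag JPEG photos."""
import struct

SOS, APP1 = 0xDA, 0xE1
GPS_IFD_TAG = 0x8825  # Exif/TIFF tag in IFD0 that points at the GPS IFD


def _segments(data: bytes):
    """Yield (marker, start, end) for each segment up to and including the scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:                     # entropy-coded data follows; stop here
            yield marker, pos, len(data)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _is_exif(data: bytes, marker: int, start: int) -> bool:
    return marker == APP1 and data[start + 4:start + 10] == b"Exif\x00\x00"


def exif_has_gps(payload: bytes) -> bool:
    """Walk IFD0 of the embedded TIFF and report whether a GPS IFD pointer exists."""
    tiff = payload[6:]                        # skip the "Exif\0\0" prefix
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):                    # each IFD entry is 12 bytes, tag first
        off = ifd0 + 2 + 12 * i
        if struct.unpack(endian + "H", tiff[off:off + 2])[0] == GPS_IFD_TAG:
            return True
    return False


def geotag_report(data: bytes):
    """Return (has_exif, has_gps) for a JPEG byte string."""
    for marker, start, end in _segments(data):
        if _is_exif(data, marker, start):
            return True, exif_has_gps(data[start + 4:end])
    return False, False


def strip_exif(data: bytes) -> bytes:
    """Copy the JPEG without its Exif APP1 segment; image data is untouched."""
    out = bytearray(data[:2])
    for marker, start, end in _segments(data):
        if not _is_exif(data, marker, start):
            out += data[start:end]
    return bytes(out)


def sample_jpeg() -> bytes:
    """Constructed JPEG: SOI, Exif APP1 with a GPS IFD pointer, minimal SOS, EOI."""
    tiff = b"II*\x00" + struct.pack("<I", 8)                       # header, IFD0 at 8
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26)
    tiff += struct.pack("<I", 0) + struct.pack("<H", 0) + struct.pack("<I", 0)
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02\x00\x01\x02" + b"\xff\xd9"
```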

In addition to the user's communication devices, there may also be an increasing number of location tracking technologies embedded into other everyday objects such as cars. The tracking devices are useful for maintenance purposes and for providing auxiliary measures, e.g., in the event of traffic accidents. Nevertheless, it may be a good idea to read the respective privacy conditions of such objects to fully understand how such private data may be observed and by whom.

As Ref. [10] reasons, the trace information may reveal surprisingly much about individuals' habits, interests, activities and relationships, as well as personal or corporate secrets. Despite the good intentions of some service providers to deliver focused announcements to individuals, location tracking may also trigger unwanted advertisements and location‐based spam, which in turn may have a negative impact on social reputation or even cause economic damage via the exploitation of such information by criminals.

There is plenty of literature related to the respective trends, legal aspects and the general pros and cons of location tracking. As an example, Ref. [9] discusses the counter‐measures an individual may be able to take. The high‐level principle is to change pseudonyms of the users frequently, even while they are being tracked. The principle is based on users adopting a series of new, unused pseudonyms for each application with which they interact.

On the other hand, avoiding such tracking by applying anonymous communications – which could be argued to especially interest illicitly behaving entities wanting to hide themselves – would also prevent positive impacts such as sufficiently accurate location information embedded in the emergency call. Nevertheless, it is not only about the exposure of such location information, mapped to individuals, to trusted parties. Other important questions are how accurate this information is, how to trust that the information is not exposed to criminals, and, in the case of information monitored by legal entities, what the means are to ensure that the location data is authentically correct, so that wrong conclusions about an individual's movements are not drawn. Some examples of the legislation on location tracking can be studied in Ref. [11], which discusses the principles of commercially available GPS devices with communication or recording features.

In order to tackle the respective attacks, Ref. [10] discusses the Location‐Privacy Protection Mechanisms (LPPMs), and reckons that their assessment and comparison is problematic because of the lack of systematic methods to quantify them. Furthermore, assumptions about the attacker’s model tend to be incomplete, with the risk of a wrong estimation of the user’s location privacy. Ref. [10] provides a framework for the analysis of LPPM variants by capturing the prior information that might be available to the attacker as well as possible attacks. It also presents a simple model to formulate all types of location‐information disclosure attacks, and by formalizing the adversary’s performance, it proposes and justifies proper metrics to quantify location privacy.

9.8.3 Bio‐effects

An item distantly related to wireless security is RF radiation. RF radiation is non‐ionizing, which means that it does not cause genetic alterations, as can be the case with, e.g., excess ionizing X‐ray exposure. The consensus of the scientifically relevant investigation bodies and industries is that the only measurable effect of RF radiation is a temperature rise in human cells. If there is too much radiation, the temperature can increase beyond healthy limits – which can be seen by observing the effects of microwave heating. This can happen on the non‐licensed 2.45 GHz frequency band, which is optimal for warming up water molecules thanks to their resonance peak that results in friction on that specific band. Nevertheless, the radiated power level of a microwave oven, being hundreds up to over a thousand watts, is far beyond that of the user devices of cellular systems, which typically use power levels up to 1–2 watts. As the topic is related to the health of human beings, it is fruitful ground for debate. To understand the topic in a reliable way, it is recommended to refer to high‐quality, repeatable scientific results that rely on professional methods and equipment.

The bio‐effects as such do not belong directly within the scope of this book – except when speculating about scenarios that involve cyber‐attacks with the aim of deliberately re‐directing high‐power RF sources, such as flight radar antenna systems, dangerously close to a population. Another theoretical case may involve a hacking effort to increase the radiated power level of the mobile device to its maximum, or to overload the electrical circuits or short‐circuit the device, which could warm up the mobile phone or battery beyond the permitted limits. However, these topics would require another cyber‐attack related book. As for mobile communications overall, there are many guidelines from official entities, and information about limits from, e.g., national frequency regulators. Relevant and scientifically proven information about the effects of RF exposure can be found in various official sources.

Ref. [3] states that the COST study results, which also coincide with the common understanding of the field from the last few years of research, have not identified adverse health effects due to exposure to electromagnetic fields at the low levels occurring in most occupational or environmental settings. Nevertheless, Ref. [3] also states that a number of uncertainties still exist about existing exposure situations, and new applications of electromagnetic fields due to emerging technologies may also motivate further research activities. The European Council has recommended that its member nations closely follow further development, and facilitate research at the national level. For those interested, more details about the EU‐funded studies can be found in Ref. [2], and the COST 244bis study detailing the biomedical effects of electromagnetic fields can be found in Ref. [3].

References

[1] Radisys. DPI: Deep packet inspection motivations, technology, and approaches for improving broadband service provider ROI. White paper, September 2010.
[2] Health and electromagnetic fields. EU‐funded research into the impact of electromagnetic fields and mobile telephones on health. http://ec.europa.eu/health/ph_determinants/environment/EMF/brochure_en.pdf (accessed 5 December 2015).
[3] COST 244bis. Biomedical effects of electromagnetic fields, 3 November 2000. ftp://ftp.cordis.europa.eu/pub/cost/docs/244bisfinalreport.pdf (accessed 5 December 2015).
[4] Check Point. Next generation security for 3G and 4G LTE Networks. White paper, November 2013. https://www.checkpoint.com/downloads/product‐related/whitepapers/wp‐ng‐mobile‐network‐security.pdf (accessed 5 December 2015).
[5] Morrie Gasser. Building a Secure Computer System. Van Nostrand Reinhold, 1988.
[6] Ulrich Wimböck. Securing your M2M business M2Mission Possible. Giesecke & Devrient, Belgrad, 26 September 2013. https://m2m.telekom.com/upload/Event_Presentation_2013_BS_Ulrich_Wimboeck_4276.pdf (accessed 30 December 2015).
[7] Embedded UICC Protection Profile, Version 1.0. GSMA, 22 September 2014.
[8] J. Penttinen. The Telecommunications Handbook. John Wiley & Sons, Inc., Hoboken, NJ, 2015.
[9] Alastair R. Beresford and Frank Stajano. Location privacy in pervasive computing. Pervasive Computing, January–March 2003.
[10] Reza Shokri, George Theodorakopoulos, Jean‐Yves Le Boudec, and Jean‐Pierre Hubaux. Quantifying location privacy. IEEE Symposium on Security and Privacy, 2011.
[11] GPS location privacy in the USA. http://www.gps.gov/policy/privacy/ (accessed 8 January 2016).
[12] ETSI TS 133 106, V10.0.0 (2011‐05). Technical Specification, Universal Mobile Telecommunications System (UMTS); LTE; Lawful interception requirements, Release 10.
[13] ETSI TS 133 107, V10.4.0 (2011‐06). Technical Specification, Universal Mobile Telecommunications System (UMTS); LTE; 3G security; Lawful interception architecture and functions, Release 10.