Chapter 18

Cellular Access Security: 4G LTE, Mobile WiMAX, 5G, and MIMOs

Mobile computing devices (mobile devices) are information systems that are capable of storing and processing large amounts of data without having a fixed-in-place or set physical location, all while being portable. Examples of mobile computing devices include smartphones, mobile devices, personal digital assistants (PDAs), and notebook/tablet computers. Since the introduction of these devices into society, the impact of the change on our everyday lives has increased significantly. Mobile devices have provided the user with the ability to multitask like never before. They allow people to send and receive e-mails and text messages, all while surfing the web and streaming high-definition video.

The cellular wireless generation (G) denotes a change in the overall nature of the service being provided, non-backward-compatible broadcast technology, and new bands of frequency for data and voice transmission. A new generation has appeared approximately every 10 years since the first generation (1G), the analog generation, to the second generation (2G), the digital generation (Patil and Wankhade, 2014). After 2G came the third generation (3G), allowing the use of graphics, video, and audio applications, followed by the fourth generation (4G), which uses an Internet Protocol (IP) switched network with a focus on supporting broadband-level performance, as well as enabling both video and voice multimedia applications. Over the past two decades alone, the cellular industry has witnessed major growth in terms of its subscribers and its overall mobile technologies. By the end of 2010 alone, the number of cellular subscriptions was four times higher than that of fixed telephone lines.

First-Generation Cellular Network

1G cellular networks are the only ones to use analog transmissions. These were introduced in 1980 and continued to be used until they were replaced by 2G cellular networks. They were first commercially launched by Nippon Telegraph and Telephone (NTT) in Japan. This was followed by the launch in 1981 of operations in Denmark, Finland, Norway, and Sweden controlled by Nordic Mobile Telephone (NMT). NMT was the first to launch international roaming. Advanced mobile phone system (AMPS) was the first mobile phone system widely deployed in North America.

Security Issues and Drawbacks

1G was unencrypted and vulnerable. Anyone with an all-band radio receiver could listen in to the conversation. The frequency division multiple access (FDMA) mechanism was used, which required large bandwidths. Different countries followed their own standards, which were incompatible, and 1G also had poor sound quality.

Second-Generation Cellular Network

2G mobile services were commercially launched on the GSM standard in Finland by Radiolinja in 1991. Radio signals on 2G networks are digital, and fast out-of-band phone-to-network signaling is used. The primary benefits of a 2G network over its predecessor were more efficient service, signals that were digitally encrypted during the transmission, and the provision of data services. 2G was followed by newer technologies such as 2.5G, 2.75G, 3G, 4G, and 5G.

Depending on the type of multiplexing used, 2G technologies can be categorized into two types of systems: time division multiple access (TDMA) and code division multiple access (CDMA). The main 2G standards are GSM, IS-95 (CDMA One), PDC, and iDEN.

The capacity of a 2G network is much greater than that of its predecessor, due to the use of digital signals instead of analog signals for the transmission of data between the network and the end user. More calls can be transmitted within the same bandwidth by employing compression and multiplexing techniques. The only problem is that the weaker digital signal that is transmitted by a mobile phone may not be sufficient to reach the cell tower. However, this will only be a problem when the signal is transmitted on higher frequencies. Since telecom regulations vary between different countries, this problem may not persist everywhere. Digital signals tend to perform better when the signal strength is strong, but they become worse when the signal strength is poor. Digital calls are free from static (white noise) and background noise (noise from the environment).

The 2.5G and 2.75G technologies were implemented to help bridge the gap between 2G and 3G cellular networks. 2.5G implemented packet-switched networks in addition to circuit-switched networks. This is where the introduction of the general packet radio service (GPRS) takes place. 2.75G was brought into existence along with enhanced data rates for GSM Evolution (EDGE) networks, which employed 8PSK (phase-shift keying) encoding schemes. This is a backward-compatible digital mobile phone technology that brought forward enhanced rates for data transmission. GPRS provides a data transmission rate of 50 kbps (40 kbps practically), whereas EDGE offered speeds of up to 1 Mbps (500 kbps practically). Internet service was first launched by NTT DoCoMo in Japan in 1999. 2G made services such as text messaging, call forwarding, and caller ID possible. Most network operators are planning to phase out 2G services by 2017.

Security Issues and Drawbacks

2G does not perform proper authentication. The lowest level of encryption is easily crackable with a laptop. No data integrity algorithms are used either. Cryptographic algorithms used for security (A5/1 and A5/2) are exploited only for authenticating the user to the network and not vice versa.

Third-Generation Cellular Network

3G cellular networks are the networks that comply with IMT-2000 specifications. The first precommercial and commercial launches were done by NTT DoCoMo in Japan. 3G offers greater security as mutual authentication between networks and terminals is used. Universal Mobile Telecommunications System (UMTS) and CDMA2000 phase 2 are two of the most important 3G technologies. Since it is an IP network, 3G and its users are exposed to all kinds of threats that are currently being faced by Internet service providers.

Security in UMTS was boosted with enhancements such as mutual authentication and strong encryption with 128-bit key lengths. Network access security in UMTS is achieved by the Authentication and Key Agreement (AKA) Protocol. This is an enhanced version of the authentication mechanism used in GSM 2G networks. Unlike GSM, wherein only networks authenticate users, AKA provides a mechanism for mutual authentication.

The three main entities involved in this process are the user (MS or USIM), the serving network (visitor location register [VLR] or serving GPRS support node [SGSN]), and the home environment (home location register/authentication center [HLR/AuC]). The serving network is the actual network that the user connects to, and the home environment is the network to which the user originally subscribed. Circuit-switched and packet-switched services are handled by the VLR and SGSN, respectively. The HLR plays a vital role in the process as it is the place where the user database resides, next to the AuC (Figure 18.1).

The three stages in AKA are (1) initiation, (2) transfer of credentials, and (3) challenge-response exchange. During the first stage, initiation, the mobile station sends its IMSI/TMSI number to the network. Based on the type of identity received from the mobile station, the network initiates the authentication procedure. In the second stage, transfer of credentials, the security credentials of the user are transferred by the HLR to the VLR. These credentials are also referred to as an authentication vector (AV). The HLR may send multiple AVs to the VLR for a specified user. The Mobile Application Part (MAPsec) Protocol might be used for the establishment of secure channels between the HLR and VLR. In the third stage, the challenge and response transmissions occur.

Figure 18.1 AKA authentication in 3G UMTS and CDMA2000.

CDMA2000 made significant improvements to previous CDMA security schemes for the following reasons:

■  Weakness of CAVE, CMEA, and ORYX algorithms

■  Weakness of 64-bit keys

■  Lack of mutual authentication

CDMA2000 adopted the AKA Protocol with some changes. These changes can be seen in the implementation of new cryptographic functions such as f11 and UMAC. The UIM authentication key (UAK) is generated by f11 to be included in the AV, and UMAC is the message authentication function of UAK. Rogue shell attacks can be prevented by using UAK. Rogue shell refers to a mobile unit that does not remove its CK and IK even after its UIM is removed. In this attack, a mobile unit can still make fraudulent calls by using the still-active CK/IK until the registration is removed or a new AKA challenge is initiated. UMAC also provides an efficient reauthentication method.

Security Issues and Drawbacks

3G falls back on 2G when the 3G network is not available, compromising the security of the user. International mobile subscriber identity (IMSI) is sent in clear text when allocating temporary mobile subscriber identity (TMSI) to the user. The transmission of IMEI is not secured. The user can be lured to camp on a fake base station (BS). Once this connection is established, the user will be out of reach of the paging signals of the signaling network.

In AKA, the authentication of the user by the network is done by a one-pass challenge-response mechanism, but the user verifies the network only by the message authentication code (MAC), so AKA in its present form does not provide full mutual authentication. Full mutual authentication can only be done by using a challenge-response mechanism in both directions. However, it is not implemented for performance reasons.
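The three AKA stages described in the 3G section and the MAC-based network check discussed above, as an added example (not code from the chapter or from any 3GPP implementation). It assumes HMAC-SHA256 as a stand-in for the 3GPP f1 to f5 functions, omits the AMF field, and uses hypothetical class names with a constructed IMSI and key.

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for the 3GPP f1..f5 functions (assumption: truncated HMAC-SHA256)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AuthError(Exception):
    pass


class HomeEnvironment:
    """HLR/AuC: holds the long-term key K and a sequence number per subscriber."""

    def __init__(self):
        self.subs = {}  # imsi -> [K, SQN]

    def provision(self, imsi: str, k: bytes) -> None:
        self.subs[imsi] = [k, 0]

    def authentication_vector(self, imsi: str) -> dict:
        rec = self.subs[imsi]
        rec[1] += 1  # a fresh SQN for every vector
        k, sqn = rec[0], rec[1].to_bytes(6, "big")
        rand = os.urandom(16)
        mac = prf(k, b"f1", sqn + rand, 8)  # network authentication token
        ak = prf(k, b"f5", rand, 6)         # anonymity key that conceals SQN
        return {"RAND": rand, "XRES": prf(k, b"f2", rand, 8),
                "CK": prf(k, b"f3", rand, 16), "IK": prf(k, b"f4", rand, 16),
                "AUTN": xor(sqn, ak) + mac}


class ServingNetwork:
    """VLR/SGSN: never sees K, only the AVs handed over by the home environment."""

    def __init__(self, he: HomeEnvironment):
        self.he, self.pending = he, {}

    def challenge(self, imsi: str):
        av = self.he.authentication_vector(imsi)  # stage 2: transfer of credentials
        self.pending[imsi] = av
        return av["RAND"], av["AUTN"]             # stage 3: challenge

    def verify(self, imsi: str, res: bytes):
        av = self.pending.pop(imsi)
        if not hmac.compare_digest(res, av["XRES"]):
            raise AuthError("RES mismatch")
        return av["CK"], av["IK"]


class USIM:
    def __init__(self, imsi: str, k: bytes):
        self.imsi, self.k, self.sqn = imsi, k, 0

    def respond(self, rand: bytes, autn: bytes):
        if len(autn) != 14:
            raise AuthError("MAC failure")
        ak = prf(self.k, b"f5", rand, 6)
        sqn = xor(autn[:6], ak)
        # The user's only assurance about the network: the MAC and a fresh SQN.
        if not hmac.compare_digest(prf(self.k, b"f1", sqn + rand, 8), autn[6:]):
            raise AuthError("MAC failure")
        n = int.from_bytes(sqn, "big")
        if n <= self.sqn:  # simplified check: strictly increasing SQN
            raise AuthError("SQN not fresh")
        self.sqn = n
        return (prf(self.k, b"f2", rand, 8), prf(self.k, b"f3", rand, 16),
                prf(self.k, b"f4", rand, 16))


def demo() -> dict:
    k = bytes(range(16))       # constructed test key
    imsi = "001010000000001"   # constructed IMSI
    he = HomeEnvironment()
    he.provision(imsi, k)
    vlr, usim = ServingNetwork(he), USIM(imsi, k)
    out = {}
    rand, autn = vlr.challenge(imsi)        # stage 1 (identity) precedes this call
    res, ck, ik = usim.respond(rand, autn)
    out["mutual_auth"] = vlr.verify(imsi, res) == (ck, ik)
    for name, (r, a) in {"replay": (rand, autn),
                         "forged": (bytes(16), bytes(14))}.items():
        try:
            usim.respond(r, a)
            out[name] = "accepted"
        except AuthError as e:
            out[name] = str(e)
    return out


if __name__ == "__main__":
    print(demo())
```

The replayed challenge carries a valid MAC and is rejected only because its SQN is stale, which is why the USIM must keep sequence state in addition to checking the MAC.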

Information Security

In order for security to be efficient in all the main sectors, it must be implemented in all portions of the network and processing components. Regrettably, this is not something that comes easy for cellular and wireless networks. In attempting to avoid security problems like the ones that overwhelmed the 1G cellular systems, network designers must implement security into any new technology, as it can’t be added as an afterthought. In order for all security aspects in 4G technology and cellular networks to be implemented and maintained properly, these major players (government regulators, network infrastructure providers, equipment providers, service providers, and the end-device user) must work together and apart to create a secure wireless system.

Before pursuing the design and implementation of wireless security, you must first understand what the vague concept of security really means. In this specific case, wireless security is a blend of wireless channel security, or the security of the radio transmissions; and network security, or the security of the wired network through which data is transmitted.

Security Analysis

The infrastructure for cellular networks is immense and intricate with numerous entities working together, such as the IP Internet working in part with the core network. Thus, a challenge is presented for the network to provide security at every possible communication path.

Goals and Objectives in Security

Some of the goals and objectives of security are as follows:

1.  Making sure that information generated by or relating to a user is suitably protected against misapplication or misappropriation

2.  Ensuring that the resources and services provided to end users are sufficiently protected against misapplication and misappropriation

3.  Guaranteeing that security features are compatible with worldwide availability

4.  Making sure that security features are sufficiently homogeneous to ensure worldwide interoperability and roaming between the different service providers

5.  Guaranteeing that the level of security afforded to users and service providers is better than the security in a modern-day fixed and mobile network

6.  Ensuring that the application of security features and mechanisms can be drawn out and enhanced as demanded by the rise of new threats and services

7.  Making sure that security features permit new “e-commerce” services and other advanced applications

The above-stated goals are a representation of what the policies and technologies used in wireless cellular networks should achieve when analyzing and implementing security. These objectives can be used as guidelines for better directing the efforts of security when defending against certain security dangers.

Boundaries and Limitations in Security

1.  Open wireless access medium: Since the actual transmission of information and data is being completed through wireless connections, the physical barrier keeping an attacker from accessing the network is nonexistent.

2.  Limited bandwidth: Due to channel conflict, users are forced to share the same medium, resulting in limited bandwidth.

3.  System complexity: With the evolution of mobile cellular networks, the complexity behind the networks has evolved as well, thus constantly bringing new security weaknesses to light.

4.  Relatively unreliable network connection: When comparing the reliability of wireless cellular networks to wired cellular networks, the wireless medium is much more volatile. Wireless networks have a much higher error rate.

Types of Security Issues

With the design of new cellular mobile systems over the past 30 years, the mobile devices that have followed have also become more and more complex. The physical layer of these devices has not changed much during the transition from 1G to 4G devices, but now that we are in the fourth generation, new layers of software have been implemented, adding a whole new weakness to mobile cellular devices. 4G wireless devices are known for their software applications, which provide advanced new features for users. Although these software applications can be beneficial and afford easier use, they introduce new types of security risks that can provide easier access and more avenues for hackers to attack.

The following are different security issues that need to be noted when examining cellular systems and their security risks:

1.  Authentication: Cellular networks have large quantities of subscribers, who have to be authenticated to guarantee that the correct subscribers are using the network. Its location is a very important factor in guaranteeing that the correct subscribers are using the network. As the number of subscribers using the network is getting bigger and bigger, issues relating to cross-region and cross-provider authentication arise.

2.  Integrity: With a growing number of ways to share information and communicate with one another, it’s important to guarantee that the data being transmitted does not get altered or corrupted. With services such as short message service (SMS), chat, and file transfer, it is important that the data arrives without any modification.

3.  Confidentiality: It is very important to ensure that the information being transmitted gets to the end user securely and successfully. Since there has been a major increase in the use of cellular phones for sensitive communication, there is a major need for secure channeling in order for information to transmit.

4.  Access control: Cellular devices may have files that need restricted access to be added to them. The device might also access a database where some form of role-based access control is required.

5.  Operating systems (OSs) in mobile devices: Cellular devices have progressed from having low processing power and ad hoc supervisors to having high power processors and fully functional OSs. Issues may become apparent in the OS, which could expose security holes that can be exploited by attackers.

6.  Web services: A Web service is a component that offers functionality, available through the web, using the Hypertext Transfer Protocol (HTTP) standard. This leaves the cellular device open to a number of different security issues such as viruses or malware, denial-of-service attacks, and eavesdropping or hijacking.

7.  Location detection: The physical location of a cellular device needs to be kept undisclosed for the privacy of the user. With the move to IP-based networks, the issue has arisen where a user may be linked with an access point, causing their location to be compromised.

8.  Device security: The mobile devices should have a fail-safe or application set in place that can be opened from another device, allowing the user to delete all the important information stored on the device, just in case of theft.

9.  Viruses and malware: With an increase in functionality being provided in cellular systems, problems arise in systems such as viruses and malware. A device that has been infected can also be a tool for attackers to attack the infrastructure of the cellular network by being part of a large-scale denial-of-service attack.

10.  Downloaded contents: Spyware or adware can be downloaded by the user, by accident or unwittingly, creating the potential for security issues to arise. Digital rights management is another major problem. Users can accidentally download unauthorized copies of videos, music, and games.

This analysis of the issues relating to wireless cellular networks and with wireless mobile devices is just a basic overview and does not define an overall solution for security. Instead, the concepts that have been listed are intended to help in the understanding of security problems that have become apparent through previous wireless generations or ones that may arise in future generations, such as 5G.

Types of Security Attacks

1.  Theft: One of the most common forms of attack, especially with the portability of mobile devices, is through physical theft of the device. The mobile device user runs the risk of losing all information and data stored on the device, including financial documents or personal pictures, when their device is stolen. Even more importantly, the people who use their device for business or work-related functions run the risk of devastating business implications, such as divulging sensitive customer and employee information as well as a host of other highly guarded corporate assets.

2.  DoS: One of the most dangerous types of attacks is a DoS attack. It has the ability to bring down an entire network infrastructure due to the excessive transmission of data to a network, resulting in users being denied access to network resources.

3.  Distributed denial of service (DDoS): It could be hard to launch a large-scale DoS attack from one single or original host. Instead, a large number of hosts can be used to launch an attack. An attacker tries to make a network resource or machine inaccessible to its anticipated users, with the intention of momentarily or indefinitely disturbing or suspending service. The big differentiation between a DoS and a DDoS attack is that during a DDoS attack, more than one, and often thousands of, unique IP addresses are involved.

4.  Channel jamming: Jamming the wireless channel is a method used by attackers to deny access to any authorized users in the network.

5.  Unauthorized access: If the proper authentication method is not deployed, then attackers may gain unrestricted access to a network, using it for services that attackers might not be normally allowed to access.

6.  Eavesdropping: This involves listening to the private conversations of others without the conversationalists’ consent. Eavesdropping may also be done over telephone lines, e-mail, and various other methods of private communication. Listening to a publicly broadcast message is not considered eavesdropping.

7.  Message forgery: When the network channel isn’t secure, attackers can intercept messages traveling in both directions and modify them without the users ever being informed.

8.  Message replay: Even if the network channel is secure, attackers can intercept an encrypted message and then replay it back at a later time. The victim of the attack may never know that the encrypted message received is not the original one.

9.  Phishing: These attacks make use of network communications to mislead users into installing malevolent software that leads the user to provide information that is sensitive or personal. A very common type of phishing on e-mail-enabled mobile devices is e-mail phishing. Other common forms of phishing are referred to as “vishing,” the phishing of voice calls; and “smishing,” the phishing of SMS/MMS messages.

10.  Malware: There are always software applications that seem authentic and non volatile. Almost anyone who has the capability and knowledge can create and develop apps for some of the most widely used service providers and mobile OSs. Some service providers provide access to third-party applications that have had no analysis of their safety for the end user. Users can even completely bypass their operating system lockout mechanism by jailbreaking a mobile device. Some quality examples of malware are applications running in the background of the user’s device that can build up long-distance bills, and code that self-propagates and infects devices and then spreads from one device to another through the address book.

Architecture of Security

When examining the security of cellular networks from a broad perspective, the overall architecture of security should have five important characteristics. The security architecture should be complete, efficient, effective, extensible, and user friendly.

The architecture should be efficient and effective, with security features and functionalities that are independent of their counterparts but still complete their overall purpose. The architecture should be extensible, constructed in such a way that new ideas and technologies can be implemented and built on to the existing architecture in a methodical way. Lastly, the architecture should be friendly to the user. The end users should not have to learn about security and how it works. If the user must interact with security, it should be easy for the user to understand.

4G Security (LTE and WiMAX)

Worldwide Interoperability for Microwave Access (WiMAX) and LTE are the two leading wireless technologies of the 4G mobile networks. Here, their history, architecture, and security overview are explained.

WiMAX Introduction

The demand for broadband wireless access technologies has been growing over recent years due to the increasing request for mobile Internet and wireless multimedia applications. WiMAX is a part of 4G wireless communication technology. Developed under a trademark of the WiMAX Forum (a not-for-profit association that certifies and promotes the compatibility and interoperability of broadband wireless products based on the Institute of Electrical and Electronics Engineers [IEEE] Standard 802.16), WiMAX is based on the IEEE 802.16 standard and was developed to deliver non-line-of-sight (NLoS) connectivity between a subscriber station and a base station. Mobile WiMAX was the first mobile broadband wireless access solution based on the IEEE 802.16e-2005 standard and adopted into the International Telecommunication Union (ITU), and it has become a leading global cellular wireless standard. However, if WiMAX wishes to continue being a leading wireless standard, focusing on security will be extremely important.

History of WiMAX

WiMAX technology expansion and fruition was due to the cooperation of the WiMAX Forum, the ITU, and the IEEE 802.16 Working Group (Working Group of Broadband Wireless Access Standards). The IEEE 802.16 Working Group develops standards and recommended practices to support the development and deployment of broadband wireless metropolitan area networks and is one of the numerous working groups (WGs) within the LAN/MAN Standards Committee (LMSC). The purpose of the LMSC is to develop and maintain networking standards and recommended practices for local, metropolitan, and other area networks, using an open and accredited process, and it advocates them on a global basis. The IEEE Working Group 802.16, along with the WiMAX Forum, became sector members of ITU-R (radio communications) in 2003. Recognition within the ITU gave WiMAX technology international credibility.

Evolution of Mobile WiMAX

IMT-2000, commonly known as 3G, became the foundation of the personal mobile communications industry due to its availability almost everywhere in the world. In 2011, ITU-R completed the next generation of global broadband technology, International Mobile Telecommunications—Advanced (IMT-Advanced), commonly known as 4G. IEEE 802.16 WG announced the amendment of the previous Mobile WiMAX standard, IEEE 802.16e, as a transition to IEEE 802.16m, which was to meet or surpass the current specifications of IMT-Advanced. Some of the upgrades with IEEE 802.16m included higher bandwidth, from 30 Mbps to 100 Mbps; a wider coverage area, which increased from 1–3 miles to 30–100 km; and interoperability with other technologies. Scalability in both network architecture and radio access technology also allows Mobile WiMAX, IEEE 802.16m, to have a great deal of flexibility with network offerings. Some of the most prominent features of Mobile WiMAX include:

■  High data rates and speed: Wireless connectivity can be offered in a very short amount of time for operators while enabling the Mobile WiMAX technology to support 1000 Mbps for mobile stations (MS) and 1 Gbps for fixed locations.

■  Mobility: Short latencies allow users to run multiple real-time applications without any interruption in service or quality and allow operators to provide a wide variety of different applications.

■  Quality of service (QoS): IEEE 802.16m supports revisions of service flow QoS parameters. Mobile stations (MS) and base stations (BS) negotiate the possible QoS parameter sets during setup of the service flow (Ahmadi, 2009). UGS, rtPS, nrtPS, ertPS, and BE are all types of QoS that WiMAX supports.

■  Cost: When compared with 3G, 4G is cheaper for cellular carriers to deliver.

■  Deployment opportunities: WiMAX allows operators to design their own networks. This allows them to capitalize on a strong market to receive a high return on investment (ROI).

Mobile WiMAX Architecture

The mobile WiMAX architecture has four main components. Figure 18.2 displays the basic components of an IP-based WiMAX network architecture.

The MS was added in the 2005 IEEE amendment, the IEEE 802.16e standard, in place of a subscriber station. The MS provides wireless connectivity when there is movement between BSs through handoff procedures.

Physical and medium access control (MAC) are the main layers of a BS. The BS acts as a connection or gateway point to other networks. Functions such as mobility and tunnel establishment, radio management, and handoffs are all performed through the BS.

Access service network gateway (ASN-GW) acts as the entrance point to the WiMAX network and controls location management, caching, network discovery and selection, and handover. The ASN gateway also acts as a Layer 2 traffic connectivity point with the MS (Figure 18.2).

Connectivity service network (CSN) involves routers, servers, and devices that provide all core network functions to the IP and connectivity to the Internet and various other networks. To add additional authentication processes for devices and users, an additional authentication and accounting server is added.

The protocol level is divided into two layers, the Media Access Control (MAC) layer and the physical layer (PHY). The MAC layer consists of three sublayers:

1.  Service specific convergence sublayer (CS): Classifies and maps MAC service data units (MSDUs).

2.  Common part sublayer (CPS): Responsible for bandwidth allocation, connection establishment, and connection maintenance.

3.  Security sublayer: Handles authentication, encryption, and exchange issues.

The PHY layer handles physical transportation, transmission, and reception of data as well as power control.

Figure 18.2 IP-based WiMAX network architecture.

WiMAX Security, Threats, and Solutions

Although WiMAX is known for its mobility, attackers do not need to be at a stationary location to make an attack, leaving the network more susceptible to an attack. In WiMAX’s protocol architecture, the security is implemented in the security sublayer, leaving the physical layer exposed and unprotected. Jamming, scrambling, and water-torture attacks cannot be prevented easily. Although many of the amendments focused on securing the MAC layer, threats on the PHY layer remain unresolved. Almost all security issues in a mobile WiMAX network reside in the sublayer. Man-in-the-middle attacks, DoS due to the continuous sending of packets, and threats to the physical layer are the largest threats to WiMAX security.

■  Threats to the physical layer: The two largest threats to the physical layer are blocking and rushing. Blocking triggers a strong frequency to the channel, which creates a DoS to all stations. Although detectable with a radio analyzer device, it is not preventable and can only notify the user of an attack so that the proper recovery steps can be taken.

■  Authentication: WiMAX networks use a privacy key management (PKM) protocol for management (Ahuja and Collier, 2010). PKM provides better privacy for traffic data through authentication and key management. It only allows three types of authentication:

–  RSA

–  Extensible Authentication Protocol (EAP)

–  RSA followed by EAP authentication

■  The authentication mechanism in the PKM protocol can cause a breach leading to man-in-the-middle attacks, which can expose subscribers to confidentiality attacks. In a man-in-the-middle attack, an attacker intercepts information being exchanged between two parties and tampers with the data, while making it seem as though the two parties are still communicating with one another. EAPs were added to IEEE 802.16e by amendment to help reduce the chances of attacks.

■  Encryption: Advanced Encryption Standard (AES) is the main encryption tool used by WiMAX, although it does use triple data encryption standard (3DES) as well. Encrypted data can only be exchanged through the WiMAX network after the successful exchange of keys. The AES was brought in by an amendment in IEEE 802.16e allowing the confidentiality of data traffic. Attackers can collect information in the area because standard management frames are not encrypted, allowing the possibility of an attack.

■  Availability: WiMAX uses RF Spectrum, which is a downfall as the higher the frequency, the more the BS range decreases. Legacy management frames effectively used by an attacker can cause legitimate stations to be disconnected. It wouldn’t be too difficult for an attacker to cause a jamming attack on all planned deployments as well.

■  DoS: Using the IP address to overflow the user’s network, DoS attacks are used to block communication and computer resources, making the user’s network unavailable. They are carried out by flooding the user with a large number of messages to authenticate. Although unpreventable, firewalls and other shared authentication information (SAI) protocols can be used to alert the user and resolve the issue as quickly as possible.

Although WiMAX is known to have reliable security, it is not a flawless system. We can expect WiMAX to take extensive measures in the future to clear up its security issues as it has done with its previous standards. When the aforementioned security threats are resolved, the security capabilities of WiMAX will be significantly increased.

4G LTE Introduction

4G Long-Term Evolution (4G LTE) is a 4G wireless communication technology. The 3rd Generation Partnership Project (3GPP) developed a strong security framework for the 4G LTE network based on five security feature groups. Although the strong outline of the architecture appears to have been put in place, many security vulnerabilities have been identified, particularly with mobile network operators (MNOs). Because of LTE’s open, all IP-based architecture, attackers can target mobile devices and networks with relative ease and attack their networks with a wide variety of options. Although a strong framework has been put in place, MNOs play a critical role in the maintenance and security of their 4G LTE networks.

History of 4G LTE

LTE is the brand name based on the 4G technology development efforts from the 3GPP. In order for LTE to succeed the 3G technology, the 4G technology had to meet specific high-level requirements, including

■  Higher spectral efficiency

■  Reduced cost per bit

■  Increased service provisioning by lowering the cost and increasing efficiency and experience

■  Open interfaces as opposed to the closed technologies of the past

■  Power consumption efficiency

■  Scalable and flexible usage of frequency bands

The 3GPP was in charge of bringing together technical specifications and developing telecommunications standards for the LTE network. Orthogonal frequency division multiplexing (OFDM) and multiple-input multiple-output (MIMO) were the technical specifications determined by the 3GPP. OFDM was chosen because it makes it possible to extend wireless access across wide systems, and MIMO was chosen because it allows enhanced throughput for given bandwidths. This higher throughput is one of the many advantages for network operators as well as low latency and operating costs. For the user, LTE allows faster data downloads and a vast improvement of the user experience.

4G LTE Architecture

The 4G LTE architecture has a few key differences compared with 3G architecture. Figure 18.3 shows the basic LTE system architecture. First, it only contains two types of network components: the eNode B, which incorporates all radio interface tasks in Evolved UMTS Terrestrial Radio Access Network (E-UTRAN); and the Access Gateway, which incorporates all Evolved Packet Core (EPC) functions. The EPC’s task is to connect the user to the IP network. The user equipment (UE) connects through the eNode B, which is located within the E-UTRAN. From there it is connected to the EPC, which connects to the network. This allows LTE to have greater efficiency due to its meshed architecture. All signaling protocols are IP based within the LTE network.

Figure 18.3 The 4G LTE system architecture.

4G LTE Security, Threats, and Solutions

The 3GPP, taking security into deliberation, developed the 4G LTE architecture based on five security features:

1.  Network access security, to provide the user with secure access to the service

2.  Network domain security, to protect the network elements and secure the signaling and user data exchange

3.  User domain security, to control secure access to mobile stations

4.  Application domain security, to establish secure communications over the application layer

5.  Visibility and configuration of security, bringing the opportunity for the user to check if the security features are in operation

However, as stated earlier in the introduction, security vulnerabilities have been identified because these features are discretionary. These features can only help as much as the MNOs understand about their LTE network security and choose to take action against threats, which causes a large number of inconsistencies in security implementation. These enhancements, although meant to help better protect the system, created the following potential security issues that need to be addressed:

■  Open architecture threats: LTE’s IP-based end-to-end deployment and open architecture configuration cause the MNO to share its security risks with other end users, as everyone is interconnected. In order to prevent this from occurring, interoperability standards were set with the agreement that each MNO would secure its network using preventative measures to make sure that any subscriber or user on its network is never compromised.

■  Location tracking and privacy: Although it is not considered a direct security threat, location tracking compromises privacy and security, which could become a direct security threat. Location tracking is caused when there is a UE presence in the network and it is being fed false authentication requests from an attacker. Attackers can further replay the intercepted authentication request and determine the presence of a specific phone in a certain location. When the UE receives a replay of an intercepted authentication request, it will send a synchronization failure request. This attack has the potential to enable location tracking, thus compromising privacy and security.

■  Infrastructure sharing: Due to varying security standards from multiple MNOs interconnecting with one another on a shared network, these types of arrangements pose high security threats. Lack of consistent security measures can increase the chance of an attack.

■  Risk of data loss: 4G LTE UE stores more data on the actual UE than any other generation due to the capabilities of the broadband network, but this can cause severe security issues, as UE lacks management tools. If an MNO allows an unsecure device on their network, access to user data can lead an attacker to have access to the user’s identity. This can lead to financial loss, personal information loss, breach of privacy, and even identity theft.

■  DoS: DoS attacks are possible in LTE networks and are perhaps the most serious threat, because the entire network could be shut down. Each new UE that gets added to the network will increase the complexity of the network. An attacker can enter the system undetected due to interconnectivity and pose a threat to the network if the situation isn’t resolved.
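
The distinguishable UE responses behind the location tracking and privacy issue above can be modelled in a few lines; this is an added example, not code from the original chapter. HMAC-SHA256 stands in for the operator's MAC function, the keys are constructed, sequence-number concealment is omitted, and the conceal_failure_cause option is a hypothetical hardening rather than 3GPP behaviour.

```python
import hashlib
import hmac
import os


def f1(k: bytes, rand: bytes, sqn: int) -> bytes:
    """Network-authentication MAC. HMAC-SHA256 is a stand-in (assumption);
    real USIMs use operator algorithms such as MILENAGE."""
    return hmac.new(k, rand + sqn.to_bytes(6, "big"), hashlib.sha256).digest()[:8]


class HomeNetwork:
    """Issues authentication requests (RAND, SQN, MAC) for one subscriber key."""

    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0

    def auth_request(self):
        self.sqn += 1
        rand = os.urandom(16)
        return rand, self.sqn, f1(self.k, rand, self.sqn)


class UE:
    """UE/USIM side of the check: verify the MAC first, then SQN freshness."""

    def __init__(self, k: bytes, conceal_failure_cause: bool = False):
        self.k, self.highest_sqn = k, 0
        self.conceal = conceal_failure_cause  # hypothetical hardening switch

    def handle(self, rand: bytes, sqn: int, mac: bytes) -> str:
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn)):
            cause = "MAC_FAILURE"      # request was built for another subscriber
        elif sqn <= self.highest_sqn:
            cause = "SYNC_FAILURE"     # valid MAC but stale SQN: a replay
        else:
            self.highest_sqn = sqn
            return "RES"               # fresh, genuine request
        # Hardened variant: one opaque failure, cause hidden from observers.
        return "FAILURE" if self.conceal else cause


def replay_outcome(conceal: bool):
    """Responses of (subscriber's UE, unrelated UE) to an already-used request."""
    k_target, k_other = b"T" * 16, b"O" * 16   # constructed sample keys
    net = HomeNetwork(k_target)
    target, other = UE(k_target, conceal), UE(k_other, conceal)
    request = net.auth_request()
    if target.handle(*request) != "RES":       # the genuine run succeeds once
        raise RuntimeError("genuine authentication should succeed")
    return target.handle(*request), other.handle(*request)


def responses_linkable(pair) -> bool:
    """True when an observer can tell the subscriber's UE from any other UE."""
    return pair[0] != pair[1]


if __name__ == "__main__":
    for conceal in (False, True):
        pair = replay_outcome(conceal)
        print(f"conceal={conceal}: {pair} linkable={responses_linkable(pair)}")
```

The difference between the two failure causes is the signal that reveals presence; when every failure looks the same on the air interface, the replayed request no longer separates one UE from another.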

The 3GPP developed a strong architecture for 4G LTE, but it is the responsibility of the MNOs to understand their networks and take proper precautions to maintain their network. Through proper design and deployment, proper protection can minimize the impact of various security threats inside a 4G LTE system network.

A 5G Future

The next evolutionary step in the mobile telecommunication standard is known as fifth generation or 5G. Currently, there is much discussion about what is expected of this new network, but much like the previous generations, it is anticipated to roll out 10 years after the previous generation, sometime around 2020.

5G is still in its infancy, and research regarding the architecture is still quite limited. Much of the discussion of 5G in this section will focus on the demands that 5G is anticipated to handle by its introduction, the possibilities of security, network architecture, and spectrum use.

To understand what is expected of 5G, it is important to understand what the network is expected to handle in the coming years. In May 2015, Cisco released its Cisco Visual Networking Index (VNI): forecast and methodology, 2014–2019. The VNI is a forecasted global traffic analysis for a 5-year span, relatively close to the rollout of 5G. All of the data relates to some form of global traffic, but some is directly related to mobile technology. The following are some of the forecasts.

1.  Over half of all IP traffic will originate with non-PC devices by 2019. In 2014, only 40% of total IP traffic originated with non-PC devices, but by 2019 the non-PC share of total IP traffic will grow to 67%. PC-originated traffic will grow at a CAGR* of 9%, while TVs, tablets, smartphones, and machine-to-machine (M2M) modules will have traffic growth rates of 17%, 65%, 62%, and 71%, respectively.

2.  Traffic from wireless and mobile devices will exceed traffic from wired devices by 2019. By 2019, wired devices will account for 33% of IP traffic, while Wi-Fi and mobile devices will account for 66% of IP traffic. In 2014, wired devices accounted for the majority of IP traffic at 54%.

3.  The number of devices connected to IP networks will be three times as high as the global population in 2019. There will be three networked devices per capita by 2019, up from nearly two networked devices per capita in 2014. Accelerated in part by the increase in devices and the capabilities of those devices, IP traffic per capita will reach 22 GB per capita by 2019, up from 8 GB per capita in 2014.

4.  Globally, mobile data traffic will increase tenfold between 2014 and 2019. Mobile data traffic will grow at a CAGR of 57% between 2014 and 2019, reaching 24.2 exabytes per month by 2019.

5.  Global mobile data traffic will grow three times faster than fixed IP traffic from 2014 to 2019. Global mobile data traffic represented 4% of total IP traffic in 2014 and will make up 14% of total IP traffic by 2019.

Not listed in the VNI is the projected use of wearable technology or the Internet of Things (IoT). The ITU in 2012 defined IoT as a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies. The ITU has two notes regarding IoT: (1) “through the exploitation of identification, data capture, processing and communication capabilities, the IoT makes full use of things to offer services to all kinds of application, while ensuring that security and privacy requirements are fulfilled” and (2) from one perspective, the IoT can be perceived as a vision with technological and societal implications.

Much of the research focuses on not only the mobile demands of 5G but also the demands that IoT will have as well. Communications companies such as BEEcube and Ericsson have all acknowledged that IoT is an important factor of 5G with billions of miscellaneous devices as a contributing factor.

Cisco places the number of IoT devices at around 50 billion by 2020. 5G will also provide wireless connectivity for a wide range of new applications and use cases, including wearables, smart homes, traffic safety/control, and critical infrastructure and industry applications, as well as for very high-speed media delivery. It is quite clear that 5G will have plenty of demanding applications in the near future.

With the anticipated growth in mobile use between now and 2020, much of the research has concluded that 5G will have to achieve higher data throughput and capacity than 4G. Because 5G is still in its infancy, the expected rates of 5G are anticipated to be over 1 Gbps to well over tens of gigabits per second.

5G Security

Even though security will be one of the top issues for 5G, very little has been published on what is necessary to secure all that data. Unlike the previous generations (2G–4G), 5G will in all likelihood have to establish a new trust model. A trust model is nothing more than the experience we have had with the previous generations. As the usage of mobile devices, wearable technology, and IoT expands, and with it the need to secure all the data collected amid ever-growing privacy concerns, the security measures that are put in place for 5G will have to build a new form of trust far beyond that of current generations.

One noted departure from the traditional cryptographic techniques is physical layer security, which has been identified as a promising strategy that provides secure wireless transmissions by smartly exploiting the imperfections of the communications medium. Two advantages of using physical layer security instead of cryptology are a reduced need for computational complexity and high scalability.

The suggestion to use physical layer security stems from computational complexity: security that depends on it assumes that current devices lack the ability to compromise the computational complexity, and next-generation devices may have that ability.

Device-to-device (D2D) communication is also an important aspect of security but will be addressed in another portion of this book. With billions of devices expected to rely on 5G, scaling computation security becomes more complex.

We must understand that different services/devices will rely on different network requirements. Monitoring sensor networks (assumed to be connected to 5G) use less bandwidth and require different delay times than virtual reality. Because of the increased demand and individual requirements for all the expected devices, the computational requirement to address the billions of devices on 5G will become increasingly complex. Physical layer security can be used either to provide direct secure data communication or to facilitate the distribution of cryptographic keys. To illustrate the difficulty in securing data from all of these devices, Cisco VNI forecasts that global IP traffic will surpass 2 ZB (2 billion TB) per year in 2019. This means that IP traffic will only continue to increase, growing to almost three times the original amount during the next five years.

HetNets

Many companies have begun to aim at the use of heterogeneous networks, or HetNets, for 5G use. HetNets are the provisioning of a cellular network through a combination of different cell types (e.g., macro, pico, femto cells) and different access technologies (1G, 2G, 3G, 4G, or Wi-Fi).

Supplementary features of a HetNet are nodes that have different coverage areas, transmitting powers, and radio access technologies that are created for the purpose of forming a multitier hierarchical architecture (Figure 18.4).

Much current research suggests that the current network architecture will not be able to handle 5G, and that a multilayered network (HetNet) is a possible solution. The overall aim of HetNet is to deliver an energy-efficient and spectrum-efficient solution that satisfies the dramatic progression in demands for data in future wireless applications. Ericsson has had some success in testing small HetNets to achieve data rates exceeding 5 Gbps over the air. This was achieved by using new antenna technology for wider bandwidths, higher frequencies, and short transmission time intervals and by building BSs for 5G with baseband and radio units.

D2D will be an important factor in 5G as well as HetNets. Not only will D2D have to address security issues, but it will be an integral part of HetNets as potential providers of data. It has been suggested that D2D communications should not only be considered when developing the architecture of 5G but that direct D2D communication should extend the capabilities and enhance the overall efficiency of the wireless-access network. With the opportunity to transmit data from one device to another, there have been a number of suggestions as to its potential. One suggestion is to use D2D communication so that a device with better geometry, the transmitter device, may act as a relay for the receiver device. This would essentially allow network access anywhere, as long as you are within the proximity of another device. The caveat to this is, of course, the significant security protocols that must be addressed to ensure the relaying device isn’t compromised.

Figure 18.4 A heterogeneous cellular network.

Massive MIMO

Massive multiple-input multiple-output (massive MIMO) is another suggested component of 5G, including the possibility of its use as physical layer security. By deploying a very large number of antennas (e.g., a few hundred) at BSs to serve multiple users at the same time, massive MIMO gains all the benefits provided by conventional MIMO but on a much larger scale.

Massive MIMO relies on the ability to have multiple data paths to multiple devices (Anritsu, 2015), while “the number of antenna arrays at the BSs is much larger, for example, 10 times, than the number of data streams served to all users in a cell.” By comparison, a current MIMO uses 2 or 4 antennas to transmit (Tx) and receive (Rx), whereas massive MIMO may be using 128 antennas (Figure 18.5).

Figure 18.5 Cellular network with the deployment of massive MIMO.

Low power consumption and artificial noise (AN) are two more benefits of a massive MIMO. Low power consumption allows a reduction in eavesdropping in two ways:

1.  Since the transmit power level is cut, the received signal-to-noise ratios (SNRs) at the eavesdroppers are highly reduced. This leads to a significant decrease in the eavesdroppers’ channel capacities.

2.  Given the transmit power and expected secrecy rate at the transmitter, the secrecy outage probability can be arbitrarily small when the number of antennas grows unbounded.
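
Both effects can be checked numerically with the standard secrecy rate, max(0, log2(1 + SNR_user) − log2(1 + SNR_eavesdropper)). The following is an added example, not code from the original chapter; it assumes i.i.d. Rayleigh fading, a single-antenna passive eavesdropper, maximum-ratio transmission toward the user, and noise power normalised to 1.

```python
import math
import random


def _cn(rng):
    """One sample of a unit-variance circular complex Gaussian, CN(0, 1)."""
    s = math.sqrt(0.5)
    return complex(rng.gauss(0, s), rng.gauss(0, s))


def secrecy_stats(antennas, tx_power, target_rate, trials=1000, seed=7):
    """Monte Carlo over Rayleigh fading (assumed channel model).

    Returns (mean user rate, mean eavesdropper rate, secrecy outage
    probability); rates are in bit/s/Hz, noise power is 1.
    """
    rng = random.Random(seed)
    user_sum = eve_sum = 0.0
    outages = 0
    for _ in range(trials):
        h = [_cn(rng) for _ in range(antennas)]   # BS -> legitimate user
        g = [_cn(rng) for _ in range(antennas)]   # BS -> eavesdropper
        h_norm2 = sum(abs(x) ** 2 for x in h)
        # Beam w = conj(h)/||h||: the user collects ||h||^2 (grows with the
        # array), the eavesdropper only |g.w|^2 (does not grow with it).
        leak = sum(gi * hi.conjugate() for gi, hi in zip(g, h))
        snr_user = tx_power * h_norm2
        snr_eve = tx_power * abs(leak) ** 2 / h_norm2
        c_user = math.log2(1 + snr_user)
        c_eve = math.log2(1 + snr_eve)
        secrecy = max(0.0, c_user - c_eve)
        user_sum += c_user
        eve_sum += c_eve
        outages += secrecy < target_rate          # outage: target not met
    return user_sum / trials, eve_sum / trials, outages / trials


def power_cut(reference_power=10.0, sizes=(4, 128), target_rate=2.0):
    """Way 1: transmit power reduced as 1/M while the array grows."""
    return {m: secrecy_stats(m, reference_power / m, target_rate) for m in sizes}


def fixed_power_outage(tx_power=1.0, sizes=(4, 128), target_rate=2.0):
    """Way 2: fixed power and target secrecy rate, more antennas."""
    return {m: secrecy_stats(m, tx_power, target_rate)[2] for m in sizes}


if __name__ == "__main__":
    for m, (c_user, c_eve, _) in power_cut().items():
        print(f"M={m:3d} power=10/M  user={c_user:.2f}  eavesdropper={c_eve:.2f}")
    for m, p_out in fixed_power_outage().items():
        print(f"M={m:3d} power=1     secrecy outage={p_out:.3f}")
```

With the power cut, the user's rate stays roughly constant while the eavesdropper's mean rate collapses; at fixed power, the outage probability for the 2 bit/s/Hz target falls toward zero as the array grows.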

AN is currently used in MIMO systems, but the possibility for its use in massive MIMO hasn’t been fully examined. AN proves an effective way to cause interference to the eavesdroppers and degrade their received signals. However, researchers have stated that AN signals in a spatial null space may not be practical since the computation complexity of the null space is extremely high for the large-dimensional channel matrix.

Massive MIMO is still being researched, and while many suggest its possibilities, it is not without its technical hurdles. The following is a list of potential concerns:

1.  High-order MIMO can have issues with radio interference, so technology is required to help mitigate this problem. This tends to focus on the need for the radio network to adjust its beam to take into account the specific orientation of the antenna at any given time.

2.  The digital signal processor (DSP)* processing power required to implement high-order modulation schemes across many antennas and many sectors, as with massive MIMO, is immense. Tens of thousands to hundreds of thousands of multiply-accumulate (MAC) units will be required, with each running at hundreds of megahertz.

3.  Considering wireless signal propagation characteristics, the massive MIMO antenna and millimeter wave communication technologies will obviously reduce cell coverage.

4.  To date, the processing power required means that the deployment of massive MIMO is not suitable for portable devices due to its size and power consumption, and so first deployments are focused more on fixed wireless access schemes and the provision of wireless backhaul to a dense deployment of small cells.

5.  A significantly more advanced baseband computation is required to meet the complex requirements of new solutions such as mass-scale MIMO.

Currently, OFDM is the multiplexing scheme suggested for 5G, mainly because it is the trusted model currently used with 4G. As previously mentioned, the number of devices that will rely on 5G may have a significant impact on whether OFDM will be used. Duplexing will also likely have to change for 5G. While frequency division duplexing (FDD) will likely stay for low frequency bands and is currently used for MIMO systems, many have indicated that in a massive MIMO, time division duplexing (TDD) will be a likely solution because the frequencies will be above 10 GHz.

TDD is when the transmitter and receiver transmit at different times but use the same frequency. TDD has many qualities that will give it an important role in 5G, specifically because FDD limits the number of antennas, unlike TDD. TDD is significantly more secure than FDD. TDD not only allows for more dynamic use, but is expected to be employed in dense deployments accessing low-power base-stations deployed both indoors and outdoors at street level.

Figure 18.6 Deployment of mmWave BSs.

The BS with massive antenna arrays obtains the uplink channel state information (CSI) via uplink pilot signals from the users. It then obtains the downlink CSI, relying on the reciprocity between the uplink and downlink. As such, it becomes difficult for eavesdroppers to determine the CSI between themselves and the BS, as well as the CSI from other users to the BS. From TDD, the next consideration has been full-duplex; this means simultaneous transmission and reception on the same carrier frequency, which essentially doubles the capacity of FDD or TDD. Much research still needs to be conducted to determine if full-duplex will be useful for 5G, but the key issue with full-duplex will be to resolve the transmit–receive isolation problem.

Millimeter Wave

Current cellular providers have a limited carrier frequency spectrum of between 700 MHz and 2.6 GHz, and these limits are nearly occupied. Many have suggested that, to overcome the limits of these frequency allocations, research needs to be done into the mmWave spectrum, which occupies frequencies from 30 to 300 GHz. One of the most noted benefits of mmWave currently is not only the expansion of bandwidth channels but also higher data transfer. Much like massive MIMOs, mmWave isn’t without its problems. Besides the need for further research into the development and distribution of mmWave, its technological and regulatory challenges, including its limited transmission range, are yet to be addressed (Figure 18.6).

Conclusion

Understanding the evolution of wireless security is important as we look at the fourth and fifth generations. It becomes clear that security in the generations has been reactive to threats. 4G saw significant strides in design, capacity, security, and efficiency. Although these improvements were made, new security threats and risks are created and developed with each new wireless network. Also, with new designs come new expectations and innovations.

The IoT will come with security procedures and solutions that can only currently be speculated about as we look toward the unknown 5G. Just as the previous generations have shaped the ones that follow, 4G is providing insight into the dynamic requirements needed to launch the 5G network. For the next few years, securing 4G communication should remain a top priority while the research and development of 5G continues.

While capacity, security, and connectivity are sure to increase, there are still a lot of questions that are yet to be answered about 5G. Security for 5G should be proactive and should be established prior to its official launch in efforts to secure data and reduce attacks. Regulatory issues regarding spectrum use and security should also be addressed in efforts to ensure that 5G is more successful and dynamic than the previous generations. This is especially important if this generation is to be the final evolution.

QUESTIONS

1.  WiMAX is based on which IEEE standard?

a.  IEEE 802.17

b.  IEEE 802.16

c.  IEEE 802.18

d.  IEEE 802.15

2.  Which cellular generation brought with it the use of graphics, video, and audio applications?

a.  1G

b.  2G

c.  3G

d.  4G

3.  What type of security threat has the ability to bring down the entire network infrastructure?

a.  DoS

b.  Channel jamming

c.  Theft

d.  Message forgery

4.  What is not an AKA protocol stage?

a.  Initiation

b.  Transfer of credentials

c.  Strong encryption

d.  Challenge response exchange

5.  Which cellular generation is known as the analog generation?

a.  1G

b.  2G

c.  3G

d.  4G

6.  By the year 2019, the non-PC share of IP traffic is estimated to grow by how much?

a.  45%

b.  90%

c.  67%

d.  52%

7.  Which architecture component acts as a connection or gateway point in mobile WiMAX networks?

a.  Mobile station (MS)

b.  Base station (BS)

c.  Access service network gateway (ASN-GW)

d.  Connectivity service network (CSN)

8.  Which was not a specification that 4G LTE needed to meet in order to succeed 3G?

a.  Higher spectral efficiency

b.  Power consumption efficiency

c.  Scalable and flexible usage of frequency bands

d.  Packet-switched network implementation

9.  Which 5G communication method could allow network access anywhere within the proximity of another device?

a.  Device to device (D2D)

b.  Massive multiple-input multiple-output (MIMO)

c.  Artificial noise (AN)

d.  Frequency division duplexing (FDD)

10.  Which multiplexing scheme is currently being suggested for 5G?

a.  Code division multiplexing (CDM)

b.  Orthogonal frequency division multiplexing (OFDM)

c.  Polarization-division multiplexing (PDM)

d.  Time division multiplexing (TDM)

* MS is a mobile station in a GSM mobile system that contains a USIM application module. USIM is Universal Subscriber Identity Module, a software application for UMTS mobile telephony, which runs on a UICC and is inserted in a 3G mobile phone.

* An international mobile subscriber identity (IMSI) is a unique number, usually 15 digits, associated with Global System for Mobile Communications (GSM) and Universal Mobile Telecommunications System (UMTS) network mobile phone users. The IMSI is a unique number identifying a GSM subscriber. MSI is a local country mobile subscriber number.

A UMAC is a fast and secure message and authentication system using message authentication code that employs universal hashing.

User identity modules (UIM), particularly R-UIM, i.e., removable user identity modules, are cards in phones that allow them to connect to both CDMA wireless networks and GSM wireless networks.

§ CK and IK are session keys for confidentiality (CK) and for integrity (IK).

IMEI is an international mobile station equipment identity, which is a number to identify 3GPP, GSM, UMTS, LTE, and iDEN mobile phones, as well as some satellite phones.

* CAGR is the compound annual growth rate for global mobile units and global mobile data traffic.

* A DSP is a specialized microprocessor with its architecture optimized for digital signal processing. The goal of DSPs is to measure, filter, and/or compress continuous real-world analog signals.

In networking, media access control (MAC) and MAC addresses are commonly described since all wire or fiber networks connect directly to a MAC unit, which is the unit that directly attaches the device to the media whether it be wire or fiber transport media. However, in wireless networks, the MAC acronym is reused to indicate multiply-accumulate units, once again MAC. A multiply-accumulate unit (MAC) is the main computational kernel in DSP architectures. The MAC unit determines the power and the speed of the overall system; it always lies in the critical path. Developing high-speed and low-power MAC is crucial to using DSP.
