4G LTE: Architecture and Security Concerns

imagensecforcepost.png

4G is the fourth generation of mobile communication standards and it is very well underway to succeed the 3G technology and offer broadband performance, voice-video multimedia applications, significant increases in data rates and even better security(?).

The main difference about 4G wireless networks is that they operate entirely on TCP/IP architecture. Only packet-switched communication is supported for improved performance and all signaling and control network protocols are IP-based, thus, making the standard cost-effective and compatible across heterogeneous technologies.

The Architecture on a high-level:

Network-diagram.jpg

The components:

E-UTRAN:

The eNodeB (eNB) is the only network element in LTE with the task of establishing radio communication with the User Equipment (UE – a 4G capable mobile device) and respectively with the EPC (MME, S-GW) over the transport layer. eNodeBs can be considered the equivalent of an enhanced Base Station. An alternative to the eNodeB, the HeNB (Femtocell) functions as a low-power base station which is owned by the network provider and is designed to provide coverage and capacity solutions in indoors spaces.

EPC:

The MME (Mobile Management Entity) is a key element of LTE as far as control operations are concerned. The MME unit, similarly to the VLR in 3G, is responsible for signaling, tracking the location of idle UEs, user authentication and the selection of the most optimal S-GW for the UE based on network topology and the location of the UE within the network.

The HSS (Home Subscriber Service) is a component of the UE’s home network and, very much like the Home location register (HLR) in 3G, works as a central database containing subscription-related information, service and mobility data. Moreover, it keeps track of the user’s current MME address and holds pre-shared key material used to generate session authentication data which serves authentication purposes. The authentication method in LTE is again a challenge-response protocol which is completed between the UE and the MME based on the information that the HSS has generated and provided.

The main responsibility of the S-GW is to relay data between the eNodeB and the PDN gateway. S-GW acts as a router. Among others, the serving gateway will handle the redirection of data flow to a new eNodeB in case of a handover.

The PDN communicates user data to and from external data networks (service operator’s wireline network, Internet) and as a result, operates very similarly to the GPRS support node (GGSN) in UMTS and GSM. In other words, it allows the UE to communicate with entities outside the service provider’s main IP network. The most important functions of this LTE component are as follow: IP allocation to the UE, maintaining connection the network while moving from one place to another, billing – charging support, Quality-of-service (QoS) functions, packet filtering.

The Policy and Charging Rule Function (PCRF) is a software node which is responsible for policy enforcement, as well as for controlling the flow-based charging functionalities which reside in the P-GW. The PCRF will provide QoS information to the PDN, determine charging policy for data packets and dynamically manage data sessions.

Many of the new features work as improvements compared to 4G’s predecessors and one can identify many advantages in terms of performance, speed and security (higher-strength encryption, IP based configuration as opposed to 3G radio, etc.)

However, the question remains; how well are we prepared for this new wave of technology, how ahead and to what extent have we planned for this?

Location Tracking

One of the most important requirements of LTE is seamless mobility support across eNBs. Handovers are to be handled fast and transparently without causing any disruption to the communication flow.

When our UE currently associated with eNB1 moves closer to the coverage area of eNB2, the former sends coupling information to the latter. Then, eNB1 commands the UE to change the radio bearer to eNB2 and for that purpose forwards the handover command which contains connection specific information (C-RNTI, RACH Random Access Channel preamble, expiry date). The handover is complete after the UE forwards the identifier C-RNTI to the new eNB (like an ACK/confirmation message) and the eNB2 notifies the MME of the handover.

The UE sends this temporary identifier (C-RNTI) optionally in cleartext making it possible for a passive attacker to determine whether the UE has moved to a different cell. Having said that, an attacker is able to link the new and the old C-RNTIs and eventually track the UE over different cells.

Femtocells

When a femtocell provides better signal over a regular tower it is preferred by nearby UE devices. The problem is that connection to a femtocell can be transparent, meaning that a user does not often know he is connected to one, therefore, enabling an attacker who controls a tampered device to intercept user data in transit. Latest demonstrations of compromised and enhanced in power femtocell units show that this concern is not unfounded at all, as an attacker suitably positioned in crowded, public spaces could potentially track the activities of all nearby 4G devices.

Open Architecture

The 4g LTE network is an all-IP network with millions of very diverse components. Additionally, its development is coupled with a necessity for moving from the older, proprietary operating systems for handheld devices to open, standardized ones. Since all these devices will be operating on the network layer they become dynamically susceptible to all the existing attack techniques and methods present on the Internet (or any other IP based network) today. For instance, downloading malicious content can now affect the network on a larger scale and to a greater extent. This might signify a shift of security concerns towards the end user’s technology (smartphones, laptops, dongles etc.) rather than the network protocols in place.

It is also very likely that new issues will arise or become more common due to the untried nature of the 4G standard. For example, instances of attacks associated with VoIP (DoS, SPIT spam over Internet Telephony, Voice Service Theft, Registration Hijacking) are likely to increase exponentially due to the immense expansion of the attack surface. Finally, an availability concern is how the newly introduced encryption schemes will affect the performance of this IP-based infrastructure.

Other 4G related attacks can be found in academic literature:

–    Scrambling – Interference attacks

–    Denial of Service – Bandwidth stealing attacks

Finally, we need to keep in mind that as 4G LTE is not backwards compatible with 3G and, therefore, there is no fallback position in this case. Consequently, it becomes clear that security is of paramount importance to its success.

You may also be interested in...

imagensecforcepost.png
Dec. 5, 2012

Bring your own device (BYOD) security challenges

BYOD is a business policy which encourages employees to bring their personal devices (laptops, tablets, mobile phones) to the corporate environment and perform business tasks with them.

See more
imagensecforcepost.png
Dec. 14, 2012

Is traditional penetration testing effective at identifying risk?

The challenge for many board members is how to ascertain the validity of what they are being told in relation to the health of their defences. What unknown risks are being carried? There is a high risk of false assurance from internal departments reporting up the chain.

See more