Pages

Showing posts with label GSM. Show all posts
Showing posts with label GSM. Show all posts

Sunday, 30 June 2013

Multi-RAT mobile backhaul for Het-Nets

Recently got another opportunity to hear from Andy Sutton, Principal Network Architect, Network Strategy, EE. His earlier presentation from our Cambridge Wireless event is here. There were many interesting bits in this presentation and some of the ones I found interesting is as follows:

Interesting to see in the above that the LTE traffic in the backhaul is separated by the QCI (QoS Class Identifiers - see here) as opposed to the 2G/3G traffic.




This is EE's implementation. As you may notice 2G and 4G use SRAN (Single RAN) while 3G is separate. As I mentioned a few times, I think 3G networks will probably be switched off before the 2G networks, mainly because there are a lot more 2G M2M devices that requires little data to be sent and not consume lots of energy (which is an issue in 3G), so this architecture may be suited well.


Finally, a practical network implementation which looks different from the text book picture and the often touted 'flat' architecture. Andy did mention that they see a ping latency of 30-50ms in the LTE network as opposed to around 100ms in the UMTS networks.


Mark Gilmour was able to prove this point practically.

Here is the complete presentation:



Monday, 17 December 2012

2 Presentations on Mobile technology Security

Tuesday, 16 October 2012

Extended Access Barring (EAB) in Release 11 to avoid MTC overload

M2M is going to be big. With the promise of 50 Billion devices by 2020, the networks are already worried about the overloading due to signalling by millions of devices occurring at any given time. To counter this, they have been working on avoiding overloading of the network for quite some time as blogged about here.

The feature to avoid this overload is known as Extended Access Barring (EAB). For E-UTRAN, in Rel-10, a partial solution was implemented and a much better solution has been implemented in Rel-11. For GERAN a solution was implemented in Rel-10. The following presentation gives a high level overview of EAB for E-UTRAN and GERAN.



In Rel-11, a new System Information Block (SIB 14) has been added that is used specifically for EAB. Whereas in Rel-10, the UE would still send the RRCConnectionRequest, in Rel-11, the UE does not even need to do that, thereby congesting the Random Access messages.

The following is from RRC 36.331 (2012-09)
***

–                SystemInformationBlockType14

The IE SystemInformationBlockType14 contains the EAB parameters.
SystemInformationBlockType14 information element
-- ASN1START

SystemInformationBlockType14-r11 ::= SEQUENCE {
    eab-Param-r11                        CHOICE {
       eab-Common-r11                       EAB-Config-r11,
       eab-PerPLMN-List-r11                 SEQUENCE (SIZE (1..6)) OF EAB-ConfigPLMN-r11
    }                                                  OPTIONAL, -- Need OR
    lateNonCriticalExtension             OCTET STRING          OPTIONAL, -- Need OP
    ...
}

EAB-ConfigPLMN-r11 ::=               SEQUENCE {
    eab-Config-r11                   EAB-Config-r11            OPTIONAL -- Need OR
}

EAB-Config-r11 ::=               SEQUENCE {
    eab-Category-r11                 ENUMERATED {a, b, c, spare},
    eab-BarringBitmap-r11            BIT STRING (SIZE (10))
}

-- ASN1STOP

SystemInformationBlockType14 field descriptions
eab-BarringBitmap
Extended access class barring for AC 0-9. The first/ leftmost bit is for AC 0, the second bit is for AC 1, and so on.
eab-Category
Indicates the category of UEs for which EAB applies. Value a corresponds to all UEs, value b corresponds to the UEs that are neither in their HPLMN nor in a PLMN that is equivalent to it, and value c corresponds to the UEs that are neither in the PLMN listed as most preferred PLMN of the country where the UEs are roaming in the operator-defined PLMN selector list on the USIM, nor in their HPLMN nor in a PLMN that is equivalent to their HPLMN, see TS 22.011 [10].
eab-Common
The EAB parameters applicable for all PLMN(s).
eab-PerPLMN-List
The EAB parameters per PLMN, listed in the same order as the PLMN(s) occur in plmn-IdentityList in SystemInformationBlockType1.

***

Here is my attempt to explain the difference in overload control mechanism in Rel-8, Rel-10 and Rel-11. Please note that not actual message names are used.





As usual, happy to receive feedback, comments, suggestions, etc.

Wednesday, 20 July 2011

NSN Celebrating 20 years of GSM

Its been 20 years since the first GSM call was made and GSM is still as relevant today as it was 10 years back.My earlier post today was about the technology deployment and adoption trends and my guess is that GSM/GPRS will be still relevant for long time to come especially its de-facto fallback for the roaming calls. Some Facts about GSM that would should know:* First network launched in 1991* There are 838 GSM Networks in 234 countries with 4.4 Billion subscribers* In 2010, 1.44 million GSM subscribers were added every day* 545 EDGE networks in 198 countries with 1.5 Billion subscribers* By 2015, 1.5billion GSM M2M subscribers will be present

Here is a presentation from NSN about 20 years of GSM and since they had the privilege of launching the first commercial network I am sure they have a good reason to celebrate.

20 Years of GSM: Past, Present & Future
View more presentations from Nokia Siemens Networks
A new section on 3G4G website on GSM has been added here.

Sunday, 17 July 2011

Network Mode of Operation (NMO)

Picture Source: Tektronix

The Network Mode of Operation (NMO) is also sometimes referred to as Network Operation Mode (NOM). The Network Modes have different values and interpretation in UTRAN and GERAN

In both the cases the Operation modes is decided based on the Gs interface between the CS CN (core network) a.k.a. MSC and the PS CN a.k.a. SGSN

In UTRAN:

Network Operation Mode I (NMO-I) is used when the Gs interface is present. In this case during the registration a Combined Attach (includes GPRS Attach & IMSI Attach procedures) procedure can be performed. A GMM Attach Request message with the attach type set to Combined Attach is used. Upon completion of this procedure, MM Status is IMSI Attached and GMM State is Attached.

In Network Operation Mode II (NMO-II) the GS Interface is not present. So the GMM attach procedure and the IMSI Attach (via Location Update) has to be performed seperately. This causes additional signalling.

Basic air interface signalling in case of NMO2 is shown here.


In GERAN:

Network operation mode 1. A network which has the Gs interface implemented is referred to as being in network operation mode 1. CS and PS paging is coordinated in this mode of operation on either the GPRS or the GSM paging channel. If the mobile device has been assigned a data traffic channel then CS paging will take place over this data channel rather than the paging channel (CS or PS).

Network operation mode 2. The Gs interface is not present and there is no GPRS paging channel present. In this case, paging for CS and PS devices will be transferred over the standard GSM common control channel (CCCH) paging channel. Even if the mobile device has been assigned a packet data channel, CS paging will continue to take place over the CCCH paging channel and thus monitoring of this channel is still required.

Network operation mode 3. The Gs interface is not present. CS paging will be transferred over the CCCH paging channel. PS paging will be transferred over the packet CCCH (PCCCH) paging channel, if it exists in the cell. In this case the mobile device needs to monitor both the paging channels.

The GERAN part above is extract from the book Convergence Technologies for 3G Networks.


The Gs interface, has a number of subtle but important advantages:

During an ongoing GPRS / EDGE data transfer (TBF established), mobiles can't detect incoming voice calls and SMS messages as they are focused on receiving packets and thus can not observe the paging channel. In NMO-1, the circuit switched part of the network forwards the paging message to the packet switched side of the network which then forwards the paging message between the user data blocks while a data transfer is ongoing. Mobiles can thus receive the paging message despite the ongoing data transfer, interrupt the session and accept the voice call or SMS.

Location/Routing area updates when moving to a cell in a different location/routing area are performed much faster as the mobile only communicates with the packet switched part of the network. The packet switched network (the SGSN) then forwards the location update to the circuit switched part of the network (to the MSC) which spares the mobile from doing it itself. This is especially important for ongoing data transfers as these are interrupted for a shorter period of time.

Cell reselections from UMTS to GPRS can be executed much faster due to the same effect as described in the previous bullet. Whithout NOM-1 an Inter RAT (Radio Access Technology) cell reselection with Location and Routing Area update requires around 10 to 12 seconds. With NOM-1 the time is reduced to around 5 to 6 seconds. An important difference as this reduces the chance to miss an incoming call during the change of the radio network. Also, ongoing data transfers are interrupted for a shorter time,an additional benefit that should not be underestimated.


Wednesday, 8 December 2010

SON for reducing Opex in Legacy Networks

Presented by Stéphane Téral, Principal Analyst, Mobile and FMC Infrastructure, Infonetics Research in the 1st Self-Organizing Networks Conference, 30th Nov and 1st Dec. 2010 at the Waldorf Hilton.

Tuesday, 5 October 2010

3GPP Green activities / Energy Saving initiatives


3GPP has been working on Energy saving initiatives for Release-10 and Release-11. Here is a very quick summary of some of these items.

Telecommunication management; Study on Energy Savings Management (ESM)

Most mobile network operators aim at reducing their greenhouse emissions, by several means such as limiting their networks' energy consumption.

In new generation Radio Access Networks such as LTE, Energy Savings Management function takes place especially when mobile network operators want e.g. to reduce Tx power, switch off/on cell, etc. based on measurements made in the network having shown that there is no need to maintain active the full set of NE capabilities.

By initiating this Work Item about Energy Savings Management, 3GPP hopes to contribute to the protection of our environment and the environment of future generations.

The objective of this technical work is to study automated energy savings management features. Usage of existing IRPs is expected as much as possible, e.g. Configuration Management IRP, etc. However, this technical work may identify the need for defining a new IRP.

The following operations may be considered in this study item (but not necessarily limited to):
• Retrieval of energy consumption measurements
• Retrieval of traffic load measurements
• Adjust Network Resources capabilities


OAM aspects of Energy Saving in Radio Networks

There are strong requirements from operators on the management and monitoring of energy saving functions and the evaluation of its impact on the network and service quality. Therefore an efficient and standardized Management of Energy Saving functionality is needed. Coordination with other functionalities like load balancing and optimization functions is also required.

The objectives of this work item are:
• Define Energy Savings Management OAM requirements and solutions for the following use cases,
• eNodeB Overlaid
• Carrier restricted
• Capacity Limited Network
• Define OAM requirements and solutions for coordination of ESM with other functions like
• Self-Optimization
• Self Healing
• Traditional configuration management
• Fault Management
• Select existing measurements which can be used for assessing the impact and effect of Energy Saving actions corresponding to above Energy Saving use cases.
• Define new measurements which are required for assessing the impact and effect of Energy Saving actions, including measurements of the energy consumption corresponding to above Energy Saving use cases.


Study on impacts on UE-Core Network signalling from Energy Saving

Energy Saving (ES) mechanisms are becoming an integral part of radio networks, and consequently, of mobile networks. Strong requirements from operators (for reasons of cost and environmental image) and indirectly from authorities (for the sake of meeting overall international and national targets) have been formulated. With the expected masses of mobile network radio equipment as commodities, in the form of Home NB/eNBs, this aspect becomes even more crucial.

It is necessary to ensure that ES does not lead to service degradation or inefficiencies in the network. In particular:
• the activation status of radio stations (on/off) introduces a new scale of dynamicity for the UE and network;
• mass effects in signalling potentially endanger the network stability and need to be handled properly.

It is unclear whether and how currently defined procedures are able to cope with, and eventually can be optimized for, ES conditions; thus a systematic study is needed.

The study aims, within the defined CT1 work areas, at:
• analysing UE idle mode procedures and UE-Core Network signalling resulting from frequent switch on/off of radio equipment in all 3GPP accesses, including home cell deployment and I-WLAN;
• performing a corresponding analysis for connected mode UEs;
• analysing similar impacts from activation status of non-3GPP access networks;
• documenting limitations, weaknesses and inefficiencies in these procedures, with emphasis on mass effects in the UE-Core Network signalling;
• studying potential optimizations and enhancements to these procedures;

The study shall also evaluate and give recommendations on potential enhancements to 3GPP specifications (whether and where they are seen necessary).


Study on Solutions for Energy Saving within UTRA Node B

Due to the need to reduce energy consumption within operators’ networks, and considering the large amount of UMTS network equipment deployed in the field around the world, the standardisation of methods to save energy in UMTS Node Bs is seen as an important area of study for 3GPP.There has not been a large amount of focus on energy-saving in UMTS networks so far in 3GPP, although some solutions have been agreed in Release 9. Therefore it is proposed to start an initial study phase to identify solutions and perform any initial evaluation, such that a subset of these proposals can be used as the basis for further investigation of their feasibility.

The objective is to do an initial study to identify potential solutions to enable energy saving within UMTS Node-Bs, and do light initial evaluation of the proposed solutions, with the aim that a subset of them can be taken forward for further investigation as part of a more focused study in 3GPP.

The solutions identified in this study item should consider the following aspects:
• Impacts on the time for legacy and new UEs to gain access to service from the Node B
• Impacts on legacy and new terminals (e.g. power consumption, mobility)

Some initial indication of these aspects in relation to the proposed solutions should be provided.


Study on Network Energy Saving for E-UTRAN

The power efficiency in the infrastructure and terminal should be an essential part of the cost-related requirements in LTE-A. There is a strong need to investigate possible network energy saving mechanisms to reduce CO2 emission and OPEX of operators.

Although some solutions have been proposed and part of them have been agreed in Release-9, there has not been a large amount of attention on energy saving for E-UTRAN so far. Many potential solutions are not fully shown and discussed yet. Therefore, it is proposed to start an initial study phase to identify solutions, evaluate their gains and impacts on specifications.

The following use cases will be considered in this study item:
• Intra-eNB energy saving
• Inter-eNB energy saving
• Inter-RAT energy saving

Intra-eNB energy saving, in EUTRAN network, a single cell can operate in energy saving mode when the resource utilization is sufficiently low. In this case, the reduction of energy consumption will be mainly based on traffic monitoring with regard to QoS and coverage assurance.

A lot of work on Inter-eNB energy saving has already been done for both LTE and UTRA in Rel-9. This Study Item will investigate additional aspects (if any) on top of what was already agreed for R9.

Inter-RAT energy saving, in this use case, legacy networks, i.e. GERAN and UTRAN, provide radio coverage together with E-UTRAN. For example E-UTRAN Cell A is totally covered by UTRAN Cell B. Cell B is deployed to provide basic coverage of the voice or medium/low-speed data services in the area, while Cell A enhances the capability of the area to support high-speed data services. Then the energy saving procedure can be enabled based on the interaction of E-UTRAN and UTRAN system.

The objective of this study item is to identify potential solutions for energy saving in E-UTRAN and perform initial evaluation of the proposed solutions, so that a subset of them can be used as the basis for further investigation and standardization.

Energy saving solutions identified in this study item should be justified by valid scenario(s), and based on cell/network load situation. Impacts on legacy and new terminals when introducing an energy saving solution should be carefully considered. The scope of the study item shall be as follows:
• User accessibility should be guaranteed when a cell transfers to energy saving mode
• Backward compatibility shall be ensured and the ability to provide energy saving for Rel-10 network deployment that serves a number of legacy UEs should be considered
• Solutions shall not impact the Uu physical layer
• The solutions should not impact negatively the UE power consumption

RAN2 will focus on the Intra-eNB energy saving, while RAN3 will work on Inter-RAT energy saving and potential additional Inter-eNB energy saving technology.


Study on Solutions for GSM/EDGE BTS Energy Saving

There has not been a large amount of focus on energy-saving in GSM/EDGE networks so far in 3GPP, although some solutions have been agreed in previous Releases, notably MCBTS. Therefore it is proposed to start an initial study phase to identify solutions and perform any initial evaluation, such that a subset of these proposals can be used as the basis for further investigation of their feasibility.

The objective is to study potential solutions to enable energy saving within the BTS (including MCBTS and MSR), and evaluate each proposed solutions in detail. These potential solutions shall focus on the following specific aspects
• Reduction of Power on the BCCH carrier (potentially enabling dynamic adjustment of BCCH power)
• Reduction of power on DL common control channels
• Reduction of power on DL channels in dedicated mode, DTM and packet transfer mode
• Deactivation of cells (e.g. Cell Power Down and Cell DTX like concepts as discussed in RAN)
• Deactivation of other RATs in areas with multi-RAT deployments, for example, where the mobile station could assist the network to suspend/minimise specific in-use RATs at specific times of day
• And any other radio interface impacted power reduction solutions.

The solutions identified in this study item shall also consider the following aspects:
• Impacts on the time for legacy and new mobile stations to gain access to service from the BTS
• Impacts on legacy and new mobile stations to keep the ongoing service (without increasing drop rate)
• Impacts on legacy and new mobile stations implementation and power consumption, e.g. due to reduction in DL power, cell (re-)selection performance, handover performance, etc.
• Impacts on UL/DL coverage balance, especially to CS voice

Solutions shall be considered for both BTS energy saving non-supporting and supporting mobile stations (i.e. solutions that are non-backwards compatible towards legacy mobile stations shall be out of the scope of this study).

Tuesday, 31 August 2010

EDGE evolution to REDHOT


EDGE is more than three times as efficient as GSM/GPRS in handling packet-switched data. Using EDGE, operators can support 3x more subscribers than GPRS, either by increasing the data rate per subscriber to 300 kbps, according to network & device capabilities, or adding voice capacity. EDGE uses the same TDMA frame structure, logic channel and 200 kHz carrier as GSM; existing cell plans remain intact. No change is needed in the core network. Neither new spectrum nor a new operating licence is needed. EDGE is a mature, mainstream global technology which allows operators to compete, to protect investments/assets, and stimulate growth of mobile multimedia services. Upgrading to EDGE is a natural step for operators to offer high performance mobile data services over GSM.

The performance of EDGE has improved steadily since its introduction in the market in 2003, and today offers users the possibility of data speeds up to 250kbps, with a latency of less than 150ms. This is sufficient for any current data service to be attractive to customers. According to GSA’s latest EDGE Fact Sheet (August 19, 2010 and available as a free download from www.gsacom.com) over 80% of GSM/GPRS operators globally have committed to deploying EDGE in their networks. 531 GSM/EDGE networks are in commercial service in 196 countries, and thousands of EDGE-capable user devices are launched.

A key part of the evolution is the opportunity to deploy more than a single RF carrier. Downlink Dual Carrier (DLDC) is the first step in evolving EDGE, doubling data rates to 592 kbps on existing EDGE-capable networks.

Downlink speed quadrupled:
up to 1.2 Mbps per user initially
(the standard enables up to 1.9 Mbps per user)
• Dual Carrier first phase implementation 10 timeslots per user; standard enables up to 16 timeslots per user
• EGPRS-2 DL (REDHOT) level B maximum 118.4 kbps per timeslot

Uplink speed up to 474 kbps per user
(the standard enables up to 947 kbps per user)
• EGPRS-2 UL (HUGE) level B with maximum 118.4 kbps per timeslot
• Peak implementation today 4 timeslots per user (standard enables up to 8 timeslots per user)

The EGPRS-2 feature is expected in the market in 2012.

More information is available in the GSA Report 'EDGE Evolution' released on Aug 23 2010. Available to download from GSACOM here.

Tuesday, 3 August 2010

Double whammy for GSM Security

Via PC World:

A researcher at the Def Con security conference in Las Vegas demonstrated that he could impersonate a GSM cell tower and intercept mobile phone calls using only $1500 worth of equipment. The cost-effective solution brings mobile phone snooping to the masses, and raises some concerns for mobile phone security.

How does the GSM snooping work?

Chris Paget was able to patch together an IMSI (International Mobile Identity Subscriber) catcher device for about $1500. The IMSI catcher can be configured to impersonate a tower from a specific carrier. To GSM-based cell phones in the immediate area--the spoofed cell tower appears to be the strongest signal, so the devices connect to it, enabling the fake tower to intercept outbound calls from the cell phone.

What happens to the calls?

Calls are intercepted, but can be routed to the intended recipient so the attacker can listen in on, and/or record the conversation. To the real carrier, the cell phone appears to no longer be connected to the network, so inbound calls go directly to voicemail. Paget did clarify, though, that it's possible for an attacker to impersonate the intercepted device to the wireless network, enabling inbound calls to be intercepted as well.

But, aren't my calls encrypted?

Generally speaking, yes. However, the hacked IMSI catcher can simply turn the encryption off. According to Paget, the GSM standard specifies that users should be warned when encryption is disabled, but that is not the case for most cell phones. Paget explained "Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers."

What wireless provider networks are affected?

Good news for Sprint and Verizon customers--those networks use CDMA technology rather than GSM, so cell phones on the Sprint or Verizon networks would not connect to a spoofed GSM tower. However, AT&T and T-Mobile--as well as most major carriers outside of the United States--rely on GSM.

Does 3G protect me from this hack?

This IMSI catcher hack will not work on 3G, but Paget explained that the 3G network could be knocked offline with a noise generator and an amplifier--equipment that Paget acquired for less than $1000. With the 3G network out of the way, most cell phones will revert to 2G to find a viable signal to connect to.

Another one from CNET:

A researcher released software at the Black Hat conference on Thursday designed to let people test whether their calls on mobile phones can be eavesdropped on.

The public availability of the software - dubbed Airprobe -- means that anyone with the right hardware can snoop on other peoples' calls unless the target telecom provider has deployed a patch that was standardized about two years ago by the GSMA, the trade association representing GSM (Global System for Mobile Communications) providers, including AT&T and T-Mobile in the U.S.

Most telecom providers have not patched their systems, said cryptography expert Karsten Nohl.

"This talk will be a reminder to this industry to please implement these security measures because now customers can test whether they've patched the system or not," he told CNET in an interview shortly before his presentation. "Now you can listen in on a strangers' phone calls with very little effort."

An earlier incarnation of Airprobe was incomplete so Nohl and others worked to make it usable, he said.

Airprobe offers the ability to record and decode GSM calls. When combined with a set of cryptographic tools called Kraken, which were released last week, "even encrypted calls and text messages can be decoded," he said.

To test phones for interception capability you need: the Airprobe software and a computer; a programmable radio for the computer, which costs about $1,000; access to cryptographic rainbow tables that provide the codes for cracking GSM crypto (another Nohl project); and the Kraken tool for cracking the A5/1 crypto used in GSM, Nohl said.

More information about the tool and the privacy issues is on the Security Research Labs Web site.


Monday, 1 March 2010

GSM-UMTS Network migration towards LTE


Another interesting white-paper from 3G Americas. The following from their press release:

A 3rd Generation Partnership Project (3GPP) specification, LTE will serve to unify the fixed and mobile broadband worlds and will open the door to new converged multimedia services. As an all-IP-based technology, LTE will drive a major network transformation as the traditional circuit-based applications and services migrate to an all-IP environment, though introducing LTE will require support and coordination between a complex ecosystem of application servers, devices/terminals and interaction with existing technologies. The report discusses functionality and steps GSM-UMTS network operators may use to effectively evolve their networks to LTE and identifies potential challenges and solutions for enabling the interaction of LTE with GSM, GPRS and UMTS networks.

“This white paper reveals solutions that facilitate a smooth migration for network operators as they deploy LTE,” stated Chris Pearson, president of 3G Americas. “3GPP has clearly defined the technology standards in Release 9 and Release 10, and this paper explores the implementation of these standards on 3GPP networks.”



A reported
130 operators around the world have written LTE into their technology roadmaps. In December 2009, TeliaSonera launched the world’s first LTE networks in Norway and Sweden and an estimated 17 operators are expected to follow in its footsteps in 2010.

“LTE is receiving widespread support and powerful endorsements from industry leaders around the world, but it is important to keep in mind that the evolution to LTE will require a multi-year effort,” Pearson said. “LTE must efficiently and seamlessly coexist with existing wireless technologies during its rise to becoming the leading next-generation wireless technology.”

Operators planning LTE deployments must consider the implications of utilizing LTE in an ecosystem comprising 2G, 3G and future “4G” wireless technologies. Therefore, operators planning an LTE deployment will need to offer multi-technology devices with networks that allow mobility and service continuity between GSM, EDGE, HSPA and LTE.


Thursday, 11 February 2010

UICC and USIM in 3GPP Release 8 and Release 9


In good old days of GSM, SIM was physical card with GSM "application" (GSM 11.11)

In the brave new world of 3G+, UICC is the physical card with basic logical functionality (based on 3GPP TS 31.101) and USIM is 3G application on a UICC (3GPP TS 31.102). The UICC can contain multiple applications like the SIM (for GSM), USIM and ISIM (for IMS). There is an interesting Telenor presentation on current and future of UICC which may be worth the read. See references below.

UICC was originally known as "UMTS IC card". The incorporation of the ETSI UMTS activities into the more global perspective of 3GPP required a change of this name. As a result this was changed to "Universal Integrated Circuit Card". Similarly USIM (UMTS Subscriber Identity Module) changed to Universal Subscriber Identity Module.

The following is from the 3G Americas Whitepaper on Mobile Broadband:

UICC (3GPP TS 31.101) remains the trusted operator anchor in the user domain for LTE/SAE, leading to evolved applications and security on the UICC. With the completion of Rel-8 features, the UICC now plays significant roles within the network.

Some of the Rel-8 achievements from standards (ETSI, 3GPP) are in the following areas:

USIM (TS 31.102)
With Rel-8, all USIM features have been updated to support LTE and new features to better support non-3GPP access systems, mobility management, and emergency situations have been adopted.

The USIM is mandatory for the authentication and secure access to EPC even for non-3GPP access systems. 3GPP has approved some important features in the USIM to enable efficient network selection mechanisms. With the addition of CDMA2000 and HRPD access technologies into the PLMN, the USIM PLMN lists now enable roaming selection among CDMA, UMTS, and LTE access systems.

Taking advantage of its high security, USIM now stores mobility management parameters for SAE/LTE. Critical information like location information or EPS security context is to be stored in USIM rather than the device.

USIM in LTE networks is not just a matter of digital security but also physical safety. The USIM now stores the ICE (In Case of Emergency) user information, which is now standardized. This feature allows first responders (police, firefighters, and emergency medical staff) to retrieve medical information such as blood type, allergies, and emergency contacts, even if the subscriber lies unconscious.

3GPP has also approved the storage of the eCall parameters in USIM. When activated, the eCall system establishes a voice connection with the emergency services and sends critical data including time, location, and vehicle identification, to speed up response times by emergency services. ECalls can be generated manually by vehicle occupants or automatically by in-vehicle sensors.

TOOLKIT FEATURES IMPROVEMENT (TS 31.111)
New toolkit features have been added in Rel-8 for the support of NFC, M2M, OMA-DS, DM and to enhance coverage information.

The contactless interface has now been completely integrated with the UICC to enable NFC use cases where UICC applications proactively trigger contactless interfaces.

Toolkit features have been updated for terminals with limited capabilities (e.g. datacard or M2M wireless modules). These features will be notably beneficial in the M2M market where terminals often lack a screen or a keyboard.

UICC applications will now be able to trigger OMA-DM and DS sessions to enable easier device support and data synchronization operations, as well as interact in DVB networks.

Toolkit features have been enriched to help operators in their network deployments, particularly with LTE. A toolkit event has been added to inform a UICC application of a network rejection, such as a registration attempt failure. This feature will provide important information to operators about network coverage. Additionally, a UICC proactive command now allows the reporting of the signal strength measurement from an LTE base station.

CONTACT MANAGER
Rel-8 defined a multimedia phone book (3GPP TS 31.220) for the USIM based on OMA-DS and its corresponding JavaCard API (3GPP TS 31.221).

REMOTE MANAGEMENT EVOLUTION (TS 31.115 AND TS 31.116)
With IP sessions becoming prominent, an additional capability to multiplex the remote application and file management over a single CAT_TP link in a BIP session has been completed. Remote sessions to update the UICC now benefit from additional flexibility and security with the latest addition of the AES algorithm rather than a simple DES algorithm.

CONFIDENTIAL APPLICATION MANAGEMENT IN UICC FOR THIRD PARTIES
The security model in the UICC has been improved to allow the hosting of confidential (e.g. third party) applications. This enhancement was necessary to support new business models arising in the marketplace, with third party MVNOs, M-Payment and Mobile TV applications. These new features notably enable UICC memory rental, remote secure management of this memory and its content by the third party vendor, and support new business models supported by the Trusted Service Manager concept.

SECURE CHANNEL BETWEEN THE UICC AND TERMINAL
A secure channel solution has been specified that enables a trusted and secure communication between the UICC and the terminal. The secure channel is also available between two applications residing respectively on the UICC and on the terminal. The secure channel is applicable to both ISO and USB interfaces.

RELEASE 9 ENHANCEMENTS: UICC: ENABLING M2M AND FEMTOCELLS
The role of femtocell USIM is increasing in provisioning information for Home eNodeB, the 3GPP name for femtocell. USIMs inside handsets provide a simple and automatic access to femtocells based on operator and user-controlled Closed Subscriber Group list.

Work is ongoing in 3GPP for the discovery of surrounding femtocells using toolkit commands. Contrarily to macro base stations deployed by network operators, a femtocell location is out of the control of the operator since a subscriber can purchase a Home eNodeB and plug it anywhere at any time. A solution based on USIM toolkit feature will allow the operator to identify the femtocells serving a given subscriber. Operators will be able to adapt their services based on the femtocells available.

The upcoming releases will develop and capitalize on the IP layer for UICC remote application management (RAM) over HTTP or HTTPS. The network can also send a push message to UICC to initiate a communication using TCP protocol.

Additional guidance is also expected from the future releases with regards to the M2M dedicated form factor for the UICC that is currently under discussion to accommodate environments with temperature or mechanical constraints surpassing those currently specified by the 3GPP standard.

Some work is also expected to complete the picture of a full IP UICC integrated in IP-enabled terminal with the migration of services over EEM/USB and the capability for the UICC to register on multicast based services (such as mobile TV).

Further Reading:

Thursday, 17 September 2009

Wireless Subscribers Forecast 2014



Source: Informa Telecoms & Media, WCIS+, June 2009

Via: 3G Americas Whitepaper, HSPA to LTE-Advanced: 3GPP Broadband Evolution to IMT-Advanced (4G)

Thursday, 27 August 2009

Security of Mobiles and Networks to be tested soon


Security researcher Karsten Nohl has issued a hacking challenge that could expose T-Mobile and AT&T cell phone users -- including Gphone and iPhone patrons -- to eavesdropping hacks within six months.

Nohl, a computer science Ph.D/ candidate from the University of Virginia, is calling for the global community of hackers to crack the encryption used on GSM phones. He plans to compile this work into a code book that can be used to decipher encrypted conversations and data that gets transmitted to and from GSM phones.

Nohl’s motive: he wants to compel the telecoms to address a security weakness that has been known for years. He estimates it will take 80 volunteer programmers six months to crunch the data to break the GSM encryption; 160 volunteers could cut that time to six weeks.“It looks like in a matter of months criminals world-wide will be able to intercept mobile phone conversations,” says Simon Bransfield-Garth, CEO of mobile security firm Cellcrypt. “The immediate impact is not just businesses and corporations, but potentially all of us who use mobile phones.”

The Chaos Computer Club has told the FT that in the couple of months it will be releasing code capable of cracking GSM with just a laptop and an antenna.

In comments made to the German edition of the Financial Times, the hacking group claims that governments, and criminals, are already using the technique which can break the encryption used to protect 2G GSM calls in near-real time using existing systems. The group says a public exposure of the technique will take place in the next month or two and allow anyone equipped with a laptop and an antenna to listen in to GSM phone calls.

GSM uses a range of algorithms for key generation, authentication, and encrypting connections. This latest crack is focused on the last element which relies on a range of algorithms known as A5 and numbered from zero to three. A5/0 indicates that no encryption is used, such as in countries still under ITAR* restrictions, A5/1 is the European standard that seems to be the target of this latest breach, A5/2 is used in the USA and generally considered weaker than A5/1, while A5/3 is the strongest of the lot and mandated by the 3G GSM standard.

GSM has been cracked before, the early algorithms used were weak and kept secret (and thus not exposed to public scrutiny), a situation made worse by network operators padding the keys with zeros to reduce the cost of SIM cards. This made a weak algorithm that relied on obscurity even weaker. But since then, the standard has proved surprisingly secure, and even today specialist equipment will take half an hour to break a call, so real-time listening to GSM calls has been restricted to James-Bond types with unlimited budgets.

But the Chaos Computer Club reckons they've found a way to share those super-spy eavesdropping capabilities with anyone, which should have implications for celebrities using mobile phones, but will probably have a more immediate impact on low-level drug dealers who've long relied on the security of GSM for their business.

All encryption breaks eventually, as computing power rises, and systems like GSM are designed with a specific lifetime during which the encryption is expected to remain secure. Changing the encryption is possible, but A5 is managed by the handset rather than the SIM and network operators have to support legacy handsets for long periods even if the latest models could be equipped with better encryption.

But the rest us will probably just hold tight until everyone is using 3G networks, at least in developed countries, where A5/3 is used and should remain secure for another decade or two.

Wednesday, 8 July 2009

Wireless Cellular Security

Arvind, an old colleague recently spoke in ACM, Bangalore on the topic of Security. Here is his presentation:







There are lots of interesting Questions and Answers. One interesting one is:

Does number portability mean that data within an AuC is compromised?

Not really. Number portability does not mean sensitive data from old AuC are transferred to the new AuC. The new operator will issue a new USIM which will have a new IMSI. Number portability only means that MSISDN is kept the same for others to call the mobile. The translation between MSISDN and IMSI is done at a national level register. Such a translation will identify the Home PLMN and the HLR that’s needs to be contacted for an incoming call.
That’s the theory and that’s how it should be done. It will be interesting to know how operators in India do this.

You can read all Q&A's here.

I wrote a tutorial on UMTS security many years back. Its available here.

Thursday, 5 February 2009

GSM: Architecture, Protocols and Services




There is a new book on GSM in the market. Now it makes me wonder that since we are all focussing on 3.6G, 3.75G, 3.9G, 4G, etc., etc. what would be the point of a GSM book?

The following is from the preface of the book:

The GSM family (GSM, GPRS, EDGE) has become one of the most successful technical innovations in history. As of June 2008, more than 2.9 billion subscribers were using GSM, corresponding to a market share of more than 81%, and its story continues, even now, despite the introduction and development of next-generation systems such as IMT-2000 or UMTS (3G) and even systems beyond 3G, dubbed IMT-Advanced.

At the same time, wireless local area networks have substantially expanded the wireless market, sometimes drawing market share from GPRS and 3G (e.g. in public WiFi hotspots), sometimes coexisting (e.g. in UMTS home routers used as a replacement for fixed wire connections). However, these are used typically for low mobility applications. Mobile communication with all of its features and stability has become increasingly important: cellular and GSM technology, plus, of course, lately 3G, GSMs sister technology, so-to-say.

Another impressive trend has emerged since our last edition: the permanent evolution in the handheld market, producing fancy mobile phones with cameras, large memory, MP3 players, Email clients and even satellite navigation. These features enable numerous nonvoice or multimedia applications, from which, of course, only a subset is or will be successful on the market.

In this third edition, we concentrate again on the architecture, protocols and operation of the GSM network and outline and explain the innovations introduced in recent years. The main novelties in this book are the presentation of capacity enhancement methods such as sectorization, the application of adaptive antennas for Spatial Filtering for Interference Reduction (SFIR) and Space Division Multiple Access (SDMA), a detailed introduction to HSCSD and EDGE for higher data rates, and an update of the available GSM services, specifically introducing the Multimedia Messaging Service (MMS).

I think that GSM is going to be the fallback option for most of the new technologies due to its worldwide deployment so now is the time for us to brush up our GSM concepts


Friday, 22 June 2007

2.5 Billion GSM Subscribers Worldwide


Bellevue, WA, June 05, 2007 -
Today, 3G Americas reports that the number of GSM mobile wireless subscribers worldwide has reached 2.5 billion, a stunning 400% increase in GSM subscribers from only six years ago, according to the estimates of Informa's World Cellular Information Service. Every day, there are more than one million new additions to the GSM family of technology users receiving service from one of 700 commercial GSM networks across 218 countries and territories around the world.


“It’s unprecedented for almost any global industry to achieve the growth and success demonstrated by the GSM family of technologies, with an estimated 2.5 billion global customers today,” stated Chris Pearson, President of 3G Americas. “This level of wireless technology growth exceeds that of almost all other lifestyle-changing innovations.”
Looking back, it was almost one hundred years ago when the first so-called "mobile" phone call was made by Lars Ericsson in 1910— although not wireless, as Ericsson attached wires to a telephone pole terminal to make his call while on the road. 2007 marks the 60th anniversary of AT&T and Bell Laboratories' 1947 invention of the cellular phone. Today, it is estimated that more than 37% of the world's 6.6 billion people (US Census Bureau) use GSM technology.


GSM subscribers, including nearly 130 million UMTS/HSDPA subscriptions, currently comprise nearly 85% of the global mobile wireless market. GSM became the dominant Latin American mobile wireless technology in less than a decade since its launch in the region in 1998, acquiring 2 million subscribers by the year 2000, and 200 million by end of year 2006. The GSM family now serves 331 million customers in all the Americas as of 1Q 2007, and is available in every single country. This market leadership is due to the numerous technical and economic benefits of the GSM family of technologies for both operators and their customers.


GSM technologies, including GPRS, EDGE and UMTS/HSPA, offer overwhelming advantages in terms of global scope, scale, international roaming and service that are still unmatched by other mobile wireless technologies. As of May 2007, there are 169 UMTS operators in service across 71 countries, and 117 of those operators in 59 countries have deployed an enhanced version of UMTS called HSDPA. Additionally, nearly all UMTS/HSDPA devices manufactured today include the EDGE technology as the compatible fallback technology, allowing for global roaming and delivery of high-speed wireless data services.
HSPA (HSDPA/HSUPA) technology is poised to be the leading mobile broadband technology for the rest of the decade, outpacing alternative mobile broadband technologies by leveraging on the current installed base of the GSM family of technologies and providing the most efficient solution. It is expected that almost all GSM/EDGE operators will someday migrate to HSPA technology.


Pearson continued, “While other technologies are grabbing attention, HSPA is being rolled out around the world, separating future promise from that which is available today. Building upon the enormous foundation of customers and commercial deployment of GSM, and the broad research and development by vendors, HSPA will continue in its mobile broadband leadership position for years to come.”


For white papers, statistics and more information on the GSM family of technologies, visit http://www.3gamericas.org/.

About 3G Americas: Unifying the Americas through Wireless Technology
The mission of 3G Americas is to promote and facilitate the seamless deployment throughout the Americas of GSM and its evolution to 3G and beyond. The organization fully supports the Third Generation (3G) technology migration strategy to EDGE and UMTS/HSPA adopted by many operators in the Americas. The GSM family of technologies accounts for 85% of wireless mobile customers worldwide. 3G Americas is headquartered in Bellevue, WA with an office for Latin America and the Caribbean in Dallas, TX. For more information, visit our website at http://www.3gamericas.org/.


About Informa Telecoms & Media
Informa Telecoms & Media provides business intelligence and strategic services to the global telecoms and media markets. All of our products and services - from news, trend analysis and forecasting to industry data, face-to-face events and training - are driven by our deep understanding of the markets we serve and by our goal to help our clients make better business decisions. http://www.informatm.com/