Showing posts with label Security. Show all posts

Sunday, 20 August 2017

Enhanced 5G Security via IMSI Encryption


IMSI catchers can be a real threat. They don't generally affect anyone unless someone is out to get them. Nevertheless, it's a security flaw that is present even in LTE. This presentation here is a good starting point for learning about IMSI catchers, and the one here covers privacy and availability attacks.


This article by Ericsson is a good starting point on how 5G will enhance security by IMSI encryption. From the article:
The concept we propose builds on an old idea that the mobile device encrypts its IMSI using home network’s asymmetric key before it is transmitted over the air-interface. By using probabilistic asymmetric encryption scheme – one that uses randomness – the same IMSI encrypted multiple times results in different values of encrypted IMSIs. This makes it infeasible for an active or passive attacker over the air-interface to identify the subscriber. Above is a simplified illustration of how a mobile device encrypts its IMSI. 
Each mobile operator (called the ‘home network’ here) has a public/private pair of asymmetric keys. The home network’s private asymmetric key is kept secret by the home network, while the home network’s public asymmetric key is pre-provisioned in mobile devices along with subscriber-specific IMSIs (Step 0). Note that the home network’s public asymmetric key is not subscriber-specific. 
For every encryption, the mobile device generates a fresh pair of its own public/private asymmetric keys (Step 1). This key pair is used only once, hence called ephemeral, and therefore provide probabilistic property to the encryption scheme. As shown in the figure, the mobile device then generates a new key (Step 2), e.g., using Diffie–Hellman key exchange. This new key is also ephemeral and is used only once to encrypt the mobile device’s IMSI (Step 3) using symmetric algorithm like AES. The use of asymmetric and symmetric crypto primitives as described above is commonly known as integrated/hybrid encryption scheme. The Elliptic Curve Integrated Encryption Scheme (ECIES) is a popular scheme of such kind and is very suitable to the use case of IMSI encryption because of low impact on radio bandwidth and mobile device’s battery. 
The nicest thing about the described concept is that no public key infrastructure is necessary, which significantly reduces deployment complexity, meaning that mobile operators can start deploying IMSI encryption for their subscribers without having to rely on any external party or other mobile operators.
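The three steps in the excerpt above can be followed in code. This is an added example, not code from the Ericsson article or from 3GPP: the curve (X25519), the SHA-256 key derivation, AES-128-GCM as the symmetric algorithm, the `ConcealedIMSI` layout and all function names are choices made for this sketch, and the IMSI is a constructed test value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ConcealedIMSI is what crosses the air interface (hypothetical layout):
// the device's one-time public key and the encrypted IMSI.
type ConcealedIMSI struct {
	EphemeralPub, Ciphertext []byte
}

// NewHomeNetworkKey creates the operator's long-term key pair (Step 0).
func NewHomeNetworkKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// oneTimeAEAD derives an AES-128-GCM key and nonce from the Diffie-Hellman
// secret. SHA-256(secret || ephemeral public key) is a simple KDF picked for
// this example; key and nonce are used for exactly one message.
func oneTimeAEAD(secret, ephPub []byte) (cipher.AEAD, []byte) {
	okm := sha256.Sum256(append(append([]byte{}, secret...), ephPub...))
	block, _ := aes.NewCipher(okm[:16]) // 16-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)     // 128-bit block cipher: cannot fail
	return aead, okm[16:28]
}

// ConcealIMSI runs on the device with the pre-provisioned home network key.
func ConcealIMSI(homePub *ecdh.PublicKey, imsi string) (*ConcealedIMSI, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // Step 1: fresh key pair
	if err != nil {
		return nil, err
	}
	secret, err := eph.ECDH(homePub) // Step 2: Diffie-Hellman
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	aead, nonce := oneTimeAEAD(secret, ephPub)
	ct := aead.Seal(nil, nonce, []byte(imsi), nil) // Step 3: encrypt the IMSI
	return &ConcealedIMSI{EphemeralPub: ephPub, Ciphertext: ct}, nil
}

// RevealIMSI runs in the home network, the only holder of the private key.
// A modified ciphertext or a wrong private key fails the GCM tag check.
func RevealIMSI(homePriv *ecdh.PrivateKey, c *ConcealedIMSI) (string, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(c.EphemeralPub)
	if err != nil {
		return "", err
	}
	secret, err := homePriv.ECDH(ephPub)
	if err != nil {
		return "", err
	}
	aead, nonce := oneTimeAEAD(secret, c.EphemeralPub)
	imsi, err := aead.Open(nil, nonce, c.Ciphertext, nil)
	return string(imsi), err
}

func main() {
	home, err := NewHomeNetworkKey()
	if err != nil {
		panic(err)
	}
	for i := 0; i < 2; i++ { // same IMSI, different bytes on the air each time
		c, _ := ConcealIMSI(home.PublicKey(), "001010123456789") // constructed IMSI
		imsi, err := RevealIMSI(home, c)
		fmt.Printf("%x -> %s %v\n", c.Ciphertext, imsi, err)
	}
}
```

An observer on the air interface sees only `EphemeralPub` and `Ciphertext`, both of which change on every run, so two attachments by the same subscriber cannot be linked without the home network's private key.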

'3GPP TR 33.899: Study on the security aspects of the next generation system' lists one such approach.


The key steps are as follows:

  1. UE is configured with 5G (e)UICC with ‘K’ key, the Home Network ID, and its associated public key.
  2. SEAF sends Identity Request message to NG-UE. NG-UE considers this as an indication to initiate Initial Authentication.
  3. NG-UE performs the following:
    1. Request the (e)UICC application to generate required security material for initial authentication, RANDUE, , COUNTER, KIARenc, and KIARInt.
    2. NG-UE builds IAR as per MASA. In this step NG-UE includes NG-UE Security Capabilities inside the IAR message. It also may include its IMEI. 
    3. NG-UE encrypts the whole IAR including the MAC with the home network public key.
    4. NG-UE sends IAR to SEAF.
  4. Optionally, gNB-CP node adds its Security Capabilities to the transport message between the gNB-CP and the SEAF (e.g., inside S1AP message as per 4G).
  5. gNB-CP sends the respective S1AP message that carries the NG-UE IAR message to the SEAF.
  6. SEAF acquires the gNB-CP security capabilities as per the listed options in clause 5.2.4.12.4.3 and saves them as part of the temporary context for the NG-UE.
  7. SEAF follows MASA and forwards the Authentication and Data Request message to the AUSF/ARPF.
  8. When AUSF/ARPF receives the Authentication and Data Request message, it authenticates the NG-UE as per MASA and generates the IAS respective keys. AUSF/ARPF may recover the NG-UE IMSI and validate the NG-UE security capabilities.
  9. AUSF/ARPF sends Authentication and Data Response to the SEAF as per MASA with NG-UE Security Capabilities included.
  10. SEAF recovers the Subscriber IMSI, UE security Capabilities, IAS keys, RANDHN, COUNTER and does the following:
    1. Examines the UE Security Capabilities and decides on the Security parameters.
    2. SEAF may acquire the UP-GW security capabilities at this point after receiving the UP-GW identity from AUSF/ARPF or allocate it dynamically through provisioning and load balancing.
  11. SEAF builds IAS and sends it to the NG-UE following MASA. In addition, SEAF includes the gNB-CP protocol agreed upon security parameters in the S1AP message being sent to the gNB-CP node.
  12. gNB-CP recovers gNB-CP protocol agreed upon security parameters and saves them as part of the NG-UE current context.
  13. gNB-CP forwards the IAS message to the NG-UE.
  14. NG-UE validates the authenticity of the IAS and authenticates the network as per MASA. In addition, the UE saves all protocols agreed upon security parameters as part of its context. NG-UE sends the Security and Authentication Complete message to the SEAF.
  15. SEAF communicates the agreed upon UP-GW security parameters to the UP-GW during the NG-UE bearer setup.

ARPF - Authentication Credential Repository and Processing Function 
AUSF - Authentication Server Function 
SCMF - Security Context Management Function
SEAF - Security Anchor Function
NG-UE - NG UE
UP - User Plane 
CP - Control Plane
IAR - Initial Authentication Request 
IAS - Initial Authentication Response
gNB - Next Generation NodeB

You may also want to refer to the 5G Network Architecture presentation by Andy Sutton for details.


Tuesday, 25 July 2017

5G Security Updates - July 2017


It's been nearly 2 years since I last blogged about the ETSI Security workshop. A lot has changed since then, especially as 5G is already in the process of being standardised. This is in addition to NFV / SDN, which also apply to 4G networks.

ETSI Security Week (12 - 16 June) covered a lot more than 5G, NFV, SDN, etc. Security specialists can follow the link to get all the details (if they were not already aware of them).

I want to quickly provide 3 links so people can find all the useful information:

NFV Security Tutorial: designed to educate attendees on security concerns facing operators and providers as they move forward with implementing NFV. While the topics are focused on security and are technical in nature we believe any individual responsible for designing, implementing or operating a NFV system in an organization will benefit from this session. Slides here.

NFV Security: Network Functions Virtualization (NFV), leveraging cloud computing, is set to radically change the architecture, security, and implementation of telecommunications networks globally. The NFV Security day will have a sharp focus on the NFV security and will bring together the world-wide community of the NFV security leaders from the industry, academia, and regulators. If you want to meet the movers and shakers in this field, get a clear understanding of the NFV security problems, challenges, opportunities, and the state of the art development of security solutions, this day is for you. Slides here.



5G Security: The objectives of this event are to:
  • Gather different actors involved in the development of 5G, not only telecom, and discuss together how all their views will shape together in order to understand the challenges, threats and the security requirements that the 5G scenarios will be bringing.
  • Give an update of what is happening in:
    • 5G security research: Lot of research is on-going on 5G security and several projects exist on the topic.
    • 5G security standards: Standardization bodies have already started working on 5G security and their work progress will be reviewed. Also any gap or additional standardization requirements will be discussed.
    • Verticals and business (non-technical) 5G security requirements: 5G is a playground where different verticals besides the telecom industry are playing a role and their requirements will be key for the design of 5G security. In addition 5G is where "security" will become the business driver.
  • Debate about hot topics such as: IoT security, Advances in lightweight cryptography, Slicing security. Privacy. Secure storage and processing. Security of the interconnection network (DIAMETER security). Relevance of Quantum Safe Cryptography for 5G, Authorization concepts....
Slides for 5G Security here.

In addition, Jaya Baloo, CISO, KPN Telecom talks about 5G network security at TechXLR8 2017. Embedded is a video of that:


Sunday, 4 December 2016

5G, Hacking & Security


It looks like devices that are not manufactured with security and privacy in mind are going to be the weakest link in future network security problems. I am sure you have probably read about how hacked cameras and routers enabled a Mirai botnet to take out major websites in October. Since then, there has been no shortage of stories on how IoT devices could be hacked. In fact the one I really liked was 'Researchers hack Philips Hue lights via a drone; IoT worm could cause city blackout' 😏.


Enter 5G and the problem could be made much worse. With high speed data transfer and signalling, these devices can create an instantaneous attack on a very large scale, generating a signalling storm that can take a network down in no time.

Giuseppe TARGIA, Nokia presented an excellent summary of some of these issues at the iDate Digiworld Summit 2016. His talk is embedded below:



You can check out many interesting presentations from the iDate Digiworld Summit 2016 on Youtube and Slideshare.



Friday, 30 September 2016

Quantum Technology and Future Telecommunications

Last year I posted an excerpt from an article in FT which implied that Quantum technology will play a big role in post-5G world. Earlier this month CW held their annual Technology & Engineering Conference (CW TEC). The topic was "The Quantum Revolution is coming". I have to admit that I knew next to nothing before the conference, however now I hope I know just enough to dabble in quantum technology related discussions.

The main question that I had before the conference was 'when will quantum technology be here?'. While there were different answers, depending on what you think Quantum is, I think the answer I feel comfortable with is more like 2030 (just in time for 6G?).


There are already some great write-ups of the conference by others; please see the links at the bottom of the post. However, I have tried to create a story based on the tweets and embedded the links to presentations for each speaker where available. Hopefully you will enjoy my story.





Sunday, 26 June 2016

Three Presentations on 5G Security


Here are three presentations from the 5G Huddle in April, looking at 5G security aspects. As I have repeatedly mentioned, 5G is in the process of being defined, so these presentations just present the view from what we know about 5G today.



Monday, 24 August 2015

Some interesting presentations from ETSI Security workshop


ETSI held their security week from 22-26 June 2015 at their headquarters. There are lots of interesting presentations (see agenda [PDF]); I am embedding some here.


This is a good presentation providing a summary of the reasons for IoT security issues and some of the vulnerabilities that have been seen as a result of that.




The next one is 'The Threat landscape of connected vehicles and ITS (Intelligent Transportation Systems) integration in general'.



This presentation provides a good summary of the threats in connected cars/vehicles, which are only going to become more common. Some of these issues will have to be solved now, before we move on to autonomous vehicles in future. Security issues there will be catastrophic and many lives can be lost.

The final presentation is from 3GPP SA3 that provides a quick summary of security related work in 3GPP.



Monday, 29 December 2014

The SS7 flaws that allow hackers to snoop on your calls and SMS

By now I am aware that most people have heard of the flaws in SS7 networks that allow hackers to snoop, re-route calls and read text messages. Anyone who is not aware of these things can read some excellent news articles here:

Our trusted security expert, Ravi Borgaonkar, informs us that all these flaws have already been discussed back in May, as part of Positive Hack Days (PHDays).

The presentation is embedded below and can be downloaded from Slideshare:



Added this new information on the 4th Jan 2015:

The following is this presentation and video by Tobias Engel from the 31st Chaos Communication Congress.



Saturday, 1 November 2014

4G Security and EPC Threats for LTE

This one is from the LTE World Summit 2014. Even though I was not there for this, I think this has some useful information about the 4G/LTE Security. Presentation as follows:


Tuesday, 9 September 2014

LTE Device-to-device (D2D) Use Cases

Device-to-device is a popular topic. I wrote a post back in March on LTE-Radar (another name), which has already had 10K+ views. Another post, in Jan last year, has had over 13K views. At the LTE World Summit, Thomas Henze from Deutsche Telekom AG presented some use cases of 'proximity services via LTE device broadcast'.


While there are some interesting use cases in his presentation (embedded below), I am not sure that they will necessarily achieve success overnight. While it would be great to have a standardised solution for applications that rely on proximity services, the apps have already come up with their own solutions in the meantime.

The dating app Tinder, for example, finds a date near where you are. It relies on GPS, and I agree that some people would say that GPS consumes more power, but it's already available today.



Another example is "Nearby Friends" from Facebook, which allows you to find your friends if they are nearby, perfect for a day when you have nothing better to do.

With an App, I can be sure that my location is being shared only for one App. With a standardised solution, all my Apps have info about location that I may not necessarily want. There are pros and cons, not sure which will win here.

Anyway, the complete presentation is embedded below:



For anyone interested in going into a bit more detail about D2D, please check this excellent article by Dr. Alastair Bryon, titled "Opportunities and threats from LTE Device-to-Device (D2D) communication".

Do let me know what you think about the use cases.

Saturday, 14 June 2014

AT&T on Mobile Security


Nice presentation from Ed Amoroso from AT&T outlining how the security is evolving to cope with the new technologies and threats. He points to encryption, containerization, proxy & virtualization as the four key pillars of technology for enabling operators to protect the network in a mobility era where the perimeter can no longer do the job it used to do.

Here is the video:

If you can't see the video, click on this link to watch it on Light Reading's website.

Wednesday, 21 May 2014

Connected and Autonomous Car Revolution

Last week we had the Automotive and Transport SIG event in Cambridge Wireless. There are already some good write-ups on that event here and here. In this post my interest is in looking at the technologies discussed.

R&S (who were the sponsors) gave a good introductory presentation, highlighting the need for and approaches to the connected car. The speaker also introduced IEEE 802.11p to the group.

As per Wikipedia, "IEEE 802.11p is an approved amendment to the IEEE 802.11 standard to add wireless access in vehicular environments (WAVE), a vehicular communication system. It defines enhancements to 802.11 (the basis of products marketed as Wi-Fi) required to support Intelligent Transportation Systems (ITS) applications. This includes data exchange between high-speed vehicles and between the vehicles and the roadside infrastructure in the licensed ITS band of 5.9 GHz (5.85-5.925 GHz). IEEE 1609 is a higher layer standard based on the IEEE 802.11p."

Back in December, Dr. Paul Martin did an equally useful presentation in the Mobile Broadband SIG, and his presentation is equally relevant here as he introduced the different terms like V2X, V2I, V2V, V2P, etc. I have embedded his presentation below:



Roger Lanctot from Strategy Analytics gave us some interesting facts and figures. Being based in the US, he was able to give us the view of both the US and Europe. According to him, “LTE is the greatest source of change in value proposition and user experience for the customer and car maker. Bluetooth, Wi-Fi, NFC and satellite connectivity are all playing a role, but LTE deployment is the biggest wave sweeping the connected car, creating opportunities for new technologies and applications.” His officially released presentation is embedded below (it is much smaller than his presentation on that day).



There were also interesting presentations that I have not embedded but others may find useful. One was from Mike Short, VP of Telefonica, and the other was from Dr. Ireri Ibarra of MIRA.


The final presentation, by Martin Green of Visteon, highlighted some interesting discussions regarding handovers that may be required when the vehicle (and the passengers inside) is moving between different access networks. I for one believe that this will not be an issue as there may be ways to work the priorities of access networks out. Anyway, his presentation included some useful nuggets and it's embedded below:


Sunday, 23 March 2014

Securing the backhaul with the help of LTE Security Gateway


An excellent presentation from the LTE World Summit last year, that is embedded below. The slide(s) that caught my attention was the overhead involved when using the different protocols. As can be seen in the picture above, the Ethernet MTU is 1500 bytes but after removing all the overheads, 1320 bytes are left for data. In case you were wondering, MTU stands for 'maximum transmission unit' and is the largest size packet or frame, specified in octets (8-bit bytes), that can be sent in a packet or frame based network such as the Internet.

Anyway, the presentation is embedded below:


Saturday, 25 January 2014

Security and other development on the Embedded SIM


It's no surprise that GSMA has started working on Embedded SIM specifications. With M2M getting more popular every day, it would make sense to have the SIM (or UICC) embedded in them during the manufacturing process. The GSMA website states:

The GSMA’s Embedded SIM delivers a technical specification to enable the remote provisioning and management of Embedded SIMs to allow the “over the air” provisioning of an initial operator subscription and the subsequent change of subscription from one operator to another.
The Embedded SIM is a vital enabler for Machine to Machine (M2M) connections including the simple and seamless mobile connection of all types of connected vehicles. In the M2M market the SIM may not easily be changed via physical access to the device or may be used in an environment that requires a soldered connection, thus there is a need for ‘over the air’ provisioning of the SIM with the same level of security as achieved today with traditional “pluggable” SIM. It is not the intention for the Embedded SIM to replace the removable SIM currently used as the removable SIM still offers many benefits to users and operators in a number of different ways – for example, the familiarity of the form factor, ease of portability, an established ecosystem and proven security model.

The last time I talked about embedded SIM was a couple of years back, after the ETSI security workshop here. Well, there was another of these workshops recently and an update to this information.


The ETSI presentation is not embedded here but is available on Slideshare here. As the slide says:

An embedded UICC is a “UICC which is not easily accessible or replaceable, is not intended to be removed or replaced in the terminal, and enables the secure changing of subscriptions” (ETSI TS 103 383)


Finally, Embedded SIM should not be confused with Soft-SIM. My last post on Soft-SIM, a couple of years back here, has over 15K views, which shows how much interest there is in the soft SIM. As the slide says:

Soft or Virtual SIM is a completely different concept that does not use existing SIM hardware form factors and it raises a number of strong security issues:

  • Soft SIM would store the Operator secret credentials in software within the Mobile device operating system - the same system that is often attacked to modify the handset IMEI, perform SIM-Lock hacking and ‘jail-break’ mobile OS’s
  • Operators are very concerned about the reduction in security of their credentials through the use of Soft SIM. Any SIM approach not based on a certified hardware secure element will be subject to continual attack by the hacking community and if compromised result in a serious loss of customer confidence in the security of Operator systems
  • Multiple Soft SIM platforms carrying credentials in differing physical platforms, all requiring security certification and accreditation would become an unmanageable overhead – both in terms of resource, and proving their security in a non-standardised virtual environment

The complete GSMA presentation is as follows:




Thursday, 16 January 2014

3GPP Rel-12 and Future Security Work


Here is the 3GPP presentation from the 9th ETSI Security workshop. There are quite a few bits on IMS and IMS Services, and it is also good to see the new authentication algorithm TUAK as an alternative to the widely used Milenage algorithm.



Friday, 23 August 2013

How Cyber-Attacks Can Impact M2M Infrastructure


An interesting presentation from Deutsche Telekom at the Network Security Conference, which highlights some of the issues faced by the M2M infrastructure. With 500 billion devices being predicted, security will have to be stepped up for the M2M infrastructures to work as expected. Complete presentation embedded below:


Thursday, 8 August 2013

2 Factor and 3 Factor Authentication (2FA / 3FA)

Found an interesting slide showing 2 Factor Authentication in a picture, from a presentation at the LTE World Summit.


You can also read more about this and Multi-factor Authentication (MFA) on Wikipedia here.

Monday, 29 July 2013

Big Data and Vulnerability of Cellular Systems

I am sure most of you are aware of Big Data; if not, watch this video on my old post here. Moray Rumney from Agilent recently gave a talk in #FWIC on how Big Data techniques can be used to exploit the vulnerabilities in a cellular system. Though the talk focussed on GSM and 3G, it is always a good intro. The presentation is embedded below:



You can also listen to the audio of his presentation here.

Sunday, 2 June 2013

Everything you wanted to know on Cloud Encryption

Cloud has been in the news recently, and not for the right reasons. The main worry with cloud is not just where your data is located and who can have access to it, but also what some rogue person or institution will do with your data if they get access. Then there is also the issue of which third party programs are allowed to access your data, as they may not be as strict in complying with the security requirements as the original cloud platform.

I like Dropbox (even though I am still a free user) but it is used as an example in many case studies for security related to cloud. A quick search on Google turned up some useful links summarising the issues with Dropbox security here, here and here.

A user on slideshare recently uploaded many presentations from the Cloud Asia 2013 in Singapore here. One of the presentations that I really liked is embedded below.

The two main things from the presentation that I really want to highlight are the worldwide compliance, which can be a bit of an issue once you want to offer your service universally, and the different levels of encryption that are required to keep the data secure. Pictures of both as follows:



Enjoy the presentation: