
Tuesday 3 August 2010

Double whammy for GSM Security

Via PC World:

A researcher at the Def Con security conference in Las Vegas demonstrated that he could impersonate a GSM cell tower and intercept mobile phone calls using only $1500 worth of equipment. The cost-effective solution brings mobile phone snooping to the masses, and raises some concerns for mobile phone security.

How does the GSM snooping work?

Chris Paget was able to patch together an IMSI (International Mobile Identity Subscriber) catcher device for about $1500. The IMSI catcher can be configured to impersonate a tower from a specific carrier. To GSM-based cell phones in the immediate area--the spoofed cell tower appears to be the strongest signal, so the devices connect to it, enabling the fake tower to intercept outbound calls from the cell phone.

What happens to the calls?

Calls are intercepted, but can be routed to the intended recipient so the attacker can listen in on, and/or record the conversation. To the real carrier, the cell phone appears to no longer be connected to the network, so inbound calls go directly to voicemail. Paget did clarify, though, that it's possible for an attacker to impersonate the intercepted device to the wireless network, enabling inbound calls to be intercepted as well.

But, aren't my calls encrypted?

Generally speaking, yes. However, the hacked IMSI catcher can simply turn the encryption off. According to Paget, the GSM standard specifies that users should be warned when encryption is disabled, but that is not the case for most cell phones. Paget explained "Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers."

What wireless provider networks are affected?

Good news for Sprint and Verizon customers--those networks use CDMA technology rather than GSM, so cell phones on the Sprint or Verizon networks would not connect to a spoofed GSM tower. However, AT&T and T-Mobile--as well as most major carriers outside of the United States--rely on GSM.

Does 3G protect me from this hack?

This IMSI catcher hack will not work on 3G, but Paget explained that the 3G network could be knocked offline with a noise generator and an amplifier--equipment that Paget acquired for less than $1000. With the 3G network out of the way, most cell phones will revert to 2G to find a viable signal to connect to.

Another one from CNET:

A researcher released software at the Black Hat conference on Thursday designed to let people test whether their calls on mobile phones can be eavesdropped on.

The public availability of the software -- dubbed Airprobe -- means that anyone with the right hardware can snoop on other people's calls unless the target telecom provider has deployed a patch that was standardized about two years ago by the GSMA, the trade association representing GSM (Global System for Mobile Communications) providers, including AT&T and T-Mobile in the U.S.

Most telecom providers have not patched their systems, said cryptography expert Karsten Nohl.

"This talk will be a reminder to this industry to please implement these security measures because now customers can test whether they've patched the system or not," he told CNET in an interview shortly before his presentation. "Now you can listen in on a stranger's phone calls with very little effort."

An earlier incarnation of Airprobe was incomplete so Nohl and others worked to make it usable, he said.

Airprobe offers the ability to record and decode GSM calls. When combined with a set of cryptographic tools called Kraken, which were released last week, "even encrypted calls and text messages can be decoded," he said.

To test phones for interception capability you need: the Airprobe software and a computer; a programmable radio for the computer, which costs about $1,000; access to cryptographic rainbow tables that provide the codes for cracking GSM crypto (another Nohl project); and the Kraken tool for cracking the A5/1 crypto used in GSM, Nohl said.

More information about the tool and the privacy issues is on the Security Research Labs Web site.


Friday 28 May 2010

UMTS/HSPA State Transition Problems to be solved with LTE

UMTS/HSPA is designed so that the mobile (UE) starts in the IDLE state. When data needs to be transferred, the UE moves to CELL_DCH; if the amount of data is very small, it may move to CELL_FACH instead. The UE can also move to CELL_PCH and URA_PCH if required, but will not do so if the operator has not configured those states.

The problem in UMTS/HSPA is that these state transitions take quite some time (in mobile terms) and can slow down the browsing experience. Martin has blogged about the state transition problems caused by the keep-alive messages used by apps. These small data transfers don't let the UE go into the IDLE state; if it does, a whole raft of signalling has to occur again for the UE to return to CELL_FACH or CELL_DCH. In another post Martin also pointed out the sluggishness caused by the UE being in the CELL_FACH state.


Mike Thelander of the Signals Research Group presented a similar story at the recently concluded LTE World Summit. It can be seen from the figure above that moving from IDLE to CELL_DCH takes 1-3 seconds, whereas FACH to DCH takes 500 ms.

If some apps are running in the background, they may be sending keep-alive or background messages. These may be very useful on a PC, but on a mobile they cause unnecessary state transitions and hence a lot of signalling overhead.

App developers have realised this problem and are working with the phone manufacturers to optimise their messaging. For example, for some mobile apps the keep-alive interval has been changed from 20 seconds to 5 minutes.

3GPP also realised this problem quite a while back, and for this reason two new features were added to HSPA+ in Release 7: Continuous Packet Connectivity (CPC) and Enhanced CELL_FACH. In Release 8, these features were added in the UL direction as well. The sole aim of these features was to reduce the time it takes to transition to CELL_DCH. Since CPC also increases cell capacity, more users can now be kept in CELL_FACH instead of being sent to IDLE.

An interesting thing about LTE is that the RRC states have been simplified to just two, as shown here: IDLE and CONNECTED. The intention in LTE is that all users can be left in the CONNECTED state, so unnecessary signalling and the time spent transitioning between states are reduced.

The preliminary trial results discussed at the LTE World Summit (also visible here) clearly show that LTE gives a fourfold capacity increase (in the same bandwidth) and very low latency. I am sure that enough tests with real-life applications like Skype, Fring and Yahoo IM have not been done yet, but I am hopeful of a positive outcome.
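To make the cost of these state transitions concrete, here is a small simulation added to this post; it is not code from the post, from Martin, or from the Signals Research Group. It uses the latencies quoted above (IDLE to CELL_DCH taken as 2 s, the midpoint of the 1-3 s figure; CELL_FACH to CELL_DCH 500 ms) and the two keep-alive intervals mentioned (20 s and 5 min). The inactivity timers (CELL_DCH to CELL_FACH after 5 s, CELL_FACH to IDLE after 30 s), the LTE setup latency of 100 ms, and the "one signalling round per state change" cost are assumptions chosen for illustration.

```python
"""Toy model of RRC state transitions caused by periodic app keep-alives.

Added example, not code from the original post. Latencies quoted by the post
are used as-is (IDLE->CELL_DCH 1-3 s, here the 2 s midpoint; CELL_FACH->CELL_DCH
500 ms), as are the two keep-alive intervals (20 s and 5 min). The inactivity
timers (CELL_DCH->CELL_FACH after 5 s, CELL_FACH->IDLE after 30 s) and the LTE
setup latency (100 ms) are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class RrcModel:
    """One UE's RRC state machine with inactivity timers and setup latencies."""
    rank: dict                 # state name -> 0 (lowest) .. n; bursts are served in the top state
    promote_latency: dict      # (from_state, top_state) -> seconds of bearer setup delay
    inactivity: dict           # state -> seconds of silence before dropping one rank (absent = never)
    state: str = "IDLE"
    transitions: int = 0       # every state change costs a round of signalling
    setup_delay: float = 0.0   # seconds the user has waited for the radio bearer

    @property
    def top(self):
        return max(self.rank, key=self.rank.get)

    def _lower(self, state):
        # The state one rank below `state`
        r = self.rank[state] - 1
        return next(s for s, v in self.rank.items() if v == r)

    def idle_for(self, seconds):
        """Let inactivity timers expire during `seconds` of silence."""
        remaining = seconds
        while self.state in self.inactivity and remaining >= self.inactivity[self.state]:
            remaining -= self.inactivity[self.state]
            self.state = self._lower(self.state)
            self.transitions += 1

    def send_burst(self):
        """Serve a data burst (e.g. a keep-alive) in the top state, promoting if needed."""
        if self.state != self.top:
            self.setup_delay += self.promote_latency[(self.state, self.top)]
            self.state = self.top
            self.transitions += 1


def umts_ue():
    return RrcModel(
        rank={"IDLE": 0, "CELL_FACH": 1, "CELL_DCH": 2},
        promote_latency={("IDLE", "CELL_DCH"): 2.0, ("CELL_FACH", "CELL_DCH"): 0.5},
        inactivity={"CELL_DCH": 5.0, "CELL_FACH": 30.0},   # assumed operator timers
    )


def lte_ue():
    # LTE intention per the post: leave the UE in CONNECTED, so no release timer
    return RrcModel(
        rank={"IDLE": 0, "CONNECTED": 1},
        promote_latency={("IDLE", "CONNECTED"): 0.1},      # assumed setup latency
        inactivity={},
    )


def simulate(ue, keepalive_interval, duration=3600.0):
    """Send a keep-alive every `keepalive_interval` s for `duration` s.

    Returns (number of state transitions, total bearer setup delay in seconds).
    """
    t = keepalive_interval
    while t <= duration:
        ue.idle_for(keepalive_interval)
        ue.send_burst()
        t += keepalive_interval
    return ue.transitions, ue.setup_delay


if __name__ == "__main__":
    for interval in (20.0, 300.0):
        print(f"UMTS keep-alive every {interval:>5.0f} s: {simulate(umts_ue(), interval)}")
        print(f"LTE  keep-alive every {interval:>5.0f} s: {simulate(lte_ue(), interval)}")
```

Over one hour the 20-second keep-alive produces 359 state changes but only about 90 s of cumulative setup delay, because the UE is still in CELL_FACH when the next burst arrives. The 5-minute keep-alive cuts the signalling to 34 state changes, yet every burst now pays the full IDLE-to-CELL_DCH latency since the UE has dropped all the way to IDLE in between; that is the trade-off behind keeping users in CELL_FACH rather than IDLE. The LTE model with no release timer shows a single transition and nothing further.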

Monday 1 March 2010

GSM-UMTS Network migration towards LTE


Another interesting white-paper from 3G Americas. The following from their press release:

A 3rd Generation Partnership Project (3GPP) specification, LTE will serve to unify the fixed and mobile broadband worlds and will open the door to new converged multimedia services. As an all-IP-based technology, LTE will drive a major network transformation as the traditional circuit-based applications and services migrate to an all-IP environment, though introducing LTE will require support and coordination between a complex ecosystem of application servers, devices/terminals and interaction with existing technologies. The report discusses functionality and steps GSM-UMTS network operators may use to effectively evolve their networks to LTE and identifies potential challenges and solutions for enabling the interaction of LTE with GSM, GPRS and UMTS networks.

“This white paper reveals solutions that facilitate a smooth migration for network operators as they deploy LTE,” stated Chris Pearson, president of 3G Americas. “3GPP has clearly defined the technology standards in Release 9 and Release 10, and this paper explores the implementation of these standards on 3GPP networks.”



A reported 130 operators around the world have written LTE into their technology roadmaps. In December 2009, TeliaSonera launched the world’s first LTE networks in Norway and Sweden and an estimated 17 operators are expected to follow in its footsteps in 2010.

“LTE is receiving widespread support and powerful endorsements from industry leaders around the world, but it is important to keep in mind that the evolution to LTE will require a multi-year effort,” Pearson said. “LTE must efficiently and seamlessly coexist with existing wireless technologies during its rise to becoming the leading next-generation wireless technology.”

Operators planning LTE deployments must consider the implications of utilizing LTE in an ecosystem comprising 2G, 3G and future “4G” wireless technologies. Therefore, operators planning an LTE deployment will need to offer multi-technology devices with networks that allow mobility and service continuity between GSM, EDGE, HSPA and LTE.


Thursday 11 February 2010

UICC and USIM in 3GPP Release 8 and Release 9


In the good old days of GSM, the SIM was a physical card with a GSM "application" (GSM 11.11).

In the brave new world of 3G+, the UICC is the physical card with basic logical functionality (based on 3GPP TS 31.101) and the USIM is the 3G application on the UICC (3GPP TS 31.102). The UICC can contain multiple applications, such as the SIM (for GSM), the USIM and the ISIM (for IMS). There is an interesting Telenor presentation on the present and future of the UICC which may be worth reading. See references below.

UICC was originally known as "UMTS IC card". The incorporation of the ETSI UMTS activities into the more global perspective of 3GPP required a change of this name. As a result this was changed to "Universal Integrated Circuit Card". Similarly USIM (UMTS Subscriber Identity Module) changed to Universal Subscriber Identity Module.

The following is from the 3G Americas Whitepaper on Mobile Broadband:

UICC (3GPP TS 31.101) remains the trusted operator anchor in the user domain for LTE/SAE, leading to evolved applications and security on the UICC. With the completion of Rel-8 features, the UICC now plays significant roles within the network.

Some of the Rel-8 achievements from standards (ETSI, 3GPP) are in the following areas:

USIM (TS 31.102)
With Rel-8, all USIM features have been updated to support LTE and new features to better support non-3GPP access systems, mobility management, and emergency situations have been adopted.

The USIM is mandatory for the authentication and secure access to EPC even for non-3GPP access systems. 3GPP has approved some important features in the USIM to enable efficient network selection mechanisms. With the addition of CDMA2000 and HRPD access technologies into the PLMN, the USIM PLMN lists now enable roaming selection among CDMA, UMTS, and LTE access systems.

Taking advantage of its high security, USIM now stores mobility management parameters for SAE/LTE. Critical information like location information or EPS security context is to be stored in USIM rather than the device.

USIM in LTE networks is not just a matter of digital security but also physical safety. The USIM now stores the ICE (In Case of Emergency) user information, which is now standardized. This feature allows first responders (police, firefighters, and emergency medical staff) to retrieve medical information such as blood type, allergies, and emergency contacts, even if the subscriber lies unconscious.

3GPP has also approved the storage of the eCall parameters in USIM. When activated, the eCall system establishes a voice connection with the emergency services and sends critical data including time, location, and vehicle identification, to speed up response times by emergency services. ECalls can be generated manually by vehicle occupants or automatically by in-vehicle sensors.

TOOLKIT FEATURES IMPROVEMENT (TS 31.111)
New toolkit features have been added in Rel-8 for the support of NFC, M2M, OMA-DS, DM and to enhance coverage information.

The contactless interface has now been completely integrated with the UICC to enable NFC use cases where UICC applications proactively trigger contactless interfaces.

Toolkit features have been updated for terminals with limited capabilities (e.g. datacard or M2M wireless modules). These features will be notably beneficial in the M2M market where terminals often lack a screen or a keyboard.

UICC applications will now be able to trigger OMA-DM and DS sessions to enable easier device support and data synchronization operations, as well as interact in DVB networks.

Toolkit features have been enriched to help operators in their network deployments, particularly with LTE. A toolkit event has been added to inform a UICC application of a network rejection, such as a registration attempt failure. This feature will provide important information to operators about network coverage. Additionally, a UICC proactive command now allows the reporting of the signal strength measurement from an LTE base station.

CONTACT MANAGER
Rel-8 defined a multimedia phone book (3GPP TS 31.220) for the USIM based on OMA-DS and its corresponding JavaCard API (3GPP TS 31.221).

REMOTE MANAGEMENT EVOLUTION (TS 31.115 AND TS 31.116)
With IP sessions becoming prominent, an additional capability to multiplex the remote application and file management over a single CAT_TP link in a BIP session has been completed. Remote sessions to update the UICC now benefit from additional flexibility and security with the latest addition of the AES algorithm rather than a simple DES algorithm.

CONFIDENTIAL APPLICATION MANAGEMENT IN UICC FOR THIRD PARTIES
The security model in the UICC has been improved to allow the hosting of confidential (e.g. third party) applications. This enhancement was necessary to support new business models arising in the marketplace, with third party MVNOs, M-Payment and Mobile TV applications. These new features notably enable UICC memory rental, remote secure management of this memory and its content by the third party vendor, and support new business models supported by the Trusted Service Manager concept.

SECURE CHANNEL BETWEEN THE UICC AND TERMINAL
A secure channel solution has been specified that enables a trusted and secure communication between the UICC and the terminal. The secure channel is also available between two applications residing respectively on the UICC and on the terminal. The secure channel is applicable to both ISO and USB interfaces.

RELEASE 9 ENHANCEMENTS: UICC: ENABLING M2M AND FEMTOCELLS
The role of femtocell USIM is increasing in provisioning information for Home eNodeB, the 3GPP name for femtocell. USIMs inside handsets provide a simple and automatic access to femtocells based on operator and user-controlled Closed Subscriber Group list.

Work is ongoing in 3GPP for the discovery of surrounding femtocells using toolkit commands. Contrary to macro base stations deployed by network operators, a femtocell location is out of the control of the operator since a subscriber can purchase a Home eNodeB and plug it anywhere at any time. A solution based on USIM toolkit feature will allow the operator to identify the femtocells serving a given subscriber. Operators will be able to adapt their services based on the femtocells available.

The upcoming releases will develop and capitalize on the IP layer for UICC remote application management (RAM) over HTTP or HTTPS. The network can also send a push message to UICC to initiate a communication using TCP protocol.

Additional guidance is also expected from the future releases with regards to the M2M dedicated form factor for the UICC that is currently under discussion to accommodate environments with temperature or mechanical constraints surpassing those currently specified by the 3GPP standard.

Some work is also expected to complete the picture of a full IP UICC integrated in IP-enabled terminal with the migration of services over EEM/USB and the capability for the UICC to register on multicast based services (such as mobile TV).

Further Reading:

Monday 14 September 2009

TD-SCDMA, TDD and FDD

After my posting on TD-SCDMA, so many people asked me what TD-SCDMA is. I am surprised that so many people are not aware of it, so here is a quick posting on that.

TDD and FDD Mode of Operation

Basically most of the UMTS networks in operation are Frequency Division Duplex (FDD) based. There is also another variant called Time Division Duplex or TDD. In reality there is more than one variant of TDD: the normal 5 MHz bandwidth TDD is called Wideband TDD or WTDD. To confuse people, WTDD has another name too, High Chip Rate TDD (HCR-TDD). As you would have guessed, there is another variant of TDD known as Narrowband TDD (NTDD). NTDD is also known as Low Chip Rate TDD (LCR-TDD), and most popularly it is known as TD-SCDMA or Time Division Synchronous CDMA.

"Synchronous" implies that uplink signals are synchronized at the base station receiver, achieved by continuous timing adjustments. This reduces the interference between users of the same timeslot using different codes by improving the orthogonality between the codes, therefore increasing system capacity, at the cost of some hardware complexity in achieving uplink synchronization.

The normal bandwidth of the FDD or TDD mode of operation is 5 MHz. This gives a chip rate of 3.84 Mcps (mega chips per second). The corresponding figures for TD-SCDMA are 1.66 MHz and 1.28 Mcps.


Asymmetric operation in TDD mode

The advantages of TDD over FDD are:
  • It does not require paired spectrum: FDD uses different frequencies for UL and DL, whereas TDD uses the same frequency for both, so it is easier to deploy.
  • Channel characteristics are the same in both directions because the same band is used.
  • The UL and DL bandwidth allocation can be changed dynamically depending on the traffic.
The disadvantages of TDD over FDD are:
  • Switching between transmission directions requires time, and the switching transients must be controlled. To avoid corrupted transmission, the uplink and downlink transmissions require a common means of agreeing on transmission direction and allowed time to transmit. Corruption of transmission is avoided by allocating a guard period which allows uncorrupted propagation to counter the propagation delay. Discontinuous transmission may also cause audible interference to audio equipment that does not comply with electromagnetic susceptibility requirements.
  • Base stations need to be synchronised with respect to the uplink and downlink transmission times. If neighbouring base stations use different uplink and downlink assignments and share the same channel, then interference may occur between cells. This can increase the complexity of the system and the cost.
  • It also does not support soft/softer handovers.
Timing Synchronisation between different terminals

By the way, in Release 7 a new TDD mode of operation with 10 MHz bandwidth (7.86 Mcps) has been added. Unfortunately I don't know much about it.

You can read more about TD-SCDMA in whitepaper 'TD-SCDMA: the Solution for TDD bands'

You can find more information on TD-SCDMA at: http://www.td-forum.org/en/

Wednesday 8 July 2009

UK: Ofcom releases 3G coverage maps

Ofcom has just released (or, as The Register puts it, found under the sofa) 3G coverage maps for the UK. They are useful for people who don't live in big towns but are planning to take out contracts on dongles/data services: they can now quickly check which operator to go for.

These 3G coverage maps by mobile operator were prepared in January 2009. They represent the area where we have assessed the mobile operators met a minimum coverage threshold set by Ofcom (see technical notes below). The shaded areas on the maps indicate areas where customers have the possibility of making and receiving a call outside over a 3G network (but with no guarantee of being able to do so). They do not indicate areas where customers are able to access higher data rate services.

All operators produce their own coverage indicators on their websites which are likely to provide more reliable guidance to network availability in any given area. The accuracy and detail of the maps are not to the same level as the mobile operators publish. These maps show UK-wide general coverage and are not suitable for zooming in to see specific locations i.e. a particular house or street. Also they are not suitable for assessing the quality or depth of coverage within the indicated areas (e.g. different operators may be able to offer better or worse data rate services or support a smaller or greater number of users).

You can see the PDF of the coverage maps here.

Wireless Cellular Security

Arvind, an old colleague, recently spoke at ACM Bangalore on the topic of security. Here is his presentation:

There are lots of interesting questions and answers. One interesting one is:

Does number portability mean that data within an AuC is compromised?

Not really. Number portability does not mean sensitive data from the old AuC are transferred to the new AuC. The new operator will issue a new USIM which will have a new IMSI. Number portability only means that the MSISDN is kept the same for others to call the mobile. The translation between MSISDN and IMSI is done at a national level register. Such a translation will identify the Home PLMN and the HLR that needs to be contacted for an incoming call.
That’s the theory and that’s how it should be done. It will be interesting to know how operators in India do this.
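The answer above can be checked with a small model, added here; it is not part of Arvind's presentation or of the original post. The operator names, PLMN ids, MSISDN and MSIN digits are constructed placeholders, the Ki values are random, and the HMAC-SHA256 stand-in for the AuC's response function is an assumption (real networks use MILENAGE or an operator-specific algorithm). What it demonstrates is that porting only replaces the MSISDN-to-IMSI mapping in the national register: the recipient operator provisions a fresh IMSI and Ki, and the donor's AuC record is neither read nor copied.

```python
"""Number portability versus AuC secrets: a model added to this post, not code
from the presentation or the blog. PLMN ids, MSISDN/MSIN digits and operator
names are constructed; Ki values are random; HMAC-SHA256 stands in for the
AuC's authentication response function (an assumption, not the real algorithm).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Subscriber:
    imsi: str
    ki: bytes            # long-term secret shared only by the USIM and its home AuC


@dataclass
class Operator:
    name: str
    plmn_id: str                                   # MCC+MNC digits, e.g. "40401" (constructed)
    hlr_auc: dict = field(default_factory=dict)    # IMSI -> Subscriber (the HLR/AuC record)

    def issue_usim(self, msin: str) -> Subscriber:
        """Provision a subscriber: fresh IMSI under this PLMN and a fresh Ki."""
        sub = Subscriber(self.plmn_id + msin, secrets.token_bytes(16))
        self.hlr_auc[sub.imsi] = sub
        return sub

    def expected_response(self, imsi: str, rand: bytes) -> bytes:
        """Stand-in for the AuC computing the expected response to challenge RAND."""
        return hmac.new(self.hlr_auc[imsi].ki, rand, hashlib.sha256).digest()[:8]


def usim_response(usim: Subscriber, rand: bytes) -> bytes:
    """The same stand-in computation, done on the card side."""
    return hmac.new(usim.ki, rand, hashlib.sha256).digest()[:8]


class NationalRegister:
    """MSISDN -> IMSI translation consulted for an incoming call; it holds no keys."""

    def __init__(self, operators):
        self.operators = {op.plmn_id: op for op in operators}
        self.msisdn_to_imsi = {}

    def assign(self, msisdn: str, operator: Operator, msin: str) -> Subscriber:
        """Initial provisioning and porting are the same operation here: the serving
        operator issues a USIM and the register is pointed at its IMSI. Nothing is
        read from any other operator's AuC."""
        usim = operator.issue_usim(msin)
        self.msisdn_to_imsi[msisdn] = usim.imsi
        return usim

    def route(self, msisdn: str):
        """Find the home PLMN (hence the HLR to contact) for an incoming call."""
        imsi = self.msisdn_to_imsi[msisdn]
        home = next(op for plmn, op in self.operators.items() if imsi.startswith(plmn))
        return home, imsi


def porting_demo() -> dict:
    """Port a constructed number from DonorTel to RecipMobile; report what changed."""
    donor = Operator("DonorTel", "40401")         # constructed PLMN ids
    recipient = Operator("RecipMobile", "40402")
    register = NationalRegister([donor, recipient])
    msisdn = "919800000001"                       # constructed MSISDN

    old_usim = register.assign(msisdn, donor, "0000000001")      # original subscription
    new_usim = register.assign(msisdn, recipient, "0000000001")  # the port
    home, routed_imsi = register.route(msisdn)
    rand = secrets.token_bytes(16)                # constructed network challenge

    return {
        "routed_to": home.name,
        "routes_to_new_imsi": routed_imsi == new_usim.imsi,
        "imsi_changed": old_usim.imsi != new_usim.imsi,
        "ki_changed": old_usim.ki != new_usim.ki,
        "donor_record_untouched": donor.hlr_auc[old_usim.imsi] is old_usim,
        "donor_lacks_new_imsi": new_usim.imsi not in donor.hlr_auc,
        "old_card_fails_at_new_auc":
            usim_response(old_usim, rand) != recipient.expected_response(new_usim.imsi, rand),
        "new_card_authenticates":
            usim_response(new_usim, rand) == recipient.expected_response(new_usim.imsi, rand),
    }


if __name__ == "__main__":
    for key, value in porting_demo().items():
        print(f"{key:28s} {value}")
```

The `route` step is the national-level translation the answer describes: the leading MCC+MNC digits of the IMSI identify the home PLMN, so an incoming call to the ported MSISDN reaches the recipient's HLR without the donor being involved.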

You can read all the Q&As here.

I wrote a tutorial on UMTS security many years back. It's available here.

Friday 15 May 2009

Testing UMTS protocols




Testing UMTS by Dan Fox, Anritsu

It's nearly three years since I wrote an FAQ on UMTS Testing. So when I got my hands on this book the other day, I very much wanted to read it. It will be a while before I manage to go through the book in detail, but my initial impression is that it looks quite good.

Since the book deals with Protocol Testing, the testing has been grouped into three categories:

  1. Integration Testing
  2. Conformance Testing
  3. Interoperability Testing

There is a chapter explaining each of these. The Conformance testing is of interest to me as I have been involved directly and indirectly with this for quite some years now. The book explains the process, standards required and submission of tests to GCF/PTCRB.

Those for whom testing holds little charm can gain a greater understanding of the concepts by reading Part II of the book. One thing I really liked in this book is that the diagrams explain the concepts very well. Rather than being copied straight from the 3GPP specifications, they have been improved and re-done by the author. Basic things like 'Dynamic TFCI selection' and 'Layer 2 transport channel processing flow for the 12.2 kbps RMC' are explained clearly using the diagrams.

There is just the right amount of detail in the chapters for Physical Layer, Layer 2 (MAC, RLC, PDCP) and Layer 3 (RRC, NAS). Further chapters show message flow sequence charts explaining things like 'setting up of speech call' and 'location updating procedure'. I have some basic sequence diagrams for message flow in the Tutorial section but the ones in the book are comparatively more detailed.

The book mainly covers UMTS, with an introduction to HSPA. It would be worthwhile to have the next edition cover LTE in detail, the main reason being that there are lots of changes in the case of LTE. The air interface has changed and the channels are different. The NAS messages and entities are different. UMTS (and HSPA) use TTCN-2 for testing but LTE uses TTCN-3. UMTS does not use MIMO (MIMO is available for HSPA from Release 7 onwards) but LTE would generally always use MIMO.

Overall, this seems to be a useful book and I am looking forward to reading it in detail.

Sunday 5 April 2009

Orthogonality and non orthogonality


Multiple access (MA) is a basic function in wireless cellular systems. Generally speaking, MA techniques can be classified into orthogonal and non-orthogonal approaches. In orthogonal approaches, signals from different users are orthogonal to each other, i.e., their cross correlation is zero, which can be achieved by time division multiple-access (TDMA), frequency-division multiple-access (FDMA) and orthogonal-frequency division multiple-access (OFDMA). Non-orthogonal schemes allow non-zero cross correlation among the signals from different users, such as in random waveform code-division multiple-access (CDMA), trellis-coded multiple-access (TCMA) and interleave-division multiple-access (IDMA).

First and second generation cellular systems are dominated by orthogonal MA approaches. The main advantage of these approaches is the avoidance of intra-cell interference. However, careful cell planning is necessary in these systems to curtail cross-cell interference. In particular, sufficient distance must exist between re-used channels, resulting in reduced cellular spectral efficiency.

Non-orthogonal CDMA techniques have been adopted in second and third generation cellular systems (e.g. CDMA2000 and uplink WCDMA). Compared with its orthogonal counterparts, CDMA is more robust against fading and cross-cell interference, but is prone to intra-cell interference. Due to its spread-spectrum nature, CDMA is inconvenient for data services (e.g. wireless local area networks (WLANs) and the 3GPP high speed uplink/downlink packet access (HSUPA/HSDPA) standards) that require high single-user rates.

Communication services can be classified into delay sensitive and insensitive ones. A typical example of a delay-insensitive service is email. Typical examples of delay-sensitive services include speech and video applications. For delay insensitive services, rate constraints are relatively relaxed for individual users and maximizing the throughput by orthogonal methods is a common strategy. The maximum throughput can be achieved by a one-user transmission policy, where only the user with the largest channel gain is allowed to transmit. This implies time domain orthogonality as adopted in many WLANs. For delay-sensitive services, on the other hand, each user must transmit a certain amount of information within a certain period and maximizing the throughput is no longer an appropriate strategy. Rate constraints must be considered in this case.

CDMA is the most well known non-orthogonal technique. The main advantages of CDMA are its robustness against fading and cross-cell interference, and its flexibility in asynchronous transmission environments.

An uplink data transfer mechanism in HSUPA is provided by physical HSUPA channels, such as the Enhanced Dedicated Physical Data Channel (E-DPDCH), implemented on top of Wideband Code Division Multiple Access (WCDMA) uplink physical data channels such as the Dedicated Physical Control Channel (DPCCH) and the Dedicated Physical Data Channel (DPDCH), thus sharing radio resources, such as power, with the WCDMA uplink physical data channels. This sharing of radio resources results in inflexibility in radio resource allocation between the physical HSUPA channels and the WCDMA physical data channels. In CDMA, which is a non-orthogonal multiple access scheme, the signals from different users within the same cell interfere with one another. This type of interference is known as intra-cell interference. In addition, the base station also receives interference from users transmitting in neighbouring cells. This is known as inter-cell interference.

Uplink power control is typically intended to control the received signal power from the active user equipments (UEs) at the base station as well as the rise-over-thermal (RoT), which is a measure of the total interference (intra- and inter-cell) relative to the thermal noise. In systems such as HSUPA, fast power control is required because of the fast fluctuation in multi-user (intra-cell) interference; without it, this fluctuation results in the well-known near-far problem. Since uplink transmission in an HSUPA system is not orthogonal, the signal from each transmitting UE is subject to interference from every other transmitting UE. If the signal strength of UEs varies substantially, a stronger UE (for example, a UE in favourable channel conditions experiencing a power boost due to constructive short-term channel fading such as Rayleigh fading) may completely overwhelm the signal of a weaker UE (whose signal is attenuated by short-term fading). To mitigate this problem, fast power control is used: the base station sends power control commands to each UE to set its uplink transmission power.
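To see the cross-correlation argument and the near-far problem in numbers, here is an added example that is not from the post. It uses 8-chip codes: a Walsh-Hadamard set, which is orthogonal, and a hand-constructed set whose codes overlap, standing in for random-waveform CDMA. The user amplitudes and bits are constructed, and the receiver is an ideal chip-synchronous, noise-free correlator, so every decoding error shown comes from multi-user interference alone.

```python
"""Orthogonal vs non-orthogonal spreading codes and the near-far effect.

Added example, not from the post. The 8-chip code length, the hand-built
non-orthogonal code set, and the user amplitudes and bits are constructed for
illustration; the receiver is an ideal synchronous, noise-free correlator.
"""


def walsh_codes(order):
    """Sylvester-ordered Walsh-Hadamard codes of length 2**order, chips in {+1, -1}."""
    h = [[1]]
    for _ in range(order):
        h = [row + row for row in h] + [row + [-c for c in row] for row in h]
    return h


# Constructed non-orthogonal set: user 0's code correlates 0.5 with user 1's
# and 0.25 with user 2's, so their energy leaks into user 0's correlator.
NON_ORTHOGONAL = [
    [1, 1, 1, 1, 1, 1, 1, 1],
    [1, 1, 1, 1, 1, 1, -1, -1],
    [1, -1, 1, -1, 1, -1, 1, 1],
]


def cross_correlation(a, b):
    """Normalised inner product of two codes; 0 means orthogonal."""
    return sum(x * y for x, y in zip(a, b)) / len(a)


def is_orthogonal_set(codes):
    """True when every pair of codes in the set has zero cross-correlation."""
    return all(cross_correlation(codes[i], codes[j]) == 0
               for i in range(len(codes)) for j in range(i + 1, len(codes)))


def uplink(codes, amplitudes, bits):
    """Chip-synchronous superposition of every user's spread symbol at the base station."""
    return [sum(a * b * code[i] for a, b, code in zip(amplitudes, bits, codes))
            for i in range(len(codes[0]))]


def correlator_output(codes, amplitudes, bits, user=0):
    """Matched-filter output for `user`: its own amplitude*bit plus, for each other
    user, amplitude*bit*cross_correlation (which vanishes for an orthogonal set)."""
    rx = uplink(codes, amplitudes, bits)
    return sum(r * c for r, c in zip(rx, codes[user])) / len(codes[user])


def decode(codes, amplitudes, bits, user=0):
    """Hard decision on the correlator output."""
    return 1 if correlator_output(codes, amplitudes, bits, user) > 0 else -1


if __name__ == "__main__":
    bits = [1, -1, 1]          # user 0 is the one we try to decode
    near_far = [1, 10, 10]     # user 0 received 20 dB weaker than the two interferers
    controlled = [1, 1, 1]     # after power control has equalised received levels
    walsh = walsh_codes(3)[:3]
    print("Walsh set orthogonal:", is_orthogonal_set(walsh),
          "| near-far decode:", decode(walsh, near_far, bits))
    print("Non-orthogonal, near-far: output", correlator_output(NON_ORTHOGONAL, near_far, bits),
          "decode", decode(NON_ORTHOGONAL, near_far, bits))
    print("Non-orthogonal, power-controlled: output",
          correlator_output(NON_ORTHOGONAL, controlled, bits),
          "decode", decode(NON_ORTHOGONAL, controlled, bits))
```

With the Walsh set the weak user's correlator output is exactly its own symbol (1.0) no matter how strong the others are. With the overlapping codes the two 20 dB stronger interferers push the output to -1.5 and the weak user's bit is decoded wrongly; equalising the received amplitudes, which is what uplink power control does, brings the output back to 0.75 and the decision is correct again. That is the intra-cell interference and near-far behaviour the paragraph describes, and why fast power control matters for non-orthogonal uplinks but not for orthogonal ones.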

When an orthogonal multiple access scheme such as Single-Carrier Frequency Division Multiple Access (SC-FDMA), which includes interleaved and localized Frequency Division Multiple Access (FDMA), or Orthogonal Frequency Division Multiple Access (OFDMA) is used, multi-user interference is absent at low mobility and small at moderate mobility. This is the case for the next generation of UMTS, i.e. the LTE system, which employs SC-FDMA in the uplink and OFDMA in the downlink. As a result, in LTE the fluctuation in the total interference comes only from inter-cell interference and thermal noise, which tends to be slower. While fast power control can still be used, its advantage is arguably minimal. Hence, only slow power control is needed for orthogonal multiple access schemes.