Monday, December 29, 2014

The SS7 flaws that allows hackers to snoop on your calls and SMS

By now I am aware that most people have heard of the flaws in SS7 networks that allow hackers to snoop, re-route calls and read text messages. For anyone who is not aware of these things, can read some excellent news articles here:

Our trusted security expert, Ravi Borgaonkar, informs us that all these flaws have already been discussed back in May, as part of Positive Hack Days (PHDays).

The presentation is embedded below and can be downloaded from Slideshare:



xoxoxo Added this new information on the 4th Jan 2015 oxoxox

The following is this presentation and video by Tobias Engel from the 31st Chaos Communication Congress



Tuesday, December 23, 2014

M2M embedded UICC (eSIM) Architecture and Use Cases

Machine-to-Machine UICC, also known as M2M Form Factor (MFF) and is often referred to as embedded SIM (eSIM) is a necessity for the low data rate M2M devices that are generally small, single contained unit that is also sealed. The intention is that once this M2M device is deployed, then there is no need to remove the UICC from it. There may be a necessity to change the operator for some or the other reason. This gives rise to the need of multi-operator UICC (SIM) cards.


The GSMA has Embedded SIM specifications available for anyone interested in implementing this. There are various documents available on the GSMA page for those interested in this topic further.

While the complete article is embedded below, here is an extract of the basic working from the document:

A eUICC is a SIM card with a Remote Provisioning function, and is designed not to be removed or changed. It is able to store multiple communication profiles, one of which is enabled (recognized by the device and used for communication). The network of the MNO in the enabled profile is used for communication. Profiles other than the enabled profile are disabled (not recognized by the device). With conventional SIM cards, the ICCID is used as the unique key to identify the SIM card, but with eUICC, the ICCID is the key used to identify profiles, and a new ID is defined, called the eUICCID, which is used as the unique key for the eSIM

GSMA defines two main types of profile.
1) Provisioning Profile: This is the communication profile initially stored in the eUICC when it is shipped. It is a limited-application communication profile used only for downloading and switching Operational Profiles, described next.
2) Operational Profile: This is a communication profile for connecting to enterprise servers or the Internet. It can also perform the roles provided by a Provisioning profile

An eSIM does not perform profile switching as a simple IC card function, but rather switches profiles based on instructions from equipment called a Subscription Manager. A Subscription Manager is maintained and managed by an MNO. The overall eSIM architecture, centering on the Subscription Manager, is shown in Figure 3, using the example of switching profiles within the eUICC.

An eUICC must have at least one profile stored in it to enable OTA functionality, and one of the stored profiles must be enabled. The enabled profile uses the network of MNO A for communication. When the user switches profiles, a switch instruction is sent to the Subscription Manager. At that time, if the profile to switch to is not stored in the eUICC, the profile is first downloaded. When it receives a switch instruction, the eUICC performs a switch of the enabled profile as an internal process.

After the switch is completed, it uses the network of MNO B to send notification that the switch has completed to the Subscription Manager, completing the process. The same procedure is used to switch back to the original MNO A, or to some other MNO C.

Anyway, here is the complete paper on NTT Docomo website.

Friday, December 12, 2014

5G Spectrum and challenges

I was looking at the proposed spectrum for 5G last week. Anyone who follows me on Twitter would have seen the tweets from last weekend already. I think there is more to discuss then just tweet them so here it is.




Metis has the most comprehensive list of all the bands identified from 6GHz, all the way to 86GHz. I am not exactly sure but the slide also identifies who/what is currently occupying these bands in different parts of the world.


The FCC in the USA has opened a Notice of Inquiry (NoI) for using the bands above 24GHz for mobile broadband. The frequency bands above have a potential as there is a big contiguous chunk of spectrum available in each band.



Finally, the slides from ETRI, South Korea show that they want to have 500MHz bandwidth in frequencies above 6GHz.

As I am sure we all know, the higher the frequency, the lower the cell size and penetration indoors. The advantage on the other hand is smaller cell sizes, leading to higher data rates. The antennas also become smaller at higher frequencies thereby making it easier to have higher order MIMO (and massive MIMO). The only way to reliably be able to do mobile broadband is to use beamforming. The tricky part with that is the beam has to track the mobile user which may be an issue at higher speeds.

The ITU working party 5D, recently released a draft report on 'The technical feasibility of IMT in the bands above 6 GHz'. The document is embedded below.




xoxoxo Added Later (13/12/2014) xoxoxo
Here are some links on the related topic:


xoxoxo Added Later (18/12/2014) xoxoxo
Moray Rumney from Keysight (Agilent) gave a presentation on this topic in the Cambridge Wireless Mobile Broadband SIG event yesterday, his presentation is embedded below.



Monday, December 1, 2014

Bringing Network Function Virtualization (NFV) to LTE

SDN and NFV have gained immense popularity recently. Not only are they considered important for reducing the Capex and Opex but are being touted as an important cog in the 4.5G/5G network. See here for instance.


I introduced NFV to the blog nearly a year back here. ETSI had just published their first specs around then. When I talked about SDN/NFV back in May, these ETSI standards were evolving into a significant reference documents. This is a reason 4G Americas recently published this whitepaper (embedded below), for the operators to start migrating to NFV architecture to reap long term benefits. The following is from the whitepaper:

The strategies and solutions explored in the 4G Americas report on NFV aim to address these issues and others by leveraging IT virtualization technology to consolidate many network equipment types onto industry standard high volume servers, networking and storage. NFV is about separating network functions from proprietary hardware and then consolidating and running those functions as virtualized applications on a commodity server. Broadly speaking, NFV will enable carriers to virtualize network functions and run them as software applications within their networks. NFV focuses on virtualizing network functions such as firewalls, Wide-Area Network (WAN) acceleration, network routers, border controllers (used in Voice over IP (VoIP) networks), Content Delivery Networks (CDNs) and other specialized network applications. NFV is applicable to a wide variety of networking functions in both fixed and mobile networks.
“NFV is making great progress throughout the world as operators work with their vendor partners to address the opportunities of increasing efficiency within their network infrastructure elements,” stated Chris Pearson, President of 4G Americas. “There is a great deal of collaborative innovation and cooperation between wireless carriers, IT vendors, networking companies and wireless infrastructure vendors making NFV for LTE possible.”
Global communication service providers, along with many leading vendors, are participating in the European Telecommunications Standards Institute’s (ETSI) Industry Specification Group for Network Functions Virtualization (NFV ISG) to address challenges such as:
  • An increasing variety of proprietary hardware appliances like routers, firewalls and switches
  • Space and power to accommodate these appliances
  • Capital investment challenges
  • Short lifespan
  • A long procure-design-integrate-deploy lifecycle
  • Increasing complexity and diversity of network traffic
  • Network capacity limitations
Three main benefits of NFV outlined in the 4G Americas paper include:
  • Improved capital efficiency: Provisioning capacity for all functions versus each individual function, providing more granular capacity, exploiting the larger economies of scale associated with Commercial Off-the-Shelf (COTS) hardware, centralizing Virtual Network Functions (VNFs) in data centers where latency requirements allow, and separately and dynamically scaling VNFs residing in the user (or data or forwarding) plane designed for execution in the cloud, control and user-plane functions as needed.
  • Operational efficiencies: Deploying VNFs as software using cloud management techniques which enables scalable automation at the click of an operator’s (or customer’s) mouse or in response to stimulus from network analytics. The ability to automate onboarding, provisioning and in-service activation of new virtualized network functions can yield significant savings. 
  • Service agility, innovation and differentiation: In deploying these new VNFs, time-to-market for new network services can be significantly reduced, increasing the operator’s ability to capture market share and develop market-differentiating services.
In particular, mobile operators can take advantage of NFV as new services are introduced. Evolved Packet Core (EPC), Voice over LTE (VoLTE), IP Multimedia System (IMS) and enhanced messaging services, among others, are examples of opportunities to use virtualized solutions. Some operators started deploying elements of NFV in 2013 with an expectation that many service areas could be mostly virtualized in the next decade.

The whitepaper as follows: