Sunday 20 August 2017

Enhanced 5G Security via IMSI Encryption


IMSI Catchers can be a real threat. They don't generally affect anyone unless someone is out to get them. Nevertheless, it's a security flaw that is even present in LTE. This presentation here is a good starting point for learning about IMSI Catchers, and the one here covers privacy and availability attacks.


This article by Ericsson is a good starting point on how 5G will enhance security by IMSI encryption. From the article:
The concept we propose builds on an old idea that the mobile device encrypts its IMSI using the home network’s asymmetric key before it is transmitted over the air-interface. By using a probabilistic asymmetric encryption scheme – one that uses randomness – the same IMSI encrypted multiple times results in different values of encrypted IMSIs. This makes it infeasible for an active or passive attacker over the air-interface to identify the subscriber. Above is a simplified illustration of how a mobile device encrypts its IMSI.
Each mobile operator (called the ‘home network’ here) has a public/private pair of asymmetric keys. The home network’s private asymmetric key is kept secret by the home network, while the home network’s public asymmetric key is pre-provisioned in mobile devices along with subscriber-specific IMSIs (Step 0). Note that the home network’s public asymmetric key is not subscriber-specific. 
For every encryption, the mobile device generates a fresh pair of its own public/private asymmetric keys (Step 1). This key pair is used only once, hence called ephemeral, and therefore provides the probabilistic property to the encryption scheme. As shown in the figure, the mobile device then generates a new key (Step 2), e.g., using Diffie–Hellman key exchange. This new key is also ephemeral and is used only once to encrypt the mobile device’s IMSI (Step 3) using a symmetric algorithm like AES. The use of asymmetric and symmetric crypto primitives as described above is commonly known as an integrated/hybrid encryption scheme. The Elliptic Curve Integrated Encryption Scheme (ECIES) is a popular scheme of this kind and is very suitable to the use case of IMSI encryption because of its low impact on radio bandwidth and the mobile device’s battery.
The nicest thing about the described concept is that no public key infrastructure is necessary, which significantly reduces deployment complexity, meaning that mobile operators can start deploying IMSI encryption for their subscribers without having to rely on any external party or other mobile operators.

'3GPP TR 33.899: Study on the security aspects of the next generation system' lists one such approach.


The key steps are as follows:

  1. UE is configured with 5G (e)UICC with ‘K’ key, the Home Network ID, and its associated public key.
  2. SEAF sends an Identity Request message to NG-UE. NG-UE considers this as an indication to initiate Initial Authentication.
  3. NG-UE performs the following:
    1. Requests the (e)UICC application to generate the required security material for initial authentication: RANDUE, COUNTER, KIARenc and KIARint.
    2. NG-UE builds IAR as per MASA. In this step NG-UE includes NG-UE Security Capabilities inside the IAR message. It may also include its IMEI.
    3. NG-UE encrypts the whole IAR including the MAC with the home network public key.
    4. NG-UE sends IAR to SEAF.
  4. Optionally, the gNB-CP node adds its Security Capabilities to the transport message between the gNB-CP and the SEAF (e.g., inside the S1AP message as per 4G).
  5. gNB-CP sends the respective S1AP message that carries the NG-UE IAR message to the SEAF.
  6. SEAF acquires the gNB-CP security capabilities as per the listed options in clause 5.2.4.12.4.3 and saves them as part of the temporary context for the NG-UE.
  7. SEAF follows MASA and forwards the Authentication and Data Request message to the AUSF/ARPF.
  8. When AUSF/ARPF receives the Authentication and Data Request message, it authenticates the NG-UE as per MASA and generates the respective IAS keys. AUSF/ARPF may recover the NG-UE IMSI and validate the NG-UE security capabilities.
  9. AUSF/ARPF sends Authentication and Data Response to the SEAF as per MASA with NG-UE Security Capabilities included.
  10. SEAF recovers the Subscriber IMSI, UE Security Capabilities, IAS keys, RANDHN, COUNTER and does the following:
    1. Examines the UE Security Capabilities and decides on the security parameters.
    2. SEAF may acquire the UP-GW security capabilities at this point after receiving the UP-GW identity from AUSF/ARPF, or allocate it dynamically through provisioning and load balancing.
  11. SEAF builds IAS and sends it to the NG-UE following MASA. In addition, SEAF includes the gNB-CP protocol agreed-upon security parameters in the S1AP message being sent to the gNB-CP node.
  12. gNB-CP recovers the gNB-CP protocol agreed-upon security parameters and saves them as part of the NG-UE current context.
  13. gNB-CP forwards the IAS message to the NG-UE.
  14. NG-UE validates the authenticity of the IAS and authenticates the network as per MASA. In addition, the UE saves all protocol agreed-upon security parameters as part of its context. NG-UE sends the Security and Authentication Complete message to the SEAF.
  15. SEAF communicates the agreed-upon UP-GW security parameters to the UP-GW during the NG-UE bearer setup.

ARPF - Authentication Credential Repository and Processing Function 
AUSF - Authentication Server Function 
SCMF - Security Context Management Function
SEAF - Security Anchor Function
NG-UE - Next Generation UE
UP - User Plane 
CP - Control Plane
IAR - Initial Authentication Request 
IAS - Initial Authentication Response
gNB - Next Generation NodeB
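A worked example of the hybrid scheme the quoted Ericsson text describes (Steps 0 to 3) and of step 3.3 of the MASA flow, where the UE encrypts with the home network public key. This is added here for illustration and is not code from Ericsson, 3GPP or this blog; it assumes X25519 for the ephemeral Diffie-Hellman, SHA-256 as a stand-in KDF and AES-128-GCM as the symmetric algorithm, so it is a generic ECIES-style construction rather than any 3GPP-specified profile.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Wire format: ephemeral public key (32) || nonce (12) || AES-GCM ciphertext with 16-byte tag.
const pubLen, nonceLen, tagLen = 32, 12, 16

// GenerateHomeNetworkKey creates the home network's long-term key pair (Step 0).
// The private half never leaves the home network; the public half is pre-provisioned in devices.
func GenerateHomeNetworkKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// aeadFor derives the one-time symmetric key from the DH shared secret.
// Assumption: SHA-256 over (shared secret, both public keys) stands in for a proper KDF.
func aeadFor(shared, ephPub, hnPub []byte) (cipher.AEAD, error) {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	h.Write(hnPub)
	block, err := aes.NewCipher(h.Sum(nil)[:16]) // AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptIMSI runs Steps 1-3 on the mobile device. A fresh ephemeral key pair and nonce
// on every call make the scheme probabilistic: the same IMSI never encrypts to the same bytes.
func EncryptIMSI(hnPub *ecdh.PublicKey, imsi string) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // Step 1: ephemeral key pair
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(hnPub) // Step 2: Diffie-Hellman with the home network key
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := aeadFor(shared, ephPub, hnPub.Bytes())
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Step 3: symmetric encryption; the ephemeral public key is bound in as AAD so swapping it is detected.
	out := append(append([]byte{}, ephPub...), nonce...)
	return gcm.Seal(out, nonce, []byte(imsi), ephPub), nil
}

// DecryptIMSI is the home network side: it recomputes the shared secret with its
// private key and verifies the authentication tag before releasing the IMSI.
func DecryptIMSI(hnPriv *ecdh.PrivateKey, msg []byte) (string, error) {
	if len(msg) < pubLen+nonceLen+tagLen {
		return "", errors.New("message too short")
	}
	ephPubBytes, nonce, ct := msg[:pubLen], msg[pubLen:pubLen+nonceLen], msg[pubLen+nonceLen:]
	ephPub, err := ecdh.X25519().NewPublicKey(ephPubBytes)
	if err != nil {
		return "", err
	}
	shared, err := hnPriv.ECDH(ephPub)
	if err != nil {
		return "", err
	}
	gcm, err := aeadFor(shared, ephPubBytes, hnPriv.PublicKey().Bytes())
	if err != nil {
		return "", err
	}
	plain, err := gcm.Open(nil, nonce, ct, ephPubBytes) // fails on a wrong key or a tampered message
	return string(plain), err
}

func main() {
	hn, _ := GenerateHomeNetworkKey()
	imsi := "001010123456789" // constructed test IMSI on the test PLMN 001-01
	c1, _ := EncryptIMSI(hn.PublicKey(), imsi)
	c2, _ := EncryptIMSI(hn.PublicKey(), imsi)
	p, err := DecryptIMSI(hn, c1)
	fmt.Println("ciphertexts differ:", string(c1) != string(c2), "recovered:", p, err)
}
```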

You may also want to refer to the 5G Network Architecture presentation by Andy Sutton for details.


Tuesday 15 August 2017

AT&T Blog: "Providing Connectivity from Inside a Cactus"


A recent AT&T blog post looks at how the fake cactus antennas are manufactured. I also took a close-up of a fake cactus antenna when I went to a Cambridge Wireless Heritage SIG event, as can be seen in the tweet below.

The blog says:
To make a stealth site look as real as possible, our teams use several layers of putty and paint. Our goal is to get the texture and color just right, but also ensure it can withstand natural elements – from snowy Colorado to blistering Arizona. 
Tower production takes 6-8 weeks and starts with constructing a particular mold. The molds quickly become 30-foot tall saguaro cacti or 80-foot tall redwood trees. But these aren’t just steel giants.
The materials that cover the stealth antennas, like paint or faux-leaves, must be radio frequency-friendly. Stealth antennas designed to look like church steeples or water towers are mostly made of fiberglass. This lets the signal from the antennas penetrate through the casing. 
These stealth deployments are just one of the many unique ways we provide coverage to our customers. So take a look outside, your connection may be closer than you think—hidden in plain sight!
This video gives a good idea:


If this is a topic of interest, then have a look at this collection of around 100 antennas:






Thursday 10 August 2017

Mobile can help with United Nations SDGs, only if prices go down

I came across this interesting article in WSJ, courtesy of the Benedict Evans newsletter, which discusses how Indians are using their smartphones even more and consuming far more data than they previously did. Due to low incomes, spending money on mobile top-up is to the detriment of other sectors. To quote the article:
“There was a time when kids would come here and blow their pocket money on chips and chocolate,” said Anup Kapoor, who runs a mom-and-pop grocery shop in New Delhi. These days, “they spend every last rupee on a data recharge instead.”

The United Nations has created 17 very ambitious Sustainable Development Goals (SDGs) that apply universally: all countries will mobilize efforts to end all forms of poverty, fight inequalities and tackle climate change, while ensuring that no one is left behind.
The SDGs, also known as Global Goals, build on the success of the Millennium Development Goals (MDGs) and aim to go further to end all forms of poverty. The new Goals are unique in that they call for action by all countries, poor, rich and middle-income, to promote prosperity while protecting the planet. They recognize that ending poverty must go hand-in-hand with strategies that build economic growth and address a range of social needs including education, health, social protection, and job opportunities, while tackling climate change and environmental protection.
I have talked about rural connectivity on this blog and a lot more on the small cells blog. In fact the heart-touching end-user story from rural England was shared multiple times on different platforms. GSMA has done a good amount of work with rural communities through their Mobile for Development team and has some interesting videos showing the positive impacts of bringing connectivity to rural communities in Tanzania (see here and here).

While you will always hear about the challenges in bringing connectivity to these rural communities, all technological challenges can be solved. There are many highly ambitious projects using balloons, drones, droneways, Helikites, satellite backhaul, drone-based backhaul, mmWave backhaul, etc. The real problems to solve here are the costs (spectrum, infrastructure, etc.) and the end-user pricing.

Coming back to the first story of this post about India, when given the option of mobile data or shampoo, people will probably choose mobile data. What about mobile data vs food? While there are some innovative young companies that can help bring the costs down, there is still a big hurdle to leap in terms of changing operators' mindsets, bureaucracy, etc.

To help explain my point, let's look at an excerpt from this article in Wired:
It’s the kind of problem that Vanu Bose, the founder of the small cell network provider CoverageCo, has been trying to solve with a new, ultra-energy-efficient mobile technology. Bose chose two places to pilot this tech: Vermont and Rwanda. “We picked these two locations because we knew they would be challenging in terrain and population density,” he says. “What we didn’t expect was that many of the problems were the same in Rwanda and Vermont—and in fact the rollout has been much easier in Africa.”
The good news is that things are changing. Parallel Wireless (see disclosure at the bottom) is one such company trying to simplify network deployment and at the same time bring the costs down. In a recent deployment with Ice Wireless in Canada, this was one of the benefits to the operator. To quote from MobileSyrup:
A radio access network is one of the key components in the architecture of any wireless network. RANs sit between consumer-facing devices like smartphones and computers and the core network, helping connect those devices to the larger network.  
Essentially, where the likes of Nokia and Huawei ask clients to buy an expensive hardware component for their RAN needs, Parallel Wireless allows companies like Ice Wireless to use off-the-shelf computer and server components to emulate a RAN. The company also sells wireless base stations like the two pictured above that are smaller than the average cell tower one sees in cities and less remote parts of the country.
Besides reducing the overall price of a network deployment, Parallel’s components present several other advantages for a company like Ice Wireless.  
For instance, small base stations make it easier for the company to build redundancies into its network, something that’s especially important when a single arctic snowstorm can knock out wireless service for thousands of people.
These kinds of benefits allow operators to pass on the cost reduction, thereby allowing price reductions for end users. In the case of Ice Wireless, they have already got rid of roaming charges and have started offering unlimited data plans for the communities in Canada's North.

Finally, to quote David Nabarro, Special Adviser of the United Nations Secretary-General on the 2030 Agenda for Sustainable Development from the GSMA 2016 Mobile Industry Impact Report: Sustainable Development Goals:
Achieving the SDGs demands new technologies, innovations, and data collection that can integrate and complement traditional statistics. A driving force behind this data revolution is mobile technology. 
Mobile phone technology has already transformed societies around the globe, even the poorest countries and communities. It is helping to empower women, create jobs, spur financial independence, improve education, boost agriculture production, and promote better health. Mobile phones have enabled communities to monitor elections, hold governments accountable, and save lives in natural disasters. 
As we focus on implementing the Sustainable Development Goals, the mobile industry has a critical role in working with governments and the international community to expand connectivity, to lower barriers to access, and to ensure that tools and applications are developed with vulnerable communities in mind. 

With 5G just round the corner, I hope that the operators and vendors will be able to get their costs down, resulting in lower end-user prices. That would be a win-win for everyone.

*Full Disclosure: I work for Parallel Wireless as a Senior Director, Strategic Marketing. This blog is maintained in my personal capacity and expresses my own views, not the views of my employer or anyone else. Anyone who knows me well would know this.

Tuesday 25 July 2017

5G Security Updates - July 2017


It's been nearly 2 years since I last blogged about the ETSI Security workshop. A lot has changed since then, especially as 5G is already in the process of being standardised. This is in addition to NFV / SDN, which also apply to 4G networks.

ETSI Security Week (12 - 16 June) covered a lot more than 5G, NFV, SDN, etc. Security specialists can follow the link to get all the details (if they were not already aware of them).

I want to quickly provide 3 links so people can find all the useful information:

NFV Security Tutorial: designed to educate attendees on security concerns facing operators and providers as they move forward with implementing NFV. While the topics are focused on security and are technical in nature, we believe any individual responsible for designing, implementing or operating an NFV system in an organization will benefit from this session. Slides here.

NFV Security: Network Functions Virtualization (NFV), leveraging cloud computing, is set to radically change the architecture, security, and implementation of telecommunications networks globally. The NFV Security day will have a sharp focus on the NFV security and will bring together the world-wide community of the NFV security leaders from the industry, academia, and regulators. If you want to meet the movers and shakers in this field, get a clear understanding of the NFV security problems, challenges, opportunities, and the state of the art development of security solutions, this day is for you. Slides here.



5G Security: The objectives of this event are to:
  • Gather different actors involved in the development of 5G, not only telecom, and discuss together how all their views will shape together in order to understand the challenges, threats and the security requirements that the 5G scenarios will be bringing.
  • Give an update of what is happening in:
    • 5G security research: Lot of research is on-going on 5G security and several projects exist on the topic.
    • 5G security standards: Standardization bodies have already started working 5G security and their work progress will be reviewed. Also any gap or additional standardization requirements will be discussed.
    • Verticals and business (non-technical) 5G security requirements: 5G is a playground where different verticals besides the telecom industry are playing a role, and their requirements will be key for the design of 5G security. In addition, 5G is where "security" will become the business driver.
  • Debate about hot topics such as: IoT security, Advances in lightweight cryptography, Slicing security. Privacy. Secure storage and processing. Security of the interconnection network (DIAMETER security). Relevance of Quantum Safe Cryptography for 5G, Authorization concepts....
Slides for 5G Security here.

In addition, Jaya Baloo, CISO, KPN Telecom talks about 5G network security at TechXLR8 2017. Embedded is a video of that:


Thursday 20 July 2017

Second thoughts about LTE-U / LAA

It's been a while since I wrote about LTE-U / LAA on this blog. I have written a few posts on the small cells blog but they seem to be dated as well. For anyone needing a quick refresher on LTE-U / LAA, please head over to IoTforAll or ShareTechNote. This post is not about the technology per se but the overall ecosystem, with LTE-U / LAA (and even MulteFire) being part of that.

Let's recap the market status quickly. T-Mobile US has already got LTE-U active and LAA was tested recently. SK Telecom achieved 1Gbps in LAA trials with Ericsson. AT&T has decided to skip the non-standard LTE-U and go to standards-based LAA. MTN & Huawei have trialled LAA for in-building use in South Africa. All these sound good and inspire confidence in the technology; however, some observations are worrying me.


A couple of years back, when the LTE-U idea was conceived, followed by LAA, the 5GHz channels were relatively empty. Recently I have started to see that they are all filling up.

In any malls, hotels, service stations or even big buildings I go to, the channels all seem to be occupied. While supplemental downlink channels are 20MHz each, the Wi-Fi channels could be 20MHz, 40MHz, 80MHz or even 160MHz.

On many occasions I had to switch off my Wi-Fi as the speeds were so poor (due to high number of active users) and go back to using 4G. How will it impact the supplemental downlink in LTE-U / LAA? How will it impact the Wi-Fi users?

On my smartphone, most days I get 30/40Mbps download speeds and it works perfectly fine for all my needs. The only reason we would need higher speeds is to tether and use laptops for work, listen to music, play games or watch videos. Most people I know or work with don't require gigabit speeds at the moment.

Once a user that is receiving high speeds data on their device using LTE-U / LAA creates a Wi-Fi hotspot, it may use the same 5GHz channels as the ones that the network is using for supplemental downlink. How do you manage this interference? I am looking forward to discussions on technical fora where users will be asking why their download speeds fall as soon as they switch Wi-Fi hotspot on.

The fact is that in non-dense areas (rural, sub-urban or even general built-up areas), operators do not have to worry about the network being overloaded and can use their licensed spectrum. Nobody is planning to deploy LTE-U / LAA in these areas. In dense and ultra-dense areas, there are many users, many Wi-Fi access points, ad-hoc Wi-Fi networks and many other sources of interference. In theory LTE-U / LAA can help significantly, but as there are many sources of interference, it's uncertain whether it would be a win-win for everyone or just more interference for everyone to deal with.


Thursday 13 July 2017

Different types of Mobile Masts



Today's post is inspired by two things. One of them is my most popular answer on Quora. As you can see, it's gathered over 19K upvotes.


The other is the #EEGoldenSIM competition started by Marc Allera, CEO of the UK mobile operator EE. Users were required to find a mast, take a picture and share it. This led to a lot of people asking what masts look like, but also generated lots of interesting pictures. You can search #EEGoldenSIM on Twitter to see them.

Below is a presentation prepared by my 3G4G colleagues on what different types of antennas and mobile masts look like. Hope you like it.



Friday 7 July 2017

Wireless Smart Ubiquitous Network (Wi-SUN) - Another IoT Standard


While we have been discussing IoT these last few weeks, here is another one that I came across. The picture above, from recent Rethink research, shows that Wi-SUN is going to enjoy more growth than LoRaWAN or Sigfox. Another recent report by Mobile Experts also makes a mention of this IoT technology.

I am sure most readers have not heard of Wi-SUN, so what exactly is Wi-SUN technology?


From Rethink Research: The Wi-SUN Alliance was formed in 2011 to form an organization to push adoption of the IEEE 802.15.4g standard, which aimed to improve utility networks using a narrowband wireless technology. The peer-to-peer self-healing mesh has moved from its initial grid focus to encompass smart city applications (especially street lighting), and we spoke to its Chairman, Phil Beecher, to learn more.

Beecher explained that the non-profit Alliance set about defining subsets of the open standards, testing for interoperability, and certifying compatible products, and soon developed both a Field Area Network (FAN) and a Home Area Network (HAN), which allowed it to move into Home Energy Management Systems (HEMS) in Japan – a country that is leading the curve in HEMS deployments and developments.


As can be seen in the picture above:

  • Develops technical specifications of Physical Layer (PHY) and Medium Access Control (MAC) layers, with Network layer as required
  • Develop Interoperability test programs to ensure implementations are interoperable
  • Physical layer specification is based on IEEE802.15.4g/4u/4v
  • MAC layer may use different options depending on the application
  • Profile specifications are categorized based on application types

Picture source for the last three pictures: the Wi-SUN presentation here.


A new whitepaper from the Wi-SUN Alliance provides a comparison of Wi-SUN, LoRaWAN and NB-IoT.

A recent presentation by Dr. Simon Dunkley in Cambridge Wireless is embedded below:






Tuesday 27 June 2017

Mission Critical Services update from 3GPP - June 2017


3GPP has published an overview of what has been achieved so far in Mission Critical Services and also provides an outlook of what can be expected in the near future. A more detailed paper summarizing the use cases and functional aspects of Rel-13, Rel-14 and the upcoming Rel-15 will be published later this year.

Mission Critical Services – Detailed List of Rel-13, Rel-14 and Rel-15 Functionalities

Rel-13 MCPTT (completed 2016)
  • User authentication and service authorization
  • Configuration
  • Affiliation and de-affiliation
  • Group calls on-network and off-network (within one system or multiple systems, pre-arranged or chat model, late entry, broadcast group calls, emergency group calls, imminent peril group calls, emergency alerts)
  • Private calls on-network and off-network (automatic or manual commencement modes, emergency private calls)
  • MCPTT security
  • Encryption (media and control signalling)
  • Simultaneous sessions for call
  • Dynamic group management (group regrouping)
  • Floor control in on-network (within one system or across systems) and in off-network
  • Pre-established sessions
  • Resource management (unicast, multicast, modification, shared priority)
  • Multicast/Unicast bearer control, MBMS (Multimedia Broadcast/Multicast Service) bearers
  • Location configuration, reporting and triggering
  • Use of UE-to-network relays
Rel-14 MC Services (completed 2017)
MC Services Common Functionalities:
  • User authentication and service authorization
  • Service configuration
  • Affiliation and de-affiliation
  • Extended Location Features
  • (Dynamic) Group Management
  • Identity management
  • MC Security framework
  • Encryption (media and control signalling)
MCPTT Enhancements:
  • First-to-answer call setup (with and without floor control)
  • Floor control for audio cut-in enabled group
  • Updating the selected MC Service user profile for an MC Service
  • Ambient listening call
  • MCPTT private call-back request
  • Remote change of selected group
MCVideo, Common Functions plus:
  • Group Call (including emergency group calls, imminent peril group calls, emergency alerts)
  • Private Call (off-network)
  • Transmission Control
MCData, Common Functions plus:
  • Short Data Service (SDS)
  • File Distribution (FD) (on-network)
  • Transmission and Reception Control
  • Handling of Disposition Notifications
  • Communication Release
Rel-15 MC Services (in progress)

MC Services Common Functionalities Enhancements:
  • Enhanced MCPTT group call setup procedure with MBMS bearer
  • Enhanced Location management, information and triggers
  • Interconnection between 3GPP defined MC systems
  • Interworking with legacy systems

MCPTT Enhancements:
  • Remotely initiated MCPTT call
  • Enhanced handling of MCPTT Emergency Alerts
  • Enhanced Broadcast group call
  • Updating pre-selected MC Service user profile
  • Temporary group call - user regroup
  • Functional alias identity for user and equipment
  • Multiple simultaneous users
MCVideo Additions:
  • Video push
  • Video pull
  • Private call (on-network)
  • Broadcast Group Call
  • Ambient Viewing Call
  • Capability information sharing
  • Simultaneous Sessions
  • Use of MBMS transmission
  • Emergency and imminent peril private communications
  • Primary and Partner MC system interactions for MCVideo communications
  • Remote video parameters control capabilities

MCData Additions:
  • MCData specific Location
  • Enhanced Status
  • Accessing list of deferred communications
  • Usage of MBMS
  • Emergency Alert
  • Data streaming
  • File Distribution (FD) (off-network)
  • IP connectivity

Release-14 features will be available by the end of September 2017, and many Release-15 features, which are being hurried due to 5G, will be available by June 2018.




Monday 19 June 2017

Network Sharing is becoming more relevant with 5G

5G is becoming a case of 'damned if you do, damned if you don't'. Behind the headlines of new achievements and faster speeds lies the reality that many operators are struggling to keep afloat. Indian and Nigerian operators are struggling with heavy debt and it won't be a surprise if some of the operators fold in due course.

With increasing costs and decreasing revenues, it's no surprise that operators are looking at ways of keeping costs down. Some operators are postponing their 5G plans in favour of Gigabit LTE. Other die-hard operators are pushing ahead with 5G but looking at ways to keep the costs down. In Japan, for example, NTT DOCOMO has suggested sharing 5G base stations with its two rivals to trim costs, particularly focusing efforts in urban areas.


In this post, I am looking to summarise an old but brilliant post by Dr. Kim Larsen here. While it is a very well written and in-depth post, I have a feeling that many readers may not have the patience to go through all of it. All pictures in this post are from the original post by Dr. Kim Larsen.


Before embarking on any network sharing mission, it's worthwhile asking the 5 W's (Who, Why, What, Where, When) and 2 H's (How, How much).

  • Why do you want to share?
  • Who to share with? (your equal, your better or your worse).
  • What to share? (sites, passives, active, frequencies, new sites, old sites, towers, rooftops, organization, …).
  • Where to share? (rural, sub-urban, urban, regional, all, etc..).
  • When is a good time to start sharing? During the rollout phase, steady phase or modernisation phase. See picture below. For 5G, it would make much more sense for network sharing to be done from the beginning, i.e., the Rollout Phase.


  • How to do sharing? This may sound like a simple question but it should take account of the regulatory complexity in a country. The picture below explains this well:



  • How much will it cost and how much savings can be attained in the long term? This is in fact a very important question because the end result, after a lot of hard work and laying off many people, may be an insignificant amount of cost savings. Dr. Kim provides detailed insight on this topic that I find difficult to summarise. The best option is to read it on his blog.


An alternative approach to network sharing is national roaming. Many European operators are dead against national roaming as this means the network loses its differentiation compared to rival operators. Having said that, it's always worthwhile working out the savings and seeing if this can actually help.

National Roaming can be attractive for relatively low traffic scenarios, or in cases where the product of traffic units and national roaming unit cost remains manageable and lower than the Shared Network Cost.

The termination cost or restructuring cost, including write-off of existing telecom assets (i.e., radio nodes, passive site solutions, transmission, aggregation nodes, etc.), is likely to be a substantial financial burden on the National Roaming Business Case in an area with existing telecom infrastructure. Certainly above and beyond that of a Network Sharing scenario where assets are being re-used and restructuring cost might be partially shared between the sharing partners.

Obviously, if National Roaming is established in an area that has no network coverage, restructuring and termination cost is not an issue and Network TCO will clearly be avoided, albeit the above economic logic and P&L trade-offs on cost still apply.

If this has been useful to understand some of the basics of network sharing, I encourage you to read the original blog post as that contains many more details.

Further Reading: