Monday, 29 December 2014

The SS7 flaws that allow hackers to snoop on your calls and SMS

By now I am aware that most people have heard of the flaws in SS7 networks that allow hackers to snoop, re-route calls and read text messages. Anyone who is not yet aware of these things can read some excellent news articles here:

Our trusted security expert, Ravi Borgaonkar, informs us that all these flaws had already been discussed back in May, as part of Positive Hack Days (PHDays).

The presentation is embedded below and can be downloaded from Slideshare:



xoxoxo Added this new information on the 4th Jan 2015 oxoxox

The following are the presentation and video by Tobias Engel from the 31st Chaos Communication Congress:



Tuesday, 23 December 2014

M2M embedded UICC (eSIM) Architecture and Use Cases

Machine-to-Machine UICC, also known as M2M Form Factor (MFF) and often referred to as embedded SIM (eSIM), is a necessity for low data rate M2M devices, which are generally small, self-contained and sealed units. The intention is that once the M2M device is deployed, there is no need to remove the UICC from it. There may still be a need to change the operator for one reason or another, and this gives rise to the need for multi-operator UICC (SIM) cards.


The GSMA has Embedded SIM specifications available for anyone interested in implementing this. There are various documents available on the GSMA page for those who want to go further into this topic.

While the complete article is embedded below, here is an extract of the basic working from the document:

An eUICC is a SIM card with a Remote Provisioning function, and is designed not to be removed or changed. It is able to store multiple communication profiles, one of which is enabled (recognized by the device and used for communication). The network of the MNO in the enabled profile is used for communication. Profiles other than the enabled profile are disabled (not recognized by the device). With conventional SIM cards, the ICCID is used as the unique key to identify the SIM card, but with eUICC, the ICCID is the key used to identify profiles, and a new ID is defined, called the eUICCID, which is used as the unique key for the eSIM.

GSMA defines two main types of profile.
1) Provisioning Profile: This is the communication profile initially stored in the eUICC when it is shipped. It is a limited-application communication profile used only for downloading and switching Operational Profiles, described next.
2) Operational Profile: This is a communication profile for connecting to enterprise servers or the Internet. It can also perform the roles provided by a Provisioning Profile.

An eSIM does not perform profile switching as a simple IC card function, but rather switches profiles based on instructions from equipment called a Subscription Manager. A Subscription Manager is maintained and managed by an MNO. The overall eSIM architecture, centering on the Subscription Manager, is shown in Figure 3, using the example of switching profiles within the eUICC.

An eUICC must have at least one profile stored in it to enable OTA functionality, and one of the stored profiles must be enabled. The enabled profile uses the network of MNO A for communication. When the user switches profiles, a switch instruction is sent to the Subscription Manager. At that time, if the profile to switch to is not stored in the eUICC, the profile is first downloaded. When it receives a switch instruction, the eUICC performs a switch of the enabled profile as an internal process.

After the switch is completed, it uses the network of MNO B to send notification that the switch has completed to the Subscription Manager, completing the process. The same procedure is used to switch back to the original MNO A, or to some other MNO C.
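The switching procedure described in the extract above, as an added worked example (my own toy model, not code from the GSMA specifications or from the quoted paper). It models an eUICC that stores several profiles keyed by ICCID, keeps exactly one enabled, downloads a target profile from the Subscription Manager when it is not yet stored, switches internally, and then reports completion over the newly enabled MNO's network. The class and method names, the ICCIDs and MNO names, and the check that the eUICC only acts on instructions from the Subscription Manager it was provisioned with are all my assumptions; the source says the SM issues the instruction but does not describe how the eUICC authenticates it.

```python
from dataclasses import dataclass, field


@dataclass
class Profile:
    iccid: str           # per the source, the ICCID identifies a profile on an eUICC
    mno: str             # MNO whose network this profile uses
    operational: bool    # False = Provisioning Profile (download/switch only)


@dataclass
class SubscriptionManager:
    name: str
    catalogue: dict = field(default_factory=dict)     # iccid -> Profile it can deliver
    downloads: int = 0
    notifications: list = field(default_factory=list)

    def download(self, iccid):
        """Deliver a profile to an eUICC; raises if the SM cannot supply it."""
        if iccid not in self.catalogue:
            raise KeyError(f"{self.name} has no profile {iccid}")
        self.downloads += 1
        return self.catalogue[iccid]


class EUICC:
    def __init__(self, euiccid, sm, provisioning):
        self.euiccid = euiccid                        # eUICCID: unique key of the eSIM itself
        self.sm = sm                                  # assumption: the one SM this eUICC obeys
        self.profiles = {provisioning.iccid: provisioning}
        self.enabled = provisioning.iccid             # exactly one stored profile is enabled

    def enabled_profile(self):
        return self.profiles[self.enabled]

    def can_reach_internet(self):
        # Only an Operational Profile may carry enterprise/Internet traffic.
        return self.enabled_profile().operational

    def switch(self, iccid, issuer):
        """Handle a switch instruction; returns the MNO now used for communication."""
        # Assumption (not in the source): refuse instructions from any other party.
        if issuer is not self.sm:
            raise PermissionError("switch instruction not from the registered SM")
        # Download first if the target profile is not yet stored on the eUICC.
        if iccid not in self.profiles:
            self.profiles[iccid] = self.sm.download(iccid)
        previous = self.enabled
        self.enabled = iccid                          # internal switch; previous is now disabled
        # Completion notice goes out over the newly enabled profile's network.
        self.sm.notifications.append(
            (self.euiccid, previous, iccid, self.enabled_profile().mno))
        return self.enabled_profile().mno


def build_demo():
    """Constructed sample data: one SM, three operational profiles, a freshly shipped eUICC."""
    sm = SubscriptionManager("sm-demo")
    sm.catalogue = {
        "8900A": Profile("8900A", "MNO-A", True),
        "8900B": Profile("8900B", "MNO-B", True),
        "8900C": Profile("8900C", "MNO-C", True),
    }
    provisioning = Profile("8900P", "MNO-A", False)   # shipped in the eUICC
    return sm, EUICC("euicc-0001", sm, provisioning)


if __name__ == "__main__":
    sm, euicc = build_demo()
    # A -> B (download), B -> A (download), A -> B again (already stored, no download)
    print(euicc.switch("8900B", sm), euicc.switch("8900A", sm), euicc.switch("8900B", sm))
    print("downloads:", sm.downloads, "stored:", sorted(euicc.profiles))
```

Running the module switches from the shipped Provisioning Profile to MNO B, then to MNO A, then back to MNO B; the third switch triggers no download because the profile is already on the card. A switch request from an unregistered Subscription Manager is rejected before any state changes, and a request for a profile the SM cannot supply fails at the download step, leaving the previously enabled profile in place.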

Anyway, here is the complete paper:




Friday, 12 December 2014

5G Spectrum and challenges

I was looking at the proposed spectrum for 5G last week. Anyone who follows me on Twitter would have seen the tweets from last weekend already. I think there is more to discuss than just tweeting them, so here it is.




METIS has the most comprehensive list of all the bands identified from 6GHz all the way to 86GHz. I am not exactly sure but the slide also identifies who/what is currently occupying these bands in different parts of the world.


The FCC in the USA has opened a Notice of Inquiry (NOI) on using the bands above 24GHz for mobile broadband. These bands have potential because a large contiguous chunk of spectrum is available in each of them.



Finally, the slides from ETRI, South Korea, show that they want to have 500MHz of bandwidth in frequencies above 6GHz.

As I am sure we all know, the higher the frequency, the smaller the cell size and the lower the indoor penetration. On the other hand, smaller cells lead to higher data rates per user. Antennas also become smaller at higher frequencies, making higher-order MIMO (and massive MIMO) easier. The only way to reliably do mobile broadband at these frequencies is to use beamforming. The tricky part is that the beam has to track the mobile user, which may be an issue at higher speeds.

ITU-R Working Party 5D recently released a draft report on 'The technical feasibility of IMT in the bands above 6 GHz'. The document is embedded below.




xoxoxo Added Later (13/12/2014) xoxoxo
Here are some links on the related topic:


xoxoxo Added Later (18/12/2014) xoxoxo
Moray Rumney from Keysight (formerly Agilent) gave a presentation on this topic at the Cambridge Wireless Mobile Broadband SIG event yesterday; his presentation is embedded below.



Monday, 1 December 2014

Bringing Network Function Virtualization (NFV) to LTE

SDN and NFV have gained immense popularity recently. Not only are they considered important for reducing Capex and Opex, but they are also being touted as an important cog in the 4.5G/5G network. See here for instance.


I introduced NFV to the blog nearly a year back here. ETSI had just published their first specs around then. When I talked about SDN/NFV back in May, these ETSI standards were evolving into significant reference documents. This is one reason 4G Americas recently published this whitepaper (embedded below), encouraging operators to start migrating to an NFV architecture to reap long-term benefits. The following is from the whitepaper:

The strategies and solutions explored in the 4G Americas report on NFV aim to address these issues and others by leveraging IT virtualization technology to consolidate many network equipment types onto industry standard high volume servers, networking and storage. NFV is about separating network functions from proprietary hardware and then consolidating and running those functions as virtualized applications on a commodity server. Broadly speaking, NFV will enable carriers to virtualize network functions and run them as software applications within their networks. NFV focuses on virtualizing network functions such as firewalls, Wide-Area Network (WAN) acceleration, network routers, border controllers (used in Voice over IP (VoIP) networks), Content Delivery Networks (CDNs) and other specialized network applications. NFV is applicable to a wide variety of networking functions in both fixed and mobile networks.
“NFV is making great progress throughout the world as operators work with their vendor partners to address the opportunities of increasing efficiency within their network infrastructure elements,” stated Chris Pearson, President of 4G Americas. “There is a great deal of collaborative innovation and cooperation between wireless carriers, IT vendors, networking companies and wireless infrastructure vendors making NFV for LTE possible.”
Global communication service providers, along with many leading vendors, are participating in the European Telecommunications Standards Institute’s (ETSI) Industry Specification Group for Network Functions Virtualization (NFV ISG) to address challenges such as:
  • An increasing variety of proprietary hardware appliances like routers, firewalls and switches
  • Space and power to accommodate these appliances
  • Capital investment challenges
  • Short lifespan
  • A long procure-design-integrate-deploy lifecycle
  • Increasing complexity and diversity of network traffic
  • Network capacity limitations
Three main benefits of NFV outlined in the 4G Americas paper include:
  • Improved capital efficiency: Provisioning capacity for all functions versus each individual function, providing more granular capacity, exploiting the larger economies of scale associated with Commercial Off-the-Shelf (COTS) hardware, centralizing Virtual Network Functions (VNFs) in data centers where latency requirements allow, and separately and dynamically scaling VNFs residing in the user (or data or forwarding) plane designed for execution in the cloud, control and user-plane functions as needed.
  • Operational efficiencies: Deploying VNFs as software using cloud management techniques which enables scalable automation at the click of an operator’s (or customer’s) mouse or in response to stimulus from network analytics. The ability to automate onboarding, provisioning and in-service activation of new virtualized network functions can yield significant savings. 
  • Service agility, innovation and differentiation: In deploying these new VNFs, time-to-market for new network services can be significantly reduced, increasing the operator’s ability to capture market share and develop market-differentiating services.
In particular, mobile operators can take advantage of NFV as new services are introduced. Evolved Packet Core (EPC), Voice over LTE (VoLTE), IP Multimedia System (IMS) and enhanced messaging services, among others, are examples of opportunities to use virtualized solutions. Some operators started deploying elements of NFV in 2013 with an expectation that many service areas could be mostly virtualized in the next decade.

The whitepaper as follows:


Friday, 21 November 2014

In-flight broadband connectivity service with speeds up to 75Mbps


Came across the following Inmarsat press release:

The new network represents two world-beating achievements for Inmarsat and its partners. It will be the world’s first truly hybrid aviation network, consisting of an S-band satellite (Europasat), constructed by Thales Alenia Space, and a Europe-wide S-band ground network. Over the integrated network, based on state-of-the-art LTE technology and access to sufficient spectrum resources, Inmarsat will be offering airlines the world’s fastest in-flight broadband connectivity service with speeds up to 75Mbps, far in excess of the limited capabilities of North American ATG systems.
Alcatel-Lucent and Inmarsat will work together to develop the ground infrastructure component of the new Europe-wide network. Alcatel-Lucent has proven expertise in the development of 4G LTE-based air-to-ground technology and was the world’s first company to field trial this technology in 2011. The initial contract awarded to Alcatel-Lucent will see the global telecommunications equipment company adapting their existing 4G LTE technology to support the S-band spectrum.
Recently Christophe Wilhelm, Senior VP Strategy & Innovation, Thales Alenia Space, gave a presentation at the Digiworld Summit 2014.



His presentation is above and the video is as follows. Please forward to 1:36:00 to watch his part.



Tuesday, 18 November 2014

SON Update from 3GPP SA5

Below is a presentation from Christian Toche, 3GPP SA5 chairman, at the SON Conference last month. I also blogged about his presentation last year, which is available here.



Sunday, 16 November 2014

Is mobile eating the world?

Another interesting and thought-provoking presentation by Ben Evans. His earlier presentation, which was very popular as well, is here. The video and slides are embedded below.


How Mobile is Enabling Tech to Outgrow the Tech Industry from Andreessen Horowitz on Vimeo.




And a recent interview by Benedict Evans with Bloomberg TV on the same topic as follows:


Tuesday, 11 November 2014

New Spectrum Usage Paradigms for 5G

Some time back I wrote a post that talked about Dynamic Spectrum Access (DSA) techniques for Small Cells and Wi-Fi to work together in a fair way. The Small Cells would be using the ISM bands and Wi-Fi APs would also be contending for the same spectrum. For those who may not know, this is commonly referred to as LTE-U, but the correct term being used in standards is LA-LTE; see here for details.

IEEE ComSoc has just published a whitepaper that details how spectrum should be handled in 5G to ensure efficient utilisation. The whitepaper covers the following:

Chapter 2 – Introduction: the traditional approach of repurposing spectrum and allocating it to Cellular Wireless systems is reaching its limits, at least below the 6GHz threshold. For this reason, novel approaches are required, which are detailed in the remainder of this White Paper.

Chapter 3 - Spectrum Scarcity - an Alternate View provides a generic view on the spectrum scarcity issue and discusses key technologies which may help to alleviate the problem, including Dynamic Spectrum Management, Cognitive Radios, Cognitive Networks, Relaying, etc. 

Chapter 4 – mmWave Communications in 5G addresses a first key solution. While spectrum opportunities are running out below 6 GHz, an abundance of spectrum is available in mmWave bands and the related technology is becoming mature. This chapter addresses in particular the heterogeneous approach in which legacy wireless systems are operated jointly with mmWave systems, which allows the advantages of both technologies to be combined.

Chapter 5 – Dynamic Spectrum Access and Cognitive Radio: A Current Snapshot gives a detailed overview of state-of-the-art dynamic spectrum sharing technology and related standards activities. The approach is complementary to the mmWave approach above; the idea focuses on identifying unused spectrum in time, space and frequency. This technology is expected to substantially improve the usage efficiency of spectrum, in particular below the 6GHz range.

Chapter 6 – Licensed Shared Access (LSA) enables coordinated sharing of spectrum for a given time period, a given geographic area and a given spectrum band under a license agreement. In contrast to sporadic usage of spectrum on a secondary basis, the LSA approach will guarantee Quality-of-Service levels to both Incumbents and Spectrum Licensees. Also, a clear business model is available through a straightforward license transfer from relevant incumbents to licensees operating a Cellular Wireless network in the concerned frequency bands.

Chapter 7 – Radio Environment Map details a technology which allows gathering the relevant (radio) context information that feeds related decision-making engines in the Network Infrastructure and/or Mobile Equipment. Indeed, tools for acquiring context information are critical for next generation Wireless Communication systems, since they are expected to be highly versatile and to constantly adapt.

Chapter 8 – D2DWRAN: A 5G Network Proposal based on IEEE 802.22 and TVWS discusses the efficient exploitation of TV White Space spectrum bands building on the available IEEE 802.22 standard. TV White Spaces are indeed located in highly appealing spectrum bands below 1 GHz, with propagation characteristics that are perfectly suited to the needs of Wireless Communication systems.

Chapter 9 – Conclusion presents some final thoughts. 

The paper is embedded as follows:



Wednesday, 5 November 2014

2015 will finally be the year of Voice over LTE (VoLTE)


On 4th Nov. 2009, the One Voice initiative was published by 12 companies including AT&T, Orange, Telefonica, TeliaSonera, Verizon, Vodafone, Alcatel-Lucent, Ericsson, Nokia Siemens Networks, Nokia, Samsung and Sony Ericsson. These all agreed that the IMS-based solution, as defined by 3GPP, is the most applicable approach to meet their consumers' expectations for service quality, reliability and availability when moving from existing CS-based voice services to IP-based LTE services.

On 15th Feb 2010, GSMA announced that it has adopted the work of the One Voice initiative to drive the global mobile industry towards a standard way of delivering voice and messaging services for LTE. The GSMA’s VoLTE initiative was supported by more than 40 organisations from across the mobile ecosystem, including many of the world’s leading mobile communication service providers, handset manufacturers and equipment vendors, all of whom support the principle of a single, IMS-based voice solution for next-generation mobile broadband networks. This announcement was also supported by 3GPP, Next Generation Mobile Networks alliance (NGMN) and the International Multimedia Teleconferencing Consortium (IMTC).

GSMA has produced various reference documents that map to the 3GPP standards documents, as can be seen above.



As per GSA, 71 operators are investing in VoLTE studies, trials or deployments, including 11 that have commercially launched HD voice service. The number of HD voice launches enabled by VoLTE is forecast to reach 19 by end-2014 and then double in 2015. In July 2014 GSA confirmed 92 smartphones (including carrier and frequency variants) support VoLTE, including products by Asus, Huawei, LG, Pantech, Samsung and Sony Mobile. The newly-announced Apple iPhone 6 & 6 Plus models support VoLTE.

Things are also moving quickly, with many operators having announced VoLTE launches and getting more confident day by day. Du, Dubai recently announced Nokia as its VoLTE partner. KDDI, Japan is launching au VoLTE in December. Telstra, Australia has already been doing trials and plans to launch its VoLTE network in 2015. Finally, Verizon and AT&T will have interoperable VoLTE calls in 2015.

Below is my summary from the LTE Voice Summit 2014. Let me know if you like it.


Saturday, 1 November 2014

4G Security and EPC Threats for LTE

This one is from the LTE World Summit 2014. Even though I was not there for this, I think it has some useful information about 4G/LTE security. Presentation as follows: