Monday 7 October 2019

Exploiting Possible 5G Vulnerabilities


The standards can try their best to ensure that the next generation of protocols is more secure than the previous one but there is always some way in which the protocols can be exploited. This is where researchers play an important role in finding such vulnerabilities before they can be exploited by hackers. Frankly I am quite sure that only a handful of these vulnerabilities are found and hackers always have something that may never be found.

At the recent HITBSecConf (Hack In The Box Security Conference), Altaf Shaik presented "4G to 5G: New Attacks". He, along with Ravishankar Borgaonkar, has been working to find security issues in cellular networks. In fact, in the GSMA Mobile Security Hall of Fame they both appear twice, individually.

From the talk narrative:

5G raises the security bar a level above 4G. Although IMSI exposure is prevented in 5G, we found new vulnerabilities to attack devices and subscribers. In this talk we expose a set of vulnerabilities in the 5G/4G protocols that are found in network operators' equipment and also consumer devices such as phones, routers, latest IoT sensors, and even car modems. Our vulnerabilities affect several commercial applications and use cases that are active in 4G networks and are expected to take off in 5G networks. We developed automated tools to exploit the exposed cellular information and share some of our research traces and data sets with the community. We demonstrate a new class of hijacking, bidding down and battery draining attacks using low cost hardware and software tools. We did rigorous testing worldwide to estimate the number of affected base stations and are surprised by the results. Finally, our interactions with various vendors and standard bodies and easy fixes to prevent our attacks are discussed.

Slides and video are embedded below.






Slides and Whitepaper can be downloaded from here.

Further Reading:

Friday 4 October 2019

CW Seminar: The present, the future & challenges of AR/VR (#CWFDT)


One of my roles is as a SIG champion of the CW (Cambridge Wireless) Future Devices & Technologies Group. We recently organised an event on "The present, the future & challenges of AR/VR". The CW team has kindly summarised it here. I have also tried to collect all the tweets from the day here.

Why is this important? Most of the posts on this blog are about mobile technology and I am guessing most of the readers are from that industry too. While we are focussed too much on connectivity, it's the experience that makes the difference for most consumers. On the Operator Watch blog, I wrote recently about South Korea and the operator LG Uplus. Average data usage by 5G users in Korea is as high as 18.3GB, while average 4G users use 9GB in the same period, according to MSIT in May 2019. 5G data usage is about twice that of 4G. This remarkable traffic growth is driven by UHD and AR/VR content. According to the operator LG Uplus, new services featuring AR and VR functions are proving popular and already account for 20% of 5G traffic, compared with 5% for 4G.

Coming back to the CW event, some of the presentations were shared and they are available here for a limited time. There were so many learnings for me, it's difficult to remember and add all of them here.

Our newest SIG champ Nadia Aziz covered many different topics (presentation here) including how to quickly start making your own AR/VR apps and how AR apps will be used more and more for social media marketing in future.


Mariano Cigliano, Creative Developer at Unit9 (presentation here) discussed the journey of their company and what they have learned along the way whilst developing their solution to disrupt the design process through integrating immersive technologies.


Aki Jarvinen from Digital Catapult (presentation here) explained Brown-boxing and Bodystorming. Both are very simple techniques, but they can help get the app designer's story straight and save a lot of time, effort and money while creating the app.


James Watson from Immerse (presentation here) talked about VR training. There are so many possibilities if it is done correctly, and it can be more interactive than online or classroom training.



Schuyler Simpson, Vice President - Strategic Partnerships & Operations at Playfusion (presentation here) discussed the reality of enhanced reality, diving deep into the challenges about creating an experience that resonates best with audiences. In his own words, "Enhanced Reality blends visual, audio, haptic, and intelligent components to create highly personalized, immersive, and most importantly, valuable experiences for organizations and their audiences."

The most valuable learning of the day was to create an AR/VR app (just in theory), assuming there is no technology limitation. The whole journey consisted of:

  • Brainstorming of the Use Case
  • Key Pain Points
  • Sort the pain points in priority and select top 3 or 5
  • Map customer journey
  • Define persona for which the app is being designed
  • Map their journey
  • Touch points
  • What can be improved on those touch points 
  • Design a VR/AR application for the defined problem 
  • Storyboarding AR/VR use case
  • UX design considerations – spatial, emotional.. 
  • Scribe a prototype 
  • Playback to others.


Thanks to everyone who helped make this whole event possible, from the SIG champs to the CW team and the host & sponsors NTT Data. Special thanks to our newest SIG champ, Nadia Aziz for tirelessly working to make this event a success.

Related Articles:

Tuesday 24 September 2019

When does your 5G NSA Device Show 5G Icon?


After I wrote about the 5G Icon Display back in February, I received lots of other useful and related materials, mostly from 3GPP standards delegates. Based on this updated information, I created a presentation and video called 'The 5G Icon Story'. Only recently did I realize that I didn't add it to the blog. So here it is.

And for people who are impatient and directly want to jump to the main point, it's UpperLayerIndication in SIB 2 as can be seen above.

The slides and video are embedded below.





Related Posts:



Sunday 15 September 2019

Thursday 12 September 2019

How the Addition of 5G Radio Resources Increases the Complexity of LTE Signaling Procedures


While everybody is excited about the growing number of 5G deployments and speed test results it is easy to forget that a highly reliable LTE core and radio access network is the prerequisite for 5G non-standalone (NSA) data transmission.

Indeed, the 5G radio resources are just added to the ongoing LTE connection to provide higher bandwidth that enables in turn higher throughput. In other words: the current 5G deployments are designed for and limited to the needs of enhanced Mobile Broadband (eMBB) traffic.

To boost the user experience a 4G and a 5G base station cooperate and bundle their joint resources in one radio connection. The whole scenario is known as E-UTRA-NR Dual Connectivity (EN-DC) and, as a matter of fact, this dual connectivity increases the complexity of the RAN signaling tremendously.

The figure below shows the two base stations involved in the radio connection. On the left side is the Master eNodeB (MeNB) that controls the entire signaling connection. On the right side sits the en-gNB, also called Secondary gNodeB (SgNB). The inconsistency of acronyms originates from the 3GPP specs. 3GPP 37.340 "E-UTRA and NR Multi-connectivity" can be seen as an umbrella document that originally coined "MeNB" and "SgNB". However, when standardizing more details these acronyms have been replaced with Master Node (MN) and Secondary Node (SN), and the latter is named "en-gNB" when used in EN-DC scenarios. (Sure, this spec has a lot more terms to offer and is a must-read for every acronym enthusiast.)

However, these naming conventions defined in 3GPP 37.340 have not made it into the protocol specs, especially not into 3GPP 36.423 "X2 Application Part", which consistently names its message set for enabling EN-DC "SgNB ...." - as also shown in the figure.

By the way the SgNB should also not be imagined as a single network element. On the 5G side often a virtual RAN architecture is already deployed. In such a VRAN a gNB central unit (CU) controls several gNB distributed units (DUs) and multiple remote radio heads (RRHs) including the 5G antennas can be connected to each DU.



5G Radio Resource Addition in EN-DC Mode

Before 5G radio resources can be added to the connection, an LTE RRC connection and at least a default bearer for the user plane, including its GTP/IP tunnel between S-GW and eNB, must have been successfully established.

The trigger for adding 5G resources to this call is mostly an inter-RAT measurement event B1 (not shown in the figure). However, blind addition of 5G cells has also been observed in some cases where the 5G cell coverage is expected to overlap exactly the footprint of the LTE master cell.

All in all, there can be a 1:1 mapping between 4G and 5G cells when antennas are mounted very close to each other and pointing in the same direction. However, it is also possible that several 5G small cells (especially when using FR2 frequency bands) are deployed to cover the footprint of a 4G macro cell.

The end-to-end signaling that adds 5G resources to the connection starts with the X2AP SgNB Addition Request message (1). It contains information about the active E-RABs of the connection and the UE NR capabilities, and often the signal strength of the 5G cell as measured before is included as well. The message triggers allocation of 5G radio resources in the SgNB.

Similar to an X2 handover procedure, the X2AP SgNB Addition Request Acknowledge message (2) is used to transport an NR RRC CG-Config message (3) back to the MeNB, where it is "translated" into NR RRC Connection Reconfiguration and NR RRC Radio Bearer Config messages that are sent to the UE enclosed in an LTE RRC Connection Reconfiguration message. In these messages, beside the Cell Group ID, the 5G PCI and the absolute SSB frequency (a synonym for NR ARFCN) are found. 5G PCI and SSB frequency in combination represent the identity of a 5G cell "visible" to the UE on the physical 5G radio interface.

To keep the figure simpler I have left out the "translation" process in the MeNB and show instead as the next step the combined LTE/NR RRC Connection Reconfiguration Complete (4) that is sent by the UE back to the MeNB to confirm activation of the 5G radio link.

After this the UE and the SgNB are ready to use the 5G resources for radio transmission. However, one important component is still missing: a new GTP/IP tunnel for transporting the payload from the core network's serving gateway (S-GW) to the SgNB.

The gNB downlink transport layer address (gNB DL TLA) and its corresponding GTP Tunnel Endpoint Identifier (TEID) have already been delivered to the MeNB in step (2). Indeed, there are some more TLAs and TEIDs found in this X2AP message, especially for data forwarding across the X2 user plane interface (not shown in the figure).

The MeNB forwards the gNB DL TLA/TEID to the MME (6), where it is forwarded to the S-GW using GTP-C signaling in case the two core network elements are connected over the S11 reference point. The uplink TLA/TEID on the S-GW side remain the same as assigned before during establishment of the E-RAB (not shown in the figure). So the new tunnel is now ready to be used (7) and transmission of payload packets starts immediately.

In step (8) the MME confirms the successful tunnel establishment to the MeNB.
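To make the message flow concrete, here is a small message-level simulation of steps (1) to (8) as described above. This is an added example, not code from the original post: the X2AP message names follow 3GPP TS 36.423 as quoted in the text, while the S1AP and GTP-C message names used for steps (6) to (8) are this example's assumptions (step (5) is not described on the page and is omitted), and every address, TEID, PCI and ARFCN value is constructed. The point it shows is that the gNB DL TLA/TEID allocated by the SgNB in step (2) is what ends up as the S-GW's downlink tunnel endpoint in step (7), while the S-GW's own uplink TLA/TEID never changes, and that the UE identifies its new 5G cell by the PCI/SSB-frequency pair carried inside the LTE RRC Connection Reconfiguration.

```python
"""Message-level walk-through of the EN-DC SgNB addition procedure (steps 1-8).

Constructed simulation: X2AP names follow TS 36.423 as quoted in the text; the
S1AP and GTP-C message names for steps (6)-(8) are assumptions; all addresses,
TEIDs, PCI and ARFCN values are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class NrCellId:
    """A 5G cell as the UE sees it: PCI plus absolute SSB frequency (NR ARFCN)."""
    pci: int
    ssb_arfcn: int


@dataclass(frozen=True)
class TunnelEndpoint:
    """One end of a GTP-U tunnel: transport layer address (TLA) plus TEID."""
    tla: str
    teid: int


class SgNB:
    """Secondary node (en-gNB): allocates NR resources and a DL tunnel per E-RAB."""

    def __init__(self, cell: NrCellId, dl_tla: str) -> None:
        self.cell = cell
        self.dl_tla = dl_tla
        self._next_teid = 0x5000  # constructed TEID pool

    def on_sgnb_addition_request(self, req: dict) -> dict:
        """Step (1) in, step (2) out; the ack carries CG-Config (3) and gNB DL TLA/TEIDs."""
        if not req["ue_nr_capabilities"].get("en_dc"):
            return {"msg": "SgNB Addition Request Reject"}
        dl_endpoints = {}
        for erab_id in req["erab_ids"]:
            dl_endpoints[erab_id] = TunnelEndpoint(self.dl_tla, self._next_teid)
            self._next_teid += 1
        return {"msg": "SgNB Addition Request Acknowledge",
                "cg_config": {"cell_group_id": 1, "pci": self.cell.pci,
                              "ssb_arfcn": self.cell.ssb_arfcn},
                "gnb_dl_endpoints": dl_endpoints}


class UE:
    def __init__(self) -> None:
        self.nr_cell: Optional[NrCellId] = None

    def on_rrc_connection_reconfiguration(self, msg: dict) -> dict:
        """Apply the NR part enclosed in the LTE message and answer with step (4)."""
        nr = msg["nr_rrc_reconfiguration"]
        self.nr_cell = NrCellId(nr["pci"], nr["ssb_arfcn"])
        return {"msg": "RRC Connection Reconfiguration Complete",
                "cell_group_id": nr["cell_group_id"]}


class SGW:
    """Serving gateway: UL endpoints are fixed at E-RAB setup, DL endpoints switch in (7)."""

    def __init__(self, ul: Dict[int, TunnelEndpoint], dl: Dict[int, TunnelEndpoint]) -> None:
        self.ul = dict(ul)
        self.dl = dict(dl)

    def on_modify_bearer_request(self, msg: dict) -> dict:
        for erab_id, endpoint in msg["dl_endpoints"].items():
            self.dl[erab_id] = endpoint  # downlink payload now goes to the gNB
        return {"msg": "Modify Bearer Response"}


class MME:
    def __init__(self, sgw: SGW) -> None:
        self.sgw = sgw

    def on_erab_modification_indication(self, msg: dict, log: List[str]) -> dict:
        """Step (6) in; relays the gNB DL TLA/TEID over S11 (7); confirms to MeNB (8)."""
        log.append("(7) MME->S-GW Modify Bearer Request [assumed GTP-C name]")
        self.sgw.on_modify_bearer_request({"dl_endpoints": msg["dl_endpoints"]})
        return {"msg": "E-RAB Modification Confirm"}


def run_sgnb_addition(ue_supports_en_dc: bool = True) -> dict:
    """Drive the procedure for one UE with two E-RABs and return the end state."""
    erab_ids = [5, 6]
    sgw = SGW(ul={5: TunnelEndpoint("10.0.0.1", 0x1001), 6: TunnelEndpoint("10.0.0.1", 0x1002)},
              dl={5: TunnelEndpoint("10.1.0.1", 0x2001), 6: TunnelEndpoint("10.1.0.1", 0x2002)})
    sgnb = SgNB(NrCellId(pci=123, ssb_arfcn=636960), dl_tla="10.2.0.7")
    mme, ue, log = MME(sgw), UE(), []

    log.append("(1) MeNB->SgNB SgNB Addition Request (after B1 measurement report)")
    ack = sgnb.on_sgnb_addition_request({
        "erab_ids": erab_ids,
        "ue_nr_capabilities": {"en_dc": ue_supports_en_dc},
        "nr_measurement": {"pci": 123, "ssb_arfcn": 636960, "rsrp_dbm": -95}})
    log.append("(2) SgNB->MeNB " + ack["msg"])
    if ack["msg"] != "SgNB Addition Request Acknowledge":
        return {"log": log, "ue_nr_cell": ue.nr_cell, "sgw_ul": sgw.ul, "sgw_dl": sgw.dl}

    # MeNB "translates" CG-Config (3) into an NR reconfiguration enclosed in LTE RRC.
    log.append("(3) MeNB->UE LTE RRC Connection Reconfiguration with NR part")
    complete = ue.on_rrc_connection_reconfiguration({"nr_rrc_reconfiguration": ack["cg_config"]})
    log.append("(4) UE->MeNB " + complete["msg"])

    log.append("(6) MeNB->MME E-RAB Modification Indication [assumed S1AP name]")
    confirm = mme.on_erab_modification_indication({"dl_endpoints": ack["gnb_dl_endpoints"]}, log)
    log.append("(8) MME->MeNB " + confirm["msg"] + " [assumed S1AP name]")
    return {"log": log, "ue_nr_cell": ue.nr_cell, "sgw_ul": sgw.ul, "sgw_dl": sgw.dl}


if __name__ == "__main__":
    for line in run_sgnb_addition()["log"]:
        print(line)
```

Running the module prints the eight-step transcript; calling `run_sgnb_addition(ue_supports_en_dc=False)` exercises the reject path, in which the S-GW's downlink endpoints stay on the eNB and the UE never learns a 5G cell.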

The total duration of the entire procedure from step (1) to (8) sums up to slightly more than 100 ms under lab conditions and typically around 300 ms in the live network.

This delay does not have a direct impact on user plane latency in the initial 5G setup phase. However, the subscriber experience might be different when it comes to inter-MeNB handover, because there is no direct handover between 5G neighbor cells. 

Changing the MeNB due to subscriber mobility means: release all 5G resources on the source (M)eNB side, perform intra-LTE handover to the target (M)eNB and add new 5G resources after handover is successfully completed. 

Thursday 5 September 2019

Opinion: What is "Real 5G" or "True 5G"


I made another opinion piece a couple of weeks back. While it has already been shared through some channels, here it is on the blog, which serves as a permanent link. Video and slides below.





As always, I welcome your opinions, comments & suggestions below.


Related Posts:

Thursday 29 August 2019

LTE / 5G Broadcast Evolution


It's been a while since I last wrote about eMBMS. A report by GSA last month identified:
- 41 operators known to have been investing in eMBMS
- 5 operators have now deployed eMBMS or launched some sort of commercial service using eMBMS
- GSA identified 69 chipsets supporting eMBMS, and at least 59 devices that support eMBMS


BBC R&D are testing the use of 4G/5G broadcast technology to deliver live radio services to members of the public as part of 5G RuralFirst - one of 6 projects funded under the UK Government’s 5G Phase 1 testbeds and trials programme (link).

A press release by Samsung Electronics back in May announced that it has signed an expansion contract with KT Corporation (KT) to provide public safety (PS-LTE) network solutions based on 3GPP standard Release 13 for 10 major metropolitan regions in South Korea including Seoul by 2020. One of the features of PS-LTE that the PR listed was LTE Broadcast (eMBMS): a feature which allows real time feeds to hundreds of devices simultaneously. It enables thousands of devices to be connected at once to transfer video, images and voice simultaneously using multicast technology.

Dr. Belkacem Mouhouche, Samsung Electronics Chief Standards Engineer and Technical Manager of the 5G projects 5G-Xcast and 5G-Tours, presented an excellent overview of this topic at the IEEE 5G Summit Istanbul, June 2019. His presentation is embedded below.



5G-Xcast is a 5GPPP Phase II project focused on Broadcast and Multicast Communication Enablers For the Fifth Generation of Wireless Systems.

They have a YouTube channel here, and the video below is an introduction to the project and the problems it looks to address.




Further Reading:

Related posts:

Friday 23 August 2019

The Politics of Standalone vs Non-Standalone 5G & 4G Speeds


A short video (and slides) discussing the operator dilemma of standalone (SA) vs non-standalone (NSA) 5G deployment, frequency refarming and why 4G speeds will start reducing once SA 5G starts to be deployed.

Video




Slides



Related Posts:

Tuesday 13 August 2019

New 3GPP Release-17 Study Item on NR-Lite (a.k.a. NR-Light)

3GPP TSG RAN#84 was held from June 3 – 6, 2019 at Newport Beach, California. Along with a lot of other interesting topics for discussion, one of the new ones for Release-17 was called NR-Lite (not 5G-lite). Here are some of the things that were being discussed for the Study Item.
In RP-190831, Nokia proposed:
  • NR-Lite should address new use cases with IoT-type of requirements that cannot be met by eMTC and NB-IoT:
    • Higher data rate & reliability and lower latency than eMTC & NB-IoT
    • Lower cost/complexity and longer battery life than NR eMBB
    • Wider coverage than URLLC
  • Requirements and use cases –
    • Data rates up to 100 Mbps to support e.g. live video feed, visual production control, process automation
    • Latency of around [10-30] ms to support e.g. remote drone operation, cooperative farm machinery, time-critical sensing and feedback, remote vehicle operation
    • Module cost comparable to LTE
    • Coverage enhancement of [10-15]dB compared to URLLC
    • Battery life [2-4X] longer than eMBB
  • Enable single network to serve all uses in industrial environment
    • URLLC, MBB & positioning

The spider chart on the right shows the requirements for different categories of devices like NB-IoT, eMTC (LTE-M), NR-LITE, URLLC and eMBB.
The understanding in the industry is that over the next 5 years, a lot of 4G spectrum, in addition to 2G/3G spectrum, would have been re-farmed for 5G. By introducing NR-Lite, there would be no requirement to maintain multiple RATs. Also, NR-Lite can take advantage of 5G system architecture and features such as slicing, flow-based QoS, etc.
Qualcomm's views in RP-190844 were very similar to those of Nokia. In their presentation, the existing 5G devices are billed as 'Premium 5G UEs' while NR-Lite devices are described as 'Low tier 5G UEs'. This category is sub-divided into Industrial sensors/video monitoring, Low-end wearables and Relaxed IoT.

The presentation provides more details on PDCCH Design, Co-existence of Premium and Low Tier UEs, Peak Power and Battery Life Optimizations, Contention-Based UL for Small Data Transmission, Relaying for Wearables and Mesh for Relaxed IoT.
Ericsson's presentation described NR-Lite for Industrial Sensors and Wearables in RP-191047. RP-191048 was submitted as New SID (Study Item Description) on NR-Lite for Industrial Sensors and Wearables. The SID provides the following details:

The usage scenarios that have been identified for 5G are enhanced mobile broadband (eMBB), massive machine-type communication (mMTC), and time critical machine-type communication (cMTC). In particular, mMTC and cMTC are associated with novel IoT use cases that are targeted in vertical industries. 

In the 3GPP study on “self-evaluation towards IMT-2020 submission” it was confirmed that NB IoT and LTE M fulfill the IMT-2020 requirements for mMTC and can be certified as 5G technologies. For cMTC support, URLLC was introduced in Release 15 for both LTE and NR, and NR URLLC is further enhanced in Release 16 within the enhanced URLLC (eURLLC) and Industrial IoT work items.

One important objective of 5G is to enable connected industries. 5G connectivity can serve as catalyst for next wave of industrial transformation and digitalization, which improve flexibility, enhance productivity and efficiency, and improve operational safety. The transformed, digitalized, and connected industry is often referred to as Industry 4.0. Industrial sensors and actuators are prevalently used in many industries, already today. Vast varieties of sensors and actuators are also used in automotive, transport, power grid, logistics, and manufacturing industries. They are deployed for analytics, diagnostics, monitoring, asset tracking, process control, regulatory control, supervisory control, safety control, etc. It is desirable to connect these sensors and actuators to 5G networks. 

The massive industrial wireless sensor network (IWSN) use cases and requirements described in TR 22.804, TS 22.104 and TS 22.261 do include not only cMTC services with very high requirements, but also relatively low-end services with the requirement of small device form factors, and/or being completely wireless with a battery life of several years. 

The most low-end services could already be met by NB-IoT and LTE-M but there are, excluding URLLC, more high-end services that would be challenging. In summary, many industrial sensor requirements fall in-between the well-defined performance objectives which have driven the design of eMBB, URLLC, and mMTC. Thus, many of the industrial sensors have connectivity requirements that are not yet best served by the existing 3GPP NR technology components. Some of the aforementioned requirements of IWSN use cases are also applicable to other wide-area use cases, such as wearables. For example, smart watches or health-monitoring wearables require small device form factors and wireless operation with weeks, months, or years of battery life, while not requiring the most demanding latency or data rates.

IWSN and wearable use cases therefore can motivate the introduction of an NR-based solution. Moreover, there are other reasons why it is motivated to introduce a native NR solution for this use case: 
  • It is desired to have a unified NR based solution.
  • An NR solution could provide better coexistence with NR URLLC, e.g., allowing TDD configurations with better URLLC performance than LTE.
  • An NR solution could provide more efficient coexistence with NR URLLC since the same numerology (e.g., SCS) can be adopted for the mMTC part and the URLLC part.
  • An NR solution addresses all IMT-2020 5G frequency bands, including higher bands and TDD bands (in FR1 and FR2).
The intention with this study item is to study a UE feature and parameter list with lower end capabilities, relative to Release 15 eMBB or URLLC NR, and identify the requirements which shall be fulfilled. E.g., requirements on UE battery life, latency, reliability, connection density, data rate, UE complexity and form factor, etc.  If not available, new potential NR features for meeting these requirements should further be studied.

There were other descriptions of the SID from Samsung, ZTE, etc. but I am not detailing them here. The main idea is to provide an insight for people who may be curious about this feature.


Related Posts: