As the use of mobile and connected devices continues to skyrocket so do the ways in which we look to enhance security.
Roger Piqueras Jover, a security research scientist at Bloomberg, began conducting industry-wide research a few years ago (prior to his joining Bloomberg) which identifies and prevents potential vulnerabilities in the LTE protocols. The Long Term Evolution (LTE) is the newest global standard for mobile communications and is generally considered secure given its mutual authentication and strong encryption scheme.
However, according to Roger, before the authentication and encryption steps of an LTE connection are executed, a mobile device engages in a substantial exchange of unencrypted messages with *any* LTE base station (legitimate or rogue) that advertises itself with the right broadcast information. As a result, LTE rogue base stations can be implemented using low-cost software-radio tools.
To find out more about his research on mobile security, we sat down with Roger for a QA.
Q: What was the most surprising thing you found when conducting the research?
A: Lots of things. Probably the most interesting thing, and essentially the root of all the vulnerabilities I find, is the large amount of messages transmitted without encryption and authentication. For example, initial connection messages, base station configuration messages and paging messages. The latter are used to let your phone know that there is an incoming connection for you. If I know your TMSI (a mobile network identifier that is very easy to obtain) and I am in the same NYC neighborhood as you, I can see when you have an incoming call, even in LTE. There was a very interesting paper a couple of years ago showing how, in the paging message sniffing scenario, I can also answer a phone call or receive a text message that was intended for you, though this trick only works in GSM.
Q:. What are you most excited about in terms of the advancement of mobile security throughout the last five years?
A: The first generation of mobile networks (1G) did not even have support for encryption, and in 2G there was no mutual authentication, which opened the doors for all types of threats. So we were not off for a good start. However, security has been substantially increased in both 3G and LTE and, in parallel, over the last few years there has been really interesting work in security research. I am very excited to see the field of mobile security become so relevant and important that now there are entire research groups devoted to this area both in industry and academia which work in really interesting projects. Mobile security is also now one of the most popular areas being discussed at security conferences.
Q: Do you think the open source community will play a larger role when it comes to mobile security in the future?
A: Definitively. A few years ago the source code of the GSM stack became available in diverse forms (openBTS, osmocomBB, etc), which resulted in very interesting research work. Although GSM is a legacy technology, not many of us were working on security research of the newest mobile standards (LTE). Now there are a few open source implementations of the LTE stack (openLTE, srsLTE, gr-lte, etc), so I expect to start seeing very interesting LTE security work in both industry and academia in the near future. Actually, a team in TU Berlin and Aalto University just published a very good paper identifying LTE vulnerabilities very similar to my work. I am very excited about this area and I think that it will increase the security of future mobile networks.
Q: In your opinion, do you think mobile networks will eventually drift away from the current implementation, which provides all IP-based mobile services over a circuit-switched mobile architecture? If so, what will this mean?
A: It is difficult to say. Mobile operators have very large investments and network deployments that cannot just be dumped and replaced by a new core infrastructure, but they are actively embracing network virtualization as a step towards a much more efficient mobile architecture. In my opinion, this will not be sufficient in the long run and, at some point, the mobile core architecture will have to be completely redesigned. This is likely to happen when 5G mobile networks are deployed. The work in the 5G community has mainly focused on a tremendously improved radio interface, but efforts are already starting to redesign the mobile core as well. After all, one of the main pillars for 5G is providing connectivity for billions of IoT devices, and this is only possible if we move away from a circuit-switched architecture. Essentially, mobile networks will not look much different, from an architecture perspective, than a WiFi network where the “access points” are the mobile base stations on top of buildings and the core network is fully IP-based
(For more on the impact of IOT on mobile networks, read Roger’s chapter in upcoming book by Fei Hu in Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Implementations.)