Wireless Security Standards

There are so many standards, it’s hard to know where to begin

“…in reviewing the 4G LTE architecture, the 3GPP, next generation mobile network (NGMN) alliance and international telecommunications union (ITU) have identified security vulnerabilities and recommended mitigation strategies. Consideration and implementation of these security enhancing measures are discretionary to the many LTE stakeholders including MNOs. As a result, the security of LTE networks and services will vary widely between MNOs, subject to the MNO's knowledge of security risks and impacts, the MNO's risk appetite and wallet size among other factors. Speed to market, tight budgets, profit targets, concerns with network performance, business models, network interoperability, regional regulations and business priorities lead to further inconsistencies in security implementation amongst MNOs.”

We could go on and on… but let me point to one more source, a presentation at the RSA Conference in April, 2015, entitled, “LTE Security — How Good Is It,” by Jeffrey Cichonski and Joshua Franklin, both of NIST. The presentation identifies several weak spots (and possible attack vectors) in the end-user device, the tower, the network core, and the IP network (i.e., the Internet).

While our focus here is on the OTA security aspects of the device and tower, vulnerabilities anywhere along the chain can compromise the whole system. That includes radios, mesh networks, packet gateways, signaling systems (i.e., the control plane), crypto, subscriber identity, and more. See slides 25-32, which go into a wide range of possible attacks that would defeat LTE security. Scary stuff.

Cellular Network Security Protocols

There are so many standards, it’s hard to know where to begin. The standards are also embedded within other standards. Let’s take one simple set of protocols: UEA2 and UIA2, which have been around since the early 2000s. UEA2 is an algorithm that protects the confidentiality of communications. Its partner, UIA2, specifies algorithms for protecting the integrity of communications. UEA2 and UIA2 are functions used by SNOW 3G, a stream cipher that generates and uses crypto keys – and is used heavily in OTA cellular security.

UEA2, UIA2 and SNOW 3G come from the 3GPP (3rd Generation Partnership Project), a vast international consortium that defined GSM (i.e., 2G cellular), UMTS (i.e., 3G) and LTE (i.e., 4G) and which is spearheading 5G. 3GPP is truly global, and has driven the cellular industry since 1992. Every quarter, 3GPP releases new specifications. Every couple of years 3GPP releases new protocol sets; sometimes they are major, like 4G LTE, and sometimes they are minor, like the new “LTE-Advanced Pro” spec that came out in October, 2015, and which might find its way into the global cellular networks and consumer devices in late 2016 or early 2017. Glacial, remember?

Slow and steady wins the race, but threats evolve quickly. There are threats to service delivery, threats to privacy, and man-in-the-middle attacks. It’s a complex landscape, and it takes only one successful exploit to let bad actors into the network. In some cases, as noted in the papers cited above, the weaknesses are in the security architecture and protocols in 4G and older cellular OTA networks.

I suspect that the biggest threat to cellular security is bugs: flaws in the firmware and operating systems embedded into smartphones and other cellular devices, as well as in towers and other carrier equipment. Given that carriers have direct control over their towers, and can do testing and other QA, my sense is that handset vulnerabilities are the biggest problem facing the industry… well, other than directed attacks against the physical infrastructure.

The Work of the 3GPP on 5G

The 3GPP specifications are numbered according to their general purpose. Modern cellular radios, for example, are in the 25 Series of specifications. The security work within the 3GPP is broken up into two different series: 33 Series is for general security, and 35 Series is for security algorithms. UEA2 and UIA2 are defined in 35.215, and SNOW 3G is in 35.216. Browse through the 33 Series and 35 Series specifications, and see links to protocols, reports, studies and more. It’s a goldmine of technical information about LTE, much of which, unfortunately, requires a lot of contextual knowledge. Note that some of those links are to industry proposals, some of which were later withdrawn.

The work on 5G is collected in another area called, “Release 14.” Unfortunately, it’s very sketchy, which reflects that 5G is still four years away, perhaps more. The 3GPP says that it is committed to release an initial technology submission by June, 2019, and a more detailed specification by October, 2020. We’ll see; it’s a big job, and a lot of information is not available.
