
Mobile Broadband Security of 3G, 4G, and Beyond

Mike Danseglio, CISSP
Avril Salter, Ph.D.
Next Direction Technologies


Session ID: NMS-201 Session Classification: Advanced


Agenda
Historical Perspective
Data Services
Cryptography
Countermeasures

Historical Perspective

The First Mobile Phone

Courtesy of Rich Howard

Source: www.nmscommunications.com

Why did people pay extra for a mobile call?

Mobile data has been around since the early 90s

The grey area of SMS eavesdropping

3000% increase in data traffic

Acceptance of lower quality video

Host-based security critical to emerging broadband traffic models

No restrictions on data use

Attacks Based on Traffic Metering


Metered and unmetered broadband traffic both allow attacks. However, they are very different attacks.

Emergence of cloud computing

Who's Responsible For Cloud Security?

GPS in >90% of smart phones

Threat of GPS
Data collection, storage, and use

You are here.

Services that follow you

Roaming Between Cellular and Wi-Fi

3G and 4G Wireless Technologies

Evolution to 4G
Technologies: LTE Advanced, LTE, HSPA, WCDMA, EGPRS, GSM
Generations: 2G, 2.5G, 3G, 3.5G, 4G

IMT-2000

IMT Advanced

3G Uses Codes to Spread the Signal


[Figure: user data (1 bit per symbol, +1 or -1) is multiplied by the spreading code (one chip per code element) to give the transmitted signal, [code * data]. At the receiver the signal is multiplied by the same spreading code, [code * signal], to give the user data.]

Illustration shows 802.11b Direct Sequence Spread Spectrum

Codes used to Spread and Scramble the Signal


[Figure labels, downlink: Data, Control, Coding and interleaving, Multiplexing, S/P, OVSF generator, Scrambling generator, Offset, Modulation]
[Figure labels, uplink: DTCH, Coding and interleaving, DPDCH(s), Multiplexing, Control, Data OVSF generator, Cntl OVSF generator, Scrambling generator, Offset, Modulation]

Eavesdropping requires:
5 MHz receiver
Knowledge and application of the codes

Illustration shows the Downlink Physical Data Channel

Understanding Codes
Short Code
  Purpose: Channelization
  Downlink usage: Distinguishes transmissions to different users
  Uplink usage: Distinguishes between Data and Control traffic
  Length: 4 to 256 chips long
  Code family: OVSF
  Spreading: Yes

Long Code
  Purpose: Scrambling
  Downlink usage: Distinguishes different cells/sectors
  Uplink usage: Distinguishes between different Users
  Length: 2^42 - 1; code period 10 ms = 38,400 chips
  Code family: Gold code*
  Spreading: No

* Specifications also define a short code that can be used with advanced receivers
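
The short (OVSF) channelization code described above, as an added example that is not part of the original slides: two users are spread with different OVSF codes, summed on one carrier, and separated again by correlating with the assigned code. The function names, the spreading factor of 8 and the bit patterns are constructed for illustration, and the long (Gold) scrambling code is left out.

```python
# Added illustration: OVSF channelization as outlined in the slides.
# Function names and the sample bit patterns are constructed for this example.

def ovsf_codes(sf):
    """Return the sf mutually orthogonal OVSF codes of spreading factor sf
    (a power of two; the slides give 4 to 256 chips)."""
    if sf < 1 or sf & (sf - 1):
        raise ValueError("spreading factor must be a power of two")
    codes = [[1]]
    while len(codes) < sf:
        # Each parent code c has two children in the tree: (c, c) and (c, -c).
        codes = [child for c in codes
                 for child in (c + c, c + [-x for x in c])]
    return codes

def spread(bits, code):
    """[code * data]: every +1/-1 data bit becomes len(code) chips."""
    return [b * chip for b in bits for chip in code]

def despread(signal, code):
    """[code * signal]: correlate each symbol period against the code."""
    n = len(code)
    return [sum(s * c for s, c in zip(signal[i:i + n], code)) / n
            for i in range(0, len(signal), n)]

def decide(correlations):
    """Hard decision; 0 means the correlator found no energy for this code."""
    return [0 if v == 0 else (1 if v > 0 else -1) for v in correlations]

SF = 8
CODES = ovsf_codes(SF)
USER_A_BITS = [1, -1, 1, 1, -1]      # constructed sample data
USER_B_BITS = [-1, -1, 1, -1, 1]     # constructed sample data

# Downlink: both users' chips are summed on the same carrier.
ON_AIR = [a + b for a, b in zip(spread(USER_A_BITS, CODES[3]),
                                spread(USER_B_BITS, CODES[5]))]

if __name__ == "__main__":
    print("user A:", decide(despread(ON_AIR, CODES[3])))
    print("user B:", decide(despread(ON_AIR, CODES[5])))
    print("unassigned code:", decide(despread(ON_AIR, CODES[6])))
```

Correlating with a code that was not assigned to any user returns zero for every symbol, which is why a receiver has to know and apply the right codes before it sees any data.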

4G Transitions to OFDM

12 subcarriers = 180 kHz

Resource Block (RB)

0.5 ms = 7 OFDM symbols

Eavesdropping requires frequency and time slot allocations

Transmission on Multiple Radio


[Figure: two transmit configurations, each with layer mapping followed by resource mapping. Increased data rate: symbols S1 and S2. Improved reliability: symbols S1, S2 and -S2*, S1*.]

Eavesdropping will require multiple antennae and sophisticated signal processing

Multi User MIMO


Virtual antenna array

Maximizes data rate

Maximizes throughput

Eavesdropping will require the ability to distinguish between users using the same frequency

4G Uses Multiple Channels


Contiguous intra-band aggregation (5 x 20 MHz)
Non-contiguous intra-band aggregation (4 x 20 MHz)
Inter-band aggregation (3 x 20 MHz)

[Figure labels: 20 MHz carriers; Band A, Band B]

Over-the-air eavesdropping requires a multi-band, multi-channel receiver

Transitioning to an All IP Network


1992: Mobile voice (GSM)
2000: Packet data (GPRS/EDGE)
2004: IP services (IMS)
2008: All IP Network (EPC)

[Figure labels: PSTN, IP, IMS, CS, PS, BSS, RAN, eNodeB]

Circuit switched is going away
All traffic will be IP packets

Flatter IP Architecture
3G architecture: Node B, Radio Controller, SGSN, GGSN, Internet

4G architecture: eNode B, Mobility Mgmt, Serving Gateway, Packet data GW, Internet

[Figure legend: User plane, Control plane]

4G Shifts Ciphering to Base Station


UMTS
  Core Network: SGSN (Packet Routing)
  Radio Access Network: RNC (Compression (PDCP), Ciphering (RLC), ARQ (RLC)); RLC packets over Iub; Node B (HARQ (MAC))

LTE
  Core Network: Serving GW (Packet Routing)
  Radio Access Network: IP packets; eNodeB (Compression (PDCP), Ciphering (RLC), ARQ (RLC), HARQ (MAC))

Note: Illustration shows user plane

Mobile Broadband Cryptography


Wi-Fi Refresher

WEP, WPA, WPA2, RADIUS, 802.1X, all that kind of thing!

3G Security
User Services Identity Module (USIM) for identity assertion and verification
KASUMI cryptography
Data integrity with f9
Data confidentiality with f8

3G Threats
Roaming
Spoofing
Denial of Service

4G Security
No standards
Heterogeneous services and technologies

4G Threats
Gaps

Examples of 4G Compromises
Ikee
Duh

Countermeasures


Countermeasures
Let 4G bake a little longer
Consider 3G partially secure
Develop and enforce policy
  Hosts
  Data transmission and storage
  Carrier standards
  Acceptable use

Attribution
All images licensed under Creative Commons Attribution 2.0 license

The End!