Paolini: Malicious attacks can threaten mobile networks

By Monica Paolini, Senza Fili Consulting

   Monica Paolini

When the issue of mobile security comes up, most of the time it is about the mobile devices--or subscribers downloading applications from dodgy sites, or granting applications unrestricted access to their devices. With malware and other security threats to mobile devices spreading quickly, mobile devices become more attractive targets because of the wide spread adoption. And as subscribers download more and more applications, this is fast becoming a hot topic. Yet, there is another side to mobile security.

It is the mobile network itself. I have looked at this topic as I was working on a white paper sponsored by F5. Malware and other attacks to mobile devices may target personal or corporate data on the mobile device, or they may use the device to launch an attack on websites or corporate sites. In these cases, the mobile network itself--radio access network (RAN), backhaul and core--is largely unaffected. But the same tools that are used to attack third-party sites can be used to direct attacks to the mobile network itself.

Mobile devices are not the only entry points. Malicious attacks can be launched from the edge of the network--the RAN. Breaking into a macro base station on a tower is challenging, but gaining physical access to a femto cell, small cell or Wi-Fi access point is much easier. All the equipment is, of course, protected, so physical access is necessary but not sufficient to launch an attack. In addition, in LTE networks, traffic in the RAN is secured, but not in the backhaul, where operators have the option, but not the requirement, to implement IPsec. (In 3G networks, backhaul traffic is encrypted.)

The increased porosity of mobile networks makes them more susceptible to malicious attacks, but it is the adoption of LTE, with its flatter IP-based architecture and the prevalence of data traffic over voice traffic that are changing the security environment in mobile networks more profoundly.

In LTE networks, the move to the IP architecture makes mobile networks easier targets to hit, because this is the environment in which hackers operate already. The introduction of new interfaces--such as the X2 interface that connects base stations--creates additional control plane traffic that may be leveraged for malicious activity. Within the core network, the introduction of Diameter signaling, the flatter architecture, and, more conspicuously, the sheer increase in application-based data traffic both on the control and on the user plane have increased the amount of signaling traffic. As operators move to manage traffic more actively and more heavily rely on policy and QoS to provide more personalized and attractive services and use their network resources more efficiently, signaling traffic will increase further.

In turn, the increase in the volume of signaling traffic makes it harder for operators to identify threats and effectively control them in real time. At this early stage in the rollout of LTE networks and advanced functionality, everybody in the industry is still on a steep learning curve to learn how to recognize and respond to them, and to understand how the security landscape is evolving--as hackers and hacktivists are also becoming more familiar with mobile networks and learning how to infiltrate them.

Signaling floods are the most commonly encountered result of either distributed denial of service (DDoS) attacks or arising from accidental traffic spikes that cause congestion in the network and may limit service availability, slow down network access or crash the network entirely. In Japan, NTT DoCoMo experienced a signaling flood of this type that disrupted network access in January, caused by a VoIP OTT application running on Android phones.

As operators move to LTE and traffic volume grows, signaling overloads are likely to become more widespread, either as the result of malicious activity or accidentally caused by upgrades, applications or errors in configuration.

In addition, mobile networks are increasingly attractive targets for hacktivists who aim to promote a political or social agenda through disruption. As mobile networks become more central to our work and personal life, they become a new and very attractive high-profile target that fits well with the hacktivists' goal to reach a wide audience.

Does this mean that mobile networks will crumble under unmanageable signaling traffic loads and attacks from hacktivists looking for easy notoriety? Mobile networks have been built with security in mind--more so than fixed networks, because as a more recent creation, mobile networks and devices incorporate the lessons learned in the fixed world--and they have a very good track record in protecting mobile traffic. Yet, the transition from voice to data, from practically proprietary interfaces to IP, and to a much higher number of devices, applications and signaling traffic is creating an extended set of new vulnerabilities in mobile networks that need to be preemptively addressed to protect mobile networks, subscribers and their devices and to retain the trust in the operators.

Monica Paolini, PhD, is the founder and president of Senza Fili Consulting and can be contacted at [email protected]. Senza Fili Consulting is an analyst and consulting firm that provides advisory services on wireless data technologies and services.