3. What is 4G
4G is the fourth generation of the mobile phone
communications standard
Offers mobile ultra-broadband Internet access, for example to
laptops with USB wireless modems, to smartphones, and to
other mobile devices
Two 4G candidate systems are commercially deployed:
- the Mobile WiMAX standard (at first in South Korea in 2006),
- the first-release Long Term Evolution (LTE) standard (in Oslo,
Norway since 2009).
4. 4G vs 3G
4G wireless communications allow for significant increases in data rates
over 2G (second generation), 3G (third generation) and 3.5G wireless
technologies.
4G wireless networks are based on the TCP/IP architecture
By moving to an open set of communication protocols (TCP/IP suite)
there is an anticipated increase in security issues compared to previous
generations
Intended to drive costs down since other types of networks use IP for
networking as well.
5. LTE
Standard for wireless communication of high-speed
data for mobile phones and data terminals
Based on the GSM/EDGE and UMTS/HSPA network
technologies
Increases the capacity and speed using a different
radio interface together with core network
improvement
Developed by the 3GPP (3rd Generation Partnership
Project)
6. LTE Architecture
• Smart phones or laptops connect to the wireless network through the eNodeB within the
Evolved UMTS Terrestrial Radio Access Network (E-UTRAN).
• The E-UTRAN connects to the Evolved Packet Core (EPC) which is IP-based.
• The EPC connects to the provider wire line IP network.
• Mobility Management Entity (MME) does all the control and security related tasks such
as authentication and integrity protection
• PDN Gateway (PGW) allows the user to connect to external data networks.
• Home Subscriber Server (HSS) contains all the information regarding the static
subscriber for authentication purposes
8. LTE Security Design
4 main elements:
•Key Security: generates keys that allow the E-UTRAN and EPS to communicate with each
other, and that protect the traffic between different components of the E-UTRAN and
EPS. The keys are generated by the Key Derivation Function.
•Authorization: authentication vectors are generated based on sequence numbers that
are retrieved between the messages. The authentication vector is then passed into
security algorithms for further processing with ciphering
•Key Management: Key establishment, key distribution, and key generation done via
the EPS procedure.
•Unique Identifiers: Every user has unique id to prevent confusion.
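The Key Derivation Function named above, shown as an added example that is not part of the original slides: it walks the EPS key hierarchy from CK/IK down to the NAS, RRC and user-plane keys. The FC values and parameter layout follow the 3GPP specifications (TS 33.220 Annex B, TS 33.401 Annex A), which the slides do not list; function names and all key inputs are constructed for illustration.

```python
import hashlib
import hmac

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # each parameter is followed by its length
    return hmac.new(key, s, hashlib.sha256).digest()

# Algorithm type distinguishers used when deriving per-purpose keys.
ALG_TYPE = {"NAS-enc": 0x01, "NAS-int": 0x02, "RRC-enc": 0x03,
            "RRC-int": 0x04, "UP-enc": 0x05}

def alg_key(parent: bytes, purpose: str, alg_id: int) -> bytes:
    """Derive a 128-bit ciphering or integrity key (FC 0x15)."""
    out = kdf(parent, 0x15, bytes([ALG_TYPE[purpose]]), bytes([alg_id]))
    return out[16:]  # keep the 128 least significant bits

def derive_hierarchy(ck, ik, sn_id, sqn_xor_ak, ul_nas_count, eea=2, eia=2):
    """Walk the EPS key hierarchy from CK/IK down to the traffic keys."""
    k_asme = kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)              # UE <-> MME anchor key
    k_enb = kdf(k_asme, 0x11, ul_nas_count.to_bytes(4, "big"))  # UE <-> eNodeB key
    return {
        "K_ASME": k_asme,
        "K_eNB": k_enb,
        "K_NASenc": alg_key(k_asme, "NAS-enc", eea),
        "K_NASint": alg_key(k_asme, "NAS-int", eia),
        "K_RRCenc": alg_key(k_enb, "RRC-enc", eea),
        "K_RRCint": alg_key(k_enb, "RRC-int", eia),
        "K_UPenc": alg_key(k_enb, "UP-enc", eea),
    }

# Constructed sample inputs (not real subscriber material).
CK = bytes(range(16))
IK = bytes(range(16, 32))
SN_ID = bytes.fromhex("00f110")            # constructed 3-octet serving network id
SQN_XOR_AK = bytes.fromhex("0102030405aa")  # constructed 6-octet value

if __name__ == "__main__":
    for name, key in derive_hierarchy(CK, IK, SN_ID, SQN_XOR_AK, 0).items():
        print(f"{name:9s} {key.hex()}")
```

Because the serving network id is an input to K_ASME, every key below it changes when the network id changes, while a new uplink NAS COUNT only refreshes K_eNB and the keys derived from it.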
9. WiMAX
Refers to interoperable implementations of
the IEEE 802.16 family of wireless-networks
standards ratified by the WiMAX Forum
WiMAX can provide at-home or mobile Internet
access across whole cities or countries.
Wireless communications standard designed to
provide 30 to 40 megabit-per-second data rates
10. WiMAX Architecture
• Authentication, Authorization, and Accounting (AAA) server
located in the Connectivity Service Network (CSN) processes
control signals from the Access Service Network (ASN-GW) to
authenticate the Mobile Station (MS) against the MS’s profile
stored in the AAA server’s database.
• Once authenticated, the AAA server sends the MS’s profile to
the ASN-GW.
• The Home Agent (HA) processes control signals from the
ASN-GW and assigns a Mobile IP address to the MS and
anchors the IP payload.
• The HA server provides connectivity to the Internet for data
traffic
12. WiMAX Security Design
• The IEEE 802.16 standard defines the medium access control
(MAC) layer for the wireless link between a BS and a MS.
• The MAC layer is the security layer.
• This security layer handles
(i) authentication and authorization
(ii) key management/distribution
(iii) encryption.
14. Interference
• When man-made interference is inserted onto a
medium, a communication system can stop
functioning due to a high signal-to-noise ratio.
• Interference attacks can be easily carried out as
the equipment and knowledge to carry out such
attacks are widely available
• Interference is easy to detect using radio
spectrum monitoring equipment.
15. Scrambling Attacks
• Scrambling is a form of interference which is activated for short intervals
of time.
• It is targeted against a specific frame or parts of frames.
• The attacker may target management or control information of a particular
user to disrupt service.
• However, the attacker has to be sophisticated and knowledgeable since
specific frames and time slots must be identified for the attack to be
successful.
• Difficult to implement successfully
16. Signal Jamming
• High-speed wireless data networks are vulnerable to a simple jamming
technique that could block service across much of a city
• Radio frequency can be blocked, or “jammed,” if a transmitter sends a
signal at the same frequency.
• The LTE signal is very complex, made up of many subsystems, and in
each case, if you take out one subsystem, you take out the entire base
station.
• All that is required is a laptop and an inexpensive software-defined radio
unit and battery power.
17. Location tracking
• Tracking the UE presence in a particular cell or across multiple
cells.
• Location tracking is made possible by tracking a combination
of the Cell Radio Network Temporary Identifier (C-RNTI) with
handover signals or with packet sequence numbers
• Because the C-RNTI is transmitted in clear text, an attacker can
determine whether the UE using the C-RNTI is still in the same cell
or not.
• An attacker can link the new C-RNTI from the Handover
Command message and the old C-RNTI
18. Key Management
• Key management for WiMAX at the MS has been designed to safeguard it
from replay attacks.
• The MS can determine if a Key Reply message is new or old. This is
possible since the old Traffic Encryption Key (TEK) and new TEK are
included in the Key Reply message.
• However, if an attacker replays Key Request messages to the BS, it can
trigger frequent exchange of keying materials.
• This will cause confusion at the MS and exhaust resources at the BS
19. Bandwidth Stealing
• Leech the bandwidth from the user's device.
• Buffer status reports are used as input information for
packet scheduling, load balancing, and admission
control.
• Due to the nature of the packet scheduling algorithm,
by sending a false buffer report the eNodeB will think
that the user's device has nothing to send.
20. Denial of service attacks
Denial of Service (DoS) attacks are a concern for WiMAX networks.
A DoS attack can be initiated via simple flooding, attacking
unauthenticated management frames.
The MS authenticates the BS using RSA authentication.
The BS has to sign and reply with its public key. Processing of public key
encryption and signature is CPU intensive.
If flooded with false requests, the BS will be very busy computing and
evaluating digital signatures and will be unable to serve any other
requests
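A mitigation sketch for the Key Request replay described under Key Management and the flooding described above, as an added example that is not part of the original slides: the BS consults a cheap gate before doing any signature or key-generation work. The class name, limits and frame bytes are hypothetical and constructed for illustration.

```python
import hashlib
from collections import defaultdict, deque

class KeyRequestGate:
    """Cheap admission check run before any CPU-intensive crypto at the BS."""

    def __init__(self, per_ms_limit=2, global_limit=5, window_s=10.0):
        self.per_ms_limit = per_ms_limit    # admitted requests per MS per window
        self.global_limit = global_limit    # admitted requests overall per window
        self.window_s = window_s
        self.per_ms = defaultdict(deque)    # ms_id -> times of admitted requests
        self.admitted = deque()             # times of all admitted requests
        self.seen = {}                      # frame digest -> time first seen

    def _expire(self, q, now):
        while q and now - q[0] >= self.window_s:
            q.popleft()

    def check(self, ms_id: str, frame: bytes, now: float) -> str:
        digest = hashlib.sha256(ms_id.encode() + frame).digest()
        self.seen = {d: t for d, t in self.seen.items() if now - t < self.window_s}
        if digest in self.seen:
            return "drop-replay"            # byte-identical frame seen recently
        self.seen[digest] = now
        q = self.per_ms[ms_id]
        self._expire(q, now)
        self._expire(self.admitted, now)
        if len(q) >= self.per_ms_limit:
            return "drop-ms-rate"           # one MS asking for keys too often
        if len(self.admitted) >= self.global_limit:
            return "drop-global-rate"       # flood spread over many (spoofed) MS ids
        q.append(now)
        self.admitted.append(now)
        return "process"                    # only now spend CPU on signatures/keys

def run(events, gate):
    return [gate.check(ms, frame, t) for t, ms, frame in events]

# Constructed event trace: (time in seconds, MS id, raw request bytes).
EVENTS = [
    (0.0, "ms-a", b"keyreq seq=4"), (0.5, "ms-a", b"keyreq seq=4"),
    (1.0, "ms-a", b"keyreq seq=5"), (1.5, "ms-a", b"keyreq seq=6"),
    (2.0, "ms-b", b"keyreq seq=1"), (2.1, "ms-c", b"keyreq seq=1"),
    (2.2, "ms-d", b"keyreq seq=1"), (2.3, "ms-e", b"keyreq seq=1"),
    (12.0, "ms-a", b"keyreq seq=7"),
]

if __name__ == "__main__":
    for (t, ms, _), verdict in zip(EVENTS, run(EVENTS, KeyRequestGate())):
        print(f"{t:5.1f}s {ms} {verdict}")
```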
21. Open Nature
• Departure from proprietary operating systems for hand held devices to
open and standardized operating systems
• Open nature of the network architecture and protocols (IP-based).
• With this move to open protocols and standards, 4G wireless networks
are now susceptible to computer attack techniques present on the
Internet.
• Such networks will be increasingly vulnerable to a range of security
attacks including for example Malware, Trojans and Viruses
22. Conclusion
• 4G is still relatively new technology that
provides high speed data rates to mobile
devices.
• 4G consists of the LTE and WiMAX networks
• 4G networks are prone to many security threats
due to the open nature of the architecture and
standards.