5. Possible Cyber Security Vulnerabilities in Telecommunications C-V2X
5.3. Functional Elements of a Mobile Network
Mobile networks consist of several functional elements or sub-networks that connect and interface with each other to form the overall network architecture. Each of these functional elements or sub-networks has certain logical or physical interfaces that allow the various interactions between them to occur.
55 3GPP TS 23.401,
The interactions between these functional elements, however, mean that there are security implications that must be considered in order to provide end-to-end security for the network.
The radio access, core, and backhaul networks are the key functional elements considered in this work. The key security vulnerabilities identified in each sub-network or network interface are presented, and the security threats and attacks that have been demonstrated against each sub-network are highlighted. As a way of mitigating the highlighted threats, the built-in security features and capabilities of each of these sub-networks are also discussed in the subsequent sections of this report.
5.3.1. Radio Access Network (RAN)
The Radio Access Network (RAN), in most cases, forms the largest component of the overall mobile network. It typically comprises the base transceiver stations (BTS) and the associated base station controllers (BSCs); in LTE the eNodeB takes on both roles. The RAN implements the radio access technology, using radio signals to connect subscribers (i.e., the mobile devices) to the Core Network.
User Equipment (UE), i.e. the mobile devices, connects to the RAN over the air interface to the BTS. From a mobile security perspective, that air interface, starting from the Subscriber Identity Module (SIM) card embedded in the mobile device, therefore forms part of the RAN.
RAN technology has evolved through successive generations of mobile networks since GSM. The 2G GSM RAN carries circuit-switched voice alongside packet data via General Packet Radio Service (GPRS) and Enhanced Data rates for GSM Evolution (EDGE). 3G improved data speeds with UMTS, combining circuit-switched voice with High-Speed Downlink Packet Access (HSDPA). 4G/LTE, since upgraded to LTE-Advanced (LTE-A), is a purely packet-switched network offering high data rates and low latency; voice is carried as Voice over LTE (VoLTE) on an Internet Protocol (IP) Multimedia Subsystem (IMS) platform in the core, which also allows Wi-Fi calling for an authenticated device.
Each generation has also brought better security measures and capabilities to mitigate the known security vulnerabilities of the preceding generation. For example, in the analogue 1G networks it was possible to capture the radio signals with an ordinary transceiver, as there was no protection against eavesdropping between the mobile device and the base station. It was also possible to use 'cloning', either of the mobile subscriber, to use services without paying, or of the base station, to deceive the UE into connecting to a false base station and gain unauthorised access to user information. These threats have been reduced from the second generation onwards with the introduction of encryption on the air interface and subscriber authentication. It should be noted, however, that GSM authenticates only the subscriber to the network; mutual authentication, in which the UE also verifies that the challenge came from its home network, was introduced with the 3G Authentication and Key Agreement (AKA) procedure and carried into 4G. False base station attacks therefore remain feasible against a device that can be pushed down to a 2G connection.
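To make the difference between one-way and mutual authentication concrete, the following is an added, self-contained illustration (not code from the report or from any 3GPP specification). It models the AKA exchange of a 3G/4G network beside the GSM challenge-response: the home network issues RAND and an authentication token AUTN, the USIM checks the token before answering, and a replayed token is caught by the sequence number. Truncated HMAC-SHA256 is assumed in place of the MILENAGE f1/f2/f5 functions, CK/IK derivation is omitted, and the subscriber key K and sequence numbers are constructed for the demonstration.

```python
"""Toy 3GPP AKA (3G/4G) beside GSM one-way authentication.

Added illustration, not from the report: HMAC-SHA256 stands in for the
MILENAGE f1..f5 functions, and the key and sequence numbers are constructed.
"""
import hashlib
import hmac
import secrets

AMF = b"\x80\x00"  # authentication management field, held constant here


def _f(k: bytes, label: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for MILENAGE f1..f5 (assumption: truncated HMAC-SHA256)."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]


def mac_a(k: bytes, sqn: bytes, rand: bytes) -> bytes:
    return _f(k, b"f1", sqn + AMF + rand, 8)   # f1: network authentication MAC


def res(k: bytes, rand: bytes) -> bytes:
    return _f(k, b"f2", rand, 8)               # f2: subscriber response (RES/XRES)


def ak(k: bytes, rand: bytes) -> bytes:
    return _f(k, b"f5", rand, 6)               # f5: anonymity key concealing SQN


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AuthCentre:
    """HLR/AuC (HSS in the EPC): shares K with the SIM and tracks a per-subscriber SQN."""

    def __init__(self, k: bytes) -> None:
        self.k, self.sqn = k, 0

    def auth_vector(self):
        """Return (RAND, AUTN, XRES); CK/IK derivation is omitted for brevity."""
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        rand = secrets.token_bytes(16)
        # AUTN = (SQN xor AK) || AMF || MAC-A, 16 bytes sent over the air interface
        autn = xor(sqn, ak(self.k, rand)) + AMF + mac_a(self.k, sqn, rand)
        return rand, autn, res(self.k, rand)


class Sim:
    """(U)SIM: in AKA it verifies AUTN before answering; in GSM it simply answers."""

    def __init__(self, k: bytes) -> None:
        self.k, self.sqn_seen = k, 0

    def aka_respond(self, rand: bytes, autn: bytes) -> bytes:
        sqn = xor(autn[:6], ak(self.k, rand))          # unmask SQN
        if not hmac.compare_digest(autn[8:16], mac_a(self.k, sqn, rand)):
            raise ValueError("MAC failure: the network could not be authenticated")
        n = int.from_bytes(sqn, "big")
        if n <= self.sqn_seen:                          # replayed or stale vector
            raise ValueError("synchronisation failure: SQN not fresh")
        self.sqn_seen = n
        return res(self.k, rand)

    def gsm_respond(self, rand: bytes) -> bytes:
        """2G: only RAND is sent, so the SIM cannot tell a false base station apart."""
        return res(self.k, rand)


def run_scenarios() -> dict:
    k = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed subscriber key
    auc, sim = AuthCentre(k), Sim(k)
    out = {}

    # 1. Genuine network: the SIM accepts AUTN and its RES matches XRES.
    rand, autn, xres = auc.auth_vector()
    out["genuine_accepted"] = sim.aka_respond(rand, autn) == xres

    # 2. False base station that does not know K: AKA fails closed, GSM still answers.
    rand2, autn2, _ = AuthCentre(secrets.token_bytes(16)).auth_vector()
    try:
        sim.aka_respond(rand2, autn2)
        out["aka_rejects_false_bts"] = False
    except ValueError:
        out["aka_rejects_false_bts"] = True
    out["gsm_answers_false_bts"] = len(sim.gsm_respond(rand2)) == 8

    # 3. Replay of the captured genuine vector: caught by the SQN freshness check.
    try:
        sim.aka_respond(rand, autn)
        out["replay_rejected"] = False
    except ValueError:
        out["replay_rejected"] = True
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

The point of the three scenarios is the failure mode of 2G: `gsm_respond` has nothing to verify, so the SIM answers a false base station's challenge and the device goes on to camp on it, whereas `aka_respond` refuses both an unauthenticated token and a replayed one before any keys are used.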
5.3.2. Core Network (CN), the EPC
The core network (CN), i.e. the Evolved Packet Core (EPC) in 4G, forms the central part of the mobile network, providing access to the required services for users connected through the RAN. Across generations it comprises entities such as the Mobile Switching Centre (MSC) with its Visitor Location Register (VLR), the Home Location Register (HLR) and Authentication Centre (AuC), whose functions are merged in the EPC into the Home Subscriber Server (HSS), the Equipment Identity Register (EIR), the Mobility Management Entity (MME), the Serving Gateway (SGW) and the Packet Gateway (PGW), which interfaces with external data networks and the internet.
The core network provides the circuit-switched and packet-switched functions required for mobile users to access voice, SMS and data services, as well as routing calls to the PSTN. To ensure that only the mobile users entitled to a service can access it and are accurately billed for it, the core network provides the network's authentication and charging capabilities. It is also responsible for mobility management functions such as assisting the handover of mobile devices between base stations and managing paging, access and the location update process.
Earlier generations of mobile networks such as 2G and 3G use the Signalling System No. 7 (SS7) protocol suite, designed decades ago for communication between operator networks and for coordinating activities such as authentication, voice and data switching and location updates. SS7 was designed on the assumption of a closed group of trusted operators, so its messages carry no authentication of their origin. If interconnect access is not correctly managed, this allows messages to be altered, deleted or injected into the network, compromising data integrity and the security of the network. In 4G, SS7 was replaced by the IP-based 'Diameter' signalling protocol, whose transport can be protected with IPsec or TLS. Diameter retains a similar inter-operator trust model, however, so the improvement depends on how interconnect signalling is filtered and authenticated rather than on the protocol alone.
5.3.3. Transport Network (Backhaul)
The backhaul of a mobile network connects the RAN to the core network. It transports data from the base station to the central elements of the core network, for example the Serving Gateway (S-GW) and Mobility Management Entity (MME) in an LTE network.
Figure 12: 4G Network Architecture showing backhaul subnetwork elements
The backhaul network usually comprises three tiers of nodes: access (or last mile), preaggregation and aggregation nodes. The access and preaggregation networks can both be implemented over wireless media such as microwave links or over wired media using copper or fibre optic cables. The aggregation network requires very high capacity and is therefore usually implemented using fibre. The access network links the edge of the mobile network (i.e. the base station) to the preaggregation nodes; the aggregation node collects the traffic from all preaggregation nodes and forwards it to the core network.
Earlier generations of mobile networks implemented backhaul using standards such as Asynchronous Transfer Mode (ATM) and Time-Division Multiplexing (TDM). These protocols were less widely understood by attackers and were therefore attacked less often, a benefit of obscurity rather than of design. Current 4G backhaul, however, is based on a flat All-Internet Protocol (All-IP) architecture that is well understood by many and therefore presents a larger attack surface, including traditional Internet threats such as malware-based trojan attacks, jamming-based Denial-of-Service (DoS) attacks, IP spoofing (masquerading), eavesdropping and Man-in-the-Middle (MitM) attacks.
Some of the security threats and vulnerabilities in the backhaul network can be mitigated by using security gateways at the edge of the core network, Layer 3 IPsec tunnels between the base stations and those gateways, and a certificate authority to issue the certificates with which the tunnel endpoints authenticate each other. The threats, vulnerabilities and capabilities of all the mobile network components introduced in this section are discussed in detail in the subsequent sections of this report, particularly as they relate to CAV security.
While the Internet is not a security issue per se for the mobile network, its connection to the mobile network may introduce large-scale security threats, with many Internet-based attacks originating from this entry point. Note that the modelling of security threats outside the mobile network, such as in external networks like the Internet or the PSTN, is outside the scope of this report.
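As an added example of what the backhaul mitigation described above looks like in practice (not a configuration from the report or from any operator), the following strongSwan swanctl.conf fragment configures the base station end of an IKEv2/IPsec ESP tunnel to the security gateway, with both endpoints authenticated by certificates issued by the operator's certificate authority. Every address, identity, file name and subnet here is constructed for the illustration.

```conf
# /etc/swanctl/swanctl.conf on the base station (constructed example)
connections {
    s1-backhaul {
        version      = 2                    # IKEv2
        local_addrs  = 10.10.1.25           # base station backhaul address (assumed)
        remote_addrs = 192.0.2.10           # security gateway at the core edge (assumed)
        proposals    = aes256-sha256-ecp256
        dpd_delay    = 30s                  # detect a dead or replaced peer

        local {
            auth  = pubkey
            certs = enb-25.pem              # certificate issued by the operator CA
            id    = "CN=enb-25, O=Example Operator"
        }
        remote {
            auth = pubkey                   # the gateway must present a CA-issued certificate
            id   = "CN=segw.core.example, O=Example Operator"
            # no 'cacerts' override: only the CAs installed in /etc/swanctl/x509ca are trusted
        }

        children {
            s1 {
                local_ts      = 10.10.1.25/32
                remote_ts     = 10.20.0.0/16  # MME / S-GW subnet behind the gateway (assumed)
                esp_proposals = aes256gcm16-ecp256
                mode          = tunnel      # the default, stated for clarity
                start_action  = start       # bring the tunnel up when the daemon starts
                dpd_action    = restart
            }
        }
    }
}
```

The weak setting to avoid is `auth = psk` with a per-site shared secret: it does not scale across thousands of cells, and anyone who obtains the secret can authenticate as the gateway, which is exactly the masquerading and MitM threat the tunnel is meant to remove. With certificate authentication the base station will only establish the tunnel if the gateway's certificate chains to a trusted CA and carries the expected identity.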