3G Mobile Network Security White Paper January 2007


Copyright © 2007 iGillottResearch, Inc.


Executive Summary

Mobile operators need to recognize their newfound role as internet service providers (ISPs). No longer do they just provide cellular voice services; now they also provide high-speed Internet Protocol-based (IP) data services. So as to offer a wider array of services and content to their data subscribers, mobile operators are opening up their formerly closed networks to numerous other mobile operators, data networks and the public Internet.

As a result, mobile operators’ 3G networks are exposed not only to all the virtual pathogens already in circulation, but also to mobile-specific viruses and Trojans, as well as to direct attacks such as Denial of Service (DoS) against their networks from hackers and/or criminal organizations. These types of attacks employ methods that wired ISPs have been dealing with for a much longer period of time. There are also variations on these attacks that exploit weaknesses in the architecture and some of the protocols used in 2.5G/3G cellular data networks.

To protect their networks and customers, then, mobile operators need to:

Take an architecture approach to implementing security solutions in their network; point solutions are not sufficient

Deploy a variety of products in their networks, such as firewalls, intrusion detection and prevention (IDP) and virtual private networks (VPNs)

Make client-side anti-virus and firewall software readily available to their subscribers who use data devices (e.g., feature phones with data capabilities, smartphones, notebook computers)

Be vigilant and adopt appropriate security policies that reflect the threats in the 2.5G/3G world. This has additional ramifications given the widespread use of WiFi and the general evolution toward networks based on the IP Multimedia Subsystem (IMS) standard

Be aware that their networks are only as secure as the weakest link. Mobile operators need to work with each other, the ISP community and other telecom providers to ensure that even the minimum amount of security is quite strong.

Vigorously protect signaling as the migration of signaling traffic over IP creates new risks. Mobile operators carry much more signaling traffic than their wired counterparts and signaling is mission critical traffic.

This whitepaper will explore the following topics:

Why 2.5/3G wireless networks are now vulnerable and at what points they are vulnerable

The types of attacks that can be perpetrated against those networks

The types of products that can be deployed to help guard 3G networks

The business implications of a network outage and a revenue impact model to demonstrate the seriousness of such an outage

Future threats to mobile operators, specifically regarding IMS which is being deployed by fixed and mobile carriers around the world.

Finally, this paper also suggests some steps mobile operators can take to minimize the risk to their networks and their customers.


The Need for Security

Mobile Networks Are Now More Vulnerable Than Ever

Cellular data networks are vulnerable for several reasons:

1) Mobile operators are building out high speed wireless networks that are based on the Internet Protocol (IP) which allow users to do more while connected.

2) Mobile operators have opened up their networks to the public Internet and to other data networks, making their 2.5G/3G networks more vulnerable to attacks.

3) Mobile operators are evolving their networks to IMS, enabling interconnected networks all running on IP.

Broadband Wireless Rollouts

In the past, mobile operators only provided cellular voice service. Their security concerns were limited to cloning and subscription fraud. Mobile data usage began with implementations of CDPD and Mobitex, but widespread adoption really began with the rollout of 2.5G networks (GPRS, EDGE, CDMA 1X) and now with third generation (3G) high-speed wireless networks such as CDMA EV-DO and UMTS/HSDPA. And as Figure 1 shows, the world is increasingly moving toward 2.5/3G networks.

Figure 1: Worldwide Subscribers by Wireless Network Generation (000s), 2004-2010

The chart plots subscribers (in thousands, on a scale of 0 to 350,000) by year from 2004 to 2010 for three groups of networks: 1G, 2G, and 2.5G and 3G.

Source: iGR, 2006

Since 3G networks are based on IP, mobile operators must address an entirely new set of hazards – viruses, Trojans and denial of service attacks – that until now have primarily impacted wired internet service providers (ISPs). By deploying 3G networks, mobile operators around the world are now ISPs as well as providers of cellular voice service. Moreover, 3G networks are significantly faster than their 2.5G predecessors: CDMA EV-DO (Rev. 0) provides a 400-700 kbps download rate with “peak” speeds of up to 2 Mbps; UMTS/HSDPA networks also provide a 400-700 kbps download rate but with potentially higher peak speeds (up to 7 Mbps).

The security implication here is that with more users of varied data-capable devices who are accessing content and communicating with one another across multiple networks, there will be more traffic on the cellular networks. That implies a higher likelihood of attacks occurring from any number of sources. For example, many sophisticated attacks disguise themselves in data flows across sessions and ports – the more traffic there is, the harder it is to identify the threats.

Opening Up

Mobile data networks are being opened up in two senses:


1) Interconnection to other networks, such as the public Internet, other mobile operator networks, private networks (including company LANs), content servers, etc.

2) Multiple device types – Symbian, RIM BlackBerry and Windows Mobile-based smartphones, personal digital assistants (PDAs), notebook computers and data-capable feature phones.

From a security perspective, this newfound openness is a problem because there are now far more elements which are vulnerable. For example, the majority of 3G mobile equipment:

Supports high-speed connections to the public Internet and private data networks such as corporate networks

Provides multimedia messaging, content downloads, Web browsing, network-based games, office applications, TV and virtual private networking to subscribers. Malware can propagate through many of these mediums.

Is more open to user modification because of storage cards, synching with PCs, Internet connectivity, Bluetooth and Wi-Fi.

Evolving to IMS

On top of the network upgrades from 2.5G to 3G, many mobile and fixed operators are also moving forward with plans to evolve their networks to conform to the IP Multimedia Subsystem (IMS) architecture. IMS uses open standard IP protocols to create communications links between a variety of users – e.g., a multimedia session between two IMS users; between an IMS user and a user on the Internet, or between two users on the Internet. As a result, unprotected IMS services are also vulnerable to a variety of different attacks.

These connections can and will traverse multiple networks – the PSTN, the Internet, the mobile operator’s, a cable operator’s and/or a WiFi provider’s. Each of these vastly different networks has its own unique vulnerabilities which must be protected.

IMS deployments are increasingly widespread. One example of a mobile operator evolving toward IMS services is T-Mobile USA’s @Home service in Seattle, Wash. “HotSpot @Home” is T-Mobile's brand name for its Unlicensed Mobile Access (UMA) service, which allows a cell phone to make voice or data calls using a pre-approved Wi-Fi hotspot instead of the cellular network. UMA is considered to be an evolutionary step toward full IMS for GSM operators.

Examples of Attacks

Exploiting the unprotected holes in IP data networks and the systems connected to those networks has long been the pastime of bored “script kiddies” – bright adolescents and young adults with time on their hands and a knack for coding. In recent years, however, attacking data networks has also become a focus for criminal organizations.

Their motivations are as mercenary as they are varied. Some of these criminals might be trying to defraud the mobile operator of airtime or render the network unusable for a period of time so as to extort money from the operator. Other criminals might be interested in acquiring subscriber information so as to either steal their identities or billing and credit card information.

Hacking Subscriber Information

These types of attacks on mobile operators’ networks have already happened and will continue to happen. Take, for example, the rather significant breach of T-Mobile USA’s subscriber databases in 2004. As reported by SecurityFocus, the hacker was able to access information on any of T-Mobile’s 16.3 million customers, including Social Security numbers and dates of birth. The article also stated that the hacker was able to obtain voicemail PINs and the passwords providing customers with Web access to their T-Mobile email accounts [1].

Clearly, this type of security breach could have had a massive impact not only on the operator’s revenues, but also on the subscribers whose identities could have been stolen.


Denial of Service Attacks

Other types of attacks on operator networks are also possible. For example, in 2005, two computer science professors at Penn State University published a report detailing how Internet-originated text messages could be used to overwhelm a mobile operator’s short message service center (SMSC) and, potentially, its ability to provide cellular voice services [2]. This is an example of how a Denial of Service attack, which has its origins in the IP world, can negatively impact an ostensibly separate service.

The key here is that mobile operators use an inherently scarce resource (wireless spectrum) to provide services. If the available bandwidth is overwhelmed by meaningless data traffic, then subscribers’ ability to use their cell phones will be impaired. This interruption then has real-world implications for both the mobile operator (lost revenue) and for the subscribers (no service).

It is also possible for attackers to launch Denial of Service (DoS) attacks directly against the radio resources by creating radio interference in particular wireless spectrum. Attackers can also launch DoS attacks from other quarters, such as from the public Internet into the operator’s mobile core. That type of attack could essentially deny Internet service to the operator’s customers.

Virus Propagation

A recent Kaspersky Labs article [3] described a localized outbreak of a strain of the Cabir mobile virus in Helsinki, Finland, during the 10th World Athletics Championships in August 2005. The Cabir worm in that case spread via file transfers over open Bluetooth mobile phone connections. Users unwittingly accepted file transfers and thereby infected their phones. Had the outbreak not been speedily contained, Cabir could have infected many thousands of phones belonging to subscribers from all over the world.

This relatively minor outbreak illustrates how easily mobile malware can propagate. Simply setting a Symbian phone’s Bluetooth connection to “hidden” would have halted the transmission of the worm. Other types of mobile malware, such as the ComWar virus, can spread through multimedia messages (MMS) – which the Kaspersky article cites as a much more dangerous form of propagation since the malware can spread over any distance. And because MMS can be sent to email addresses, MMS can serve as a cross-platform carrier – e.g., spread mobile malware from a PC to a mobile device or vice versa.

The sheer number of mobile virus families is staggering, as Figure 2 shows. Kaspersky Labs currently tracks 31 families of mobile malware which have 170 variants (Cabir and ComWar are examples of two families).

Figure 2: Increase of Known Mobile Malware Variants

Source: Kaspersky Labs, 2006

Even seemingly “Internet-only” malware can impact a mobile operator’s operations. In 2003, for example, the Slammer/Sapphire worm outbreak cut a wide swath of destruction – 20 percent of global Internet traffic was lost; 13,000 cash machines shut down; emergency services in Washington DC were lost for a short time; and commercial airline flights were delayed. Slammer’s impact was felt as far away as South Korea, where 27 million South Korean wireless subscribers lost their cellular service.


Marketing Harassment

Other attacks are targeted directly at subscribers. For example, in February 2006 Verizon Wireless won a permanent injunction against Passport Holidays. The firm sent more than 98,000 unsolicited short text messages to Verizon Wireless customers informing those recipients that they had won a cruise to the Bahamas and asking them to call to claim their prize.

This is a form of a “marketing harassment” attack which inconveniences subscribers, possibly creates extra charges on their monthly bills and could have a negative impact on the operator’s network operations.

Mobile operators are, in large part, aware that these types of attacks can be carried out against their networks. Generally speaking, however, most carriers refuse to comment publicly about these potential threats and/or any measures they may have put in place to safeguard their networks. Protecting their networks requires a solid understanding of their network’s vulnerable points.

Types of Attacks

As the mobile operators move to 3G services, they are, for the most part, not deploying entirely new networks but instead leveraging their existing 2.5G network infrastructure – GSM/GPRS/EDGE or CDMA/CDMA 1X equipment and backbone networks. For example, most UMTS cell sites can be collocated in GSM cell sites and much of the GSM/GPRS core network can be re-used. The Serving GPRS Support Node (SGSN) needs to be upgraded, but the mobile switching center (MSC) only requires a minor upgrade and the Gateway GPRS Support Node (GGSN) can remain the same.

Because 3G networks were not all built from the ground up, they were not necessarily built with IP data security in mind. Moreover, the world of IP data is relatively new to mobile operators – they are used to dealing with comparatively more mundane voice-centric security threats.

There are numerous attacks that can be perpetrated against a mobile network and they can originate from two primary vectors:

Outside the mobile network: the public Internet, private networks, other operators’ networks

Within the mobile network: from devices such as data-capable handsets and smartphones, notebook computers or even desktop computers connected to the 3G network.

Table 1 summarizes the various types of attacks to which mobile operators are now vulnerable.

Table 1: Types of Attacks against Mobile Networks

Type of Attack | Target | Purpose
Worm, virus, Trojan, SMS/MMS spam | Other users; network elements (content servers) | Harassment; denial of service / service interruption
Denial of service, SYN flood, application-layer attacks (on RADIUS servers, buffer overflows, SIP flooding, RTP flooding) | HLR, AAA, content servers, signaling nodes | Attack the ability to provide service
Overbilling attack | Operator’s management elements (AAA, HLR, VLR, etc.) | Fraud
Spoofed PDP context | User sessions | Service theft
Signaling-level attacks (SIGTRAN, SIP) involving modification, interception or DoS | Signaling nodes | Attack the ability to provide service

Source: Juniper Networks, 2006


Denial of Service

Currently one of the most prevalent security threats to wired ISPs is a distributed denial of service (DDoS) attack. Essentially, DDoS attacks use “brute force” methods to overwhelm the target system with data such that the response from the target system is either slowed or stopped. Creating enough traffic to inflict that kind of damage typically requires a network of compromised computers, which are often referred to as “bots” or “zombies” (sometimes collectively referred to as “botnets”).

Botnets are networks of computers that have been compromised by attackers, generally through Trojans (malware disguised as or embedded within legitimate software), and that are then remotely controlled by the organization orchestrating the DDoS attack. Laptops, smartphones, RIM BlackBerries and/or PDAs connected to the Internet via a mobile broadband connection could be similarly compromised and used as zombies in a DDoS attack.

Overbilling Attack

Another type of possible attack is called “overbilling.” Overbilling involves a malicious user hijacking a subscriber’s IP address and then using that connection to initiate fee-based downloads or simply use that connection for their own purposes. In either case, the legitimate user is billed for activity which they did not authorize or actually conduct.

Spoofed PDP context

These attacks exploit weaknesses in the GPRS Tunneling Protocol (GTP):

Spoofed “delete PDP context” packets, which cause service loss or interruption for end users

Spoofed “create PDP context” packets, which result in unauthorized or illegal access to the Internet or customer data networks

GTP packet floods, a type of Denial of Service attack.

More on GTP and PDP follows in the Interfaces to Other Mobile Networks section.

Signaling-level attacks

The Session Initiation Protocol (SIP) is a signaling protocol used in IMS networks to provide voice over IP (VoIP) services. There are several well-known vulnerabilities with SIP-based VoIP systems. For example, there are vulnerabilities in the Call Manager function (which handles call routing and call signaling functions in VoIP systems) that might allow hackers to:

Reconfigure VoIP settings and gain access to individual users' account information

Eavesdrop on VoIP communications

Hijack a user's VoIP subscription and subsequent communications.

Vulnerable Network Points

At a high level, there are numerous vulnerable elements in mobile operators’ data networks:

The mobile equipment (ME) itself, such as laptop computers, cell phones, PDAs, smartphones

The over-the-air wireless link between the ME and the cellular base station (BS) – this is the UMTS/HSDPA or EV-DO connection

Interfaces to other mobile networks – on GPRS/UMTS networks this is the Gp interface


Interfaces to the data networks – the Internet or private data networks; on GPRS/UMTS networks this is the Gi interface

Management and service elements such as the Home Location Register (HLR), which stores subscriber data and is queried by the SGSN and GGSN over the Gr and Gc interfaces on GPRS/UMTS networks, and the charging gateway, which receives billing records from the GSNs over the Ga interface. In IMS, the HSS (home subscriber server) performs the function of the HLR

Application / content servers

Signaling protocols and/or interfaces within a network and inter-networks.

In mobile networks, there are two primary elements which interface with the “outside world”: the GGSN on GPRS/EDGE/UMTS networks and the PDSN (packet data serving node) in CDMA 1x/EV-DO networks. To take just a UMTS network as an example, a subscriber using that high-speed IP data service connects through the mobile operator’s Serving GPRS Support Node (SGSN) which is connected via the GPRS Tunneling Protocol (GTP) to a GGSN. Figure 3 illustrates the basic structure of this type of network.

Figure 3: Basic Structure of a GPRS/UMTS Network

The figure shows the BSS, MSC, HLR/VLR, AuC and EIR on the circuit-switched side; the SGSN and GGSN connected across the GPRS backbone by the Gn interface; a firewall at the GGSN; the Gi interface to the public Internet; the Gp interface to other mobile operators; and the Ga interface.

Source: iGR, 2006

Mobile Equipment

Already discussed to a certain extent, mobile devices are vulnerable to a variety of Internet woes – mobile malware and viruses, as well as the PC-oriented strains. Because many mobile devices are capable of email and/or multimedia messaging services (MMS), devices and messaging systems can act as carriers for viruses even if they themselves are not vulnerable to that particular strain.

Air Interface

The radio link between the ME and the cellular base station is another potential hole in the mobile operator’s armor. Both the GSM and CDMA standards have built-in encryption and authentication, authorization and accounting (AAA) mechanisms, making over-the-air eavesdropping and cloning attacks much harder than they were on first-generation analog networks (although the GSM A5/1 cipher has published weaknesses). Mobile operators also have a great deal of experience in dealing with these types of attacks. Of much greater concern are threats from new quarters – the public Internet, other data networks and, potentially, compromised mobile equipment itself.


Interfaces to Other Mobile Networks

GTP is used for signaling and tunneling between the SGSN and the GGSN. The SGSN uses GTP to activate a session on the subscriber’s behalf – this is called a “PDP context activation.” The PDP context is a data structure containing, among other things, the mobile’s IP address, the tunnel endpoint identifiers (TEIDs) for the GTP session on both the SGSN and the GGSN, and the subscriber’s international mobile subscriber identity (IMSI).

However, GTP does not implement any kind of authentication, data integrity checking or confidentiality protection, so any host that can reach a GSN’s GTP port can inject signaling. GTP is used on two interfaces within a GSM-based mobile operator’s network:

The Gn interface: the connection between an operator’s SGSN and GGSN

The Gp interface: the connection to another mobile operator’s SGSN (roaming).

The Gi interface, the connection to an external data network such as the Internet, carries plain IP traffic rather than GTP; GTP packets arriving on Gi have no legitimate origin and should be dropped.
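The following Python example, added to this paper and not taken from it or from any vendor’s product, shows what a stateful GTP signaling firewall on the Gp interface has to do on its own to stop the spoofed “create” and “delete PDP context” messages and GTP floods listed under Spoofed PDP context above, given that GTP carries no authenticator. It assumes the GTPv1 control-plane header of 3GPP TS 29.060 (flags, message type, length, TEID, optional sequence number) and a handful of message-type and information-element codes; the partner SGSN addresses, TEIDs and messages are constructed for the illustration.

```python
"""Stateful GTPv1-C inspection at the Gp interface: the checks a signaling
firewall has to make itself because GTP carries no authentication, integrity
or confidentiality protection. Added example, not code from the paper or any
vendor product. Assumes the GTPv1 control-plane header of 3GPP TS 29.060
(flags, type, length, TEID, optional sequence number) and a few IE codes;
the peer addresses, TEIDs and messages are constructed."""
import struct
from collections import defaultdict

ECHO_REQ, CREATE_PDP_REQ, CREATE_PDP_RESP, DELETE_PDP_REQ = 1, 16, 17, 20
IE_CAUSE, IE_TEID_DATA, IE_TEID_CTRL = 1, 16, 17   # fixed-length TV IEs
TV_LEN = {IE_CAUSE: 1, IE_TEID_DATA: 4, IE_TEID_CTRL: 4}
CAUSE_ACCEPTED = b"\x80"                           # 128 = "Request accepted"

def build_gtpc(msg_type, teid, seq, ies=()):
    """Build a GTPv1-C PDU; flags 0x32 = version 1, PT=1 (GTP, not GTP'), S=1."""
    payload = b"".join(bytes([t]) + v for t, v in ies)
    body = struct.pack("!HBB", seq, 0, 0) + payload   # sequence, N-PDU number, next ext
    return struct.pack("!BBHI", 0x32, msg_type, len(body), teid) + body

def parse_gtpc(pkt):
    """Return (msg_type, teid, seq, ies); raise ValueError on a malformed PDU."""
    if len(pkt) < 8:
        raise ValueError("short header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not GTPv1-C")
    if length != len(pkt) - 8:
        raise ValueError("length mismatch")
    off, seq = 8, None
    if flags & 0x07:                     # E, S or PN set: four optional octets follow
        if length < 4:
            raise ValueError("truncated optional header")
        if flags & 0x02:
            seq = struct.unpack("!H", pkt[8:10])[0]
        off = 12
    ies = {}
    while off < len(pkt):
        t = pkt[off]
        if t in TV_LEN:                  # TV IE: fixed length
            n, off = TV_LEN[t], off + 1
        elif t & 0x80:                   # TLV IE: 16-bit length
            if off + 3 > len(pkt):
                raise ValueError("truncated TLV")
            n, off = struct.unpack("!H", pkt[off + 1:off + 3])[0], off + 3
        else:
            raise ValueError(f"unsupported IE type {t}")
        if off + n > len(pkt):
            raise ValueError("truncated IE")
        ies[t], off = pkt[off:off + n], off + n
    return msg_type, teid, seq, ies

class GpFirewall:
    """Allowlist partner SGSNs, cap GTP-C messages per peer, and only pass a Delete
    PDP Context Request naming a tunnel our GGSN created for that same peer."""
    def __init__(self, partner_sgsns, max_msgs_per_peer=100):
        self.partners, self.limit = set(partner_sgsns), max_msgs_per_peer
        self.counts = defaultdict(int)   # per-peer counter (a real box resets it per time window)
        self.tunnels = {}                # GGSN control-plane TEID -> partner SGSN address

    def outbound(self, dst_ip, pkt):
        """Learn the GGSN-assigned control TEID from each accepted Create PDP Context Response."""
        msg_type, _, _, ies = parse_gtpc(pkt)
        if msg_type == CREATE_PDP_RESP and ies.get(IE_CAUSE) == CAUSE_ACCEPTED:
            self.tunnels[struct.unpack("!I", ies[IE_TEID_CTRL])[0]] = dst_ip

    def inbound(self, src_ip, pkt):
        """Return 'accept' or 'drop:<reason>' for a GTP-C message arriving over Gp."""
        if src_ip not in self.partners:
            return "drop:unknown peer"
        self.counts[src_ip] += 1
        if self.counts[src_ip] > self.limit:
            return "drop:rate limit"
        try:
            msg_type, teid, seq, _ = parse_gtpc(pkt)
        except ValueError as e:
            return f"drop:malformed ({e})"
        if msg_type in (CREATE_PDP_REQ, DELETE_PDP_REQ) and seq is None:
            return "drop:request without sequence number"
        if msg_type == DELETE_PDP_REQ and self.tunnels.get(teid) != src_ip:
            return "drop:delete for unknown or foreign tunnel"
        return "accept"

def demo():
    """Constructed exchange: a partner SGSN opens a context; then a legitimate delete,
    a delete from a rogue host, a guessed TEID, a truncated PDU and an echo flood."""
    sgsn, rogue = "198.51.100.10", "203.0.113.7"
    fw = GpFirewall(partner_sgsns={sgsn})
    fw.inbound(sgsn, build_gtpc(CREATE_PDP_REQ, 0, 1, [(IE_TEID_CTRL, struct.pack("!I", 0x11))]))
    fw.outbound(sgsn, build_gtpc(CREATE_PDP_RESP, 0x11, 1, [(IE_CAUSE, CAUSE_ACCEPTED),
                                 (IE_TEID_CTRL, struct.pack("!I", 0x1234ABCD))]))
    results = {
        "legit_delete": fw.inbound(sgsn, build_gtpc(DELETE_PDP_REQ, 0x1234ABCD, 2)),
        "spoofed_delete": fw.inbound(rogue, build_gtpc(DELETE_PDP_REQ, 0x1234ABCD, 2)),
        "guessed_teid": fw.inbound(sgsn, build_gtpc(DELETE_PDP_REQ, 0xDEADBEEF, 3)),
        "truncated": fw.inbound(sgsn, build_gtpc(DELETE_PDP_REQ, 0x1234ABCD, 4)[:9]),
    }
    small = GpFirewall({sgsn}, max_msgs_per_peer=3)   # tiny cap to show the flood rule
    results["flood"] = [small.inbound(sgsn, build_gtpc(ECHO_REQ, 0, i)) for i in range(4)]
    return results
```

Calling demo() returns a verdict for each constructed message. Because GTP has no authenticator, the firewall’s only evidence that a delete is legitimate is its own record of which tunnels the GGSN set up for which peer, which the example learns from the outbound Create PDP Context Response. A production device would tie the peer allowlist to an IPsec identity rather than a bare source address, and would count messages per time window rather than cumulatively.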

Applications & Signaling

Vulnerabilities in the management elements, application and content servers, and signaling protocols can be illustrated using an IMS example. In short, the 3GPP (and 3GPP2 for CDMA networks) has defined a standards-based overlay network that sits on top of 3G wireless networks, WLANs or other types of broadband networks. IMS equipment does not supplant existing management elements; it supplements them, as Figure 4 shows. The Home Subscriber Server (HSS) provides a function similar to that of the HLR in IMS implementations.

Telephony in IMS is just another type of IP-based data service (VoIP) and SIP is the protocol used for Voice over IP (VoIP) call control in IMS networks. As previously mentioned, SIP itself is vulnerable to attacks such as buffer overflow. By attacking SIP, the hacker could compromise or disable the operator’s voice services. Other application servers on the IMS networks can also be subjected to Denial of Service-type attacks.

Figure 4: IMS Network Architecture

The figure shows the 3GPP network architecture in three layers: the circuit-switched (CS) domain (BTS, BSC, MSC, HLR, and signaling and media gateways to the PSTN); the packet-switched (PS, “GPRS”) domain (Node B, RNC, SGSN and GGSN connecting to the Internet); and the IP Multimedia Subsystem (IMS) overlay (I/P/S-CSCF, HSS, MRF and application servers, signaled with SIP).

Source: iGR, 2006


Securing the Mobile Network

For mobile operators, the first step in defeating attacks on their networks is to recognize their newfound role as an ISP. This means implementing a layered defense for their network that:

Changes security policies and practices to better reflect the new threats

Concentrates, whenever possible, wireless data services into a smaller number of data centers. Many mobile operators in Europe have already taken these types of steps to protect their core networks

Protects end users by implementing technology on their devices and in the network – e.g., anti-virus, firewalls, content scanning – that provides file-level security

Deploys security products such as firewalls, virtual private networks (VPNs) and intrusion detection and prevention (IDP) systems at appropriate points in the network, which provides packet level, session level and application level protection

Table 2: Defenses against Specific Attacks

Type of Attack | Target | Defense
Worm, virus, Trojan, SMS/MMS spam | Other users; network elements (content servers) | Device and network anti-virus; content scanning
Denial of service, SYN flood, application-layer attacks (on RADIUS servers, buffer overflows, SIP flooding, RTP flooding) | HLR, AAA, content servers, signaling nodes | Firewalls, signaling firewalls and IDP
Overbilling attack | Operator’s management elements (AAA, HLR, VLR, etc.) | Intrusion detection and prevention (IDP)
Spoofed PDP context | User sessions | Signaling firewalls
Signaling-level attacks (SIGTRAN, SIP) involving modification, interception or DoS | Signaling nodes | Firewalls, signaling firewalls and IDP

Source: Juniper Networks, 2006

Malware Defenses

The first step in defending against malware is to deploy anti-virus and firewall software on all devices accessing the network. In the wired broadband world, many operators offer such software for free to their subscribers; some offer it for an incremental fee.

Mobile operators have themselves begun rolling out managed security services and/or network-based products with some built-in security. In September 2006, for example, Sprint-Nextel announced Sprint Mobile Security, which protects mobile devices from viruses, worms and Trojans that can infect devices and spread malware via text messages or Bluetooth connectivity. This network-based service will also block Denial of Service attacks and restrict network traffic based on source, destination, IP ports and applications. It will also allow enterprise IT managers to lock and/or delete data on lost or stolen devices.

Mobile operators should also consider deploying content scanning technology in the network. For example, a large European operator is deploying Mobixell’s Rich Media Service Center (RMSC) product. Essentially, the RMSC allows operators to offer a wide range of content -- multimedia messaging (MMS), music and video download, mobile Internet surfing and mobile blogging. However, the RMSC also contains a content security module which will examine all elements of message content and then filter out harmful content such as viruses and spam.

Firewalls & IDP

In securing their networks, mobile operators should consider deploying solutions which provide protection at the:


Packet level: Such as stateless firewalls which determine whether a packet is permitted into the network by analyzing basic information in the packet headers

Session level: Such as stateful inspection firewalls which monitor and control the flow of traffic between networks by tracking the state of sessions and dropping packets that are not part of authorized sessions

Application level: Such as intrusion detection and prevention systems (IDP) which monitor and analyze network traffic for signs of attacks.

Figure 5 illustrates where firewalls and intrusion detection and prevention systems are placed in order to protect the operator’s network.

Figure 5: Firewall and IDP Defenses

The figure shows traffic from outside, for example HTTP traffic carrying Code Red, passing through a firewall and then an intrusion detection and prevention system, which detects and drops malicious packets before they impact the mobile operator’s network elements: the web, video, SMS/MMS and presence servers, the HLR and the AuC.

Source: Juniper Networks, 2006

Firewalls can help operators control fraudulent activities, mitigate threats from hackers and provide added visibility into network operations. Mobile operators using GPRS/UMTS would require a product such as Juniper Networks’ Netscreen-500 GPRS, which is built to protect infrastructure from attacks across the main interfaces with external networks (Gp, Gi) and from potential internal threats on the Ga and Gn interfaces.

This particular product includes VPN, packet filtering and traffic management features to help protect GPRS/UMTS networks from Internet borne attacks such as DoS. For example, it uses rate limiting to control the rate of GTP signaling and user plane messages so that SGSNs/GGSNs are less likely to be overwhelmed in a DoS attack.

The deployed firewall also needs to be robust enough to handle the traffic which flows through it so that the user’s experience is not negatively affected. Juniper’s Netscreen-500 GPRS, for example, provides the following throughput: 700 Mbps Firewall, 600 Mbps GTP, 250 Mbps VPN. It also supports 150,000 GTP tunnels, 10,000 VPN tunnels and 20,000 policies on the Gn, Gp and Ga interfaces. On the Gi interface, it supports 10,000 VPN tunnels and 20,000 policies.

Intrusion detection and prevention systems complement the role of firewalls in a mobile operator’s network. IDP systems are designed to detect the presence of attacks within the traffic that is permitted to flow into the network. IDP systems perform this function by using:

Stateful signatures: track the state of the connection/traffic and scan for attacks based on known patterns


Protocol anomaly detection: identifies attacks that are masked by legitimate protocol use

Backdoor detection: detects traffic caused by worms or Trojans

Traffic anomaly detection: compares incoming traffic volume to baseline norms so as to identify attacks that might span multiple connections

Network honey pots: lure potential attackers to services that do not exist

Compound signatures: combine stateful signatures to identify attacks that might span multiple sessions.
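The following Python example, added to this paper and not taken from it or from any vendor’s IDP, applies three of the detection methods listed above (a stateful signature, protocol anomaly detection and traffic anomaly detection) to the SIP attacks described earlier under Signaling-level attacks and Applications & Signaling: parser overflows, INVITE flooding and hijacking of a subscriber’s call. It assumes RFC 3261 message framing; the thresholds, addresses and sample messages are constructed for the illustration.

```python
"""A small IDP engine over SIP signaling, showing three of the detection
methods listed above (stateful signature, protocol-anomaly detection,
traffic-anomaly detection) applied to the SIP attacks described earlier
(parser overflows, INVITE flooding, call hijacking). Added example, not code
from the paper or from any vendor IDP. Assumes RFC 3261 message framing;
the thresholds, addresses and sample messages are constructed."""
import re
from collections import defaultdict, deque

MAX_HEADER_LINE = 1024                   # constructed limit; longer lines are treated as overflow attempts
INVITE_WINDOW_S, INVITE_LIMIT = 10, 20   # constructed per-source INVITE rate
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")

def parse_sip(raw):
    """Parse a SIP request; raise ValueError on any framing anomaly."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no header terminator")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LINE:
            raise ValueError("oversized header line")
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    for h in ("via", "from", "to", "call-id", "cseq"):
        if h not in headers:
            raise ValueError(f"missing {h} header")
    if int(headers.get("content-length", ["0"])[0]) != len(body.encode()):
        raise ValueError("content-length mismatch")
    return {"method": m.group(1), "headers": headers, "body": body}

def addr(header_value):
    """Strip parameters such as ;tag= so From/To can be compared across a dialog."""
    return header_value.split(";")[0].strip()

class SipIdp:
    def __init__(self):
        self.invites = defaultdict(deque)   # source -> timestamps of recent INVITEs
        self.dialogs = {}                   # Call-ID -> {caller, callee} seen on the INVITE

    def inspect(self, src, raw, now):
        """Return the list of alerts for one message (empty means pass it through)."""
        try:
            msg = parse_sip(raw)
        except ValueError as e:
            return [f"protocol-anomaly: {e}"]   # malformed: drop before any downstream parser sees it
        h, alerts = msg["headers"], []
        parties = {addr(h["from"][0]), addr(h["to"][0])}
        if msg["method"] == "INVITE":
            q = self.invites[src]
            q.append(now)
            while q and now - q[0] > INVITE_WINDOW_S:   # sliding window
                q.popleft()
            if len(q) > INVITE_LIMIT:
                alerts.append(f"traffic-anomaly: INVITE flood from {src}")
            self.dialogs[h["call-id"][0]] = parties
        elif msg["method"] == "BYE":
            # Stateful signature: a BYE must belong to a dialog whose INVITE we saw,
            # between the same two parties; anything else is the call-teardown pattern.
            if self.dialogs.get(h["call-id"][0]) != parties:
                alerts.append("stateful-signature: BYE for unknown or mismatched dialog")
        return alerts

def sip(method, call_id, frm, to, extra="", body=""):
    """Constructed SIP request with a correct Content-Length."""
    return (f"{method} sip:bob@ims.example.net SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 198.51.100.5;branch=z9hG4bK776\r\n"
            f"From: {frm}\r\nTo: {to}\r\nCall-ID: {call_id}\r\nCSeq: 1 {method}\r\n"
            f"{extra}Content-Length: {len(body.encode())}\r\n\r\n{body}")

def demo():
    """Run constructed traffic through the engine and return the alerts per case."""
    idp = SipIdp()
    alice, bob = "<sip:alice@ims.example.net>;tag=a1", "<sip:bob@ims.example.net>"
    r = {}
    r["invite"] = idp.inspect("198.51.100.5", sip("INVITE", "c1", alice, bob), now=0)
    r["bye_ok"] = idp.inspect("198.51.100.6", sip("BYE", "c1", bob + ";tag=b2", alice), now=5)
    r["bye_forged"] = idp.inspect("203.0.113.9", sip("BYE", "c2", alice, bob), now=6)
    r["overflow"] = idp.inspect("203.0.113.9", sip("INVITE", "c3", alice, bob,
                                                   extra="X-Junk: " + "A" * 2000 + "\r\n"), now=7)
    r["bad_length"] = idp.inspect("203.0.113.9", sip("INVITE", "c4", alice, bob)
                                  .replace("Content-Length: 0", "Content-Length: 9999"), now=8)
    r["flood"] = [idp.inspect("203.0.113.9", sip("INVITE", f"f{i}", alice, bob), now=9)
                  for i in range(INVITE_LIMIT + 1)][-1]
    return r
```

Calling demo() returns the alert list for each constructed case: the legitimate INVITE and its matching BYE pass, the forged BYE trips the stateful signature, the oversized header and the wrong Content-Length are rejected as protocol anomalies before they reach the call manager, and the twenty-first INVITE inside the window from one source trips the traffic-anomaly rule. Rejecting malformed messages at this point is the practical defense against the buffer-overflow class of SIP vulnerability noted earlier.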

Juniper Networks’ ISG 2000 GPRS Firewall/VPN product incorporates an IDP module that performs the functions listed above. It provides protection against more than 3,600 attacks, supports up to 300,000 GTP tunnels and provides 2 Gbps of IDP performance. These types of features allow operators to protect current services as well as provide room to scale with increasing demand.

IDP is usually placed behind the firewall (as shown in Figure 5) so that the device can inspect the packets entering and exiting the network. Should malicious traffic be detected, the IDP device severs the connection so that it never enters or leaves the network. Having IDP in place on the egress link is important because it allows an operator to prevent attacks originating within its network from impacting other operators.

VPNs

As Figure 6 shows, mobile operators can overcome the weaknesses in GTP by encrypting that traffic via an IPSec VPN and by deploying firewalls which will block traffic meant to exploit GTP’s vulnerabilities. And since the GGSN connects to external data networks, it is exposed to all types of network traffic and all the attacks (e.g., a DDoS) that can happen to other providers of Internet service.

Mobile operators must secure their networks and points of interconnection, just as wired ISPs do. There are several different and complementary ways for operators to secure the GGSN, such as placing a firewall with IDP capabilities on the link to the public Internet as well as protecting the Gi link.

Figure 6: Use of VPNs on GPRS/UMTS Network

The figure repeats the network of Figure 3 (BSS, MSC, HLR/VLR, AuC, EIR, SGSN and GGSN; the Gn interface across the GPRS backbone; the Ga interface; the Gi interface to the public Internet; the Gp interface to other mobile operators), now with firewall and IDP systems at the interconnection points and IPSec VPN tunnels protecting the GTP links between GSNs, including those to other mobile operators.

Source: iGR, 2006


A security breach in a mobile operator’s network could have numerous ramifications of which only some are felt by the operator itself. The next section illustrates the revenue impact of a network outage.

Business Implications

A successful attack on a mobile operator’s network could result in any of several outcomes:

Interrupted voice, data and/or application service

Lost billable minutes

Lost goodwill and increased customer dissatisfaction possibly resulting in increased churn

Increased number of customer service calls

Legal ramifications (e.g., a stolen database of private subscriber information).

Clearly the magnitude of the impact on a mobile operator’s revenues will vary greatly based on numerous factors – type of service affected, extent of service affected, number of subscribers affected, duration of outage, etc. Table 3 illustrates the potential revenue impact of a service outage for a mid-size European mobile operator with 15 million subscribers. This operator provides prepaid mobile voice and text services which can either be paid for per month or per unit.

Table 3: Estimated Loss Associated with Network Outage Impacting 10% of Subscribers

European mobile operator with 15 million subscribers    Cost per Hour (USD)   Length of Outage (hours)   Total Loss (USD)
Estimated maximum prepaid voice revenue loss per hour   $315,000              3                          $945,000
Estimated maximum prepaid SMS revenue loss per hour     $77,344               3                          $232,031
Estimated customer service cost per hour                $187,500              3                          $562,500
Total cost of churn (assuming .05% increased churn)     NA                    NA                         $18,750,000
Total estimated cost of a 3 hour outage                                                                  $20,489,531

Source: iGR, 2006

The above model assumes the following:

The cost per voice minute is US $0.10

The average subscriber makes 7 calls per 24 hour period with each call lasting 4 minutes (or 28 total prepaid voice minutes per day). If the mobile operator experiences an outage affecting 10 percent of their subscribers, then they would lose an estimated US $315,000 in gross prepaid voice revenue per hour (on average) for as long as the outage persists.

Text messaging is extremely popular among young adults and teens in the U.S. – and much more so among Europeans. This model assumes that the cost per text message is US $0.01. The model further assumes that the typical user sends 33 texts in a 24 hour period, on average. Should the mobile operator experience an outage affecting 10 percent of their text subscribers (who comprise perhaps 75% of their total subscribers), then the operator would lose an estimated US $77,344 in gross SMS revenue per hour (on average) for as long as the outage persists.

The operator would also experience an increase in the number of customer service calls, which would add to the costs associated with the outage. The above model assumes that the cost of a consumer customer service call to the mobile operator is approximately US $12; if only 25 percent of those affected call in, the call center costs would be approximately US $187,500 per hour.

The effect of churn would not be felt immediately, but assuming that 0.05 percent of those affected by the outage do churn, then the estimated impact on the operator would be significant – US $18 million in added customer acquisition costs. Clearly, increased churn must be avoided.

And as Table 3 shows, the estimated total impact of a three hour network outage on a prepaid operator’s network is rather significant – US $20.5 million. The cost of even the most robust security architecture for a network this size would be approximately $1 million. A simple ROI calculation for that implementation shows a return of 2,000%, which demonstrates that investing in security is a rather straightforward business decision.

Future implications

Protect Against Future Threats

Mobile data networks will likely be the target of an increasing number of attacks for two reasons:

They are now more accessible because they are interconnected with other IP data networks

Mobile operators possess information that criminals want (e.g., private subscriber information), or the operators themselves are targets of extortion or fraud.

There is no shortage of tools which attackers can use to penetrate mobile operator networks – e.g., botnet-based denial of service attacks, mobile malware, or attacks which exploit unprotected weaknesses in signaling protocols such as SIP, or in other protocols such as GTP, which are integral to many mobile operators’ networks.

And as this whitepaper has noted, many mobile and fixed operators are evolving their networks to an IMS-based architecture. As this evolution progresses, operators will be able to offer dynamic, multi-dimensional applications – i.e., combinations of content and communication applications – that are beyond their present capabilities. Vulnerabilities exist in many different networks, not just the mobile operator’s. For example, insufficiently protected WiFi networks or even unprotected Bluetooth connections on a user’s handset can compromise not only a user’s or a company’s private data, but a network’s stable operations.

There is a need for strong, multilayered security technologies not only in today’s 3G world, but also in tomorrow’s IMS environment. Building that security begins today – with deploying firewalls, IDP and VPNs. Those deployments can then be leveraged to protect future services.


About iGR

iGR is a market strategy consultancy focused on the wireless and mobile communications industry. Founded by Iain Gillott, one of the wireless industry's leading analysts, we research and analyze the impact new wireless and mobile technologies will have on the industry, on vendors' competitive positioning, and on our clients' strategic business plans.

Our clients typically include service providers, equipment vendors, mobile Internet software providers, wireless ASPs, mobile commerce vendors, and billing, provisioning, and back office solution providers. We offer a range of services to help companies improve their position in the marketplace, clearly define their future direction, and, ultimately, improve their bottom line.

A more complete profile of the company can be found at www.iGR-inc.com.

Methodology

The data for this whitepaper was obtained from numerous sources: reports and surveys conducted by iGR; ongoing iGR research in the wireless industry; interviews with several domestic (U.S.) mobile operators and infrastructure vendors; publicly available information such as mobile operator press releases; and reports published by researchers/academics and news articles published by independent news agencies.

Disclaimer

The opinions expressed in this white paper are those of iGR and do not reflect the opinions of the companies or organizations referenced in this paper. All research that was conducted exclusively and independently by iGR is so referenced in this paper. This white paper was sponsored by Juniper Networks. Juniper provided some of the tables and figures in this paper as is indicated.
