How exposed is your LTE network?

This blog is by Gerald Reddig, Security Marketing Manager at Nokia Networks.
Twitter: @GeraldReddig
New Nokia whitepaper outlines risks of unprotected LTE networks
I’ll get straight to the point. The architecture being deployed in today’s radio transport networks and mobile backhaul networks is inherently open and unprotected. Unless this is addressed, an operator’s core network is vulnerable to various threats such as the risk of eavesdropping and unauthorized access to operator systems – and worst of all, denial of service attacks that can compromise the whole operator network.
For a complete review, I encourage you to read Nokia’s new whitepaper: “LTE Radio Transport Security Vulnerabilities, Threats and Control” prepared together with our partner Check Point.
Examples of typical attacks
A malicious intruder may gain access to the Core or RAN from an Ethernet port at an eNodeB site, for example. This image demonstrates the way hackers read the network topology using a hacker mini PC:

* Man in the middle attack
This refers to when an attacker with access to a backhaul link can proxy the TLS connection via his/her own system with an invalid certificate that the user will be prompted to verify. In many cases, the security warning presented to the end user will be ignored.
* Account hijacking
This means that subscriber e-mails can be intercepted if IPSec is not in place to protect backhaul communications.
* IMSI catching
The International Mobile Subscriber Identity (IMSI) is used to uniquely identify subscribers on a mobile network. It can be used to identify and track subscribers and as such is considered confidential.
* VoLTE eavesdropping
It is possible to capture and replay voice calls if encryption is not implemented on either the LTE backhaul network or within the software on the user's device.
Watch this video to see how a VoLTE call can be intercepted if the network is not protected:
The act of adding encryption is complicated and can take time, delaying the deployment of the network and, ultimately, an operator’s ability to launch a service. In addition, unless implemented well it can lead to significant OPEX uplift. To achieve unambiguous authentication in a highly secure and automated way, Nokia recommends a combination of Public Certificates and encryption keys as the optimal solution.
Benefits of encryptions
Encrypting all communication between base stations and the core network and allowing traffic to reach the core network only after being authenticated and authorized ensures that all security challenges are addressed and mitigated.
Customer example
A large European mobile operator chose Nokia and Check Point to protect its 4G LTE network from unauthorized access, manipulation and other threats. The solution also includes authentication of network elements and cost savings as a result of the automatic rollout and lifecycle management of base station certificates. The operator uses a geo-clustering architecture across different data centers, with sites located hundreds of kilometers apart. All traffic and encryption keys are synced across the Check Point Security Gateway clusters. The carrier chassis acts as a single security gateway aggregating encrypted traffic from thousands of eNBs.
Summary
The risks of LTE radio access transport attacks can be mitigated using a 3GPP-compliant security architecture. This results in an LTE transport security solution offering simplicity, redundancy and ease of scale to operators.
Share your thoughts on this topic by replying below – or join the Twitter discussion with @nokianetworks using #networksperform #mobile broadband #security #LTE.