Over the last several decades, the sharing of information has drastically evolved, impacting the criticality of security in the communication landscape.
Not only has the type of information being exchanged evolved, but so have the platforms where information is exchanged, such as online banking, as more individuals move toward digital communication methods. That’s resulted in growing security concerns over transferred information.
Communication services providers (CSPs), through the deployment and improvement of fixed and mobile telephony networks, play an integral role in ensuring there is not only the availability of information, but also integrity and confidentiality – bringing security concerns to the front of their priorities.
Authenticating sources largely rely on mobile network authentication capabilities and telecom equipment vendors work jointly with CSPs to ensure the security of customer data.
To access an online newspaper, for instance, there are already several IT mechanisms, such as SSL/HTTPS protocols, in place to certify that the website is providing the expected information. Additionally, security certificates are now widely used by websites to prove their identity to end-user devices.
A long journey… with a burdened history
Users rely on mobile networks to access and log in to their favorite applications. This involves the security mechanism of mobile network elements.
With technologies gaining rapid progression over the last decade, each network element (in mobile networks) must authenticate itself so that its adjacent network elements can trust each other. This minimizes threats such as man-in-the-middle attacks (MITM) or spoofing.
When it came to network security, the evolution of the usage of networks highlighted limitations in previous generations of standards. Due to security design weaknesses in early versions of 3GPP mobile standards, 2G (GSM) networks and their SS7 protocol were not secured enough. This led to spoofing attacks on network elements and MITM attacks with the ability to intercept an SMS and even ‘redirect’ them to the attacker’s device.
When an SMS is intercepted, it can weaken the “two-factor authentication” by potentially letting hackers access information websites or applications. It puts the authenticity of content (information websites or applications) at risk by an attacker – which is still a universal challenge for many today.
4G LTE (News - Alert ) technology and 5G have introduced much stronger mutual authentication aiming to prevent such attacks. However, as long as 2G remains active on networks, it brings security threats by forcing some unsecured behavior of services and devices relying on 2G.
While 4G LTE and 5G have stronger security than 2G, the Diameter protocol in use in 4G LTE and 5G non-standalone (NSA) faces security weaknesses that must be addressed. Fortunately, technical solutions exist to protect against such risks, such as SS7 firewalls or even public key infrastructure. It is the responsibility of the CSP (News - Alert ) to ensure the deployment of such security solutions and proper configuration of network elements, even though they’re not foolproof.
Mobile telephony relies on one of the strongest technologies for user authentication, which is extremely important as many individuals share information through social networks. Mobile phones have to authenticate with the network when connecting to it – meaning that if you receive information from a user device on the same network, you can trust its identity.
This approach is a cornerstone of user authentication and, thanks to the encryption and keys hosted in the SIM card (now also evolving with integrated eSIM), this enables the authentication process of the device into the network to identify the owner. Since the development of the 3G network, the primary CSP (“home network”) must also prove its identity to the user’s device.
A digital world with physical controls
When a user receives information from another user’s device, they can trust that it comes from a specific device using a SIM card. Of course, this does not allow the user to make sure that the device is used by a specific person or entity. For instance, someone could have stolen the phone or the SIM card. Some security attacks, such as SIMJacking or SIMcloning, exist but, fortunately, CSPs in western countries have established strong controls on SIM cards, network behaviors and subscriber registration.
Since mobile networks can ensure the authentication of user devices, they can also guarantee the device’s owner and bring trust that the information is coming from the right source. Without stringent controls, the risk of fake identities could rise drastically – especially by malicious individual actors, organized underground groups or state actors who exploit information for personal or organizational gain.
In general, Wi-Fi networks are perceived as less secure due to higher risks of misconfigurations or vulnerable equipment (old or from unsafe suppliers). Because of this, the identity of the user’s device is at risk (even a MAC address can be fake). Thanks to heavy regulations and industrialized processes, CSPs are pushed to have better control over the security level of the equipment they purchase and the robustness of the operational processes they execute.
Another way to improve security in Wi-Fi networks is through the use of SIM cards. Proposed by the 3GPP, Wi-Fi networks can be secured through identification using SIM cards (through EAP-SIMS/AKA) or by enabling interworking between Wi-Fi networks and mobile networks, especially in 5G.
In the world of media, identifying a source is critical but locating the source is also very useful, whether it is to bring extra trust to the identification of a source or to understand where content comes from. From this angle, mobile networks can play a great role in providing evidence of the location of the source of information.
Even if the checking is not available to end-users, authorities can request from CSPs details on the location of the user service when the source shares information. At a time when fake news becomes a threat and it’s so easy to even build fake images and videos or even tweak GPS coordinates reported in a picture or video, such a possibility becomes important in the process of approving news from various sources.
The headache of misconfigurations
It’s clear that CSPs play an important role in ensuring the proper transmission of information by following 3GPP standards, which define mobile telephony technology as helping to identify, formalize and standardize safety measures – always improving the degree of security from 2G to 5G.
CSPs will have to be careful of which configurations and security settings they apply, since many standards are flagged as mandatory but only strongly recommended. Unknowingly, CSPs may open the door to attackers due to misconfigurations, which can result in information leakage or changes.
As indicated by NCTA , it is estimated that over 60% of data security breaches in 5G are due to misconfigurations, leaving a clear challenge on CSPs to harden network configurations. Many CSPs should identify a trusted partner in helping them to define configurations with the best balance between security and performance.
In the 5G era, CSPs will host more B2B and B2B2C applications on their 5G networks than ever before. If the applications include information sharing, then CSPs will need to become deeply engaged in the securitization of these apps within their network and not just ensure the safe transmission of information through their network.
About the author: Eric Laboure is the Head of Business Operations, Managed Security Services at Nokia . He has 20 years of experience in industry and telecommunications, aiming at improving efficiency of operational setup and pushing innovation.
Edited by
Erik Linask
