Hackers to the Wireless Industry: We’re Heeere…
By Barry Manz, Mouser Electronics
Thanks to the revelations from ex-NSA contractor Edward Snowden, we all now know that absolutely nothing we communicate electronically is safe from snooping by financially well-endowed government agencies such the NSA or England’s GHCQ. However, the recent security breaches at major retailers have shown that astute hackers with comparatively modest resources can find their way inside a wired enterprise network even when massive security measures are in place. With an abundance of such “low-hanging fruit”, these miscreants have only recently turned their attention to the wireless environment and its treasure trove of personal information…and they’re rapidly increasing in number.
So how secure is data communication via the wireless networks of the major carriers? At the “personal” level, the phone itself, a reasonable answer is “as secure as we choose to make it.” Over the air and through circuitous wireless and wired paths, the answer is basically “it depends”. That is, there are many factors that must be examined to arrive at an answer, such as which operating system and applications you’re using, whether or not data is encrypted over the entire signal path, and whether you’ve hopped off the carrier network onto a Wi-Fi hotspot. But in reality we have little control over any of these things. All things considered, mobile communications has thus far been spared many of the issues that have long plagued the wired world.
Predators Hiding in the Apps
It’s now a quarter-century since Tim Berners-Lee wrote the proposal that would ultimately become the World Wide Web, which has transformed the lives of billions of people--and a criminal subculture determined to subvert it. Although the “wireless revolution“ appeared at about the same time, its high-speed data communications component is less than a decade old, so hackers, hacktivists, and outright criminals have had a lot less time to adapt their craft from the wired to wireless domain.
Most people recognize the inherent insecurity of the Web and use one of the many excellent free or paid anti-virus programs on their desktops and laptops, but we haven’t yet collectively realized that this security applies to wireless devices as well. We tend to assume that as nothing has yet happened to us, phones are somehow inherently immune from malware and other attacks. It’s a dangerous assumption. For example, Google’s Android operating system emerged in 2008 as an “open” environment, which many considered refreshing compared to Apple’s traditional “our way or the highway” walled-garden approach to hardware and software design.
However, the Android applications environment was also a playground for malware developers slipping malicious apps into Android Market (now the Google Play Store) and Google has long been criticized for inadequately verifying the security of applications placed there (which the company has repeatedly and vociferously denied). The alleged vulnerability of the Android environment has created big opportunities for the security software community, whose products have continuously been improved but are still criticized for being far less formidable than Windows-based versions.
That said, Google has made dramatic improvements to the security of its operating system, especially since Android 4.2 (Jelly Bean), including: the Google Bouncer malware scanner that monitors apps whether installed from inside or outside the Play Store, data encryption, and a “remote wipe and lock-out” feature. There are security apps from the Play Store that also offer device location, remote wipe and backup, and suspicious URL-blocking along with anti-virus and malware scanning functions.
In contrast, Apple subjects every application on the iTunes Store to intense scrutiny, and as a result the amount of reported iOS malware is a tiny fraction of the amount reported for Android. This is not to say that iOS applications are immune from malware, as researchers at the Georgia Tech Information Security Center (GTISC) have determined that malware can be installed on Apple devices via seemingly benign applications using a Trojan horse. The researchers used the well-known Jekyll proof-of-concept attack and published a malicious application that could remotely launch attacks that would not be detected when reviewed by Apple, and thus would have received the company’s approval.
iOS 7, Apple’s latest operating system, has an impressive array of security features designed to thwart threats at the user level, such as “Find My iPhone,” that in addition to helping to locate a missing phone allows the user to remotely lock it, send a message to it, and erase all of the data on it if necessary. Earlier versions of iOS allowed this feature to be turned off, which thieves promptly did. So in iOS 7 Apple requires the user to enter the owner’s Apple ID password to disable it. Data and applications in iOS 7 are also encrypted by default, and users can enable a password “10 tries-and-you’re-out” option that disables the phone – if the user chooses to set that option. The problem is that many security features in either operating system must be either downloaded from the app store, or installed manually if part of the operating system. The more that security is left to the user to either enable or install, the greater the risk that people will remain exposed.
That is, people are the weakest link in wireless security as many and perhaps most people ignore even the simplest security measures for the sake of convenience. Some don’t password-protect their devices and even if they do, passwords like ‘ABCD’, ‘1234’, and common words are the norm and they are rarely changed. Such simple passwords can be broken in minutes, so someone who absconds with your phone can almost immediately access the contents within it and perhaps the information stored on cloud services as well. An even fewer number of people take advantage of the growing number of services that offer two-tier authentication, such as Google, Outlook, and Facebook, so that once the phone is accessed, all of the personal information and other data are immediately available.
All the Way to the Bank
For obvious reasons, mobile banking application security is crucial. Every major bank now offers account access via an app developed by or for the bank, and an increasing number provide the ability to make deposits in addition to the usual withdrawals, transfers, payments, and other transactions. As banks and other financial institutions spend enormous sums on security, banking applications are generally considered to be more secure because they were created by the bank, rely on its formidable internal security systems, and incorporate multiple forms of authentication and other security features. Nevertheless, studies have shown that even these applications in some cases do not take full advantage of security, and users have no way of knowing if they do.
Security and Wireless Standards
Wireless standards were at first only moderately secure, but as the encryption algorithms of each new standard have been broken they have become much more robust. The wireless industry is rapidly deploying LTE and soon LTE Advanced, both of which take extraordinary measures to ensure security on five levels. LTE networks authenticate users while the phone itself authenticates the network’s credentials, protecting against attacks from rogue base stations. LTE also has a longer key length of 128 bits, integrity protection that determines whether signaling has been modified over the radio-access interface, and that the origin of signaling data is accurate. LTE networks also initiate multiple encryption options between the network and user equipment before communications take place.
The five levels on which security is enabled are at the network access level that provides secure access to the Evolved Packet Core or EPC, and protects it from attacks on the radio links. Network domain security protects against attacks on the wireline network, and user domain security provides mutual authentication between the subscriber identity module (SIM) and the Mobile Management Entity (MME). Domain security enables applications in the phone and carrier domain to securely exchange messages. Non-3GPP domain security enables phones to securely access to the EPC via non-3GPP networks and provides security in the radio access link.
Nevertheless, LTE and LTE Advanced also have known vulnerabilities. Its “flat” IP-based architecture is susceptible to injection, modification, eavesdropping attacks, IP address spoofing, Denial of Service (DoS) attacks, viruses, worms, and other nefarious schemes. In addition, as the MME manages many base stations and LTE is an all-IP network, there is a direct path to the base station. And now base stations are a fraction of the cost of their predecessors, so deploying rogue sites is not beyond the means of criminals. Fortunately, these and other issues are being actively addressed. Nevertheless, greater security is possible, likely to be implemented in the form of Internet Protocol Security (IPsec).
The Importance of IPsec
IPsec operates in the deeper, Internet layer of the IP suite, and is a highly secure technology widely used in wired networks throughout the world, especially in Virtual Private Networks (VPNs) -- but not yet universally by the wireless industry. Although IPsec is generally regarded as devilishly complex, new users might find it relatively easy to understand and use. But once they delve into the details, they are immersed in a world of complex mathematics, cryptography, and network protocol design. This is in part because IPsec is not a single encryption protocol, but an entire stack of protocols including those for negotiation, authentication, network access, tunneling, key availability routing, and cryptography.
IPsec differs from Internet security systems such as the ubiquitous Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), as the latter three operate only at upper (application) layers of the TCP/IP model. In contrast, IPsec operates at the IP level and protects traffic across an entire IP network. There has been considerable resistance to IPsec deployment by the wireless industry in the U.S. because of its complexity and high implementation cost, seemingly endless standards evolution, and alleged potential for system performance degradation (although this issue is increasingly disputed). In the future, it is very likely that IPsec will be part of all LTE networks as carriers are driven by increasing threats and competitive pressures, since the high security enabled by IPsec can be promoted as a differentiator between carriers.
Beyond the Base Station
As stated earlier, the paths the data takes in a wireless network range from bidirectional communication between the user and base station, as well as with Wi-Fi hotspots, Distributed Antenna Systems (DAS), and the backhaul path between the base station and the public network. The backhaul path from the base station to the public network is a major weak spot because although backhaul traffic was encrypted in 3G networks from the base station to the IP core, this is not so in many LTE implementations. As a result, the user, control, and management planes all are unencrypted, so this may be another major driver for the implementation of IPsec.
If there is any certainty concerning the future of mobile device and network security, it is that the cat-and-mouse game between wireless carriers and those who wish to defeat them will continue as long as there are vulnerabilities to exploit. However, we have the ability to invoke all possible security features on the products we own, we can use longer and unrecognizable passwords, and in the case of products based on the Android operating system, we can employ the best security suites. That’s about as far as we can go, however, since the security of wireless standards, the carrier network, Wi-Fi hotspots, backhaul path, and other vulnerable points are beyond our personal control. Nevertheless, as in the world of wired data communications, paying attention to security can keep wireless devices remarkably secure. Network security will also become more robust as standards bodies and wireless carriers have a vested interest in “making it so”.
Barry Manz is president of Manz Communications, Inc. He has worked with over 100 companies in RF, microwave, defense, test and measurement, semiconductor, embedded systems, lightwave, and other markets. He edits for the Journal of Electronic Defense, Military Microwave Digest, and was chief editor of Microwaves & RF magazine.