DeepSec 2021 Training: Mobile Network Operations and Security – David Burgess
This workshop describes security risks in mobile networks, both in the core network and in the radio network, based on case studies reported in the press. For each case, we will dig into the technical elements of what actually happened. The workshop will be especially useful for IT security people who are responsible for mobile devices but are not yet familiar with mobile network technology. The material will also be useful for anyone who works with individuals who have special security concerns, or who report on telecom security topics.
The workshop will start with an overview of cellular technology in general and types of security flaws common to all mobile networks, and then proceed to specific examples for different network segments and technology types. The workshop will include demonstrations of some security failures and deeper analysis of specific events reported in the popular press. The goal of the workshop is to give attendees a good grasp of key concepts in mobile network operation and the security implications, while avoiding unnecessary or confusing details. Questions and discussion are welcome and encouraged.
This workshop covers the mobile network, handset baseband, and SIM only, and does not address Android, iOS or application-layer security. (There is plenty of other material available from others in those areas.)
- Day 1 – Mobile Network Technology
  - Core networks
  - Radio access networks
  - SS7 and Roaming
  - Inside the phone
  - Organization of the industry
- Day 2 – Security Risks
  - Active false basestation attacks – and there are many
  - SMS attacks and leaks
  - Passive collection and information leaks
  - SS7 attacks
  - NSO’s Pegasus
We asked David a few more questions about his training.
1) Please tell us the top 5 facts about your talk.
- IMSI-catchers can do a lot more than eavesdrop, especially as part of an ecosystem.
- The move away from 2G will improve security a lot, but will not completely eliminate IMSI-catchers, especially for state actors.
- Efforts by the cellular industry to monetize SMS access have eroded the trustworthiness of the service.
- IMS and VoLTE will offer a new and exciting attack surface on mobile devices, for those with the resources to reach it.
- The security of cellular core networks is based on assumptions that are no longer valid. The shift away from SS7 will not change that.
2) How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
In my work as an expert witness, I was surprised at how little people understand about how mobile network technology really works, even though it is ubiquitous today.
3) Why do you think this is an important topic?
Mobile devices present a much greater security risk than desktop systems, because of the volume of highly personal information they store and are capable of collecting, and because they offer more attack vectors. But most IT security specialists have very little training in mobile technology and the associated security risks. A typical “mobile device security” conference/training/ is basically an Android or iOS. Also, today, we are in a transition away from circuit-switched networks toward all-packet networks, IMS, VoLTE, etc. In this transition, our mobile devices are at greater risk because they carry all of the attack surfaces of both generations of technology.
4) Is there something you want everybody to know – some good advice for our readers maybe?
It may be impossible to completely secure anything with a modern web browser on it. Mobile device security is a matter of “opsec”, not technology.
5) A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
The wise man of baseball, Yogi Berra, once said, “It’s hard to make predictions, especially about the future.” That said, I think GSM will still be with us for several more years, along with its serious security flaws, and handsets supporting GSM will continue to be in use for several more years after that.
David Burgess has worked in telecommunications since 1998, first in signals intelligence and then in commercial network equipment. He is probably best known as the primary author of OpenBTS, but has written complete stacks for other cellular radio protocols as well. David’s company, Legba, provides mobile network equipment and test equipment for small network operators, embedded systems developers, and special applications. Prior to his commercial work, David worked on tactical SIGINT systems used by US military forces. He also writes about telecommunications and does occasional work as an expert in legal cases.