Anticipating security threats: The MWC14 security demonstrations

Security is hotter than ever. Ericsson Research is looking at ways to anticipate and counter emerging security threats, and just last month in Barcelona, demonstrated proofs of concept for research done into innovative security functions.

Michael Liljenstam

Principal Researcher

Security Monitoring & Protection was one of these Ericsson Research demos at the Mobile World Congress.

In the security area in Ericsson Research, we work on a broad range of security topics:

  • Network security - network-level attacks and unwanted traffic
  • Platform security - including trusted execution environments, virtualization, cloud
  • Software security - formal methods, development/analysis tools and testing
  • Service security - including identity management and key management mechanisms
  • Applied cryptography and privacy

Out of these we showcased a couple of specific examples related to network security and protecting the service provider’s infrastructure.

One of the necessary components in protecting the network is to have visibility into what is going on, to be able to discover incidents and to react to them. From what we have seen, the vast majority of currently commercially available tools for this purpose target Enterprise IT. Thus, lately we have been studying possible technical gaps in monitoring and security functions for mobile network infrastructure.

Clearly, the differences in a mobile network environment include some of the types of assets monitored (mobile network nodes as opposed to enterprise servers) and the protocols in use, such as mobile network signaling protocols.

One aspect of this is demonstrated through a security dashboard built by making some adaptations to an open source Security Information and Event Management (SIEM) system, used to collect, correlate, and present information on the network’s security status. Another aspect is showing a Proof-of-Concept for a new mobile network-specific security function, connected to the monitoring system, for protecting the control plane from malicious signaling over the air interface in a flexible manner. The “control plane” carries information to control the different parts of the network, while the “user plane” carries the actual user traffic.

As shown in the picture below, there are two distinct scenarios in the demonstration, and they relate to two different objectives of the research. One objective is to look at emerging threats and try to be one step ahead in terms of exploring new possible layers of protection. The second objective is to see if we can leverage information in the network to improve detection of existing threats.

The first scenario involves emerging threats in the form of modified terminals, for instance, using open source baseband software in combination with Software Defined Radio hardware that can generate malicious signaling to attempt Denial-of-Service-type attacks against the network. This is the scenario where the PoC signaling protection function, which we have been tentatively calling a “Radio Firewall”, comes into play to detect and block or mitigate attacks. Hence, the demonstration shows a couple of simulated attacks and how new protection rules can be deployed to handle them.

The second scenario relates to existing threats in the form of smartphone malware for premium service fraud, such as creating unwanted cost to the user by sending premium SMS, and shows correlation of information from user plane traffic monitoring, external security intelligence, and information about charging.
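A minimal sketch of the kind of correlation the second scenario describes, added here as an illustration and not taken from the Ericsson demo or its SIEM rules. The record layouts, field names, the 10-minute window and all sample data are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# All records below are constructed sample data; the layouts are assumptions.
THREAT_INTEL = {"c2.badapp.example"}  # hosts flagged by an external intelligence feed
USER_PLANE = [  # (time, subscriber, destination host) from user plane monitoring
    ("2014-02-24T10:00:05", "sub-A", "c2.badapp.example"),
    ("2014-02-24T10:01:00", "sub-B", "news.example"),
    ("2014-02-24T10:02:30", "sub-C", "c2.badapp.example"),
]
CHARGING = [  # (time, subscriber, event type, destination number) from charging
    ("2014-02-24T10:00:40", "sub-A", "premium_sms", "5550"),
    ("2014-02-24T10:03:10", "sub-A", "premium_sms", "5550"),
    ("2014-02-24T10:05:00", "sub-B", "premium_sms", "5551"),
    ("2014-02-24T18:00:00", "sub-C", "premium_sms", "5550"),
]

def correlate(user_plane, charging, intel, window=timedelta(minutes=10)):
    """Return one alert per subscriber whose premium SMS charges occur within
    `window` after that subscriber contacted a host on the intel list."""
    # Step 1: keep only user plane contacts to hosts the intel feed flags.
    contacts = {}
    for ts, sub, host in user_plane:
        if host in intel:
            contacts.setdefault(sub, []).append((datetime.fromisoformat(ts), host))
    # Step 2: join charging events to those contacts by subscriber and time.
    alerts = {}
    for ts, sub, kind, number in charging:
        if kind != "premium_sms":
            continue
        charged_at = datetime.fromisoformat(ts)
        for seen_at, host in contacts.get(sub, []):
            if timedelta(0) <= charged_at - seen_at <= window:
                alert = alerts.setdefault(
                    sub, {"subscriber": sub, "hosts": set(), "numbers": set(), "charges": 0})
                alert["hosts"].add(host)
                alert["numbers"].add(number)
                alert["charges"] += 1
                break  # count each charging event once
    return sorted(alerts.values(), key=lambda a: a["subscriber"])

if __name__ == "__main__":
    for alert in correlate(USER_PLANE, CHARGING, THREAT_INTEL):
        print(alert)
```

In the sample data, sub-B is charged for premium SMS but never contacts a flagged host, and sub-C contacts one but is charged hours later, so neither source alone would separate them from sub-A.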

 

Discussions with visitors to the station indicate a fairly broad range of security concerns among operators, from concerns with signaling load from misbehaving apps, problems in some markets with unsolicited communications - variations of spam, malware, and general concerns around transitioning to all-IP networks using more accessible technology.

While there was nothing immediately surprising, all of these observations are good food for thought, as we keep working on further developments and new topics.

 

 


ABOUT THE CONTRIBUTOR
Michael Liljenstam
Michael Liljenstam is a Principal Researcher in security at Ericsson Research.