Why network intelligence is vital in addressing RAN threats
Strategic Product Manager, Security solutions
Strategic Product Manager, Ericsson Security Solutions
Strategic Product Manager
Strategic Product Manager, Security solutions
Strategic Product Manager, Ericsson Security Solutions
Strategic Product Manager
Strategic Product Manager, Security solutions
Strategic Product Manager, Ericsson Security Solutions
Strategic Product Manager
Press play on photo to watch the video and discover more about why network intelligence is vital in addressing RAN threats.
Do you want to listen to this video post instead? Play the audio only.
The cybersecurity threat landscape is always evolving, with increasing volume and types of breaches annually. This means CSPs ( Communications Service Providers )need to stay on top of these evolving threats to be better prepared for attackers lurking in the shadows. While every organization will experience some version of a breach, it is important to be prepared for when it happens, despite the fact that mobile networks are well protected against intrusions. To reduce the impact of an attack, it is critical to detect a security incident as soon as it occurs, before it gets a foothold and spreads around in an uncontrolled manner.
In this blog, we will unveil a novel way to detect false base station attacks and finally counter the threat.
What’s new with false base stations?
With telecommunication networks playing an increasingly vital part in our lives, they’ve become an obvious target for malicious actors to launch high-impact attacks. In the RAN domain, which is the most physically accessible part of mobile networks, the limited awareness of the scale and sophistication of the false base station (FBS) threat makes it attractive to malicious actors. Without adequate detection capabilities these threats will remain unknown to service providers. The malicious use of FBSs can have a high impact through techniques such as eavesdropping, tracking, identity spoofing, data and traffic modification, or denial-of-service (DoS) attacks.
The main challenges with detecting false base stations include:
Limited awareness of the scale of the threat
Current methods to detect false base stations are insufficient to understand and quantify the scale of the threat. Examples methods include user equipment (UE)-based detectors, UE applications, crowd-sourced detectors, network-based detectors not using UE measurements, and drive-test based detectors.
Lack of timely and precise detection
Manual threat detection is resource-intensive, limited in coverage (time and place), and prone to human errors and false positives. Even with specialized equipment or sophisticated software, it is hard to do timely and precise threat detection today.
Easy to perform
FBS attacks are relatively easy to perform with relatively inexpensive, off-the-shelf equipment and open-source software. FBS devices are small and lightweight that can be carried around in cars or even backpacks. Older generation networks offer more opportunities for successful FBS attacks than later generation networks.
While 3GPP networks offer comprehensive inbuilt protections, with even more security controls and preventative measures in 5G, there are still risks. For example, some of these protections are optional and need to be turned on. The attacker may also try to lure a subscriber device to switch to an earlier generation with less protection.
Network intelligence to the rescue
To complement what has been standardized in the 3GPP releases for 4G and 5G, we are launching new capabilities in both the Ericsson Security Manager (ESM) and Ericsson basebands (RBS components) to improve our customers’ security posture even further. In addition to existing features, these capabilities make it possible to reduce risks by better protecting the network and detecting RAN-specific threats.
The two new capabilities are:
- In baseband products, we are adding the Advanced RAN Defense software, which provides the new security-related capabilities that enable ESM to detect FBS-specific attacks.
- In ESM, we are adding the RAN Detection Logic software, which supports the detection of false base stations.
These two features, working with the Ericsson Network Management (ENM) system, collectively comprise the Ericsson RAN Security Threat Detection solution.
How it works
Ericsson RAN Security Threat Detection is built on common data flows - measurement reports - between the user equipment (UE), typically mobile phones, and base stations in the service provider’s network. Since we know the network topology around a specific UE, we know what these measurement reports should look like. We then use smart algorithms in the ESM software to find any discrepancies between the topology ENM knows to be correct, and the topology information reported by the UEs. Any incremental differences indicate the possible presence of false base stations.
How it is implemented
First, security operations (SOC) personnel work with network operations (NOC) personnel to decide where and when to activate the detection solution and which frequencies to monitor. Threat detection is typically deployed in sensitive areas such as military installations, near police stations and political neighborhoods. The solution can as well be deployed for the entire network if so desired.
How false base station detection works
Detection of potential false RBSs is based on radio measurement reports from UEs in the field and continuous analysis by Ericsson Security Manager
The Advanced RAN Defense software in the basebands provides enhanced measurements performed by the UE in the cell area. The measurements provide network intelligence of the neighboring base stations, both legitimate and false. The basebands then send this data to the Ericsson Network Manager, which collects and transfers them to Ericsson Security Manager. The ESM RAN Detection Logic software then analyzes the reports using Ericsson-patented algorithms - this is where the comparison with the topology information is done. If a false base station is detected, ESM then alerts security operations (the SOC) for further response processes and activities to be initiated.
Benefits of false base station threat detection
We found three key reasons to use Ericsson RAN Security Threat Detection for identifying false base stations:
- No need for additional hardware
Ericsson RAN Security Threat Detection is a software-only, automated solution. As such, it takes away the need for a lot of equipment and manual processes that have traditionally made it costly and inefficient to scale to cover a large percentage of the RAN. With this solution, service providers don’t need any additional RAN equipment, field-based measuring equipment, new UE software or extra end-user permissions. Instead, it uses standardized measurements that are commonly used in mobile networks - the network intelligence-based approach. - Lower OPEX through automated detection with precise alerts
Together with Ericsson Security Manager, the Ericsson RAN Security Threat Detection software offers timely detection with efficient detection algorithms. Automated detection can be activated in selected areas with precise alerting, reducing manual probing and testing, and freeing up security operations resources for other purposes. False base station alerts are highly precise (very few false positives), with details of the attacker’s location and timeline of the attack. - Brand and customer protection
With improved visibility and continuous threat monitoring, service providers can take action to avoid potential service loss, regulatory fines and reputational (brand) damage that could result from a successful attack. Additionally, investing in security improves end-user perception, and can strengthen a service provider’s brand.
Don’t leave RAN threat detection to chance
Our deep radio expertise and proprietary algorithms make the RAN Security Threat Detection truly unique - a software-only, automated solution using network-centric intelligence and smart algorithms, producing nearly 100% precision in detections reported.
And it doesn’t stop there - as technologies and the threat landscape continue to evolve, Ericsson will continue to evolve its RAN Security Threat Detection to address additional threats and attack vectors. We are currently running several detection studies and research and development (R&D) activities in, for example, the detection of DoS attacks from the transport network to base stations, endpoint detection capabilities in network nodes (across our Ericsson portfolio) and much more. Stay tuned for further updates and announcements!