Cover
Title Page
About the Author
Preface
Acknowledgements
Abbreviations
1 Introduction
1. 1.1 Introduction
2. 1.2 Wireless Security
3. 1.3 Standardization
4. 1.4 Wireless Security Principles
5. 1.5 Focus and Contents of the Book
6. References
2 Security of Wireless Systems
1. 2.1 Overview
2. 2.2 Effects of Broadband Mobile Data
3. 2.3 GSM
4. 2.4 UMTS/HSPA
5. 2.5 Long Term Evolution
6. 2.6 Security Aspects of Other Networks
7. 2.7 Interoperability
8. References
3 Internet of Things
1. 3.1 Overview
2. 3.2 Foundation
3. 3.3 Development of IoT
4. 3.4 Technical Description of IoT
5. References
4 Smartcards and Secure Elements
1. 4.1 Overview
2. 4.2 Role of Smartcards and SEs
3. 4.3 Contact Cards
4. 4.4 The SIM/UICC
5. 4.5 Contents of the SIM
6. 4.6 Embedded SEs
7. 4.7 Other Card Types
8. 4.8 Contactless Cards
9. 4.9 Electromechanical Characteristics of Smartcards
10. 4.10 Smartcard SW
11. 4.11 UICC Communications
12. References
5 Wireless Payment and Access Systems
1. 5.1 Overview
2. 5.2 Wireless Connectivity as a Base for Payment and Access
3. 5.3 E‐commerce
4. 5.4 Transport
5. 5.5 Other Secure Systems
6. References
6 Wireless Security Platforms and Functionality
1. 6.1 Overview
2. 6.2 Forming the Base
3. 6.3 Remote Subscription Management
4. 6.4 Tokenization
5. 6.5 Other Solutions
6. References
7 Mobile Subscription Management
1. 7.1 Overview
2. 7.2 Subscription Management
3. 7.3 OTA Platforms
4. 7.4 Evolved Subscription Management
5. References
8 Security Risks in the Wireless Environment
1. 8.1 Overview
2. 8.2 Wireless Attack Types
3. 8.3 Security Flaws on Mobile Networks
4. 8.4 Protection Methods
5. 8.5 Errors in Equipment Manufacturing
6. 8.6 Self‐Organizing Network Techniques for Test and Measurement
7. References
9 Monitoring and Protection Techniques
1. 9.1 Overview
2. 9.2 Personal Devices
3. 9.3 IP Core Protection Techniques
4. 9.4 HW Fault and Performance Monitoring
5. 9.5 Security Analysis
6. 9.6 Virus Protection
7. 9.7 Legal Interception
8. 9.8 Personal Safety and Privacy
9. References
10 Future of Wireless Solutions and Security
1. 10.1 Overview
2. 10.2 IoT as a Driving Force
3. 10.3 Evolution of 4G
4. 10.4 Development of Devices
5. 10.5 5G Mobile Communications
6. References
Index
End User License Agreement

List of Tables

Chapter 01
1. Table 1.1 OMA DM specifications as of December 2015
2. Table 1.2 ISO/IEC 7816 standard definitions
3. Table 1.3 Some of the most important IEEE standards related to encryption
4. Table 1.4 Some of the key 3GPP security specifications
5. Table 1.5 The complete list of 3GPP security‐related 33‐series documents
6. Table 1.6 The EAL classes of CC
7. Table 1.7 Comparison of ciphering techniques relevant for mobile communications
Chapter 02
1. Table 2.1 Variables used by AKA in UMTS
2. Table 2.2 Comparison of MBMS security solutions
3. Table 2.3 Current security solutions for Wi‐Fi/WLAN connectivity
Chapter 03
1. Table 3.1 The key WLAN IEEE 802 standards
2. Table 3.2 The theoretical distances of Bluetooth devices per class
Chapter 04
1. Table 4.1 The ISO/IEC 7816‐2 ICC contacts
2. Table 4.2 Consumer‐grade SIM FF
3. Table 4.3 The environmental classification; the main categories for M2M UICCs
4. Table 4.4 UICC environmental classes and required values
5. Table 4.5 File types of smartcards
6. Table 4.6 Some of the key commands of the SIM/UICC
7. Table 4.7 An example of the SIM/UICC card response messages. The complete list can be found in ISO/IEC 7816‐4 documentation
Chapter 06
1. Table 6.1 Comparison of SE, TEE and HCE
2. Table 6.2 Comparison of mobile security solutions
Chapter 07
1. Table 7.1 The options for the NAA as defined in Ref. [21]
Chapter 09
1. Table 9.1 Key roles of DPI

List of Illustrations

Chapter 01
1. Figure 1.1 The contents of this handbook
Chapter 02
1. Figure 2.1 The statistics of data consumption of mobile laptop and smartphone users
2. Figure 2.2 The general trends of 3G and 4G data rates. The planned 5G will offer considerably higher speeds
3. Figure 2.3 The app ecosystem depends on the available technologies and services
4. Figure 2.4 The development procedure for Android app development
5. Figure 2.5 The main elements of 3GPP networks. The evolution of LTE brings new elements for, e.g., eMBMS, as well as cell extensions like relay nodes and Home eNB elements, while LTE also extends to unlicensed bands (LTE‐U) and is optimized for IoT/M2M environment (LTE‐M)
6. Figure 2.6 The signalling chart for the delivery of triplets from the AuC/HLR to VLR
7. Figure 2.7 The subscriber‐specific Ki, as well as the A3 and A8 algorithms are stored in the SIM and the AuC for the authentication, authorization and session key creation. The A5 algorithm is stored, in turn, in the HW of the Mobile Terminal (MT) and in the Base Transceiver Station (BTS) equipment for protecting the radio interface
8. Figure 2.8 By utilizing Ki, A3 and A8, the AuC calculates the triplet, i.e., values for the Kc, RAND and SRES. The triplet is stored in the VLR
9. Figure 2.9 The authentication and authorization is done by A3, RAND and Ki
10. Figure 2.10 Kc is calculated with the A8 algorithm, based on Ki stored permanently within SIM, and RAND produced in the AuC/VLR
11. Figure 2.11 The encryption of the GSM radio interface takes place via the A5 algorithm
12. Figure 2.12 The 3GPP security architecture. The symbols of the figure refer to the following: (A) network access security; (B) provider domain security; (C) user domain security; and (D) application security
13. Figure 2.13 The role of the UMTS interfaces in 3GPP security procedures.
14. Figure 2.14 The principle of the 3G authentication vector generation as described in 3GPP TS 33.102
15. Figure 2.15 The principle of the vendor certificate process
16. Figure 2.16 The eNB protocol stacks with embedded IPSec layer
17. Figure 2.17 LTE Key hierarchy concept
18. Figure 2.18 Key handling procedure in handover
19. Figure 2.19 The mutual authentication procedure of LTE
20. Figure 2.20 The architecture of the combined IPSec and PKI. The light dotted line indicates signalling, and solid line represents user plane data flow. The thick dotted line symbolizes the IPSec tunnel. The communication between SecGW as well as Operations Administration and Maintenance (OAM) can be done via Transport Layer Security (TLS) or Secure HTTP (HTTPS)
21. Figure 2.21 The PKI design with the architecture and interfaces
22. Figure 2.22 An integration example for the gateway attached to the access router
23. Figure 2.23 The security zone principle
24. Figure 2.24 The MBMS reference architecture.
25. Figure 2.25 The eMBMS reference architecture.
26. Figure 2.26 The elements and key management procedures for ME‐based eMBMS security as described in 3GPP TS 33.246. The events in the radio interface are the following: (1) HTTP Digest authentication with the MRK key; (2) MIKEY MSK key distribution which is protected with the MUK key; (3) MIKEY MTK key distribution which is protected by the MSK key; and (4) user data which is protected via the MTK key.
27. Figure 2.27 The protocol layers of FLUTE
28. Figure 2.28 The flowchart of successful EAP authentication
29. Figure 2.29 The LTE‐UE states and the inter‐RAT mobility procedures with the GSM network as interpreted from Ref. [38].
30. Figure 2.30 The LTE‐UE states and the inter‐RAT mobility procedures with the UMTS network as interpreted from Ref. [38].
31. Figure 2.31 Mobility procedures between E‐UTRA and CDMA2000 as interpreted from Ref. [38].
32. Figure 2.32 Enhanced Packet System (EPS) architecture for CSFB and SMS over SGs interface
33. Figure 2.33 Wi‐Fi Offload architecture
34. Figure 2.34 Femtocell architecture
Chapter 03
1. Figure 3.1 IoT consists of devices that are able to perform functions such as measurements and data processing, as stated in Refs. [1,2]. The connectivity can be based on all known data transfer techniques, including mobile communications networks, local wireless and wired networks, and even direct connectivity. IoT may have communications with other consumer devices, and furthermore, part of the devices can act as hubs to connect the local equipment to the Internet
2. Figure 3.2 Individuals using the Internet [16]
3. Figure 3.3 The main components of IoT
4. Figure 3.4 The IoT environment is developing along with the technological enablers, each phase or wave influencing the further planning of the enablers in an iterative way
5. Figure 3.5 An example of the potential LTE spectrum plans of Latin America
6. Figure 3.6 Typical LTE/LTE‐A band scenarios and potential carrier aggregation deployment in the rest of the world
7. Figure 3.7 High‐level examples of wireless connectivity solutions with respective coverage and data rate
8. Figure 3.8 The RFID system architecture
9. Figure 3.9 The principle of the TSM
10. Figure 3.10 The principle of the SD
11. Figure 3.11 SG model as interpreted from the IEEE 2030‐2011
Chapter 04
1. Figure 4.1 The physical connections of the UICC
2. Figure 4.2 Physical interfaces of the 8‐PIN UICC based on ISO, SWP and USB
3. Figure 4.3 The 1FF of SIM cards (dimensions in mm), which is also called ID‐1. The thickness is 0.76 mm. The ID‐1 is used in practice only for delivering the plug‐in units which are further snapped out from the card body when inserting them to mobile devices
4. Figure 4.4 SIM card’s 2FF, 3FF and 4FF plug‐in units (dimensions in mm)
5. Figure 4.5 The plug‐in units of 2FF or 3FF can be delivered within a single ID‐1 card body. This eases the logistics and enhances user experience upon inserting the plug‐in units into mobile devices.
6. Figure 4.6 The physical building blocks of a smartcard. The ID‐1 card body can be of plastics or recyclable materials, while the frame material of the plug‐in needs to comply with typically stricter mechanical and environmental requirements making plastics the most feasible material
7. Figure 4.7 An example of the system level building blocks of a multi‐application card based on the UICC. The applications may also include other subscription containers like RUIM for CDMA systems, and applets for many areas such as transit access and payments
8. Figure 4.8 The eUICC logical architecture as interpreted from ETSI TS 103 383
9. Figure 4.9 Some ETSI eUICC use cases for redundant subscription management
10. Figure 4.10 The embedded UICC architecture of GSMA as interpreted from Ref. [33]
11. Figure 4.11 Some examples of the physically embedded SEs. At present, the MFF2 is the only standardized variant of embedded UICC. The smallest ones are typically based on wafer‐level which can be very small in volume, such as the WLCSP which can measure, e.g., 2.7 × 2.5 × 0.4 mm³, depending on each chip manufacturer’s own specifications
12. Figure 4.12 Typical use cases for NFC
13. Figure 4.13 The block diagram of the UICC
14. Figure 4.14 The overall principle of the file structure of the smartcard
15. Figure 4.15 The principle of ADFs
16. Figure 4.16 The format of the Command and Response APDU
Chapter 05
1. Figure 5.1 The development of mobile payment
2. Figure 5.2 An example of the QR code with embedded web link leading to further information about this Wireless Security book
3. Figure 5.3 Example of the architecture of an NFC device. The NFC radio interface is connected to payment associations such as Visa, MasterCard, AmEx and Discover via the merchant processor
4. Figure 5.4 The NFC architecture as defined by the NFC Forum
5. Figure 5.5 NFC device based on SE in microSD form and NFC chip residing within the device
6. Figure 5.6 Device without NFC functionality can be used with microSD that is equipped with NFC antenna, NFC chip and SE
7. Figure 5.7 Some options for mobile payment solutions
Chapter 06
1. Figure 6.1 An example of the utilization of the UICC or eUICC as a part of the mobile payment service
2. Figure 6.2 The NFC payment architecture based on the SE or eSE
3. Figure 6.3 Examples of the TSM models
4. Figure 6.4 An example of the TEE architecture based on ARM TrustZone t‐Base. The TEE is connected to the external world via communications protocols designed between the TEE and REE which provide the means for the safe execution of the trustlets
5. Figure 6.5 An example of the t‐Base ecosystem
6. Figure 6.6 An example of the TEE secured application OTA lifecycle management
7. Figure 6.7 The payment application of the cloud service can be, in its basic form, within the SW‐based OS located outside of the SE
8. Figure 6.8 Example of HCE‐based payment architecture
9. Figure 6.9 Comparison of selected protection mechanisms
Chapter 07
1. Figure 7.1 An example of ODA as described in Ref. [17]
2. Figure 7.2 The high‐level signalling flow of the real‐time provisioning procedure as applied in the SmartTrust SmartAct solution
3. Figure 7.3 An example of the UICC activation, i.e., provisioning by utilizing a POS card reader
4. Figure 7.4 The principle of SIM OTA messaging
5. Figure 7.5 Data exchange as defined in ETSI TS 102 124
6. Figure 7.6 The OMA DM philosophy
7. Figure 7.7 OMA Lightweight M2M architecture. The LWM2M communications between the client and the server is optimized via efficient payload, and is able to support interfaces for bootstrapping, registration, object/source access and reporting for very low‐cost devices
8. Figure 7.8 Remote eUICC provisioning architecture for M2M environment as defined by GSMA (version 2.1).
9. Figure 7.9 The contents of eUICC in GSMA remote provisioning systems.
10. Figure 7.10 The contents of a GSMA profile.
11. Figure 7.11 The mapping of the card entities with the provisioning system.
12. Figure 7.12 The ISD‐P stages of GSMA remote provisioning eUICC. The transitions may be triggered by ISD‐R or ISD‐P itself. There also is a fall‐back (FB) mechanism
13. Figure 7.13 The evolved GSMA subscription management architecture (version 4) that includes the consumer environment
14. Figure 7.14 The GSMA RSP V1 architecture
Chapter 08
1. Figure 8.1 The principle of CEIR. Each of the connected operator‐specific EIRs is synchronized upon the reporting of devices in their black lists
2. Figure 8.2 The original Phase 1 GSM system’s protocol stack from the 1990s, added by the GPRS functionality of Release 97 from the early 2000s
3. Figure 8.3 The principle of the spoof GSM BTS may be based on the minimum set of the radio interface protocol stack as well as the essential protocols in connectivity and mobility management layers. In this way, all the additional functionality like encryption, frequency hopping etc. can be eliminated from the connection while the interception and relaying of the clear‐code call can be done, e.g., via a separate VoIP call
4. Figure 8.4 The LTE/SAE security chain includes various aspects
5. Figure 8.5 The C‐plane security principle of LTE/SAE
6. Figure 8.6 The U‐plane security principle of LTE/SAE
7. Figure 8.7 The M‐plane security principle of LTE/SAE
8. Figure 8.8 The S‐plane security principle of LTE/SAE
9. Figure 8.9 The correct timing for the equipment ordering has impact on the RoI
10. Figure 8.10 General principles of equipment manufacturing
11. Figure 8.11 An example of a real‐world scenario which sometimes may experience delays in commercial market entrance due to issues that are identified too late prior to launch
12. Figure 8.12 Issues resulting in delayed market entrance can be minimized via preliminary testing activities as soon as the equipment prototypes are ready
13. Figure 8.13 Process for the error ticket opening applicable to LTE/LTE‐A UE and network elements. The optimal way is to assess deeply the background information prior to the error ticket opening in order to speed up corrections
Chapter 09
1. Figure 9.1 An example of CGN firewall deployment based on Check Point
2. Figure 9.2 An example of Check Point deployment in an IPSec gateway mode, delivering the S1‐MME signalling (SCTP) and S1‐U traffic (GTP‐U over UDP)
3. Figure 9.3 An example of Check Point acting as a roaming gateway
4. Figure 9.4 An example of Check Point protecting roaming networks
5. Figure 9.5 The configuration for the MME intercept
6. Figure 9.6 The configuration for the HSS intercept
7. Figure 9.7 The configuration for the S‐GW and P‐GW intercept
8. Figure 9.8 Write‐Replace warning procedure
9. Figure 9.9 Kill procedure
Chapter 10
1. Figure 10.1 LTE‐A and WiMAX2 are the result of their own evolution paths, but can be used in a cooperative environment via data offloading and inter‐working

Pages

iv
xii
xiii
xiv
xv
xvi
xvii
xviii
xix
xx
xxi
xxii
xxiii
xxiv
xxv
xxvi
xxvii
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305

This edition first published 2017
© 2017 John Wiley & Sons, Ltd

Registered Office
John Wiley & Sons, Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom

For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com.

The right of the author to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK Copyright, Designs and Patents Act 1988, without the prior permission of the publisher.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The publisher is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. It is sold on the understanding that the publisher is not engaged in rendering professional services and neither the publisher nor the author shall be liable for damages arising herefrom. If professional advice or other expert assistance is required, the services of a competent professional should be sought.

The advice and strategies contained herein may not be suitable for every situation. In view of ongoing research, equipment modifications, changes in governmental regulations, and the constant flow of information relating to the use of experimental reagents, equipment, and devices, the reader is urged to review and evaluate the information provided in the package insert or instructions for each chemical, piece of equipment, reagent, or device for, among other things, any changes in the instructions or indication of usage and for added warnings and precautions. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read. No warranty may be created or extended by any promotional statements for this work. Neither the publisher nor the author shall be liable for any damages arising herefrom.

Library of Congress Cataloging‐in‐Publication data applied for

ISBN: 9781119084396

A catalogue record for this book is available from the British Library.

Preface

This Wireless Communications Security book summarizes key aspects related to radio access network security solutions and protection against malicious attempts. As such a large number of services depend on the Internet and its increasingly important wireless access methods now and in the future, proper shielding is of the utmost importance. Along with the popularization of wireless communications systems such as Wi‐Fi and cellular networks, the utilization of the services often takes place via wireless equipment such as smartphones and laptops supporting short and long range radio access technologies. Threats against these services and devices are increasing, one of the motivations of the attackers being the exploitation of user credentials and other secrets to achieve monetary benefits. There are also plenty of other reasons for criminals to attack wireless systems which thus require increasingly sophisticated protection methods by users, operators, service providers, equipment manufacturers, standardization bodies and other stakeholders.

Along with the overall development of IT and communications technologies, the environment has changed drastically over the years. In the 1980s, threats against mobile communications were merely related to the cloning of a user’s telephone number to make free phone calls and eavesdropping on voice calls on the unprotected radio interface. From the experiences with the relatively poorly protected first‐generation mobile networks, modern wireless communications systems have gradually taken into account security threats in a much more advanced way while the attacks are becoming more sophisticated and involve more diversified motivations such as deliberate destruction of the services and ransom‐type threats. In addition to all these dangers against end‐users, security breaches against the operators, service providers and other stakeholder are on the rise, too. In other words, we are entering a cyber‐world, and the communications services are an elemental part of this new era.

The Internet has such an integral role in our daily life that the consequences of a major breakdown in its services would result in chaos. Proper shielding against malicious attempts requires a complete and updated cyber‐security to protect the essential functions of societies such as bank institutes, energy distribution and telecommunications infrastructures. The trend related to the Internet of Things (IoT), with estimations of tens of billions of devices being taken into use within a short time period, means that the environment is becoming even more challenging due to the huge proportion of the cheaper IoT devices that may often lack their own protection mechanisms. These innocent‐looking always‐connected devices such as intelligent household appliances – if deployed and set up improperly – may expose doors deeper into the home network, its services and information containers, and open security holes even further into the business networks. This is one of the key areas in modern wireless security preparation.

www.tlt.fiWireless Communications Securityjyrki.penttinen@hotmail.com

Jyrki T. J. Penttinen
Morristown, NJ, USA

WIRELESS COMMUNICATIONS SECURITY

SOLUTIONS FOR THE INTERNET OF THINGS

About the Author

Preface