4G hype leading to LTE security shortcuts

Many mobile operators are deploying LTE networks without installing the full IPSec security architecture specified by 3GPP to ensure all communications and signalling remain encrypted across the network.

In 3G there is native encryption of the path all the way through from the handset to the base station to the RNC. LTE flattens that architecture, so that RNC functionality sits in the eNodeB, meaning that native encryption terminates at the base station. That means the backhaul interfaces, the S1-U and S1-MME interconnection from the eNodeB to the serving gateway and Mobility Management Entity (MME) respectively, as well as the X2 interconnections between eNodeBs, are unprotected.

3GPP dealt with this issue by prescribing IPsec, with instantiation of IPSec tunnels from the eNodeB back to the EPC (Evolved Packet Core) and the termination of those tunnels in a Security Gateway (SEG). However, with a full IPSec rollout costing tens of millions of dollars, as well as time to design and integrate, many operators prefer instead to deploy now and think about security later, according to Richard Peachey, Technical Managing Consultant at Praesidum, the consulting arm of revenue assurance software provider WeDo Technologies.

Peachey said that although many of the international Group operators are mandating IPSec, many national operators and Tier 2 players are deciding against the cost of installing security architecture to support LTE rollouts.

T-Mobile, for instance, has made it public that it mandates full IPSec implementation in its LTE network in Germany. Other group operators are thought to have mandated IPSec for the signalling link, but not for the user data itself.
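To make the three deployment postures described above concrete, the following added example (not part of the original article) audits flow records captured on the backhaul and reports, per eNodeB, which interfaces travel outside IPsec. The port numbers are the standard registered ones for S1AP, X2AP and GTP-U and are not stated in the article; the record field names and the sample flows are constructed for illustration.

```python
# IP protocol numbers, and the registered ports of the LTE backhaul protocols.
ESP, UDP, SCTP = 50, 17, 132
BACKHAUL = {
    (SCTP, 36412): "S1-MME",     # S1AP signalling, eNodeB to MME
    (SCTP, 36422): "X2",         # X2AP signalling between eNodeBs
    (UDP, 2152): "S1-U/X2-U",    # GTP-U user plane
}

def exposed_interfaces(flows):
    """Map each eNodeB to the backhaul interfaces it sends outside IPsec."""
    report = {}
    for f in flows:
        seen = report.setdefault(f["enb"], {"cleartext": set(), "esp": False})
        if f["proto"] == ESP or (f["proto"] == UDP and f["dport"] == 4500):
            seen["esp"] = True   # ESP, or ESP in UDP for NAT traversal
        elif (f["proto"], f["dport"]) in BACKHAUL:
            seen["cleartext"].add(BACKHAUL[(f["proto"], f["dport"])])
    return report

def posture(entry):
    """Summarise one eNodeB using the groupings the article describes."""
    clear = entry["cleartext"]
    if not clear:
        return "full IPsec" if entry["esp"] else "no backhaul traffic seen"
    # Inference: a tunnel exists and only GTP-U is visible outside it.
    if entry["esp"] and clear == {"S1-U/X2-U"}:
        return "signalling protected, user data in cleartext"
    return "cleartext: " + ", ".join(sorted(clear))

def audit(flows):
    return {enb: posture(e) for enb, e in exposed_interfaces(flows).items()}

# Constructed flow records (hypothetical field names), outer headers only.
SAMPLE_FLOWS = [
    {"enb": "enb-a", "proto": ESP, "dport": None},
    {"enb": "enb-b", "proto": ESP, "dport": None},
    {"enb": "enb-b", "proto": UDP, "dport": 2152},
    {"enb": "enb-c", "proto": SCTP, "dport": 36412},
    {"enb": "enb-c", "proto": UDP, "dport": 2152},
    {"enb": "enb-c", "proto": SCTP, "dport": 36422},
]

if __name__ == "__main__":
    for enb, verdict in audit(SAMPLE_FLOWS).items():
        print(enb, "->", verdict)
```

Because the check reads only outer headers, it confirms that a tunnel exists and what is visible outside it, not what the tunnel carries.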

However, many more operators are deploying LTE without installing the 3GPP-defined architecture in support. Peachey identified operators in the Middle East as some of those likely to be bypassing IPSec.

Patrick Donegan, Senior Analyst, Heavy Reading, said, “A lot of operators are still rolling out LTE without IPsec, either because they think they don’t need it, think it’s too costly, or they lack the confidence that they can minimise any impact on network performance.”

Donegan added that other operators were going down the IPSec path. “We are seeing the adoption rate of IPsec with LTE increasing, particularly in Europe,” he said.

Praesidum’s Peachey outlined a few main reasons for operators bypassing full IPSec based implementations:
1. Cost: tens of millions, he said, for full network investment without a visible ‘ROI’.
2. Need to get to market as speedily as possible: deploy first, worry about security later.
3. Concerns about performance: Often the equipment that operators purchase can support IPSec but it is not enabled because the kit providers don’t want to see the resulting impact on performance.
4. Cultural/Political: The security budget sits with IT/IP teams, rather than network teams, and they’re not sure they want to spend it within, or don’t understand, the mobile network.

Peachey said that marketing pressures to be first to market often leave security as an afterthought. “There’s hype driving LTE, everyone wants to say they have 4G and behind that is the rush to be the first to market. That is causing, in my view, operators going to vendors and looking for quick solutions and making their decision based on cost and a proof of concept. Then they roll out and they are not taking the security requirement into the equation. There’s a big gap between those companies with defined policies and smaller operators and those with no group function, who are following this turnkey solution model where they rely on the vendor for the configuration.”

“Part of the issue is that 3GPP terminology talks about ‘trusted environments’ and the need for IPSec outside of those. Well in some cases the eNodeB might be in the same physical location as the core network, that might therefore be a ‘trusted environment’ as far as the operator’s concerned.”

“What it comes down to is it costs tens of millions of dollars to do this across the whole network and that is making people ask why they need to do it,” Peachey added.

So what are the risks? Peachey said that they are more likely to be long term. Unencrypted customer traffic might be exposed, but that is not a “big issue”, Peachey said, as users are likely to be using sites with SSL for secure information. There are risks on the signalling side, but “people are not familiar with how to break it yet,” he added. There is also the potential for hackers to directly access components in the CSP’s core network as an entry point to the IP layer, with all the risks that can bring.

“Operators may get away with it in the short term, but it will matter in the long term. You can’t bury your head in the sand forever,” Peachey said.