3G Mobile Network

Security

White Paper
January 2007
Executive Summary

Mobile operators need to recognize their newfound role as internet service providers
(ISPs). No longer do they just provide cellular voice services; now they also provide high-
speed Internet Protocol-based (IP) data services. So as to offer a wider array of services
and content to their data subscribers, mobile operators are opening up their formerly
closed networks to numerous other mobile operators, data networks and the public
Internet.
As a result, mobile operator’s 3G networks are not only exposed to all the virtual
pathogens already in circulation, but also to mobile-specific viruses and Trojans, as well as
to direct attacks such as Denial of Service (DoS) on their networks from hackers and/or
criminal organizations. These types of attacks employ methods which wired ISPs have
been dealing with for a much longer period of time. There are also variations on these
attacks which exploit weaknesses in the architecture and some of the protocols used in
2.5G/3G cellular data networks.
To protect their networks and customers, then, mobile operators need to:
„ Take an architecture approach to implementing security solutions in their network;
point solutions are not sufficient
„ Deploy a variety of products in their networks, such as firewalls, intrusion
detection and prevention (IDP) and virtual private networks (VPNs)
„ Make client-side anti-virus and firewall software readily available to their
subscribers who use data devices (e.g., feature phones with data capabilities,
smartphones, notebook computers)
„ Be vigilant and adopt appropriate security policies that reflect the threats in the
2.5/3G world. This has additional ramifications given the widespread use of WiFi
and the general evolution toward networks based on the IP Multimedia System
(IMS) standard
„ Be aware that their networks are only as secure as the weakest link. Mobile
operators need to work with each other, the ISP community and other telecom
providers to ensure that even the minimum amount of security is quite strong.
„ Vigorously protect signaling as the migration of signaling traffic over IP creates
new risks. Mobile operators carry much more signaling traffic than their wired
counterparts and signaling is mission critical traffic.
This whitepaper will explore the following topics:
„ Why 2.5/3G wireless networks are now vulnerable and at what points they are
vulnerable
„ The types of attacks that can be perpetrated against those networks
„ The types of products that can be deployed to help guard 3G networks
„ The business implications of a network outage and a revenue impact model to
demonstrate the seriousness of such an outage
„ Future threats to mobile operators, specifically regarding IMS which is being
deployed by fixed and mobile carriers around the world.
Finally, this paper also suggests some steps mobile operators can take to minimize the
risk to their networks and their customers.

Page 1
Copyright © 2007 iGillottResearch, Inc.
 The Need for Security

Mobile Networks Are Now More Vulnerable Than Ever

Cellular data networks are vulnerable for several reasons:
1) Mobile operators are building out high speed wireless networks that are based on the
Internet Protocol (IP) which allow users to do more while connected.
2) Mobile operators have opened up their networks to the public Internet and to other data
networks, making their 2.5G/3G networks more vulnerable to attacks.
3) Mobile operators are evolving their networks to IMS, enabling interconnected networks all
running on IP.
Broadband Wireless Rollouts
In the past, mobile operators only provided cellular voice service. Their security concerns were
limited to cloning and subscription fraud. Mobile data usage began with implementations of CDPD
and Mobitex, but widespread adoption really began with the rollout of 2.5G networks (GPRS,
EDGE, CDMA 1X) and now with third generation (3G) high-speed wireless networks such as
CDMA EV-DO and UMTS/HSDPA. And as Figure 1 shows, the world is increasingly moving
toward 2.5/3G networks.
Figure 1: Worldwide Subscribers by Wireless Network Since 3G networks are based on
Generation (000s) IP, mobile operators must address
an entirely new set of hazards –
350,000 viruses, Trojans and denial of
service attacks – that until now
300,000 have primarily impacted wired
internet service providers (ISPs).
250,000
By deploying 3G networks, mobile
200,000 2.5g and 3G operators around the world are
2G now ISPs as well as providers of
150,000
1G cellular voice service. Moreover,
3G networks are significantly faster
100,000
than their 2.5G network
50,000 predecessors: CDMA EV-DO (rev.
0) provides 400-700 Kbps
0 download rate with higher “peak”
2004 2005 2006 2007 2008 2009 2010 speeds of up to 2 Mbps;
UMTS/HSDPA networks also
Source: iGR, 2006 provide 400-700 Kbps download
rate but with potentially higher peak
speeds (up to 7 Mbps).

The security implication here is that with more users of varied data-capable devices who are
accessing content and communicating with one another across multiple networks, there will be
more traffic on the cellular networks. That implies a higher likelihood of attacks occurring from any
number of sources. For example, many sophisticated attacks disguise themselves in data flows
across sessions and ports – the more traffic there is, the harder it is to identify the threats.
Opening Up
Mobile data networks are being opened up in two senses:

Page 2
Copyright © 2007 iGillottResearch, Inc.
 1) Interconnection to other networks, such as the public Internet, other mobile operator
networks, private networks (including company LANs), content servers, etc.
2) Multiple device types – Symbian smartphones, RIM BlackBerry and Windows Mobile-
based, personal data assistants (PDAs), notebook computers and data-capable feature
phones.
From a security perspective, this newfound openness is a problem because there are now far
more elements which are vulnerable. For example, the majority of 3G mobile equipment:
„ Supports high-speed connections to the public Internet and private data networks such as
corporate networks
„ Provides multimedia messaging, content downloads, Web browsing, network-based
games, office applications, TV and virtual private networking to subscribers. Malware can
propagate through many of these mediums.
„ Are more open to user modification because of storage cards, synching with PCs, Internet
connectivity, Bluetooth and Wi-Fi.
Evolving to IMS
On top of the network upgrades from 2.5G to 3G, many mobile and fixed operators are also
moving forward with plans to evolve their networks to conform to the IP Multimedia Subsystem
(IMS) architecture. IMS uses open standard IP protocols to create communications links between a
variety of users – e.g., a multimedia session between two IMS users; between an IMS user and a
user on the Internet, or between two users on the Internet. As a result, unprotected IMS services
are also vulnerable to a variety of different attacks.
These connections can and will traverse multiple networks – the PSTN, the Internet, the mobile
operator’s, a cable operator’s and/or a WiFi provider’s. Each of these vastly different networks has
its own unique vulnerabilities which must be protected.
IMS deployments are increasingly widespread. One example of a mobile operator evolving toward
IMS services is T-Mobile USA’s @Home service in Seattle, Wash. “HotSpot @Home” is T-Mobile's
brand name for its Universal Mobile Access (UMA) service which allows a cell phone to make
voice or data calls using pre-approved Wi-Fi hotspot instead of the cellular network. UMA is
considered to be an evolutionary step toward full IMS for GSM operators.

Examples of Attacks
Exploiting the unprotected holes in IP data networks and the systems connected to those networks
has long been the pastime of bored “script kiddies” – bright adolescents and young adults with time
on their hands and a knack for coding. In recent years, however, attacking data networks has also
become a focus for criminal organizations.
Their motivations are as mercenary as they are varied. Some of these criminals might be trying to
defraud the mobile operator of airtime or render the network unusable for a period of time so as to
extort money from the operator. Other criminals might be interested in acquiring subscriber
information so as to either steal their identities or billing and credit card information.
Hacking Subscriber Information
These types of attacks on mobile operators’ networks have already happened and will continue to
happen. Take, for example, the rather significant breach of T-Mobile USA’s subscriber databases
in 2004. As reported by SecurityFocus, the hacker was able to access information on any of T-
Mobile’s 16.3 million customers, including Social Security numbers and dates of birth. The article
also stated that the hacker was able to obtain voicemail PINs and the passwords providing
customers with Web access to their T-Mobile email accounts.1
Clearly, this type of security breach could have had a massive impact not only on the operator’s
revenues, but also on the subscribers whose identities could have been stolen.
Page 2
Copyright © 2007 iGillottResearch, Inc.
 Denial of Service Attacks
Other types of attacks on operator networks are also possible. For example, in 2005, two computer
science professors at Penn State University published a report detailing how Internet-originated
text messages could be used to overwhelm a mobile operator’s short message services center
(SMSC) and, potentially, their ability to provide cellular voice services.2 This is an example of how a
Denial of Service attack, which has its origins in the IP world, can negatively impact an ostensibly
separate service.
The key here is that mobile operators use an inherently scarce resource (wireless spectrum) to
provide services. If the available bandwidth is overwhelmed by meaningless data traffic, then
subscribers’ ability to use their cell phones will be impaired. This interruption then has real-world
implications for both the mobile operator (lost revenue) and for the subscribers (no service).
It is also possible for attackers to launch Denial of Service (DoS) attacks directly against the radio
resources by creating radio interference in particular wireless spectrum. Attackers can also launch
DoS attacks from other quarters, such as from the public Internet into the operator’s mobile core.
That type of attack could essentially deny Internet service to the operator’s customers.
Virus Propagation
A recent Kaspersky Labs article3 described a localized outbreak of a strain of the Cabir mobile
virus in Helsinki, Finland, during the 10th World Athletics championship in August 2005. The Cabir
worm in that case spread via file transfers over open Bluetooth mobile phone connections. Users
unwittingly accepted file transfers and thereby infected their phones. Had the outbreak not been
speedily contained, Cabir could have infected many thousands of phones belonging to subscribers
from all over the world.
This relatively minor outbreak illustrates how easy it is for mobile malware to propagate. Simply
setting a Symbian phone’s Bluetooth connection to “hidden” would have halted the transmission of
the worm. Other types of mobile malware, such as the ComWar virus, can spread through
multimedia messages (MMS) – which the Kaspersky articles cites as a much more dangerous
form of propagation since the malware can spread over any distance. And because MMS can be
sent to email addresses, MMS can serve as a cross-platform carrier – e.g., spread mobile malware
from a PC to a mobile device or vice versa.
The sheer number of mobile virus families is staggering, as Figure 2 shows. Kaspersky Labs
currently tracks 31 families of mobile malware which have 170 variants (Cabir and ComWar are
examples of two families).
Figure 2: Increase of Known Mobile Malware Variants Even seemingly “Internet-only”
malware can impact a mobile
operator’s operations. In 2003,
for example, the
Slammer/Sapphire worm
outbreak cut a wide swath of
destruction – 20 percent of
global Internet traffic was lost;
13,000 cash machines shut
down; emergency services in
Washington DC were lost for a
short time; and commercial
airline flights were delayed.
Slammer’s impact was felt as
far away as South Korea, where
27 million South Korean
wireless subscribers lost their
Source: Kaspersky Labs, 2006 cellular service.

Page 3
Copyright © 2007 iGillottResearch, Inc.
 Marketing Harassment
Other attacks are targeted directly at subscribers. For example, in February 2006 Verizon Wireless
won a permanent injunction against Passport Holidays. The firm sent more than 98,000
unsolicited short text messages to Verizon Wireless customers informing those recipients that they
had won a cruise to the Bahamas and asking them to call to claim their prize.
This is a form of a “marketing harassment” attack which inconveniences subscribers, possibly
creates extra charges on their monthly bills and could have a negative impact on the operator’s
network operations.
Mobile operators are, in large part, aware that these types of attacks can be carried out against
their networks. General speaking, however, most carriers refuse to comment publicly about these
potential threats and/or any measures they may have put in place to safeguard their networks.
Protecting their networks involves a solid understanding of their network’s vulnerable points.

Types of Attacks
As the mobile operators move to 3G services, they are, for the most part, not deploying entirely
new networks but instead leveraging their existing 2.5G network infrastructure –
GSM/GPRS/EDGE or CDMA/CDMA 1X equipment and backbone networks. For example, most
UMTS cell sites can be collocated in GSM cell sites and much of the GSM/GRPS core network
can be re-used. The Serving GPRS Support Node (SGSN) needs to be upgraded, but the mobile
switching center (MSC) only requires a minor upgrade and the Gateway GPRS Support Node
(GGSN) can remain the same.
Because 3G networks were not all built from the ground up, they were not necessarily built with IP
data security in mind. Moreover, the world of IP data is relatively new to mobile operators – they
are used to dealing with comparatively more mundane voice-centric security threats.
There are numerous attacks that can be perpetrated against a mobile network and they can
originate from two primary vectors:
„ Outside the mobile network: the public Internet, private networks, other operators’
networks
„ Within the mobile network: from devices such as data-capable handsets and
smartphones, notebook computers or even desktop computers connected to the 3G
network.
Table 1 summarizes the various types of attacks to which mobile operators are now vulnerable.
Table 1: Types of Attacks against Mobile Networks
Type of Attack Target Purpose

Other users, network elements Harassment, denial of service

Worm, Virus, Trojan, SMS/MMS spam
(content servers) / service interruption
Denial of service, SYNflood, application layer attacks (on
HLR, AAA, content servers, Attack ability to provide
RADIUS servers, buffer overflows, SIP flooding, RTP
signaling nodes service
flooding)

Operator’s management
Overbilling attack Fraud
elements (AAA, HLR, VLR, etc.)
Spoofed PDP context User sessions Service theft

Signaling-level attacks (SIGTRAN, SIP) which involve Attack ability to provide

Signaling nodes
modification, interception, DoS service

Source: Juniper Networks, 2006

Page 4
Copyright © 2007 iGillottResearch, Inc.
 Denial of Service
Currently one of the most prevalent security threats to wired ISPs is a distributed denial of service
(DDoS) attack. Essentially, DDoS attacks use “brute force” methods to overwhelm the target
system with data such that the response from the target system is either slowed or stopped.
Creating enough traffic to inflict that kind of damage typically requires a network of compromised
computers, which are often referred to as “bots” or “zombies” (sometimes collectively referred to as
“botnets”).
Essentially, botnets are computers that have been compromised by attackers, generally through
the use of Trojans (malware disguised as or embedded within legitimate software), which are then
remotely controlled by the organization orchestrating the DDoS attack. Laptops, smartphones, RIM
BlackBerries and/or PDAs, connected to the Internet via a mobile broadband connection, could be
similarly compromised and used as zombies in a DDoS attack.
Overbilling Attack
Another type of possible attack is called “overbilling.” Overbilling involves a malicious user
hijacking a subscriber’s IP address and then using that connection to initiate fee-based downloads
or simply use that connection for their own purposes. In either case, the legitimate user is billed for
activity which they did not authorize or actually conduct.
Spoofed PDP context
These types of attacks exploit weaknesses in the GTP (GPRS Tunneling Protocol) protocol.
„ Spoofed “delete PDP context” packets, which would cause service loss or interruption for
end users
„ Spoofed “create PDP context” packets, which would result in unauthorized or illegal
access to the Internet or customer data networks
„ GTP packet floods, which is a type of Denial of Service attack.
More on GTP and PDP follows in the Interfaces to Other Mobile Networks section.
Signaling-level attacks
The Session Initiation Protocol (SIP) is a signaling protocol used in IMS networks to provide voice
over IP (VoIP) services. There are several well-known vulnerabilities with SIP-based VoIP
systems. For example, there are vulnerabilities in the Call Manager function (which handles call
routing and call signaling functions in VoIP systems) that might allow hackers to:
„ Reconfigure VoIP settings and gain access to individual users' account information
„ Eavesdrop on VoIP communications
„ Hijack a user's VoIP subscription and subsequent communications.

Vulnerable Network Points

At a high level, there are numerous vulnerable elements in mobile operators’ data networks:
„ The mobile equipment (ME) itself, such as laptop computers, cell phones, PDAs,
smartphones
„ The over-the-air wireless link between the ME and the cellular base station (BS) – this is
the UMTS/HSDPA or EV-DO connection
„ Interfaces to other mobile networks – on GPRS/UMTS networks this is the Gp interface

Page 5
Copyright © 2007 iGillottResearch, Inc.
 „ Interfaces to the data networks – the Internet or private data networks; on GPRS/UMTS
networks this is the Gi interface
„ Management and service elements such as the Home Location Register (HLR) which
stores subscriber data (the Ga interface on GPRS/UMTS networks). In IMS, the HSS
(home subscriber server) performs the function of the HLR
„ Application / content servers
„ Signaling protocols and/or interfaces within a network and inter-networks.
In mobile networks, there are two primary elements which interface with the “outside world”: the
GGSN on GPRS/EDGE/UMTS networks and the PDSN (packet data serving node) in CDMA
1x/EV-DO networks. To take just a UMTS network as an example, a subscriber using that high-
speed IP data service connects through the mobile operator’s Serving GPRS Support Node
(SGSN) which is connected via the GPRS Tunneling Protocol (GTP) to a GGSN. Figure 3
illustrates the basic structure of this type of network.
Figure 3: Basic Structure of a GPRS/UMTS Network

HLR / VLR VLR

AUC EIR
MSC
BSS
Ga Interface

SGSN

Gp Interface
GPRS Backbone: Gn interface
between SGSN & GGSN
Other
Other Firewall
Mobile
Mobile
Operator
Operator
GGSN

Gi Interface

Public
Public
Internet
Internet

Source: iGR, 2006

Mobile Equipment
Already discussed to a certain extent, mobile devices are vulnerable to a variety of Internet woes –
mobile malware and viruses, as well as the PC-oriented strains. Because many mobile devices
are capable of email and/or multimedia messaging services (MMS), devices and messaging
systems can act as carriers for viruses even if they themselves are not vulnerable to that particular
strain.
Air Interface
The radio link between the ME and the cellular base station is another potential hole in the mobile
operator’s armor. Both the GSM and CDMA standards have extensive, built-in encryption and
authentication, authorization and accounting (AAA) protocols, making eavesdropping and cloning
attacks extremely improbable. Mobile operators also have a great deal of experience in dealing
with these types of attacks. Of much greater concern are threats from new quarters – the public
Internet, other data networks and, potentially, from compromised mobile equipment itself.

Page 6
Copyright © 2007 iGillottResearch, Inc.
Interfaces to Other Mobile Networks
GTP is used for signaling and tunneling between the GGSN and the SGSN. The SGSN uses GTP
to activate a session on the subscriber’s behalf – this is called a “PDP context activation.” This PDP
context is a data structure which contains information such as the mobile IP address, tunnel
identifiers for the GTP session on both the GGSN and the subscriber’s international mobile
subscriber identity (IMSI) number.
However, GTP does not implement any kind of authentication, data integrity checking or
confidentiality protection, which means that it could be compromised by an attacker. GTP is used in
several areas within a GSM-based mobile operator’s network:
„ The Gn interface: the connection between an operator’s SGSN and GGSN
„ The Gp interface: connection to another mobile operator
„ The Gi interface: the connection to an external data network such as the Internet.
Applications & Signaling
Vulnerabilities in the management elements, application and content servers, and signaling
protocols can be illustrated by using an IMS example. In short, the 3GPP (and 3GPP2 for CDMA
networks) has defined a standards-based overlay network that sits on top of emerging wireless 3G
wireless networks, WLANs or other types of broadband networks. IMS equipment does not
supplant existing management elements; it supplements them, as Figure 4 shows. The Home
Subscriber Service (HSS) provides a similar function to the HLR in IMS implementations.
Telephony in IMS is just another type of IP-based data service (VoIP) and SIP is the protocol used
for Voice over IP (VoIP) call control in IMS networks. As previously mentioned, SIP itself is
vulnerable to attacks such as buffer overflow. By attacking SIP, the hacker could compromise or
disable the operator’s voice services. Other application servers on the IMS networks can also be
subjected to Denial of Service-type attacks.
Figure 4: IMS Network Architecture

3GPP - Network Architecture

PSTN
PSTN
Internet
Internet
Circuit Switched - CS

BTS BSC MSC

HSS App Server

HLR
SIP Signaling
& Media
Gateways
SGSN GGSN
vv

MRF
I/P/S CSCF
Node B RNC Packet Switched – PS (‘GPRS’)
IP Multimedia Subsystem - IMS

Source: iGR, 2006

Page 7
Copyright © 2007 iGillottResearch, Inc.
Securing the Mobile Network
For mobile operators, the first step in defeating attacks on their networks is to recognize their
newfound role as an ISP. This means implementing a layered defense for their network that:
„ Changes security policies and practices to better reflect the new threats
„ Concentrates, whenever possible, wireless data services into a smaller number of data
centers. Many mobile operators in Europe have already taken these types of steps to
protect their core networks
„ Protects end users by implementing technology on their devices and in the network – e.g.,
anti-virus, firewalls, content scanning – that provides file-level security
„ Deploys security products such as firewalls, virtual private networks (VPNs) and intrusion
detection and prevention (IDP) systems at appropriate points in the network, which
provides packet level, session level and application level protection
Table 2: Defenses against Specific Attacks
Type of Attack Target Defense

Other users, network elements Device & network anti-

Worm, Virus, Trojan, SMS/MMS spam
(content servers) virus; content scanning
Denial of service, SYNflood, application layer attacks
HLR, AAA, content servers, Firewalls, signaling
(on RADIUS servers, buffer overflows, SIP flooding,
signaling nodes firewalls and IDP
RTP flooding)
Operator’s management Intrusion detection &
Overbilling attack
elements (AAA, HLR, VLR, etc.) prevention (IDP)
Spoofed PDP context User sessions Signaling firewalls
Signaling-level attacks (SIGTRAN, SIP) which involve Firewalls, signaling
Signaling nodes
modification, interception, DoS firewalls and IDP

Source: Juniper Networks, 2006

Malware Defenses
The first step in defending against malware is to deploy anti-virus and firewall software on all
devices accessing the network. In the wired broadband world, many operators offer such software
for free to their subscribers; some offer it for an incremental fee.
Mobile operators have themselves begun rolling out managed security services and/or network-
based products with some built-in security. In September 2006, for example, Sprint-Nextel
announced Sprint Mobile Security, which protects mobile devices from viruses, worms and Trojans
that can infect devices and spread malware via text messages or Bluetooth connectivity. This
network-based service will also block Denial of Service attacks and restrict network traffic based on
source, destination, IP ports and applications. It will also allow enterprise IT managers to lock
and/or delete data on lost or stolen devices.
Mobile operators should also consider deploying content scanning technology in the network. For
example, a large European operator is deploying Mobixell’s Rich Media Service Center (RMSC)
product. Essentially, the RMSC allows operators to offer a wide range of content -- multimedia
messaging (MMS), music and video download, mobile Internet surfing and mobile blogging.
However, the RMSC also contains a content security module which will examine all elements of
message content and then filter out harmful content such as viruses and spam.
Firewalls & IDP
In securing their networks, mobile operators should consider deploying solutions which provide
protection at the:

Page 8
Copyright © 2007 iGillottResearch, Inc.
 „ Packet level: Such as stateless firewalls which determine whether a packet is permitted
into the network by analyzing basic information in the packet headers
„ Session level: Such as stateful inspection firewalls which monitor and control the flow of
traffic between networks by tracking the state of sessions and dropping packets that are
not part of authorized sessions
„ Application level: Such as intrusion detection and prevention systems (IDP) which monitor
and analyze network traffic for signs of attacks.
Figure 5 illustrates where firewalls and intrusion detection and prevention systems are placed in
order to protect the operator’s network.
Figure 5: Firewall and IDP Defenses

M o b ile O p e r a t o r ’s N e t w o r k

H LR

AuC
P re s e n c e
AuC
SMS,
MMS V id e o
S e rv e rs S e rv e rs
W eb
S e rv e r

ff ic
T ra
TP
HT

re d
de
Co

F ir e w a ll In t r u s io n D e t e c t io n & P r e v e n t io n S y s t e m

ID P d e t e c ts & d r o p s m a lic io u s p a c k e ts b e fo r e
th e y im p a c t th e n e t w o r k

Source: Juniper Networks, 2006

Firewalls can help operators control fraudulent activities mitigate threats from hackers and provide
added visibility into network operations. In the case of mobile operators using GPRS/UMTS, they
would require a product such as Juniper Networks’ Netscreen-500 GPRS which is build to protect
infrastructure from attacks across all the main interfaces with external networks (Gp, Gi) and
potential internal threats on the Ga and Gn interfaces.
This particular product includes VPN, packet filtering and traffic management features to help
protect GPRS/UMTS networks from Internet borne attacks such as DoS. For example, it uses rate
limiting to control the rate of GTP signaling and user plane messages so that SGSNs/GGSNs are
less likely to be overwhelmed in a DoS attack.
The deployed firewall also needs to be robust enough to handle the traffic which flows through it so
that the user’s experience is not negatively affected. Juniper’s Netscreen-500 GPRS, for example,
provides the following throughput: 700 Mbps Firewall, 600 Mbps GTP, 250 Mbps VPN. It also
supports 150,000 GTP tunnels, 10,000 VPN tunnels and 20,000 policies on the Gn, Gp and Ga
interfaces. On the Gi interface, it supports 10,000 VPN tunnels and 20,000 policies.
Intrusion detection and prevention systems complement the role of firewalls in a mobile operator’s
network. IDP systems are designed to detect the presence of attacks within the traffic that is
permitted to flow into the network. IDP systems perform this function by using:
„ Stateful signatures: tracks the state of the connection/traffic and scan for attacks based on
known patterns

Page 9
Copyright © 2007 iGillottResearch, Inc.
 „ Protocol anomaly detection: identifies attacks that are masked by legitimate protocol use
„ Backdoor detection: detects traffic caused by worms or Trojans
„ Traffic anomaly detection: compares incoming traffic volume to baseline norms so as to
identify attacks that might span multiple connections
„ Network honey pots: lures potential attackers to services that do not exist
„ Compound signatures: combines stateful signatures to identify attacks that might span
multiple sessions.
Juniper Network’s ISG 2000 GPRS Firewall/VPN product incorporates an IDP module that
performs the prior functions. It provides protection against more than 3,600 attacks, supports up to
300,000 GTP tunnels and provides 2 Gbps of IDP performance. These types of features allow
operators to protect current services as well as provide room to scale with increasing demand.
IDP is usually placed behind the firewall (as shown in Figure 4) so that the device can inspect the
packets entering and exiting the network. Should malicious traffic be detected, the IDP device will
sever the connection so that it never enters or leaves the network. Having IDP in place on the
egress link is important because it allows an operator to prevent attacks originating within its
network from impacting other operators.
VPNs
As Figure 6 shows, mobile operators can overcome the weaknesses in GTP by encrypting that
traffic via an IPSec VPN and by deploying firewalls which will block traffic meant to exploit GTP’s
vulnerabilities. And since the GGSN connects to external data networks, it is exposed to all types of
network traffic and all the attacks (e.g., a DDoS) that can happen to other providers of Internet
service.
Mobile operators must secure their networks and points of interconnection, just as wired ISPs do.
There are several different and complementary ways for operators to secure the GGSN, such as
placing a firewall with IDP capabilities on the link to the public Internet as well as protecting the Gi
link.
Figure 6: Use of VPNs on GPRS/UMTS Network

HLR / VLR VLR

AUC EIR
MSC
BSS
IPSec VPN Ga Interface

SGSN

IPSec VPN
Gp Interface
IPSec VPN GPRS Backbone: Gn interface
between SGSN & GGSN
Firewall
Other &
Other
Mobile IDP IPSec VPN
Mobile
Operator
Operator
GGSN

IPSec VPN Gi Interface

Firewall
&
IDP

Public
Public
Internet
Internet

Source: iGR, 2006

Page 10
Copyright © 2007 iGillottResearch, Inc.
 A security breach in a mobile operator’s network could have numerous ramifications of which only
some are felt by the operator itself. The next section illustrates the revenue impact of a network
outage.

Business Implications
The impact of a successful attack on a mobile operator’s network could result in any number of
multiple outcomes:
„ Interrupted voice, data and/or application service
„ Lost billable minutes
„ Lost goodwill and increased customer dissatisfaction possibly resulting in increased churn
„ Increased number of customer service calls
„ Legal ramifications (e.g., a stolen database of private subscriber information).
Clearly the magnitude of the impact on a mobile operator’s revenues will vary greatly based on
numerous factors – type of service affected, extent of service affected, number of subscribers
affected, duration of outage, etc. Table 3 illustrates the potential revenue impact of a service
outage for a mid-size European mobile operator with 15 million subscribers. This operator provides
prepaid mobile voice and text services which can either be paid for per month or per unit.
Table 3: Estimated Loss Associated with Network Outage Impacting 10% of Subscribers
Length of
Cost per Hour
European mobile operator with 15 million subscribers Outage Total Loss (USD)
(USD)
(hours)
Estimated maximum prepaid voice revenue loss per hour $315,000 3 $945,000

Estimated maximum prepaid SMS revenue loss per hour $77,344 3 $232,031
Estimated customer service cost per hour $187,500 3 $562,500

Total cost of churn (assuming .05% increased churn) NA NA $18,750,000

Total estimated cost of a 3 hour outage $20,489,531

Source: iGR, 2006

The above model assumes the following:

„ The cost per voice minute is US $0.10
„ The average subscriber makes 7 calls per 24 hour period with each call lasting 4 minutes
(or 28 total prepaid voice minutes per day). If the mobile operator experiences an outage
affecting 10 percent of their subscribers, then they would lose an estimated US $315,000
in gross prepaid voice revenue per hour (on average) for as long as the outage persists.
„ Text messaging is extremely popular among young adults and teens in the U.S. – and
much more so among Europeans. This model assumes that the cost per text message is
US $0.01. The model further assumes that the typical user sends 33 texts in a 24 hour
period, on average. Should the mobile operator experience an outage affecting 10 percent
of their text subscribers (who comprise perhaps 75% of their total subscribers), then the
operator would lose an estimated US $77,344 in gross SMS revenue per hour (on
average) for as long as the outage persists.
The operator would also experience an increase in the number of customer service calls, which
would also increase the costs associated with the outage. The above model assume that the cost
of a consumer customer service call to the mobile operator is approximately US $12; if only 25

Page 11
Copyright © 2007 iGillottResearch, Inc.
 percent of those affected call in, the call center costs would be approximately US $187,500 per
hour.
The effect of churn would not be felt immediately, but assuming that 0.05 percent of those affected
by the outage do churn, then the estimated impact on the operator would be significant – US $18
million in added customer acquisition costs. Clearly, increased churn must be avoided.
And as Table 3 shows, the estimated total impact of a three hour network outage on a prepaid
operator’s network is rather significant – US $20.5 million. The cost of even the most robust
security architecture for a network this size would be approximately at $1million. A simple ROI
calculation of the implementation shows a 2,000% savings, which demonstrates that it is a rather
straightforward business decision to invest in security.

Future implications
Protect Against Future Threats
Mobile data networks will likely be the target of an increasing number of attacks for two reasons:
„ They are now more accessible because they are interconnected with other IP data
networks,
„ Mobile operators possess information that criminals want (e.g., private subscriber
information) or the operators themselves are the object of extortion or defrauding.
There is no shortage of tools which attackers can use to penetrate mobile operator networks – e.g.,
botnet-based denial of service attacks, mobile malware, or attacks which exploit unprotected
weaknesses in signaling protocols (SIP) or other protocols such as GTP which are integral to many
mobile operators’ networks.
And as this whitepaper has noted, many mobile and fixed operators are evolving their networks to
an IMS-based architecture. As this evolution progresses, operators will be able to offer dynamic,
multi-dimensional applications – i.e., combinations of content and communication applications –
that are beyond their present capabilities. Vulnerabilities exist in many different networks, not just
the mobile operator’s. For example, insufficiently protected WiFi networks or even unprotected
Bluetooth connections on a user’s handset can compromise not only a user’s or a company’s
private data, but a network’s stable operations.
There is a need for strong, multilayered security technologies not only in today’s 3G world, but also
in tomorrow’s IMS environment. Building that security begins today – with deploying firewalls, IDP
and VPNs. Those deployments can then be leveraged to protect future services.

Page 12
Copyright © 2007 iGillottResearch, Inc.
About iGR
iGR is a market strategy consultancy focused on the wireless and mobile communications
industry. Founded by Iain Gillott, one of the wireless industry's leading analysts, we
research and analyze the impact new wireless and mobile technologies will have on the
industry, on vendors' competitive positioning, and on our clients' strategic business plans.
Our clients typically include service providers, equipment vendors, mobile Internet
software providers, wireless ASPs, mobile commerce vendors, and billing, provisioning,
and back office solution providers. We offer a range of services to help companies
improve their position in the marketplace, clearly define their future direction, and,
ultimately, improve their bottom line.
A more complete profile of the company can be found at www.iGR-inc.com.
Methodology
The data for this whitepaper was obtained from numerous sources: reports and surveys
conducted by iGR; ongoing iGR research in the wireless industry; interviews with several
domestic (U.S.) mobile operators and infrastructure vendors; publicly available information
such as mobile operator press releases; reports published by researchers/academics and
news articles published by independent news agencies:
Disclaimer
The opinions expressed in this white paper are those of iGR and do not reflect the
opinions of the companies or organizations referenced in this paper. All research that was
conducted exclusively and independently by iGR is so referenced in this paper. This white
paper was sponsored by Juniper Networks. Juniper provided some of the tables and
figures in this paper as is indicated.
Endnotes

1
Hacker Penetrates T-Mobile Systems, SecurityFocus Online, January 11, 2005
(http://www.securityfocus.com/news/10271)
2
Exploiting Open Functionality in SMS-Capable Cellular Networks, by William Enck, Patrick Traynor, Patrick
McDaniel, and Thomas La Porta, Systems and Internet Infrastructure Security (SIIS) Laboratory, Networking and
Security Research Center, Department of Computer Science and Engineering, The Pennsylvania State University,
September 2, 2005 (http://smsanalysis.org/)
3
Mobile Malware Evolution: An Overview, Part 2, Kaspersky Labs, October 10, 2006, Alexander Gostev, Senior
Virus Analyst

Page 13
Copyright © 2007 iGillottResearch, Inc.