In an attempt to protect users against dominant positions, the EU has shocked the telecommunications market with some new initiatives. In recent months we’ve seen the European Union take steps towards ending mobile roaming fees within EU territory. We’ve also seen the EU take steps towards defining a Net Neutrality model to prevent operators from blocking OTT traffic. There is a heated debate about how successful those initiatives will be, but also about the potential collateral implications they can carry.
In this post, I would like to share my opinion on why, following similar arguments, the EU should regulate mobile network operators’ network security. A recent study from Informa Telecoms & Media details the state of the art of LTE security in Europe, and the result is not likely to make you feel safe.
Juniper Networks recently commissioned a paper on LTE security. Heavy Reading’s Patrick Donegan writes: “As of September 2012, only a third of mobile operator respondents worldwide were convinced of the case for routinely securing all the operator’s LTE cell sites with IPsec”.
Let me start by saying that regulating doesn’t necessarily mean forcing operators to implement security. One option would be similar to tobacco, where the manufacturer has the obligation to inform about the dangers of smoking. So, non-secure mobile networks would carry the warning: “Important: EU regulations inform you that the network you are connected to is not secure and your traffic or service can be hijacked”. Providers with secure networks, meanwhile, would be able to promote themselves with the phrase: “Network Security approved by EU”.
Why protect the network?
1 – Protect the user: In 2G and 3G networks, user data is encrypted from the device to the operator’s core. In 4G LTE networks, traffic from the base station to the core, across the backhaul and aggregation networks, is not necessarily encrypted, as the standard defines encryption there as optional. The user does not necessarily know about this detail, so he is not protected. However, the user has the right to know when he/she is protected.
2 – Protect the network: The network signaling traffic is not encrypted either. A malicious attack on the network signaling could leave vast areas without mobile service.
3 – Protect the mobile operator: A security attack on a mobile network could result in an outage or could expose personal information of its users. By regulating the level of security across all mobile operators, those implications wouldn’t be perceived as negligence, so there’s no damage to the brand.
4 – LTE networks are more vulnerable: The number of base stations will increase dramatically, especially due to the use of small cells to improve the service. There is no defined ratio, but some operators believe that for every macro cell there will be six or seven small cells. With that model, the number of points that could be attacked increases enormously.
5 – To increase security: Light regulation that just recommends the use of security, but forces operators to inform users about it, would create healthy competition that would translate into the majority of networks being secure. Users, especially enterprises and government agencies, would be able to select the right network for them.
As a user, I would feel more informed about the security of each network, but I know this could be controversial.
What do you think? Should the EU get involved with setting security standards for 4G?