Security in LTE and VoLTE INF3510 Candidate #351 08-05-2015



Contents

1 Introduction
2 Theoretical background
3 Security issues
  3.1 Encryption
  3.2 Denial of Service
    3.2.1 IP and signaling based
    3.2.2 Radio based
  3.3 Cell compromising
4 VoLTE Quality of Service problems
5 Conclusion

1 Introduction

Modern cellular networks provide internet and voice access to billions of users worldwide, and we see a growing trend of a new type of traffic prevailing in modern mobile networks: data. The usage of what was intended as a wireless voice service has changed drastically over the last five years. For many users wireless radio communication based on the mobile network has become their primary internet access at home, or on vacations[1]. We are also seeing the importance of access under natural disasters or national crises - users expect 100% uptime. The newest standard that the 3rd Generation Partnership Project (3GPP) has developed is named Long Term Evolution (LTE) and will be the leading technology all operators will use within the next decade. The 3GPP is a collaboration between telecommunications groups. They are working together to standardise mobile communications. They have standardized GSM, UMTS and now LTE.

Today many operators are running three networks based on different technologies - GSM (2G), UMTS (3G) and now the newer LTE. Since radio frequencies are physically limited assets and the demand for high-volume data streams is growing at a fast pace, operators must soon shut down legacy networks based on 2G and 3G in order to better utilize the frequencies they've allocated. LTE provides more bits per second per Hertz (bps/Hz) and is optimized to transport data. Users still expect to call with their phones, but LTE does not support circuit switched voice channels as previous standards did. To solve this, Voice over LTE (VoLTE) has been standardized. VoLTE works like IP telephony by transferring voice in small data packets. Now that VoLTE has become standardized and is fully operated in many countries[2], only old terminals, among which machine-to-machine (M2M) devices are strongly represented, stand in the way of an operator deploying LTE on frequencies currently used for 2G and 3G networks. LTE brings cost-saving and revenue-generating features for operators by providing more bandwidth and lower latency. Both subscribers and third-party developers are happy to have more bandwidth available to phones. NTT DoCoMo, the predominant mobile phone operator in Japan, introduced 3G as the first operator in the world back in 2001. In 2011 they shut down their 2G network, and offered the remaining subscribers incentives to jump to UE supporting 3G[3]. When their 2G network was shut down, they had provided LTE for some months.

Some expect that there will be over 50 billion non-personal data-only devices in the near future[4]; this, combined with human-owned devices, is estimated to generate over 24 EB of data per month in 2019. In 2014 global mobile traffic reached 2.5 EB per month[5].

With this in mind, the fact that an LTE-based Radio Access Network (RAN) can be completely taken down in a city, or at a local node, is a matter of concern. Mobile networks have always been exposed to attacks[6], and with LTE's bandwidth new services will come, and the data transferred will be more interesting for criminals and hacktivists.

2 Theoretical background

LTE is a standard for wireless communication of high speed data for mobile phones and data terminals. It is developed by the 3rd Generation Partnership Project (3GPP), which also developed the Universal Mobile Telecommunications System (UMTS, commonly known as 3G). The latest version of LTE is LTE Advanced, introduced in 3GPP Release 10 in 2011; only this latest version fulfils the ITU requirements for 4th generation wireless systems (4G). The first LTE (3GPP Release 8) is also commonly known as 4G.

With the release of LTE the whole cellular core system was redesigned to provide lower latency for both users and signaling systems. The new standard is based on packet switching instead of the circuit switching that is used in 2G and 3G networks. The new core has full IPv4 and IPv6 support[7]; they named it the Evolved Packet Core (EPC).

In the EPC all access nodes (radio towers) are called evolved NodeB (eNodeB), and the area they cover is called a cell. All the eNodeBs are connected to the Mobile Management Entity (MME), which handles most control functions (traffic known as signaling) between the EPC and User Equipment (UE) like mobile phones or wireless radios for computers. It handles activation and deactivation, chooses which Serving Gateway (SGW) to use, and is responsible for authenticating the user. The Home Subscriber Server (HSS) actually holds the information about the subscriber, so the MME talks to the HSS. The SGW routes packets from the UE as soon as the MME has established a connection[8]. The architecture is flat and all nodes have a way of talking with the others via IPv4 or IPv6. This is very different from the 3G architecture, where there was a hierarchical structure.

The LTE standard opens up for roaming between LTE networks and WiFi hotspots so customers can use their own broadband connection for calls and SMS services. In the US WiFi calling has been in use since 2007, and with LTE this becomes much easier. At the same time this increases the possibility of eavesdropping.

3 Security issues

In the last few decades cellular networks have rapidly evolved and become rather huge and complex systems as the number of UE increases and their users' expectations are high.

The widespread and fast migration to LTE in operators' networks worldwide opens the door to many threats. The new EPC, for example, has a flat data network and an open architecture based on IP with direct links to the packet core. Older systems like 3G were closed, with their own physical infrastructure and dedicated lines, proprietary and hierarchical, and thus difficult to penetrate and easy to protect. Older networks were based on low frequencies, and there could be many kilometers between each NodeB. LTE, on the other hand, needs high frequencies to offer the high data rate needed; the network consists of many small cells, which increases the number of access points for hackers. As I will discuss later on, some nodes will be very easy to get physical access to.

Furthermore, we are seeing huge numbers of third-party applications running on user devices. Many third-party developers are having a hard time securing their applications, and over the last few years the malware seen on Android UE has been growing tremendously fast[9]. The growth in business users connecting their phones to workplace networks and the huge flow of personal information can tempt criminals to work on this newer platform.

There are actually many vulnerabilities in the LTE network, some that didn't even exist in the 2G and 3G cellular networks.

3.1 Encryption

When 3GPP introduced LTE and the new EPC, fundamental changes were made in both the RAN and the backhaul. One of the big optimizations introduced in the LTE backhaul was the elimination of the Radio Network Controller (RNC) used in 3G and 2G networks. It controlled all the base stations (NodeB) and connected UE via a circuit switched network to both the internet and voice networks. In 3G networks the traffic is encrypted from the UE through the NodeB, and all the way to the RNC. By removing the RNC and moving its functions out to the Evolved NodeB (eNodeB) the overall latency in the network would be lowered. The LTE network aims for a 20 - 30 ms end-to-end latency. Unfortunately, removing the RNC also means that the full encryption that existed between the UE and the RNC deep in the backhaul is gone. In LTE the encryption on the wireless link is terminated at the eNodeB, thus leaving the traffic from the eNodeB to MMEs and other eNodeBs unprotected and in clear text. To solve this the 3GPP had two proposals, but these are optional for operators to implement. The first is to encrypt all signaling traffic between eNodeBs and the EPC with IPsec; the second is to implement full IPsec encryption for both signaling traffic and user traffic between all nodes.

Early in 2014 only around 20%[10] of worldwide operators had implemented IPsec in their network. I believe that this might be due to the additional cost and complexity associated with IPsec. EPC nodes must be powerful to handle future load, and the additional load when using IPsec will give operators extra cost. Also, the fact that IPsec overhead will consume bandwidth adds an extra cost, so operators are not embracing IPsec.

As LTE networks and the UE supporting them grow, the importance of a secure network gateway increases. The 3GPP has already made the interfaces between nodes ready to support IPsec tunnels to achieve secure transmission of data and voice. Luckily more and more operators are today choosing to implement LTE with IPsec, but there are still many networks being launched without any form of IPsec.
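An operator can check whether a backhaul link carries the unprotected traffic described above by classifying captured packets as IPsec-protected or cleartext signaling and user-plane traffic. The following is an added example, not part of the original paper; it assumes raw IPv4 packets taken from a capture on the eNodeB side, identifies protocols by their registered port numbers only, and uses constructed sample packets and addresses.

```python
import socket
import struct
from collections import Counter

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_SCTP = 17, 50, 132
SCTP_PORTS = {36412: "S1AP", 36422: "X2AP"}   # eNodeB-MME / eNodeB-eNodeB signaling
UDP_PORTS = {2152: "GTP-U", 2123: "GTP-C"}    # GTP user plane / control plane
NAT_T_PORT = 4500                             # IKE and ESP-in-UDP (NAT traversal)


def classify(packet):
    """Return (verdict, label) for one raw IPv4 packet.

    verdict is 'protected', 'cleartext' or 'other'. Port numbers are a
    heuristic: traffic on non-standard ports is reported as 'other'.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("other", "not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20:
        return ("other", "malformed header")
    proto = packet[9]
    if proto == IPPROTO_ESP:
        return ("protected", "ESP")
    # Non-first fragments carry no transport header, so ports are unknown.
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if frag_offset or len(packet) < ihl + 4:
        return ("other", "no transport header")
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if proto == IPPROTO_UDP:
        if NAT_T_PORT in (sport, dport):
            return ("protected", "IPsec NAT-T")
        for port in (dport, sport):
            if port in UDP_PORTS:
                return ("cleartext", UDP_PORTS[port])
    if proto == IPPROTO_SCTP:
        for port in (dport, sport):
            if port in SCTP_PORTS:
                return ("cleartext", SCTP_PORTS[port])
    return ("other", "proto %d" % proto)


def audit(packets):
    """Count verdicts and list every cleartext flow as (label, src, dst)."""
    counts = Counter()
    findings = []
    for pkt in packets:
        verdict, label = classify(pkt)
        counts[verdict] += 1
        if verdict == "cleartext":
            src = socket.inet_ntoa(pkt[12:16])
            dst = socket.inet_ntoa(pkt[16:20])
            findings.append((label, src, dst))
    return counts, findings


def _ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet for the sample (checksum left at zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


# Constructed sample: addresses and payloads are made up for illustration.
ENB, MME, SGW, SEGW = "10.10.1.20", "10.20.0.5", "10.20.0.9", "10.20.0.1"
SAMPLE = [
    # S1AP over SCTP sent in the clear from eNodeB to MME
    _ipv4(IPPROTO_SCTP, ENB, MME,
          struct.pack("!HHII", 36412, 36412, 1, 0) + b"\x00" * 16),
    # GTP-U user-plane packet sent in the clear from eNodeB to SGW
    _ipv4(IPPROTO_UDP, ENB, SGW,
          struct.pack("!HHHH", 2152, 2152, 20, 0) + b"\x30\xff" + b"\x00" * 10),
    # ESP packet from eNodeB to a security gateway
    _ipv4(IPPROTO_ESP, ENB, SEGW, struct.pack("!II", 0x1001, 1) + b"\xaa" * 48),
    # Unrelated UDP traffic
    _ipv4(IPPROTO_UDP, ENB, "10.20.0.53", struct.pack("!HHHH", 40000, 53, 8, 0)),
]

if __name__ == "__main__":
    counts, findings = audit(SAMPLE)
    print(dict(counts))
    for label, src, dst in findings:
        print("cleartext %s: %s -> %s" % (label, src, dst))
```

Any `cleartext` finding on a link that is supposed to run inside an IPsec tunnel means signaling or user traffic is leaving the eNodeB unprotected.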

In 2010 and 2012 Heavy Reading asked several qualified mobile operators the same questions about security measures in LTE adoption[11]. The results show that only 20% of the operators in 2010 answered that all cell sites would need IPsec implemented. In September 2012, 21 months later, 32% of the operators asked answered the same. Heavy Reading also asked operators if IPsec was needed in the backhaul; in 2010 17% said it would probably not be needed, but in 2012 4% said the same. Heavy Reading also says that in 2010 18% of the operators said that IPsec would not be needed at all, and in 2012 only 7% said the same. As we see from Table 1, the trend is in favor of implementing IPsec.

Heavy Reading asked the operators that choose not to adopt IPsec in their network why; it sorted the arguments it received and highlighted the flaws in their argumentation.

                                                              Dec 2010             Sep 2012
All cell sites will need IPsec implemented                    20%                  32%
At least half of all cell sites will need IPsec implemented   13%                  13%
A subset of cell sites will need IPsec implemented            19%                  23%
IPsec will probably not be needed in the backhaul             17%                  4%
IPsec will definitely not be needed in the backhaul           1%                   3%
It's still unclear at this stage                              29%                  14%
Don't know                                                    Option not offered   10%

Table 1: Mobile Operator Outlook on requirements for IPsec[11].

Some of the operators point out that privacy for their customers is not a priority, as many of them don't have any critical digital information: no online bank accounts, no credit cards, and they might not even have a street address. Valid points for now in my opinion, but I believe that this just postpones the problem some years. Implementing IPsec in an operational network will be an extensive process and require more work than deploying the network with IPsec natively from the start.

Other operators say that there are better ways of attacking their networks; they see the risk of data leakage from their backbone traffic as low. In my opinion this is a bad argument, even though we have not seen any large mobile network outages caused by hackers or criminals. All reported outages have been caused by glitches and software bugs[12]. I believe that now that we are seeing LTE networks pop up everywhere, and with the subscriber growth together with the amount of sensitive data traveling over these networks, hacking can be even more profitable than before. I believe that we can expect more attacks on mobile networks in the coming years.

Some operators said that they are waiting for IPv6 to be fully deployed in their network, as IPv6 natively supports IPsec. The one big downside of this approach is that it could potentially take a long time, as all of the operators' equipment would need to fully satisfy the IPv6 standard. In the meantime, all traffic is clear text.

On the other hand, Heavy Reading also talked to the operators that have already adopted IPsec in their network. They point out several risks behind the choice to adopt IPsec. If an attacker is able to get access to the interfaces between eNodeBs and the MME, he could potentially get access to the clear text stream, and with this information get access to other important nodes in the EPC. If the operator has no redundant MMEs to take the load if one gets shut down or compromised, the whole network could suffer an outage, a very critical event for the operator. The hackers could also intercept and listen to customer traffic, including VoLTE, which is deployed in many countries today. Many operators are also offering femtocells that customers can install in their offices or homes, connected to their own IP-based internet connection: a new potential security hole and entry point to the EPC. More about this matter in section 3.3.

The operators that mentioned these potential problems to Heavy Reading have concluded that the risk of clear text traveling in their networks is too high and needs mitigation. They are considering the cost of crediting customers with free services as compensation for an outage, and also emphasize that if there were an outage, or a leak of customer information and privacy, the reputation damage for the company would be terrible and take many years to repair.

3.2 Denial of Service

The flat topology that LTE and EPC introduced is fantastic for latency and data capacity for subscribers and operators; the downside is that the new architecture gives many new entry points to the core network. Small cells, femtocells and WiFi hotspots are new physical base stations that are cheap and easy to get hold of. In 2G and 3G networks there were no reports of large attacks on RAN and backhaul networks like the EPC in LTE, but I believe that this new architecture with so many entry points will make it much easier to plan and carry out attacks.

3.2.1 IP and signaling based

Denial of service (DoS) and Distributed DoS (DDoS) attacks have been a popular method of attacking network infrastructure and services over the last decade. One of the best companies that deal with this threat, Arbor Networks, writes a yearly report on DDoS attacks. They report a tremendous increase in the bandwidth used for DDoS attacks. In 2013 the highest reported attack was 309 Gbit/sec[13]. These attacks flood the victim with massive amounts of requests so that the service doesn't have the resources to handle the traffic and is effectively seen as shut down.

There are several DDoS scenarios that could disrupt and/or completely take down service for many cellular subscribers. As I mentioned earlier, the number of third-party applications built for mobile devices has seen massive growth over the last few years, and malware on mobile platforms is increasingly becoming an issue. The amount of Android malware almost tripled from 2012 to 2013[14]. The possibility that there are (multiple) botnets of infected cellphones is almost 100 percent certain. This is plausible because of the much higher bandwidth that LTE networks provide, and because people have sensitive information on their devices. Many applications are also poorly programmed[15], and hackers would want to exploit this.

Infected UE can take part in different types of attacks. One method is the "regular" attack that we have seen over the last decade on the internet, where remote-controlled computers work together to produce high amounts of traffic aimed at a specific node. Typically the attacker aims for a web page or other important infrastructure in a company or organisation[16]. Even though this attack is not aimed at the cellular network itself, it could have a huge impact on the cellular network. Infected UE taking part in the attack could disrupt service for all adjacent subscribers, but I believe that the probability of total communication blocking for all UE connected to an eNodeB today is very low. Most subscribers have a data rate cap, and the number of infected UE on the same eNodeB will statistically not be high enough to block all communication today, but it could impact the performance of the mobile network or become a problem later.

Infected UE can also participate in more effective attacks on equipment in the EPC by targeting weak points of the LTE protocol. A DDoS attack against the EPC has a much greater effect, and can potentially take down the network in whole cities or whole countries. LTE networks and cells are physically limited and shared between all UE; normally there is enough bandwidth to handle normal peak traffic in a cell. To efficiently use the available capacity in a cell, LTE assigns radio resources to each UE, and dictates when they can send and receive so other UE signals are not interrupted. The Radio Resource controller (RCC) holds this function. When a UE goes idle for some time, the radio resources are reassigned to a new UE by the RCC. Similarly, when a UE wants to send it has to ask the RCC for resources. All these control signals (signaling) to set up and disconnect the wireless connection take up time and resources on the eNodeB and RCC. Infected UE could abuse this signaling to build a DDoS attack on the eNodeB and RCC, resulting in a cell being inaccessible for adjacent subscribers.

The heart of LTE and EPC is the HSS; it is a master database that supports the EPC and performs authentication and authorization of UE. It holds, among other information, billing info, account info and the last known location of the UE. In 3G networks the node with similar functions was named the Home Location Register (HLR). Research has been conducted that explored the possibility of taking down this node using cellular botnets[17].

The authors of [17] found that a botnet as small as 11,750 compromised phones can cause a reduction in throughput of legitimate signaling traffic of more than 93% on a MySQL-based HLR with 1 million subscribers connected. Better database systems like SolidDB managed the load better, and with 141,000 compromised devices the authors achieved a reduction in legitimate signaling traffic of approximately 75%. The authors say that these numbers are less than 2% and 15% of the phones assigned to one HLR respectively, and that this percentage of infected devices is realistic, given the much bigger number seen on desktop machines. They concluded that this kind of attack on the HLR is highly doable.

The HSS node is involved in a lot of signaling traffic in the same way as the HLR node, and one could assume that an attack on this node is possible, with the result that a whole operator's network could be made inoperable for subscribers.

We can learn a lot from this study, together with the massive and fast growth in the number of malware applications seen on Android as discussed earlier in this paper. There is a strong possibility that these kinds of attacks can happen in the near future on LTE networks. Operators should be concerned about these results, and make sure that mitigating efforts are in place or that their HSSs and core links are strong enough to handle massive signaling. Signaling has become a rather large issue for operators over the last decade[18].
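One mitigating effort for the signaling abuse described in this section is to monitor how often each UE sets up a connection and to flag devices whose rate is far above that of normal always-on applications. The following is an added example, not part of the original paper; the log format (`timestamp cell ue event`), the event names and the thresholds are assumptions made for the illustration, and the sample log is constructed.

```python
from collections import defaultdict, deque

SETUP = "CONN_SETUP"   # hypothetical event name for a connection setup request


def parse(lines):
    """Parse 'timestamp cell ue event' lines into time-sorted tuples."""
    events = []
    for line in lines:
        ts, cell, ue, event = line.split()
        events.append((float(ts), cell, ue, event))
    return sorted(events)


def flag_signaling_abusers(events, window_s=60.0, max_setups=10):
    """Return {(cell, ue): peak setups inside any sliding window} for
    every UE that exceeded max_setups within window_s seconds."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, cell, ue, event in events:
        if event != SETUP:
            continue
        window = recent[(cell, ue)]
        window.append(ts)
        # Drop setups that fell out of the window; the newest always stays.
        while ts - window[0] >= window_s:
            window.popleft()
        if len(window) > max_setups:
            key = (cell, ue)
            flagged[key] = max(flagged.get(key, 0), len(window))
    return flagged


def signaling_share(events, flagged, cell):
    """Fraction of one cell's setup signaling caused by flagged UEs."""
    total = abusive = 0
    for _, event_cell, ue, event in events:
        if event_cell == cell and event == SETUP:
            total += 1
            abusive += (event_cell, ue) in flagged
    return abusive / total if total else 0.0


def build_sample():
    """Constructed log: three normal UEs and one UE that reconnects
    every two seconds for one minute."""
    lines = []
    for ue in ("ue-a", "ue-b", "ue-c"):
        for t in range(0, 300, 30):
            lines.append("%d cell-17 %s CONN_SETUP" % (t, ue))
            lines.append("%d cell-17 %s CONN_RELEASE" % (t + 12, ue))
    for t in range(100, 161, 2):
        lines.append("%d cell-17 ue-x CONN_SETUP" % t)
        lines.append("%d cell-17 ue-x CONN_RELEASE" % (t + 1))
    return lines


if __name__ == "__main__":
    events = parse(build_sample())
    flagged = flag_signaling_abusers(events)
    for (cell, ue), peak in flagged.items():
        print("%s on %s: %d setups within 60 s" % (ue, cell, peak))
    share = signaling_share(events, flagged, "cell-17")
    print("share of setup signaling from flagged UEs: %.0f%%" % (share * 100))
```

In the constructed log one device out of four produces about half of the cell's setup signaling, which is the imbalance an operator would want to rate-limit before it reaches the core.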

3.2.2 Radio based

In 2G and 3G networks, and in all other radio-based communication, radio jamming has been an issue that has been hard to prevent. Releasing a new standard could not completely solve the issues jamming creates. The problem follows from the physical limitations of the specification. Unfortunately this form of DoS also applies to LTE networks, and the LTE specification also opens up for a new, smarter method that can do much more damage than traditional (dumb) radio jamming.

Traditionally jamming was done by a criminal with a radio transmitter that could send radio signals on the same frequencies as the RAN used. The attacker typically wants to decrease the signal-to-noise ratio for UE in the nearby area such that communication is blocked. One way to stop this attack is to locate the device and stop it, or one could increase the power of the legitimate radio sender, in the LTE network's case the eNodeB. For an effective attack using this method one would require a lot of power on the jamming device. Typically equipment costing around 500 US dollars could block communication in a radius of 40 meters[19]. This kind of jamming is called Barrage Jamming and can easily be used without any detailed knowledge of the network.

In LTE a smarter jamming method could be used to locally interrupt service for all UE connected to an eNodeB without leaving traces that would make the eNodeB or the operator suspicious. In LTE there are many control channels required by all UE to access the local spectrum. If one of these control channels is not fully working, the whole protocol will fail and no one can send or receive data. An attack on these control channels would require much less power than a barrage jamming attack does, since the radio bands that are going to be jammed are much narrower. Mitigation for this smart attack is difficult since it is harder to notice. While under attack the network will appear unresponsive, but that could also indicate that there is no UE connected to the eNodeB. A well-organized group of attackers could simultaneously activate their jammers in a larger area and potentially disrupt service for a lot of subscribers. At a public event or in a crisis situation, for example a terror attack, this could be very effective in stopping the flow of information to the people affected by the terror attack or other events, as well as to government officers.

In his article [20], David Talbot states that there are eight possible attacks that could make a whole eNodeB inaccessible for all UE. The equipment needed is cheap and easy to acquire; some technical understanding of LTE is needed, but all the information needed is publicly known since LTE is an open standard.

3.3 Cell compromising

LTE networks use high frequencies, thus giving more physical bandwidth and being able to transport more bits. The downside is that these frequencies make the cell radius smaller, and that the need for more eNodeBs is extensive in highly populated areas. Another issue with high frequencies is their ability to penetrate walls and insulated glass. Offices and homes are having issues with coverage and capacity even in the middle of a city. To solve this, LTE operators offer femtocells, also known as Home Evolved Node B (HeNB).

Femtocells are small cellular base stations that can be placed in your home, or at your office, to provide better coverage and higher data rates. They are connected to the provider's backhaul network via the already established internet broadband connection. They are cheap and easy to install, and both operators and subscribers seem to love using them. Operators offload traffic and free capacity on their regular eNodeBs, thus avoiding expensive backhaul network upgrades. Users get better coverage and speed on their equipment. There are, though, some vulnerabilities associated with HeNBs. They provide a whole new access point to the EPC, and are easy to get physical access to. Criminals can order one and reverse engineer it. By making a rogue base station, the attacker can impersonate a genuine base station and fool legitimate users in order to intercept traffic. Again, when an attacker first has access to one eNodeB or HeNB, it is possible to gain access to all others because of the IP structure used in LTE networks.

Another issue with femtocells is that since they use the internet as an uplink to the EPC, they will also be reachable from the whole internet; a DoS attack against a company femtocell can disrupt service for many business subscribers. The 3GPP specification for femtocells (HeNBs) defines some security vulnerabilities that arise from the insecure wireless links between the UE and the HeNB, and via the internet to the EPC[21]. These links are vulnerable to many kinds of attacks. The current HeNB security mechanism cannot prevent man-in-the-middle attacks, eavesdropping attacks and compromise of subscriber access lists.

The 3GPP defines multiple threats to HeNBs[22] in the specification, many of them with the probability rated as possible in the threat matrix[22]. One of the other threats they list is modification of the software running on the HeNB. The 3GPP says that it is very likely that the boot code on a HeNB can be replaced to boot custom firmware that extends the functions of the HeNB. The HeNB can then be used to eavesdrop on the communication of connected users. Further, the 3GPP discusses that the HeNBs should be able to receive updates from a centralised server; as of now they are looking at the risk if this server is compromised. This is listed as extremely harmful, as a large number of HeNBs can be compromised and run modified code to perform eavesdropping and impersonation. They could also become part of a large botnet and be used to perform DDoS on the HSS, for example.

In 2013 security holes were actually found in one of Verizon's HeNBs. Security experts from the firm iSEC found a way of utilizing this security hole to get illegal access to any Verizon subscriber connected to it. They were able to eavesdrop on traffic sent and received on this HeNB[23]. Verizon admitted the security hole and said they patched it as soon as they were made aware of it.

4 VoLTE Quality of Service problems

In the coming years more and more subscribers will be moved to VoLTE, as legacy networks such as 2G and 3G will be shut down or deprioritized by UE and operators. UE will choose 4G where it is available and VoLTE will be preferred. Today VoLTE is a new feature in the cellular world; the first commercial VoLTE network was deployed in South Korea by the operators LGU+ and SK Telecom in the beginning of August 2012[24]. Not many operators worldwide have true experience with these kinds of networks, and as of today I could not find any reports of spam calls on VoLTE. The author of [25] found that spam over internet telephony (SPIT), a new form of VoIP spam, could be a serious problem, just like email spam is today. Spam attacks on VoIP gateways can consume so much bandwidth that quality of service (QoS) for VoLTE would be degraded. The author states that the open nature of VoIP makes it easy to broadcast SPIT, as is the case with spam emails[25].

VoLTE requires connections that have low latency and are jitter free in order to operate with the quality that users expect. Most of the deployed LTE networks are optimized with a median packet size of 512 bytes. VoLTE packets are 64kB and the audio codec used has a bitrate of 23Kbps. With this data optimization, most networks are not optimized to handle the QoS requirements for VoLTE. Securing QoS for VoLTE is essential for operators before they can fully switch to LTE and VoLTE[12]. Due to always-on applications on mobile phones the signaling load has increased drastically. Since operators worldwide have little experience with VoLTE, they have limited experience with its signaling load. To secure the QoS requirements for VoLTE a guaranteed bitrate bearer has to be set up, and this involves signaling. The authors of [12] write that it could be significant due to the events the IMS-based VoLTE architecture generates. IMS stands for the IP Multimedia System, which is the framework used to deliver multimedia services over LTE. VoLTE is one of these services.

5 Conclusion

In this paper I have discussed and given an overview of current vulnerabilities in LTE and EPC networks. I've focused mostly on encryption of the signaling and user data that travels through the EPC, and on DoS attacks that can cause local outages or make the whole network inoperable by attacking the eNodeB or important nodes in the EPC like the HSS. Together with the fast-growing malware trend on UE, it is likely that a huge attack that could cause a whole network to malfunction will occur in the coming years. The growth in deployments of HeNBs and more and more private and sensitive information traveling through the network are making the network attractive for criminals. I have also looked at the flat architecture and the fact that a successful attack on one node could give the hacker much access in the backhaul. Humanity's dependence on cellular networks will increase, and the importance of having secure and reliable communication will expand. There are still few resources on LTE security compared to 3G, but in the coming years I think that many of the issues will be addressed and solved for the next generation of mobile networks.

References

[1] Stewert Mitchell, PC PRO, Users switching to 4G for home broadband, March 2014

[2] Wikipedia, VoLTE, April 2015, http://en.wikipedia.org/wiki/VoLTE#Deployment

[3] NTT DoCoMo, DoCoMo brings forward 2G shutdown; confirms end-2010 LTE date, November 2009

[4] Ericsson, Ericsson White Paper, More than 50 billion connected devices, February 2011, http://goo.gl/lXvzDY

[5] Cisco, Cisco White Paper, Global Mobile Data Traffic Forecast Update, February 2015, http://goo.gl/AqJ3Yj

[6] Emmanuel Gadaix, Black Hat Asia 2001, GSM and 3G Security, April 2001, http://goo.gl/mEqYiy

[7] Frédéric Firmin, 3GPP MCC, The Evolved Packet Core, read May 2015, http://goo.gl/pRDMtb

[8] Motorola, Motorola White Paper, LTE: A technical overview, June 2007, http://goo.gl/59wpdC

[9] Trend Micro, Trend Labs 3Q 2012 Security roundup, Android Under Siege: Popularity Comes at a Price, 2012, http://goo.gl/qLiQf0

[10] Fred Donovan, Firence IT Security, LTE: The need for speed opens up security potholes, April 2014, http://goo.gl/l4XITE

[11] Patrick Donegan, Heavy Reading White Paper, The security vulnerabilities of LTE, October 2013

[12] Stéphane Téral, Infonetics Research Inc, Security at the Speed of VoLTE, February 2014

[13] Arbor Networks, Worldwide Infrastructure report 2013, 2014

[14] McAfee Labs, McAfee mobile security report, February 2014

[15] Amy Lee, The Huffington Post, Quality Of Android Market Apps Is 'Pathetically Low': Developer, June 2011

[16] Peter Giannoulis, SANS Technology Institute, Denial of Service attacks

[17] Patrick Traynor et al., Georgia Institute of Technology, On cellular botnets: Measuring the impact of malicious devices on a cellular core, 2009

[18] Martin Pineiro, LTE World Summit 2012, Signaling issues in telecom personal, May 2012

[19] cell-jammers.com, 12 Band GSM CDMA 3G 4G WIMAX Jammer, 2015, http://goo.gl/EuuwZw

[20] David Talbot, MIT Technology Review, One Simple Trick Could Disable a City's 4G Phone Network, November 2012, http://goo.gl/dErI86

[21] The 3GPP, Technical Specification Group Services and System Aspects; Security of Home NodeB (Rel 11), TS 33.320 V11.6.0, June 2011

[22] The 3GPP, Security of Home Node B (HNB) / Home evolved Node B (HeNB), TR 33.820 V8.3.0, December 2009

[23] Dan Nosowitz, Popular Science, A hacked mobile antenna in backpacks could spy on cellphone conversations, July 2013

[24] Ericsson, Ericsson Mobile Evolution with VoLTE, read May 2015, http://goo.gl/NTwQ0a

[25] Yongsuk Park, IEEE, A Survey of Security threats on 4G networks, November 2007