The two-day Network Security Conference in May 2013 covered several topics related to mobile network and device security. Key discussions included the importance of securing user data in the cloud rather than on devices, making users aware of background functions and security risks, and challenges for operators in providing security while controlling costs. Presentations also addressed security issues for emerging technologies like LTE, M2M/IoT, and small cells. Attendees discussed the need for continued user education on security best practices as threats evolve with new mobile applications and connectivity.
2. The only secure mobile is one that is switched
off with battery removed - Charles Brookson,
GSMA/ETSI at #NetworkSecurity
3. Interesting comments, questions, etc. - #1
• Professor Ed Candy, Technology Strategist, 3 Group: Diversity
in devices is great. The diversity of makes, models, OSs, apps,
etc. means that no collective threat can be posed against them.
• Firewalls in the networks are good too, but too many of them
can slow the network down. In the beginning, when ‘3’ UK
rolled out 3G, 14 seconds were being lost due to them.
• Charles Brookson mentioned that he turns off 3G and uses
GSM/GPRS to save battery life.
• Apps should store data in the cloud and not on the device, so
that if the device is lost or compromised the user data is not
lost to third parties.
• Users should be made aware of the background functions and
services on the device, and also of the threat/safety level of
these.
4. Interesting comments, questions, etc. - #2
• The operators can provide more security but it costs them to
do this. They have to work out a way to pass this on to the
users.
• Very little malware on Google Play. Risk is very low. Android
malware hits countries where third-party app stores are the
norm.
• Consumer education is key. It is good not to be complacent
about malware, but it is generally unnecessary to have mobile
antivirus.
• The mobile network should not be the only technology for
critical access. There should be other means as well.
• A5/3 (security algorithm for GSM/GPRS) was standardised in
2001 and is more secure than the previous algorithms, but
was not widely available till quite late because it was not IOT
(interoperability) tested and mandated by operators.
6. Day 1 began with a Panel Discussion moderated by Charles Brookson from GSMA with
some of the points I have already mentioned earlier
7. David Rogers from Copper Horse spoke on Incident Management for Mobile Malware and
on Responsible Disclosure. He also distributed a leaflet prepared for the UK police
regarding phone security. More details on that here.
8. Eric Gauthier, Head of Technical Fraud and Revenue Assurance, Orange gave an
Introduction on LTE and how Security was handled all the way from 0G (pre-cellular) to
4G/LTE.
9. Talal Faroug, Quality Assurance Manager, MTN, SUDAN gave a talk on Understanding the
Business Case for Network Security. His main focus was on SIM Box Fraud.
10. Telecom Concepts Blog has a nice write-up on this topic here -
http://telecomconcepts.wordpress.com/2010/02/01/simbox-fraud-detection-and-billing/
Another useful writeup on this topic here.
11. See Also GSMA press release: Raids on SIM box/GSM gateway fraudsters save mobile
operators millions
12. Feride Cetin, Group Strategy & Innovation Security & Intelligence, Swisscom focussed her
presentation on some of the initiatives taken by Swisscom on Apps Security and Rating
13. There were some good examples of how developers manage to ignore basic security
guidelines while making excellent apps. The result is that they have to go back and fix the
issues at a much later stage, and at the same time get a lot of negative publicity that can
sometimes be harmful for the business.
14. 5 Rating Criteria to understand how apps behave: Permission, Privacy, Data Traffic, Data
Storage and Man in the Middle
16. David Rogers from Copper Horse Solutions Limited chaired the second day proceedings. I
think his main message is as shown in the slide above and is self explanatory.
PS: In case you are not from the UK, the above picture highlights the beef (horsemeat) scandal.
17. Dr. Christoph Peylo, VP Deutsche Telekom Innovation Laboratories started the day with an
interesting presentation on "Remote Control and Device Security: How Cyber-Attacks Can
Impact M2M"
18. The talk was so interesting that I should put up the slides or more detailed presentation on
this topic sometime later
20. Gert Pauwels, M2M Marketing Director, Mobistar spoke on the operator Orange’s position
on M2M. The key takeaway was the GMA Certification Program as shown in the slide
above.
21. Carlos Olea, Network Security Manager, Telefonica International focussed on DDoS
(distributed denial-of-service) and how Telefonica handled the Spamhaus and other DDoS
attacks, and what they have learnt from this.
23. Adrian Drury, Lead analyst, Ovum spoke about RTB. I don’t remember him mentioning what
RTB is, but my understanding is that it stands for Real Time Bidding -
http://en.wikipedia.org/wiki/Real-time_bidding
25. Raj Samani, Vice President, EMEA CTO, McAfee spoke about how connected devices have
changed our lifestyle and the security issues that we are facing in this connected world.
26. Raj had some very interesting bits that he mentioned but the slides let him
down a bit. Here are some that were mentioned on Twitter during the
event:
• In Germany, the smart meters polling interval was reduced to 2 sec and
it can tell the name of movie being watched. This is because each movie
has its own unique energy consumption pattern.
• Privacy a big issue for smart meters. Easy to analyse usage; what is being
used and when.
• In USA in some new buildings, connected devices are even being put in
the bricks to track humidity, etc.
• Everyone has a price when it comes to giving up private data
• A powergrid in US said that they face 10K cyber attacks per month as per
@Raj_Samani
27. Jon Howes, Technology Director, Beecham Research spoke on "M2M Solution Security". A
whitepaper on this topic is also available on their website here.
28. Reinder Wolthuis, Project Manager Information Security, TNO spoke on "M2M Security"
and gave us the results of the ETIS M2M security survey.
29. Personally I am a bit surprised that M2M devices would move to UMTS. The biggest issue
for M2M devices using UMTS is the battery power consumption. It's better to stay on
GSM/GPRS if the amount of data transfer is low, or move to LTE if the amount of data
transfer required is high.
30. “Dutch research found that network operators worry about physical tampering but don't
do anything about it”
33. The final talk of the day was by Ravishankar Borgaonkar, Researcher, Deutsche Telekom on
the topic of "Small Cells in Hostile Environment". I have covered earlier presentations by
Ravi on the blog here and here. One of the issues highlighted above, and by others as well, is
that a security feature may be asked for by the operator but may not be supplied by the vendor.
35. Additional Reading
• Small Cells and the City – My presentation from Small
Cells Global Congress 2012
• Rel-11/12 3GPP Security Update – 3GPP
• Present and future Standards for mobile internet and
smart phone information security - ETSI
• Evolution of 3GPP Security
• Femto Hacking in UMTS and LTE