1. Security Issues in Mobile
Communications
By Brian Ellis, Melvin Jackson, Jessica Lobianco, James Simeon, and Daniel Francois
Abstract
Recent years have witnessed the rapid growth of mobile
computing environments. One of the major concerns in such
environments is security, especially in the context of wireless
communications. We describe some of the important issues
which need to be addressed in designinga security schemefor a
mobile communications provider. These include autonomy of
communicatingentities, mobility of the users, and limitationsof
the hardware and software. We describe a scheme which
addresses the above issues,and provides a correctand efficient
mechanism to establish secure communications. Our scheme
provides authentication of the communicatingentities, location
privacy, and secure messaging.
The Typical Profile of a Mobile Provider
The main purpose of a mobile communications provider is to
provide cellular and data communications infrastructure for its
customers. A typical provider will employee thousands of
people in positions such as Customer Support Representatives,
Telecommunications Technicians, and Communications
Engineers. Although most clients only deal with the above
mentioned representatives on a daily basis,there arenumerous
processes going on behind the scenes as well. Thousands of
technicians supporttheequipment used by these organizations.
A mobile provider procures,installs,and maintainsa plethora of
IT Equipment. Some of this equipment includes MobileDevices,
Mobile Applications and Software, Base Stations, Cellular
Towers, and even Fiber Optics Infrastructure as seen recently
with Verizon FiOS. However, of all the equipment, the most
important are the servers used to store all of the data that is
transmitted by users.
Mobile providers have large servers that store astronomical
amounts of data. Most public data from the provider is stored
on non-secure web servers housed by the organization or
contracted out to a third party. Private information from
customers and the provider is stored on secure web servers
requiringlogin credentials. Sincethereis a lotof data beingsent
and stored by these providers, there must be regulations in
place as well regarding the transfer and storage of this data.
Most contracts between mobileproviders and their clients state
that user accountinformation will only beaccessibleby the user
and the provider’s customer support representatives.
This is clearly putin placeto protect both parties and their data.
On a federal level, user information is protected under the
Telephone Consumer Protection Act (TCPA) and regulated by
the Federal Communications Commission (FCC) and the Federal
Trade Commission (FTC). Unwanted messages are addressed
under the Controllingthe Assaultof Non-Solicited Pornography
and Marketing (CAN-SPAM) Act of 2003. [1] Each of these acts
are paramount in the regulation, management, and protection
of consumer data and information.
Threats to the Provider and Customers
Many threats target mobile communications because of the
sheer number of users. Some of those threats can be prevented
and some must be mitigated after the fact. [3] Although there
area myriad of threats out there, some of the most common are
as follows.
Information Extortion:
Phishingscams useemail,textmessages, Facebook, and Twitter
to send you links to websites that are designed to trick you into
providinginformation likepasswords or accountnumbers.Often
these messages and sites are very different to distinguish from
those of your bank or other legitimate sources. Basically the
biggest defense for this type of attack, is common sense. Users
must be educated in the tactics that these scammers use and
must be ableto recognize and delete the messages immediately.
There is no software that will protect users against phishing
scams.
Deliberate Attack Software:
Spyware is designed to collector use private data without your
knowledge or approval. Data commonly targeted by spyware
includes phone call history, text messages, user location,
browser history, contact list, email, and private photos. This
stolen information could be used for identity theft or financial
fraud. Unfortunately, most users do not install any typeof anti-
virus or spy/adware blocker on their mobile devices. Therefore,
each time they are surfing the internet from their device, they
are susceptible to this type of spyware.
Theft:
The probability of a phone/device being stolen, leading to the
loss of data stored on that device as well as access into the
provider’s network. If an individual was able to steal a device
from a user, they would have access to all of their personal
information.
2. This could resultin identity theft or financial fraud. Fortunately
many manufacturers now offer location services to track the
device if itis stolen as well as the capability to remote wipe the
device. Remote wipe allows the user to wipe the hard drive of
the device clean from a remote location.
Technical Hardware/Software Failures or Errors:
Who could forget the recent release of the new iPhone, and all
the drama that was involved with its “bending phones”? With
the onslaught of new technology, we see phones and mobile
devices being phased in and phased out on a yearly and
sometimes monthly basis. Due to the demand to keep up with
the market, many manufacturers are not testing these devices
as they should. This leads to failures of the hardware and
software. The only cure for this is better testing of the products
by the manufacturers before releasing the products. Also,
manufacturers constantly update the OS’s for these devices to
ensure that users are up-to-date.
Risk Identification, Assessment, and Control
In order to control the risks involved in mobilecommunications,
one must firstidentify and assess therisks. This paper will look
at the two highest risks based on the above mentioned threats.
Using the chart below [1], you can find out which threats pose
the greatest risk to the organization.
You can see that Mobile Devices seem to have the largest
number of threats to them, and MobileApplications and
Servers are tied for second. This doesn’t necessarily mean that
these items have the highest risk though. In order to truly value
the risk to the asset,we must useanother chartin the risk
assessmentportion of this research.
Using the next chart, you can see the amount of loss that each
asset could incur if a threat were realized.
In this section, you can see that by looking a little deeper at the
impact an attack would have on an asset that the two largest
risks are to Mobile Devices and Customer Data.
Now that we have identified the threats, and assessed the risks,
we need to see what controls are available to put in place to
defend against the threats and thereby reduce the risk.
The followingchartshows the control measures that can be put
in place for each risk.
As you can see there are many controls that can be used to
reduce the amount of risk to each asset.
So, as we discovered, the two highest risk assets are Mobile
Devices and Customer Data. Now we must look more in-depth
at the threats to these assets and what controls we can put in
place to protect them.
Mobile Device Threats and Controls
Information Extortion:This would most likely bea phishingscam
or possibly a shoulder surfer looking at your mobile device. [2]
Control: To defend againstthis,common sense and being aware
of one’s surroundings will go a long way. However, if
information is extorted, then mitigation will be used to change
the user information.
DeliberateAttack Software: This is mostlikely goingto bea virus
that you get on your mobile device from downloading
something you shouldn’t have. [2]
Control: Many manufacturers are now making anti-virus
software for mobile devices. However, many people choose to
accept the risk and download that app anyway.
Theft: Basically asitstates,this isthephysical theftof the mobile
device. [3]
Control: The main control here again is common sense. Treat a
mobile device as if it were cash. However, if mitigation is
required, many devices have built in LoJack to track them, and
some have a remote wipe feature for the hard drive.
Technical Hardware/Software Failures: Manufacturers
sometimes build defect products and programs.
Control: Mitigation is really the only control here. If there is a
hardwarefailure, replacement or redesign is the best option. A
software failure can be patched through the manufacturer.
Customer Data Threats and Controls
Information Extortion: Again this could be a phishingscamor an
insider at the cellular provider stealing customer data.
Control: Common sense on the part of the user is the best
defense against phishing scams, and physical security by the
cellular provider is the best defense against and insider.
3. Theft: This could be someone on the inside physically stealing
the information from the server or this could beassociated with
web applications such as SQL Injection or Cross Site Scripting.
Control: Mitigation is the major control for this. If the
information is stolen by an insider, the customer must be
notified and changes must be made to their information. If it
involves a website,the customer again mustbe notified,and the
cellular provider should take measures to correct the
vulnerabilities on the web pages.
Defense and Contingency Planning
Thus far we haveidentified the major threats,assessed risks,and
put controls in placeto protect assets. However, the controls do
not just magically appear. That is where defense and
contingency planning come into place. Defense incorporates
three sections: Policy, Design, and Education.
Continuing with the pattern, we will now look at defense and
contingency planning for the two high risk assets that we
identified previously, Mobile Devices and Customer Data.
Mobile Device Defense and Contingency Planning
Policy:
Since the Cellular Provider provides services for paying
customers, it is hard to put restrictions on those customers and
even harder to enforce them. However, we can implement a
terms of use policy for the service that we provide. This policy
would most likely fall under the ISSP umbrella. In this policy we
would outline the terms of using us as a provider and what
actions will end a customer’s contractwith us. For example, if a
customer uses our serviceas a Wi-Fi hotspotand charges others
to use it, they can be cancelled as a client.
As a cellular provider, we could not regulate Wi-Fi connection
activity of the customers. They will be connecting at their own
risk,and as a cellular provider we will notbe responsiblefor any
unsecure activity they perform that is not on our network.
Many cellular providers aregoingto a contract now that allows
a client to rent their phone rather than buy it. With this, we
could implement a SySP [1] that protects us from having to
replace a client’s device if they download some malware while
using an unsecure connection.
Design:
In order to prevent software attacks on clients, we could work
with cell phone manufacturers to ensure the integrity of data
transferred on each device. This would prevent many of the
malwareissues thatare currently involved with mobile devices.
In order to prevent phishing scams, we could route suspicious
messages to a junk folder on the email server that clients useto
access their email over mobile devices. This would quarantine
the suspicious messages in a separate area. Also, our email
server must have a physical firewall incoming, and outgoing to
protect the client from harmful attacks. [3]
Education:
In the caseof software attacks, customers must be educated on
the use of only encrypted Wi-Fi connections, and downloading
suspicious applications to their mobile devices.
As for phishing,awareness is key in preventing customers from
opening suspicious emails and sending their information to
unauthorized personnel.
Contingency Planning:
In most of the cases with mobile devices, we are going to be
addressing incident response. Mobile devices are not like
computers that are networked together all the time, so most
issues will only affect the individual user. In this case, we will
not need to address a Business Continuity Plan. Disaster
recovery, however should be addressed. Not on the level of an
organization,but on the level of each user. If a user’s deviceis
attacked they could lose all of their data. In this case, the
disaster recovery plan involves havingtheuser’s data backed up
to a computer hard drive, or to a cloud service. This is very
popular with Apple iPhones. They back up a user’s data to their
cloud service on a regular basis.
Customer Data Defense and Contingency Planning
Policy:
For the customer data that is stored on the cellular provider’s
servers, we must put into place a System Specific Policy and an
Issue Specific Security Policy. The ISSP will direct users to
addressing the servers that contain customer data. It will also
regulate who has access to what on the server. The SySP will
address the server itself and how the information is to bestored
and encrypted on the server.
Design:
In the design phase of the protection of customer data, we will
use many layers of protection. First and foremost, the
information must be encrypted. Secondly, we will have to put
access controlsin placeto ensureonly authorized individualsare
accessing the data. Then we will create backups of all of the
data. Next, we will put firewalls into the server, and out from
the server. And lastly, we will monitor the systems to ensure
that no unauthorized breaches have taken place.
Education:
As with mobiledevices, we again will have educate everyone on
the proper useof the system. Most of the lower level agents will
receive annual awareness training to address specific attacks
and trends that hackers areusing. Upper level management will
be sent to trainingon a regular basisand will be required to get
information security certifications. The highest level
administratorswill berequired to get a Master’s degree in cyber
security which will be paid for by the company.
Contingency Planning:
In the contingency plan for customer data compromise, we will
spend a lot of time doing Incident Response. If we put a
monitoring system in place for the data, we can mitigate
4. incidents that arise on a daily basis. Disaster recovery for this
will be addressing natural disasters, in which we will have to
move everything to another location, as well as backups of
information in caseall islostor stolen. The Business Continuity
Plan will provideinformation on alternate locations to operate
from as well as how to recover the data through backups.
Network Security Measures
Another important aspect when it comes to securing data as a
mobile communications provider, is securing the network that
the data travels over.
One of the biggest threats to our organization, as we have
identified earlier, is the theft of customer data. In order to
prevent this from happening we must put security measures in
place on the network. The first diagram below is the network
diagram for our organization with no security components in
place. The second diagramwill showthe security components
that we have selected as well as an explanation of those
components.
CELL SITES CELL-SITE AGGREGATION DATA CENTER
2G/3G/4G
2G/3G/4G
2G/3G/4G 2G/3G/4G
2G/3G/4G
Fiber Optic
Microwave
Fiber Optic
Microwave
Microwave
Switch
Router
Router
Router
Switch
Switch
Switch
Switch
Switch
Switch
Switch
File Server
Email Server
Web Server
Data Store
Data Store
Host
Host
Host
As you can see above, this is a simple diagram of a typical
network for a mobile communications provider. This diagram
contains no security measures on the network.
The next diagram is a carbon copy of the first, but it contains
numerous security measures to protectthe data thatis traveling
over the network. Note that the measures shown in this
diagram are only some of the controls that a typical mobile
communication provider may use to protect its network. There
are countless other protocols that can be employed as well.
Keep in mind that the security controls that we show here are
incorporated using software and hardware. For example, the
firewalls that are put in place will most likely be done using
hardwaresuch as routers,and softwareinstalled with operating
systems on the servers and each host. The Network-Based IDPS
will be integrated using software and most likely a third party
monitoringsystem. Take a look at the diagramand you can see
what we mean.
CELL SITES CELL-SITE AGGREGATION DATA CENTER
2G/3G/4G
2G/3G/4G
2G/3G/4G 2G/3G/4G
2G/3G/4G
Microwave
Microwave
Microwave
Switch
Router
Router
Router
Switch
Switch
Switch
Switch
Switch
Switch
Switch
File Server
Email Server
Web Server
Data Store
Data Store
Host
Host
Host
DMZNIDPS Server
NIDPS
NIDPS
NIDPS
NIDPS
NIDPS
Fiber OpticFiber Optic
HP
Application
Firewall
Inbound
Outbound MAC
Filter
Inbound Packet Filter
In this diagram, you can see there are quite a few security
measures in place. Here we will explain each component.
1. We used a Network-Based IDPS to examine packets on the
network before they reach the aggregate switches and
routers. This will ensure that we are alerted to suspicious
activity prior to it reaching the internal network.
2. We used a firewall in front of the primary switch into the
DMZ which will filter packets. This will add another layer of
security to our internal components.
3. We set up a Honeypot to detour would be data thieves from
actually reaching our servers. We hope that they are lured
by the easy target rather than hitting valuable data.
4. We put all of our servers into a DMZ which so that we have
that extra layer of defense in placeto protect sensitivedata.
5. Lastly, we put in an application firewall to our internal
machines, and an outbound firewall which filters MAC
addresses so that we know only authorized machines are
sending out information.
6. Rules we would use are as follows:
a. Any, Any, Email Server, 25, Allow (Allows only SMTP
mail to the email server)
b. Any, Any, Web Server, 80, Allow (Allows all traffic to
web server)
c. Any, Any, File Server, 20, Allow (Allows only FTP
transfer on file server)
d. Any, Any, File Server, 21, Allow (Same as above)
As mentioned before, the components highlighted here areonly
a sample of the available protective components that could be
and are applied to data networks throughout the various mobile
provider’s infrastructures.
Physical Security
Lastly,we will look atphysical security controlsthatcan beputin
place in our organization to protect our assets. Unfortunately,
the subject of physical security is a vast one, and we will not be
able to address every aspect of those physical security controls
our organization will integrate. However we will touch on some
of the broader issues thatneed to be dissected and look at why
those controls are in place.
5. Physical Access Controls
The first physical security issue we will look at are access
controls. Since our mobile communications provider stores
sensitive data in their data storage center, only authorized
personnel must be admitted to this area. This can be controlled
by using Identification Badges and Scanners. Each employee
who is authorized to enter a specific area mustscan their badge
to gain entry.
In order to protect against unauthorized access, we will put
Mantraps [1] in placein these sensitiveareas. This will trap the
unauthorized person in a corridor leading to the secure area
where they will remain until security personnel can escort them
out of the building. During this time the unauthorized person
will have no access to the data storage area, nor will they have
an exit from the corridor.
Fire Security and Safety
As with all organizations,fireis a concern and a viablethreat to
assets. In order to prevent fire from destroying our company,
we will put fire suppression systems in place throughout the
facility. These suppression systems will differ depending on the
area of the building that they are in. For example, in the data
storage and server areas, the fire suppression system will be a
Class C system. A Class C systemis used for electrical fires which
will mostlikely bethe causein these areas. In the general office
areas,we can use a Class Asprinkler system. A Class Asystemis
for simplecombustibles. Thesprinkler systemwill automatically
spray water over the area if they are activated by flames.
Mobile and Portable Systems Security
The lastissuewewill addresswith physical security is themobile
and portable systems security. There are many things that
mobile users can do to protect their devices from being lost or
stolen. One such thing is a GPS type software. Many
manufacturers offer a type of location softwareon their devices.
This software will allow a user to track where their phone is in
the event that it is lost or stolen.
A second mobile security tool is having a passcode lock on the
device itself. With a passcodelock in place,a user must inputa
PIN to unlock their device. Your phone will not allowa thief to
see your information unless they know this PIN. [4]
The third tool is something called a remote wipe. The remote
wipe feature is installed on many mobile devices and allows a
user to remotely erase their device’s hard drive in the case of
the device being stolen or lost. Once the hard driveis wiped,no
one will haveaccess to the data that was onceon this device.[4]
Conclusion
The explosivedemand for mobilecommunications is drivingthe
development of wireless technology at an unprecedented pace.
Unfortunately, this exceptional growth is also giving rise to a
myriad of security issues at all levels—from subscriber to
network operator to service provider.
Here we have addressed some of the threats to mobile
communications providers. We discovered that as the
technology increases,so do the threats. We also looked at how
to identify, assess, and control risks that arise from those
threats. It is imperative to do a complete assessment of each
threat to discover the amount of damage it can cause your
organization if it is realized.
Next we looked at defense and contingency planningwhich has
four elements. Those elements are policy creation, logical and
physical design, education of users, and contingency planning.
The last two things we looked at were network security and
physical security of the storage and transmission infrastructure
of the organization.
Hopefully after reading this research paper, you have a better
understanding of all of the components that are in place to
protect you and your data when usingwireless communications.
References
[1]Whitman, M. E., & Mattord, H. J. (2012). Principles of Information
Security. Boston: Cengage Learning.
[2]Ruggiero, P., & Foote, J. (2011). Cyber Threats to Mobile Phones.
Retrieved April 02, 2015, from US-CERT.
[3]Swords, T. (n.d.). The New Target for Security Threats: Your Cell
Phone. Retrieved April 02, 2015, from Norton.
[4]TechTarget. (2014). Learning Guide: Mobile Device Protection.
Retrieved April 02, 2015, from TechTarget.