NIST SP 800-187 Guide to LTE Security

Status: Published
Published Date: December 2017
Region: United States
Document: Link

Background

The SP 800-187 standard from the NIST is focusing solely on 4G LTE. It outlines the capabilities, benefits, and challenges of deploying LTE cellular technologies with the subsequent standards developed after the 3GPP.
Contrary to traditional cellular technologies, LTE introduced packet switching (referring to data compression and processing), as opposed to circuit switching for previous cellular implementations. The use cases are not, however, described in the SP 800-187. Rather, the document focuses on covering the core technological documentation and description of LTE, followed by top-level intelligence, which can be used as the basis for every single LTE-enabled IoT project.

Summary

Harnessing Internet Protocol (IP) through LTE: The document places great emphasis on another key technology enabled by LTE networks: the IP. The power of IP-enabled technologies is a great bargaining chip used by Mobile Network Operators (MNOs) to solidify their presence across the IoT and became the basis for the development of Voice over LTE (VoLTE), similar to Voice over IP (VoIP), with North America currently enjoying widespread adoption. Additionally, LTE networks can consistently enable IP communication, enabling data network services between connected devices and MNOs, and maintaining connectivity in different points in the cellular infrastructure (i.e., communication towers). The use of IP technologies, however, has introduced a host of new dangers for cellular implementations.

Cyberattacks Analysis: Perhaps unsurprisingly, malware threats, eavesdropping, specific network or IP attacks (e.g., replay attack), and radio jamming attacks are some of the key threats outlined. Malware
threats mainly refer to infected devices and a corrupted Operating System (OS) or firmware in end devices, but also expand to malware present in MNOs’ network infrastructure, as well as the possibility that infected devices or MNO systems can be leveraged to launch sophisticated Distributed Denial of Service (DDoS) attacks. Additionally, the creation of rogue base stations is a fairly inexpensive process because they operate mainly on 2G. However, these stations can leverage the mechanics of cellular communication, exploiting devices that connect automatically to said base stations due to geographical proximity and certain protocols’ backwards cellular compatibility in favor of user mobility (i.e., allowing users to always stay within cellular connection, even with older communication protocols).

The connected car and transportation segments are two of the key IoT markets that can fall prey to the
aforementioned attacks and a host of other vulnerabilities including:

• Malware installed by insecure infotainment apps or services
• Higher chance of intercepted communications by rogue base stations due to constant mobility
• User and car geolocation tracking (can even be enabled by any smartphone present or
  connected to the vehicle)
• LTE-based attacks by compromised femtocells
• Theft or compromise of encryption keys allowing attackers to impersonate a victim’s device in the network and decrypt any information received

Additionally, another important section outlined in the document is several forms of damage control
and mitigation for IP, network and authentication threats and attacks versus LTE-enabled devices. The SP 800-187 does not go in great lengths investigating these threats but even the top-level perspective offered is quite useful.

Maintaining Data Integrity and Data Confidentiality for OTA Communication: The document states that Non-Access Stratum (NAS) and Radio Resource Control (RRC) protocols are now mandatory in 4G communication. The function of these two protocols is relatively similar. They both refer to functional and security layers present in 3G and 4G communication focusing on network and IP security, including establishing connection to control stations, broadcasting or withholding system information, continuous user mobility, and network migration. However, encrypting the air interface is left up to the MNOs’ choice. The SP 800-187 makes the case that operators investing in such encryption methods can prevent certain types of attacks and eavesdropping, albeit with a sizable network latency. Therefore, the document suggests that operators are left to make their own choice between: a) confidentiality protection and b) communication latency (depends on their needs or security threshold required).

Encryption, Confidentiality, Integrity, Identity: This document makes some minor suggestions
regarding all previously mentioned topics with regard to LTE communication and network security. These include the following:

• An additional indication that informs the user regarding the confidentiality protection of
  their devices and the encryption status of the OTA communication. These will require either
  the OEM or chip vendor (e.g., Samsung, Intel, Qualcomm) to enable those options or
  perhaps new firmware updates from system operators and software developers (e.g., Apple,
  Google, Microsoft).
• OTA updates and patch management, identity management, and Intrusion Detection and
  Prevention Systems (IDPS) should be implemented by MNOs across the LTE infrastructure.
• Data confidentiality can be ensured by protecting the IP communication with cryptographic
  measures and securing the S1 interface. The S1 is a piece of hardware used to enable wireless
  communication with mobile LTE handsets.

Note

It is important to note that the SP 800-187 does not expand upon each and every market segment
regarding its respective LTE advantages or implementation hurdles. However, it does provide architecture, authentication, and network documentation featuring the key elements of LTE deployments, which are the backbone of every LTE cellular application across the entire IoT. In short, this is an important document outlining mitigation techniques, cryptography, and digital security intelligence for implementers interested in the security revolving around the cellular tech migration and even future-looking visionaries in preparation for future 5th Generation (5G) cellular technologies.