SECURITY : Third Generation Security Threats

author-image
Voice&Data Bureau
New Update

The advent of any new fangled technology is marked by new promises and
challenges. Be it the customer, operator or investor, everyone aims to pocket
huge profits through these technologies. However, there are certain fraudsters
and cyberpunks using the same technologies for illegal purposes. And sadly,
despite the increasing level of cyber crime in India, security of information is
mired in a slough of ignorance.

Advertisment

There is no denying that the mass adoption of wireless technologies such as
WiMax and 3G among enterprises will have plenty of advantages like cost savings.
However, given ease of accessibility of IT networks and thus data-from a meeting
room to hotel, café or a parking zone-the concerns of corporates cannot be taken
lightly.

Sophistication Magnified

In the past couple of years there has been a substantial addition in the
usage of smartphones in the corporate sector. This has been largely driven by
anytime, anywhere connectivity and access to various other online services.
According to industry experts and estimates, the number of malwares targeting
smartphones has increased significantly since the last few years.

“The data-centric approach of 3G and other associated services persuades us
to think whether the attacks experienced by data networks over many years are
also applicable to 3G networks. The answer could be affirmative in some cases,”
says Ajay Masur, CIO, Hirco.

Advertisment

Imagine the consequences if a hacker parcels out a malware infected version,
in a widely used application, on to a 3G/WiMax-based device and uses the
infected device to launch (DoS) Denial of Service attack against any target
area. Or start spreading the malware using P2P protocols?

“Are 3G users ready for the attacks/breaches? The answer is no. Many users
still do not believe that their phones can be targeted. For broadband
connectivity, we still prefer leased lines because of the reliability, speed and
time-proven architecture,” added Masur.

Get Ready for More

The recent terrorist attacks demonstrated the kind of threat unsecured
wireless networks can produce. Also, there are concerns from industry bodies
that if we fail to build a strong security mechanism, the country could face a
new level of cyber war where the entire corporate and business development could
be null and void in a fraction of a second.

Advertisment

Elucidating his concerns, Vikas Desai, lead technology consultant, India &
SAARC, RSA says, “After RBI's plans for inclusion of the bottom of the pyramid
for banking, more and more money-related transactions will happen over the
mobile. And except for how the compromise is done for these networks, the
threats are exactly the same-identity theft, fraudulent transactions, malware
distribution, etc.”

Security appliances and software sold to service providers to protect their
mobile networks will reach $889 mn in worldwide sales by 2011, says a recent
report by Infonetics. The report further states that the emerging adoption of
smartphones, iPhones and Windows mobile phones would be driven by consolidation
in the OS market, becoming a large target for hackers.

By adopting new breeds of technologies enterprises benefit by connecting
every branch, partner and customer at a very low cost.  Also, as employees'
laptops and smartphones are connected using high speed wireless broadband, it
enables them to create a virtual office. In addition, experts believe that it's
also possible to deploy 3G as an alternate backup link to the existing high
speed links. However, a comprehensive security policy and effective safeguards
should be the key priority of enterprises.

Advertisment

“The situation is complicated by the fact that 3G is backward compatible with
GSM. Thus, even if 3G has its own security features, a customer who leaves a 3G
network and travels into a GSM network is exposed to the same security threats
of the GSM networks,” says Avi Basu, founder and CEO, Connectiva Systems.

Third generation networks use KASUMI block crypto rather than the older A5/1
stream cipher. However, a number of concerns in the KASUMI cipher have been
identified in the past few years. KASUMI is basically a block cipher being used
to maintain the privacy and integrity of algorithms.

With more and more
usage of technology, the probability of e-hafta is also likely to develop

Pavan Duggal, practicising
advocate and cyber law expert, Supreme Court

of India

WiMax is a network
based on Internet protocol, and is subject to the vulnerabilities of any IP
network

Vikas Desai,
lead, technology consultant, India & SAARC, RSA,

a security division

of EMC

Advertisment

In addition, attacks possible on the telecom network, including DDOS, BOTS,
virus, worms, etc, are also possible on the mobile handsets. And it is therefore
important to implement the security on mobile handsets.

In the case of WiMax networks, the Privacy and Key Management (PKM) protocol
in authenticity mechanism is weak (where there is no base station or service
provider authentication) which makes it susceptible to cyber attacks. Some
industry experts also show concerns about the possibility of attackers using
legacy management frames to forcibly disconnect legitimate stations.

“While comparing with traditional 802.11x networks, 3G networks certainly
perform better on the security front. However, by intentional capacity overload
for a particular cell site, and possible DoS attack can be achieved using some
sophisticated devices,” says Dhiren Savla, CIO, Kuoni Travel Group, India.

Advertisment

One of the key security issue in WiMax network is the 'man-in-the-middle'
where impersonation of the base station or a two-way imitation between the
subscriber and base station is possible. Also, operators need to adopt proper
security measures over concerns such as theft of service, physical denial of
evidence and protocol denial of evidence. If we compare both these technologies,
data encryption used by 3G seems to be highly advanced with relatively lesser
chance for intruders to sniff or steal data.

“WiMax is a network based on the Internet protocol, and is subject to the
vulnerabilities of any IP network,” says Vikas Desai, lead technology
consultant, India & SAARC, RSA, a security division of EMC.

Commenting on the adoption of the technology, Shirish Patwardhwan, CIO, KPIT
Cummins Infosystems says, “WiMax is better suited for campus application which
has large coverage but is still limited to a boundary and its investments
upfront are cheaper than 3G. Also, we don't know whether we can install the 3G
equipment and use the band as private.”

Advertisment

Data Threatened

In this present milieu, where every second day there is a new virus attack
coming into the picture, enterprise and business users need to take a step
forward in the security domain. Security issues revolve around authentication,
encryption, user confidentiality, data integrity and lawful intercepts.

“The GSM or 2G networks were not built with data security in mind, and in
many cases simple encryption may not be operational. As the network will now
necessarily connect to other networks, potential threats multiply similar to a
device connected to the Internet,” says Arun Gupta, group chief technology
officer, Shoppers Stop.

As the adoption of 3G and WiMax gains traction in India, hacking into these
networks will become more lucrative and frequent. Also, it has been identified
that threats like DDOS, Trojans, etc, already loom large.

With the proliferation of wireless communications and m-commerce, information
is going to be more and more susceptible to attacks. Earlier, telecom networks
were more service-centric, closed and had a proprietary architecture approach.
Customer control and external exposure also existed to a lesser extent. However,
with 3G the network is going to be more open.

More Finesse

“The combination of users spending more time online than ever before and the
increased utilization of various media applications means corporate networks are
continually being opened up to new vulnerabilities. The increasing mobility of
work-force with enhanced usage of hand-held devices is also increasing the
complexity of corporate network security. This will be one of the key growth
areas for service providers,” says Sanjay Wig, CEO, Orange Business Services,
India.

Though most operators declined to comment on 3G security issues, Kuldip
Singh, director, technical, MTNL says, “As far as the security matters are
concerned there is not much of a difference vis-a-vis 2G and 3G. Issues like
data theft, spying, etc bug 2G network subscribers too. We have a similar
security infrastructure for 3G as for 2G. As services providers, our duty is to
make our network secured.”

Key
WiMax Security Concerns
  • Imitation of base station to subscriber,
    or a two-way imitation between subscriber and base station is possible
  • User and/or management traffic traveling
    over wireless/wireline links can be detected
  • Cyberpunks can access broadband services
    without proper authorization
  • Physical denial of evidence by perturbing
    the physical medium (jamming, etc)
  • Protocol denial of service by injecting
    new or modifying existing user and control traffic
3G
Security Concerns
  • Most of the security gaps which were there
    in GSM implementation are addressed by the 3G standards. But security is
    not full proof
  • IMEI transmission is not protected
  • Number of grievous concerns in the KASUMI
    cipher have been identified
  • User can be lured to camp on a false base
    station
  • Hapless security features of 3G-based
    devices and phones
  • Possible to hijack outgoing/incoming calls
    in networks with disabled encryption.

The issues related to radio interface or unauthorized access can be a big
concern regarding 3G technology. Also, one of the differences in the
third-generation networks is that the Serving General Packet Radio Service (GPRS),
Support Node (SGSN), Gateway GPRS Support Node (GGSN), and Packet Data Serving
Node (PDSN) for CDMA2000 are used to manage and control all wireless data.

“Since all data traffic passes through these controllers, any attack on these
systems will cause network-wide service outages. It is therefore imperative to
defend these network elements,” says Rama Subramanian, head systems engineering,
Juniper Networks, India.

“Service providers should opt for cryptographic authentication which verifies
the subscription with the home network when service is requested,” says Rana
Gupta, business head, India & SAARC, Safenet.

Furthermore, the legal system should be able to provide the essential support
in order to curb cyber criminals and hackers. Presently, the country is far from
tackling the issue of cyber crime. The existing laws also don't match up to
international standards.

“It is really shocking to find that offenses of hacking, as defined under
Section 66 of the existing IT Act 2000 have been entirely removed from the law
book. Also, in these circumstances, with more and more technology usage, the
probability of e-hafta is also likely to developed” says Pavan Duggal,
practicing advocate and cyber law expert, Supreme Court of India.

Notably, the Parliament of India has recently passed the amendments to the IT
Act 2000, which failed to meet the expectations of the corporate world and was
criticized by majority of the legal fraternity.

One pressing issue that enterprises face today is that of unplanned
expansion. Considering this, it is imperative to adopt solicitous strategy which
should be information-centric and focus on the risks involved in adoption of any
technology. Despite the risks, technologies like 3G and WiMax offer great
potential. The decision on the relevance and eventually the use of these
technologies should depend on core research and practical analysis by
enterprises. In addition, rather than just counting the subscriber base and
revenue, service providers and handset manufacturers should work to furnish
comprehensive security measures to make these technologies a big sensation in
the market.

Jatinder Singh and Prasoon Srivastva

jatinders@cybermedia.co.in