Security analysis of wireless mesh backhauls for mobile networks

https://doi.org/10.1016/j.jnca.2010.03.029

Abstract

Radio links are used to provide backhaul connectivity for base stations of mobile networks, in cases in which cable-based alternatives are not available and cannot be deployed in an economic or timely manner. While such wireless backhauls have been predominantly used in redundant tree and ring topologies in the past, mobile network operators have become increasingly interested in meshed topologies for carrier-grade wireless backhauls. However, wireless mesh backhauls are potentially more susceptible to security vulnerabilities, given that radio links are more exposed to tampering and given their higher system complexity.

This article extends prior security threat analyses of 3rd generation mobile network architectures for the case of wireless mesh backhauls. It presents a description of the security model for the considered architecture and provides a list of the basic assumptions, security objectives, assets to be protected and actors of the analysis. On this foundation, potential security threats are analyzed and discussed and then assessed for their corresponding risk. The result of this risk assessment is then used to define a set of security requirements. Finally, we give some recommendations for wireless mesh backhaul designs and implementations following these requirements.

Introduction

Radio links are used to provide backhaul connectivity for base stations of mobile networks, in cases in which cable-based alternatives are not available and cannot be deployed in an economic or timely manner. To ensure high availability, such wireless backhauls have been predominantly used in redundant tree and ring topologies. Yet, following the success of WiFi-based wireless mesh networks in recent years, mobile network operators have become increasingly interested in meshed topologies for carrier-grade wireless backhauls as well. Mesh topologies may provide availability levels comparable to redundant trees and rings, while being more flexible and using capacity more efficiently.

However, radio links are also more exposed, and thus easier to tap and to interfere with, than their wired counterparts. This makes wireless backhauls, and in particular multi-hop ones such as wireless meshes, potentially more susceptible to security vulnerabilities. For carrier-grade wireless mesh backhaul solutions, security therefore becomes a high-priority non-functional requirement.

Mobile network operators have high security demands in order to protect their business assets. These assets include not only the mobile network infrastructure and services, which must be protected from unauthorized use and from attacks on their availability or quality, but also an operator's reputation with current and potential customers. Operators thus need to ensure that customer data transported via their networks is protected against misappropriation. In some legislation, this is even an obligation of carriers as part of their due diligence.

Architectural design issues can quickly compromise these security goals. A prominent example is GSM's security architecture that only requires user authentication towards the network. In contrast, the network itself is not authenticated to its users. This design flaw has subsequently been exploited to mount “false base station attacks”: An attacker uses a device popularly called “IMSI-catcher”, which pretends to be a legal base station with a superior signal quality. This causes mobile phones in the vicinity to associate themselves with the false base station, which then signals the mobile phones to switch off encryption, as investigated by Adoba et al. (2004). Similar attacks have been reported for Universal Mobile Telecommunication System (UMTS) networks by exploiting Global System for Mobile Communications (GSM) backward compatibility, as stated in Adoba et al. (2008).

Although security attacks are well studied in 3G networks (see, e.g., iGillott Research (2007) for a study of security in 3G networks including some statistics on attacks in the past), the multihop nature of Wireless Mesh Backhauls (WMBs) exposes the network to new security threats which require additional measures to counteract. This article therefore extends the security threat analysis of 3G network architectures by 3GPP (2001) for the case of WMBs.

The following section provides an overview of related work. Section 3 starts with a description of the security model for the considered architecture. It then provides a list of the basic assumptions made for the subsequent security analysis and introduces the security objectives, the assets to be protected and the actors of this analysis. On this foundation, potential security threats are analyzed and discussed in Section 4. They are classified both by the security objective under attack and the point of attack. Not all identified security threats are equally likely, as they require various levels of sophistication of an attacker. Also, the impact of a successful attack on the mobile network operator can vary. Thus, Section 5 performs a risk assessment of the identified security threats. The result of this risk assessment is then used to define a set of security requirements for wireless mesh backhauls. These requirements are outlined in Section 5.5. Section 6 then provides a list of general recommendations to meet these requirements for the design of wireless mesh backhaul architectures and protocols. Finally, Section 7 provides a short summary of the findings in this analysis.

Section snippets

Related work

Over the last years, a number of security architectures and mechanisms have been devised for Wireless Mesh Networks (WMNs).

Some of these works address user authentication in WMNs. For example, Zhang and Fang (2006) propose ARSA, a security architecture that allows users to access and roam between a multitude of WMNs belonging to different administrative domains based on a “pass” of a third-party provider. This is supposed to resolve the problem of establishing pair-wise trust relationships

System model and security model

As stated in the introduction, before describing the potential security threats of a WMB a detailed system description is necessary to provide a reasonable understanding of the considered network architecture. Hence, this section presents the system model, the assumptions, the security objectives, the assets and the actors considered in the following threat analysis.

Identification of potential security threats

This section analyses the system under test with respect to the potential security threats it may be subject to. As argued in Section 3.1, one can assume that the wireless mesh backbone is embedded into a full mobile network architecture that provides its own security features. The following analysis therefore does not cover security threats targeted at the wireless access link (data and signaling), the core network (data and signaling) or the end-to-end user data protection.

Risk assessment of security threats

After defining all investigated security threats in the previous section, all threats will be assessed regarding their risks to the security of the WMB. The main goal of the risk assessment activity is to evaluate the identified potential threats and assign risks to them. They thus become comparable with each other. Furthermore, this allows major risks to be identified.

For the risk assessment, we adopt the methodology defined by European Telecommunications Standards Institute (ETSI)'s Security

Recommendations for the architectural design

For some of the security requirements identified in Section 5.5, namely R1–R5, standard security solutions exist that can be employed to fulfill these requirements. For requirements R6–R10, in contrast, no standard security solutions exist. These need to be dealt with by “security by design”, which means to design both architecture and implementation in a way that precludes the respective threats from the beginning. This section provides some general recommendations on how to achieve these

Conclusions

The objective of this security analysis has been to identify potential security threats to a WMB architecture and to provide recommendations on how to resolve the underlying security issues for the cases that standard security solutions do not exist. The analysis started with delimiting the scope of the system under study. The context of carrier-grade WMBs helped to focus the scope, because it makes it reasonable to assume that several security features are already in place and that furthermore

Acknowledgements

This work was partially funded by the European Commission within the 7th Framework Program in the context of the ICT project CARMEN (2008) under Grant Agreement no. 214994. The views and conclusions contained here are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Carrier Grade Mesh Networks (CARMEN) project or the European Commission.

References (14)

  • 3GPP. Security threats and requirements. 3GPP TS 21.133 (V4.1.0);...
  • 3GPP. Access security review. 3GPP TR 33.801 (V1.0.0);...
  • Adoba B, Blunk L, Vollbrecht J, Carlson J, Levkowetz H. Extensible authentication protocol (EAP). IETF RFC 3748;...
  • Adoba B, Simon D, Eronen P. Certificate management messages over CMS (CMC): Compliance requirements. IETF RFC 5247;...
  • Borodin A, Kleinberg J, Raghavan P, Sudan M, Williamson DP. Adversarial queuing theory. In: 28th ACM Symposium on...
  • CARMEN. CARrier grade MEsh Networks. In: ICT Project of the EC's 7th Framework Programme;...
  • iGillott Research. 3G mobile network security. White Paper;...

Cited by (8)

  • Survey on sybil attack defense mechanisms in wireless ad hoc networks

    2018, Journal of Network and Computer Applications
    Citation Excerpt :

    Specifically, unattended WSNs deployed in remote or hostile military environments are more sensitive to security attacks (Zhou et al., 2008; Di Pietro et al., 2009). WMNs are also receptive to security threats due to their features such as open wireless medium, non-dependency upon infrastructure, lack of central authentication system, self-healing, and auto-configuration (Avula et al., 2014; Wan et al., 2010; Khan et al., 2010; Zdarsky et al., 2011). The Hybrid Wireless Mesh Protocol (HWMP) (Conner et al., 2006) used in 802.11s-based WMNs involves each intermediate mesh router altering the routing message before forwarding it.

  • Project finance risk evaluation of the Electric power industry of Serbia

    2011, Energy Policy
    Citation Excerpt :

    Su and Chou (2008) show an approach to create critical Six Sigma projects that combine AHP and FMEA. The methodology, based on FMEA, was adopted for the risk assessment in the security threat analyses of wireless mesh backhauls (Zdarsky et al., 2011). The structure of the paper is as follows.

  • A study of research trends and issues in wireless ad hoc networks

    2015, Mobile Computing and Wireless Networks: Concepts, Methodologies, Tools, and Applications