February 2015: Demystifying the small-cell security challenge
In recent years, mobile service providers have been deploying small-cells to address network capacity and coverage
demands. These small-cells are being deployed in several theatres, including residential homes, enterprises and public
areas where there is high traffic demand.
Small-cells commonly use insecure backhaul connections that pass over the public Internet. This contrasts macro-cells,
which are generally deployed in secure locations with private backhaul connectivity. In recent years, the
vulnerabilities of small-cells have been demonstrated by high-profile hackers, to the embarrassment of several well-known
Tier 1 service providers and their technology vendors. Several notable security vulnerabilities include the following:
- Snooping on unencrypted backhaul traffic.
- Using exposed OA&M ports and SQL injection techniques to erase subscriber records and bring down the mobile
- Capitalizing on open X2 interfaces and “flat” LTE architectures to deploy distributed denial of service
(DDoS) attacks, and;
- Compromising small-cell software to launch man-in-the-middle (MITM) attacks to enable a variety of vulnerabilities
including, traffic re-routing, device cloning and malware distribution, to name a few.
The mobile industry has developed solutions to address small-cell security vulnerabilities, with the support of
standardization bodies including the 3GPP, ETSI and the Broadband Forum. These solutions are focused primarily
- Strategies to protect subscribers and service providers’ core networks from attack vectors that emanate from
- Solutions to protect the hardware and software integrity of small-cells, and;
- Ensuring the robustness of the security and small-cell management solutions that are used, such as TLS/SSL, TR069 and IPsec.
Exhibit 1 illustrates the primary components for a secure small-cell network implementation. In this implementation,
User Equipment (UE) connect over 2G/3G, 4G or Wi-Fi wireless links to (e)Node-B small-cells. The small-cells commonly
connect to core networks via untrusted environments, such as residential and commercial broadband networks. Since these
untrusted environments are vulnerable to intrusion, small-cells connections and interfaces must be secured using security
gateways. Furthermore, large scale small-cell deployments fundamentally change network architectures and create the
potential for core network element failures as a consequence of excessive signaling traffic. This signaling traffic
might be created maliciously, such as via a distributed denial of service (DDoS) attack, or without malicious intent in
cases where small-cells generate excessive signaling traffic in their normal operations, such as for mobility management,
location update requests and authentication.
To be effective, small-cell security gateways must fulfill several roles, which include the following:
- Encryption and authentication techniques to protect the integrity and privacy of connections amongst small-cells
(i.e. the X2 interfaces in LTE), between small-cells and service providers’ core networks, for operations and
maintenance (OA&M) functions, and for other local IP interfaces from the small-cells. This is commonly achieved using
IPsec. When IPsec is used, the content is encrypted. Security gateways that are deployed at the edge of mobile core
networks terminate the IPsec tunnels and provide protection between the small-cells and a service provider’s core
Deep packet inspection techniques to protect signaling interfaces from overload and distributed storm (or denial of
service) attacks. These DPI techniques protect vulnerable interfaces, such as those connecting to Mobility Management
Entities (MME) and DIAMETER/RADIUS platforms for access, mobility and subscription management.
When service providers implement IPsec, they must pay careful attention to ensure that it meets their security
objectives, without creating excessive network latency and poor network performance. Although IPsec has a variety of
flavors, the most common configuration for small-cell backhaul connections is IPsec (ESP) in tunnel mode with IKEv2 D-H
key exchange and 128 bit AES symmetric key encryption.
In some cases, small-cells support remote OA&M functionality for provisioning and configuration management. This might
involve connecting to the small-cell directly or over a wireless connection, such as Bluetooth, or via a physical port
on the small-cell. Remote access security on these OA&M connections is crucial in protecting small-cells and more
importantly to mitigate core network vulnerabilities.
Exhibit 1 Secure small-cell architecture illustration
Source: Tolaga Research, 2015
In the past, small-cells and particularly femto-cells have suffered from a variety of security vulnerabilities that
have emanated from the interrogation and tampering of the small cell software and hardware, with devastating effect.
Several approaches have been used to overcome these challenges, with varying degrees of success. In particular some
small-cell vendors have used:
- Hardware tamper-detection technologies. However, many of the solutions that have been developed can be
bypassed with relative ease once the configuration of the alarming system is understood by the hacker.
- Solutions for secure small-cell provisioning and configuration management. The TR069 standard has been
widely adopted for this purpose. This standard is touted as being secure, however recently hackers have demonstrated
that while TR069 has the capabilities of being secure, it is not always the case. In particular, while TR069 supports
TLS/SSL encryption, it is not mandated and when implemented it has the risk of being compromised due to poor certificate
authority (CA) management. In addition, earlier versions of TR069, such as TR069-amendment 2 use SSL 3.0/TLS 1.0, which
are no longer regarded as sufficiently secure. The TR069- Amendment 5, which was published in November 2013, recommends
TLS1.2, or a later version.
- Software code-signing to ensure the integrity of small-cell software loads. To achieve this, the small-cell software
code is signed with a cryptographic hash, such as MD5 (which is not recommended), SHA-1 or SHA-2 and encrypted using
public key cryptography, such as RSA. The TR069 standard has an optional feature for code signing software using SHA-1
(32 bit) with RSA based content encryption.
- Protected boot software. A common trick that is used for malicious attacks is to access and manipulate the
boot-software on small-cell devices. This can have the effect of bypassing other security mechanisms to create numerous
potential attack vectors. To mitigate this threat, small-cells must operate their boot software from within trusted
- Small-cell physical location monitoring. Small-cells are vulnerable to being relocated without service provider
permission. This is particularly the case for residential femto-cells, and can create a variety of challenges, such
as negatively impacting frequency planning and emergency services such as E911, and compromising special service offers
such as home-zone rates. This threat can be mitigated by a location locking mechanism, such as binding the small-cell’s
geo-location with its crypto-graphically based identity.
Small-cell security is of paramount importance to mobile service providers, particularly as hackers target the
network vulnerabilities that small-cells create. Even with the best available security technologies, small-cell security
efforts are commonly foiled by non-compliance on the part of service providers. Several notable areas of non-compliance
include the following:
- Insecure backhaul and interface connections.
- Weak passwords and poor certificate authorization regimes.
- Insecure OA&M interfaces, and;
- Obsolete TR069 implementations, which in many cases lack the security features that are optional in the TR069
Continuous vigilance is needed on the part of service providers to ensure that their small-cell implementations are
compliant with the intended security standards and the underlying security algorithms and techniques have not been