Small Cells and security – tackling operator concerns and protecting subscribers

6th Aug 2014

For anyone in the mobile industry, security will always be a concern and it is something that the small cell community has been taking seriously ever since the first femtocells made it out of the labs. The Small Cell Forum has tackled security as part of its release programme and keeps up to date on the latest applications and any risks that could arise.

While many measures are specified by 3GPP standards on Small Cell Security (TS 33.320 & TR 33.820) and understood by the industry at large as good industry practices, here are some of the main areas that have previously been of concern and the measures taken by the Forum and wider industry to address them.

  • Privacy
    User privacy is an incredibly sensitive topic and one that consumers are much more aware of thanks to recent news stories and developments. As a technology designed to carry data, it’s important that small cells can be trusted by both operators and subscribers.
    On the Radio Interface, Small Cells use the same Radio Interface as the Macro base stations and are therefore just as secure. Specifically, the Radio Interfaces are specified by 3GPP standards and do not, in general, reveal the User identity in any form. On the backhaul, all traffic from Small Cells is transported within an encrypted IPSec tunnel, which secures User Identities against any eavesdropper on an open backhaul network (such as the public Internet).
    This also applies to issues with service fraud – since users are authenticated by the Core Network and not by the Small Cell itself, which provides for access control and prevention of service fraud, in measures identical to the Macro Cellular network. Furthermore, Small Cells may also operate in ‘Closed Access Mode’, which provides an additional layer of access control security.
  • DoS
    DoS attacks are becoming more common for websites and companies and this is something that the small cell industry has worked hard to protect against.
    As per Small Cell Network architectures standardized by 3GPP, access to the Core Network from Small Cells over untrusted networks such as the public Internet is protected by Security Gateways – which are designed to provide protection against DoS attacks from the public Internet itself.
    Regarding the question of DOS attacks from the Small Cells themselves, it is to be noted that the traffic from the Small Cells towards the Operator Core Network consists mainly of traffic from the user devices and a small amount of management traffic originating from the Small Cell itself This traffic is also limited by various parameters such as QoS policies such as maximum bandwidth etc., thereby greatly limiting the amount to traffic to cause denial of service.
    Finally, for malevolent users to inject data into the Small Cell, they would need to gain access to the unencrypted data in the Small Cell, which is typically made difficult by hardening of the small cell, detection & disablement of compromised units and other approaches.
  • Operation Malfunctioning attacks
    OAM traffic from the Small Cells is encrypted within IPSec tunnel, so that it is not possible to spoof it from open untrusted backhaul networks or from the Small Cell itself (for reasons explained in the previous commentary on DOS).
  • Physical access to small cells
    When small cells started to be used and are within the potential reach of the public, this presented a range of new challenges, from making boxes weather resistant, tamper-proof or even bullet proof.
    When Small Cells are physically accessible to hostile parties, a number of good industry practices have been developed and are typically followed to minimize such risks. The practices include making physical access difficult, making the boxes tamper-evident and/or tamper resistant, etc. More advanced features such as tamper detection and reporting to the Operator Network or disabling the device are also possible and are starting to be used.
  • Location Verification
    Location verification is another aspect of Small Cells of ensuring that Small Cells are deployed only in locations authorized by the Operator. This functionality has been addressed in great detail by the Small Cell industry and is realized by one or more of several features including GPS and ‘sniffing’ the macro cellular network environment to confirm location.

Security is a topic that is never going to go away and it’s one that will always form a key part of the work of the Small Cell Forum. More information is available in a detailed topic brief here.

Prabhakar Chitrapu, Chair, Security Task Force at Small Cell Forum