
BEROU, Apple Karessa B.

LTE Wireless Network Security
Technology has become very useful, especially for communication. Over the years, the
growth of wireless broadband technology has influenced a huge number of end users, and
many people now use devices, mostly handheld, for almost all of their daily activities. LTE,
which stands for Long-Term Evolution, was created with the goal of increasing the capacity
and speed of wireless data networks. With the rapid growth of wireless broadband, the rate
of attacks on devices has risen as well. Considering this, LTE is seen both as a unique
opportunity and as a great challenge, because it exposes vulnerabilities of the technology
that must be addressed. Imperfections exist in all technologies, including LTE, and they
need to be fully addressed by the standardization bodies. The goal of this paper is to collect
and discuss information regarding the wireless network security of LTE.
LTE Networks
Referred to as fourth generation (4G) technology, LTE is a wireless broadband
technology designed to support roaming Internet access via cell phones and handheld
devices. LTE can theoretically support downloads at 300 Megabits per second (Mbps) or
more based on experimental trials [Mutabazi, 2013]. LTE is the latest standard in the
mobile network technology tree. It is closely integrated with GPRS/UMTS networks and
represents the evolution of radio access technologies and networks for UMTS. It brings
important improvements to the user experience, with full mobility. It relies on physical
layer technologies such as OFDM (Orthogonal Frequency Division Multiplexing) and MIMO
(Multiple-Input Multiple-Output) systems. Service providers such as telecommunications
companies have been expanding their LTE services, even though LTE is still available only
in limited areas.
LTE's simplified network architecture offers features and capabilities such as the
Evolved UMTS Radio Access Network (E-UTRAN) and the Evolved Packet Core (EPC). The
former uses an OFDM-based radio design that spreads data over many sub-carriers, which
provides greater immunity to fading. The latter is a simplified, data-centric new core
network that features improved redundancy and a collapsed architecture. The EPC has the
following main logical nodes:
- Policy Control and Charging Rules Function (PCRF), which is responsible for policy
  making and policy control.
- Home Subscriber Server (HSS), which holds the PDN information and the subscription
  data of the users.
- PDN Gateway (P-GW), which is concerned with QoS enforcement for guaranteed bit rate
  bearers, allocation of IP addresses to the UE, and filtering of downlink user packets
  into the various QoS-based bearers.
- Serving Gateway (S-GW), which deals with administrative functions.
- Mobility Management Entity (MME), which manages the signalling between the CN and the
  UE and is referred to as the control node.
The Third Generation Partnership Project (3GPP), which is responsible for the family
of networks known as GSM, laid the groundwork for LTE. The development of LTE started
with decisions on the network architecture and on the multiple access method. After
deliberations, the LTE standard requirements were approved by 3GPP in the first month of
2007, and the standard is now under change control. The specifications were concluded
but were not fully completed until the late quarter of 2008.
Deploying an LTE network offers a number of benefits over other wireless broadband
technologies. One advantage of LTE technology is improved performance, in the form of
higher connection speeds (data rates) and low latency. It also provides immense
capabilities in the wireless range. With these advantages, wireless carriers have the
opportunity to use fourth generation and LTE technology to offer their clients
higher-quality services and products.
Specifically, LTE technology has the following advantages. It provides a global
ecosystem with inherent mobility. It also offers assurance of privacy and security. LTE
improves overall network latency and also increases speed. For multimedia, LTE enhances
real-time video to give the user a better overall experience. It also enables
high-performance mobile computing. Because of its low latency, LTE supports real-time
applications. It also provides a platform on which to build and deploy the products of
today and of the future. Lastly, through enhanced spectral efficiency, the cost per bit is
reduced [Verizon, 2013].
An LTE network offers a number of benefits for emergency communications, where it
plays a significant role. For real-time video, it greatly improves face recognition and
scanning for quick verification from any location against centralized facial recognition
databases. Since some areas have no fixed connection, video surveillance over LTE
improves security, and LTE delivers visual emergency assessments immediately. For e-mail,
LTE delivers data reliably and quickly. The third benefit concerns recorded communications
and database queries: information on a suspect can be found quickly from almost anywhere,
and information needed during an emergency is retrieved very fast. LTE also provides
higher-quality voice transmissions and transcriptions [JDSU, 2012].
Security Framework
Security has always been an issue with the latest technologies. Standards
development organizations have addressed security at many different levels. Because so
many levels are involved, it became confusing where each one applies and what its
requirements are. The 3GPP security architecture has five (5) different functional
segments. These segments are:
1. Network Access Security
The first security level provides the UEs with secure access to the EPC and
protects against various attacks on the radio link. It is a set of security features
that includes privacy features as well as mutual authentication. Abbreviated as NAC,
it allows the availability of network resources to be restricted to particular endpoint
devices, which strengthens the security of proprietary networks. Besides restricting
the availability of network resources, NAC also restricts the data that each
particular user can access. NAC also covers the deployment of anti-threat
applications, including programs that detect spyware, software that detects viruses,
and firewalls. This security is considered ideal for agencies and corporations where
there is strict control over the user environment. However, a number of
administrations have expressed doubts, given that the nature of a NAC deployment
constantly changes with large numbers of various devices and users.
2. Network Domain Security
In Network Domain Security, the nodes are able to exchange signalling data and
user data in a secure manner. It also defends the network against attacks on the
wireline network. Simply put, this security provides secure communication between the
Evolved Packet System/Evolved Packet Core (EPS/EPC) nodes to defend the network from
threats. There are three (3) types of protection in Network Domain Security:
a) Data origin authentication
This protects a node from receiving packets injected by an unidentified
unit. The entities are able to verify that data was created by a specific
entity and was not modified afterwards. Simply put, it involves
identifying the original source of a message. The threat addressed here is
an intruder posing as a genuine sender and sending altered or modified
messages. The receiver of a message should validate that the received
message is from the real user.
The existing security protection is authentication, which is initially
established through a secure key exchange and mutual authentication
between the security gateways and the network entity.
b) Data integrity
It protects data in transit from being altered, as in a
man-in-the-middle scheme. Some literature states that without data
integrity it is difficult to attain the security goal.
In terms of security protection, integrity is provided through
cryptographic packet hashing mechanisms. There are security features for
data integrity on the network access link. One is integrity algorithm
agreement: the property that the SN and MS can securely negotiate the
integrity algorithm that they will use. Another is integrity key
agreement: the property that the SN and MS agree on the integrity key that
they will use. The last is data integrity and origin authentication of
signalling data: the receiving entity (SN or MS) is able to verify that the
signalling data was not altered without authorization since it was sent by
the sending entity (MS or SN).
c) Data Confidentiality
This provides protection against eavesdropping or information
theft. The confidentiality security protection is provided through
cryptographic packet encapsulation.
3. User Domain Security
This segment is the set of security features that provides mutual
authentication between the Universal Subscriber Identity Module (USIM) and the
Mobile Equipment (ME) before the USIM accesses the ME. Simply put, its goal is to
control access to mobile stations securely.
There are two features under this segment:
User-to-USIM authentication

This feature provides the property that access to the USIM is
restricted until the USIM has authenticated the user. It ensures that
access to the USIM can be restricted to the genuine user or to a number of
authorised users. To accomplish this, the user and the USIM must share a
secret, for instance a PIN that is stored securely in the USIM. The user
can access the USIM only if he knows the PIN or the secret.

USIM Terminal Link

With this feature, access to a terminal or other user equipment can be
restricted to an authorised USIM. For this purpose, the terminal and the
USIM must share a secret that is stored securely in both the terminal and
the USIM. Whenever the USIM cannot prove knowledge of the secret, the
terminal will deny access.

4. Application Domain Security
Applications in the UE and in the provider domain are able to exchange
messages securely. The main function of this segment is to secure messaging
between the network and the USIM. The USIM application toolkit gives providers and
operators the ability to develop applications that reside on the USIM. Messages
transferred over the network to these USIM applications need to be secured, with
the security level selected by the application provider.
5. Visibility and Configurability of Security
The UEs are able to gain access to the Evolved Packet Core (EPC) securely
through non-3GPP access networks, and security protection is also provided on the
radio access link. It also gives the user the chance to check whether the security
features are in operation.
Security Mechanisms
The security mechanisms of LTE focus on five (5) aspects of LTE security at the
network access security level, which are as follows:
1. LTE cellular security
In an LTE cellular system, the most significant security mechanism is mutual
authentication between the EPC and the UE. In the cellular system, the Authentication
and Key Agreement (AKA) procedure is used to achieve mutual authentication between the
EPC and the UE. A ciphering key (CK) and an integrity key (IK) are generated and used to
derive the various session keys for encryption and integrity protection. The Mobility
Management Entity (MME) acts on behalf of the EPC to carry out mutual authentication
with the UE by means of EPS AKA. Different AKA procedures are carried out for non-3GPP
access.
Several notable features of this cellular security relate to user access security.
To prevent attacks such as false base station and redirection attacks, the Serving
Network Identity (SNID) is added to the EPS AKA procedure. To protect user data
traffic and signalling, a new key hierarchy is introduced.
Another notable feature is support for non-3GPP access authentication between the
AAA server and the UE. The AAA server and the UE carry out the Extensible
Authentication Protocol-AKA (EAP-AKA) to complete the access authentication.
2. LTE handover security
Security in handover processes covers intra-E-UTRAN mobility, in which the MME
manages the current eNB and the target eNB. For this, a key management mechanism is
defined with different ways of deriving the eNB keys, based on horizontal or vertical
key derivation. A new session key is used between the target eNB and the UE.
Handover processes also cover mobility between the E-UTRAN and UTRAN/GERAN and
between the E-UTRAN and non-3GPP access networks. Among the heterogeneous access
systems of LTE networks, various mobility scenarios exist, including handovers from
trusted or untrusted non-3GPP access networks to the E-UTRAN and handovers from the
E-UTRAN to trusted or untrusted non-3GPP access networks.
3. IMS security
IP Multimedia Subsystem (IMS) introduces a whole new world of mobile features and
services. IMS offers users a variety of applications such as audio and other multimedia
services. IMS access security covers the authentication and authorization of a user to
the network. Several security threats to the IMS system have been identified. One is
illegal access to services. Misuse of network services is also considered a threat,
together with illegal access to sensitive data, which leads to denial of service. Access
to sensitive or important data by an unauthorised person is a violation of
confidentiality. Lastly, illegal modification of important data is a violation of
integrity. There are various ways to protect an IMS system. One is access security,
which covers end-user access to the IMS and its services.
4. HeNB security
An HeNB is considered a Home Node B, which is the 3G femtocell for 3GPP. It is an
access point installed by a subscriber in a residence or small office to extend indoor
coverage for high-speed data service and voice.
5. MTC security
Also known as M2M (Machine-to-Machine) communication, MTC is a form of data
communication among devices that does not require human interaction. MTC devices can
communicate with MTC servers through the LTE network, and they can also communicate
directly with one another without contacting the MTC servers. The MTC security
architecture includes three (3) security areas: MTC security between the MTC devices and
the 3GPP network; MTC security between the 3GPP network and the MTC server/MTC user and
MTC application; and MTC security among the MTC application, device and server/user. To
protect communication in MTC, the MME acts on behalf of the network to carry out mutual
authentication with the MTC device by means of EPS AKA.
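The SNID binding described under "LTE cellular security" above can be shown with a small model, added here as an example that is not part of the original paper. It assumes the HMAC-SHA-256 key derivation layout and FC constants of 3GPP TS 33.401 Annex A, uses HMAC as a stand-in for the NAS integrity algorithm, and all key material and PLMN values are constructed.

```python
import hmac
import hashlib


# KDF layout assumed from 3GPP TS 33.401 Annex A (not given in the paper):
# HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), Li = 2-byte length of Pi.
def kdf(key, fc, *params):
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def plmn_id(mcc, mnc):
    """Encode MCC/MNC as the 3-byte BCD serving network identity (SNID)."""
    c = [int(x) for x in mcc]
    n = [int(x) for x in mnc]
    n3 = n[2] if len(n) == 3 else 0xF  # filler nibble for a 2-digit MNC
    return bytes([(c[1] << 4) | c[0], (n3 << 4) | c[2], (n[1] << 4) | n[0]])


def derive_k_asme(ck, ik, sn_id, sqn_xor_ak):
    # FC 0x10: the SNID is a KDF input, so K_ASME is bound to one serving network.
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)


def derive_k_nas_int(k_asme, alg_id=2):
    # FC 0x15, algorithm type 0x02 (NAS integrity); keep the low 128 bits.
    return kdf(k_asme, 0x15, b"\x02", bytes([alg_id]))[16:]


def nas_mac(k_nas_int, message):
    # Stand-in MAC: real NAS integrity uses an EIA algorithm, not HMAC-SHA-256.
    return hmac.new(k_nas_int, message, hashlib.sha256).digest()[:4]


def mme_security_mode_command(k_asme, body=b"SECURITY MODE COMMAND"):
    """Serving network side: protect the first NAS message with K_ASME-derived key."""
    return body, nas_mac(derive_k_nas_int(k_asme), body)


def ue_accepts(ck, ik, sqn_xor_ak, broadcast_sn_id, body, mac):
    """UE side: derive keys from the SNID it sees on air, then check the MAC."""
    k_asme = derive_k_asme(ck, ik, broadcast_sn_id, sqn_xor_ak)
    expected = nas_mac(derive_k_nas_int(k_asme), body)
    return hmac.compare_digest(expected, mac)


# Constructed sample values (not real subscriber data).
CK = bytes(range(16))
IK = bytes(range(16, 32))
SQN_XOR_AK = bytes.fromhex("0a0b0c0d0e0f")
SN_A = plmn_id("001", "01")  # network the home network issued the vector for
SN_B = plmn_id("001", "02")  # a different network presenting the same vector

K_ASME_A = derive_k_asme(CK, IK, SN_A, SQN_XOR_AK)  # computed by the home network
SMC_BODY, SMC_MAC = mme_security_mode_command(K_ASME_A)

if __name__ == "__main__":
    print("SNID A:", SN_A.hex())
    print("UE on A accepts:", ue_accepts(CK, IK, SQN_XOR_AK, SN_A, SMC_BODY, SMC_MAC))
    print("UE on B accepts:", ue_accepts(CK, IK, SQN_XOR_AK, SN_B, SMC_BODY, SMC_MAC))
```

A vector issued for one serving network produces keys that a UE attached under a different SNID will not reproduce, so the first integrity-protected message fails verification.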
Vulnerabilities
Vulnerabilities exist in six (6) aspects of the LTE security framework: the LTE
System Architecture, the LTE Access Procedure, the LTE Handover Procedure, the IMS
Security Mechanism, the HeNB Security Mechanism, and the MTC Security Architecture.
The first vulnerability concerns the architecture of the system. The flat IP-based
architecture of 3GPP LTE networks increases the security risks. The all-IP network gives
malicious attackers a direct path to the base stations. Further risks arise from the
various mobility scenarios in which a UE moves from one eNB/HeNB to a new eNB/HeNB.
Between the SN and the HN, authentication signalling overhead and bandwidth consumption
may also arise.
With regard to the access procedure, the EPS-AKA protocol has no online
authentication capability. In addition, a number of inadequacies have been identified in
the EAP-AKA protocol: vulnerability to MitM attacks, user identity disclosure, problems
with sequence number (SQN) synchronization, and additional bandwidth consumption.
The handover procedure vulnerabilities include insufficient backward security.
There are also desynchronization attacks, in which an attacker using a rogue eNB is
believed to be able to disrupt the refreshing of the NCC value by manipulating the
handover request message between the eNBs or the S1 path message from an MME to a target
eNB. They also include replay attacks, after which the security association between the
target eNB and the UE cannot be established and the UE has to launch another handover
procedure.
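The horizontal and vertical key derivations mentioned under "LTE handover security", and the reason a stalled NCC refresh weakens key separation, can be modelled as follows. This is an added example, not code from the paper: it assumes the HMAC-SHA-256 KDF and FC constants of 3GPP TS 33.401 Annex A, simplifies the NCC bookkeeping to a single flag, and uses constructed keys and cell parameters.

```python
import hmac
import hashlib


# KDF layout assumed from 3GPP TS 33.401 Annex A (not given in the paper).
def kdf(key, fc, *params):
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_enb(k_asme, nas_uplink_count):
    return kdf(k_asme, 0x11, nas_uplink_count.to_bytes(4, "big"))


def next_hop(k_asme, sync_input):
    # NH needs K_ASME, which only the MME and the UE hold, never an eNB.
    return kdf(k_asme, 0x12, sync_input)


def k_enb_star(base_key, pci, earfcn_dl):
    # Key for the target cell, bound to its physical cell id and frequency.
    return kdf(base_key, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))


def run_handovers(k_asme, k_enb0, cells, ncc_refreshed=True):
    """Return the K_eNB in use after each handover along `cells`.

    Simplified model: after every handover the MME hands the new serving eNB
    a fresh NH (vertical derivation next time) unless the NCC refresh is
    disrupted, in which case the next derivation stays horizontal.
    """
    keys = []
    k_enb = k_enb0
    nh = next_hop(k_asme, k_enb0)  # MME-side NH chain
    fresh_nh = None                # unused NH held by the serving eNB
    for pci, earfcn in cells:
        base = fresh_nh if fresh_nh is not None else k_enb
        k_enb = k_enb_star(base, pci, earfcn)
        keys.append(k_enb)
        if ncc_refreshed:
            nh = next_hop(k_asme, nh)
            fresh_nh = nh
        else:
            fresh_nh = None
    return keys


def horizontal_chain(k_enb_known, cells):
    """Keys computable from one K_eNB and public cell parameters alone."""
    out, k = [], k_enb_known
    for pci, earfcn in cells:
        k = k_enb_star(k, pci, earfcn)
        out.append(k)
    return out


def exposed_hops(k_asme, k_enb0, cells, ncc_refreshed):
    """Count consecutive later keys that the first eNB's key is enough to derive."""
    actual = run_handovers(k_asme, k_enb0, cells, ncc_refreshed)
    count = 0
    for real, derived in zip(actual, horizontal_chain(k_enb0, cells)):
        if real != derived:
            break
        count += 1
    return count


# Constructed sample values: (PCI, EARFCN-DL) of three successive target cells.
K_ASME = hashlib.sha256(b"constructed K_ASME for this example").digest()
K_ENB0 = derive_k_enb(K_ASME, 0)
CELLS = [(101, 1850), (102, 1850), (103, 2850)]

if __name__ == "__main__":
    print("NCC refreshed:", exposed_hops(K_ASME, K_ENB0, CELLS, True), "hop(s) exposed")
    print("NCC stalled:  ", exposed_hops(K_ASME, K_ENB0, CELLS, False), "hop(s) exposed")
```

With the refresh working, only the next hop's key follows from the old eNB's key; with the refresh stalled, every later key in the chain does, which is why the NH/NCC update needs protecting.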
One vulnerability in IMS security is the increased energy consumption of the UE and
the increased system complexity. An IMS UE needs to carry out two AKA protocols: EPS AKA
for LTE access authentication and IMS AKA for IMS authentication. IMS AKA is also
considered vulnerable to MitM attacks, extra bandwidth consumption and a lack of SQN
synchronization. IMS security is also considered vulnerable to several types of DoS
attacks.
Most of the vulnerability in HeNB security is considered to come from insecure
wireless links. There is also a lack of robust mutual authentication between the HeNB
and the UE, and the HeNB is not considered a sufficiently trusted party. Like IMS, HeNB
security is vulnerable to several types of DoS attacks, because the entry points of the
core network are exposed to the public Internet.
One vulnerability in MTC security is that MTC lacks suitable security schemes for
the interaction between the ePDG and the MTC device. MTC devices are considered very
vulnerable to various malicious attacks, including compromise of credentials, attacks
on the core network, physical attacks and so on.
Existing Solutions
To overcome the vulnerabilities in the LTE security framework, solutions have been
identified, mainly for security in the access procedure, security in the handover
procedure, IMS security, HeNB security, and MTC security.
Access procedure solutions

This involves security provisioning for the network access procedure, which
mainly helps address key management and effective authentication. A series of
research works have proposed solutions for the access procedure. One is an
authentication and key agreement scheme based on self-certified public keys (SPAKA)
by Zheng et al. [2005], in which a public key broadcast protocol lets a UE identify
the genuine BS, in order to overcome the inadequacy of 3G AKA. Another solution,
proposed by Vintila et al. [2011], is to use the Password Authenticated Key Exchange
by Juggling (J-PAKE) protocol in the authentication process instead of the EPS-AKA
protocol. J-PAKE is a password-authenticated key agreement protocol whose purpose is
to provide a zero-knowledge proof using a shared key that is never sent over any
transmission medium. To enhance user confidentiality, Abdo et al. [2012] proposed
EC-AKA, which stands for ensured confidentiality authentication and key agreement.
With it, the AKA messages are fully integrity-protected by encryption, which is
believed to prevent disclosure of the user's identity and tracking of users. These
are just a few of the research works that have proposed solutions for the access
procedure.

Handover Procedure Solutions

Security provisioning for the handover procedure has to address effective
authentication between eNBs or HeNBs with less overhead. Among the research works
proposing solutions for the handover procedure is a proposal by Zheng et al. [2005],
a hybrid authentication and key agreement scheme that aims to support global
mobility with secure communications and low computational power.

IMS Security Solutions

Few research works were found that propose a solution for IMS security.
Ntantogian et al. [2007] presented an improved one-pass AKA procedure. The scheme
can drastically reduce the authentication overhead compared with multi-pass
authentication without compromising the security services.
Gu and Gregory [2011] proposed an improved AKA (I-AKA) authentication
protocol to reduce energy consumption. To avoid executing the AKA protocol twice, a
protected binding of the network layer and the IMS layer authentication is used.

HeNB Security Solutions
A proposal presented in Bilogrevic et al. [2010] addresses location and
identity tracking at the air interface by assigning and changing identifiers based
on context. Protection of the network against DoS attacks in LTE HeNB deployments
was additionally presented.
MTC Security Solutions
Chen et al. [2010] presented a group-based authentication and key agreement
approach for groups of UEs from the same home network (HN) roaming to a serving
network (SN). If a large number of UEs belong to the same home network, the UEs can
form a group. When the first UE in the group moves to the SN, the SN obtains the
authentication data for that UE and for the other group members from the original HN
by executing a full authentication. This gives the SN the chance to authenticate the
other group members locally without involving the HN.
Open Research Issues
Issues that are yet to be addressed have been identified in LTE networks. Some of
them concern MTC Security, Security Architecture, Security in the Handover Procedure,
IMS Security, and HeNB Security.
A number of issues are pointed out by Ma in her presentation, listed in the
following:

- Traditional protocol attacks and illegitimate intrusions against LTE technology are
  currently active. Additional security mechanisms should therefore be considered to
  protect the EPC, the UEs and the eNBs (HeNBs), as well as the communication among
  them.

- The EPS-AKA scheme of LTE networks needs further improvement to prevent disclosure of
  the user's identity, DoS attacks and other kinds of malicious attacks. This would
  also lead to much improved authentication performance, especially when a UE accesses
  the EPC through non-3GPP networks.

- The handover authentication architecture needs to be enhanced with a design that
  achieves secure, seamless handover between eNBs and HeNBs as well as handovers
  between 3GPP and non-3GPP networks. Furthermore, the disorganization and
  inconsistency of the current solutions need to be overcome.

- To prevent protocol attacks, including replay and desynchronization attacks, the key
  management mechanisms and the handover authentication procedures need further
  improvement.

- Robust and fast IMS access authentication mechanisms should be designed to simplify
  the authentication process and to prevent DoS attacks and other malicious attacks.

- Simple and robust mutual authentication mechanisms between the HeNBs and the UEs
  should be designed to prevent various protocol attacks with less computation, while
  remaining compatible with the LTE architecture of the current 3GPP standard.

References
ABDO, J., CHAOUCHI, H., AND AOUDE, M. Ensured Confidentiality Authentication and Key
Agreement Protocol for EPS. In Proceedings of Broadband Networks and Fast
Internet (RELABIRA 2012). May 2012. 73-77.
BILOGREVIC, I., JADLIWALA, M. AND HUBAUX, J-P. 2010. Security and Privacy in Next
Generation Mobile Networks: LTE and Femtocells. In Proceedings of Femtocell
Workshop. June 2010.
CHEN, H., FU, Z. AND ZHANG, D. 2011. Security and Trust Research in M2M System. In
Proceedings of IEEE International Conference on Vehicular Electronics and Safety
(ICVES). July 2011. 286-290.
GU, L. AND GREGORY, M.A. 2011. A Green and Secure Authentication for the 4th Generation
Mobile Network. In Proceedings of Australasian Telecommunication Networks and
Applications Conference (ATNAC). November 2011. 1-7.
JDSU. 2012. The Importance of Testing Long Term Evolution (LTE) in Public-Safety
Networks. Whitepapers. 2.
MA, M. Security Investigation in 4G LTE Wireless Networks. http://www.ieee-
globecom.orgprivateTF.pdf
MUTABAZI, G. 2013. Remarks By The Executive Director of UCC at The Launch of Smile
Communications 4g LTE Broadband Network and Services. Uganda
Communications Commission. http://ucc.co.ug/data/speeches/7/Remarks-By-The-
Executive-Director-Of-UCC-at-The-Launch-Of-Smile-Communications'-4g-LTE-
Broadband-Network-and-Services.html
NTANTOGIAN, C., XENAKIS, C., AND STAVRAKAKIS, I. 2007. Efficient Authentication for
Users Autonomy in Next Generation All-IP Networks. In Proceedings of Bio-Inspired
Models of Network, Information and Computing Systems. December 2007, pp.295-
300.
STOKE. 2014. LTE Security Concepts and Design Considerations. Whitepapers.
http://www.whitepapers.lightreading.com/whitepaper/technology-products-and-
services/lte-security-concepts-design-considerations-
wp1390608011?articleID=191740744
VINTILA, C., PATRICIU, V., AND BICA, I. 2011. Security Analysis of LTE Access Network. In
Proceedings of The Tenth International Conference on Networks (ICN 2011). January
2011. 29-34.
VERIZON. 2013. The Verizon Wireless 4G LTE Network: Transforming Business with Next-
Generation Technology. Whitepapers.
ZHENG, Y., HE, D., TANG, X., AND WANG, H. 2005. AKA and Authorization Scheme for 4G
Mobile Networks Based on Trusted Mobile Platform. Proceedings of Fifth
International Conference on Information, Communications and Signal Processing, 976-
980.
Y. ZHENG, D. HE, L. XU, AND X. TANG. 2005. Security Scheme for 4G Wireless Systems. In
Proceedings of Communications, Circuits and Systems. May 2005. 397-401.
