Thursday 5 December 2013

Bo Diddley and the LTE Security Debate – Who Do You Trust?

I recall as a child repeatedly being told I should not accept lifts (rides) from strangers. And the fact that I’m still around to write this blog can, in part, be attributed to that good advice. But I could have chosen to ignore it, which I didn’t, so I guess I can take some credit for still being here too. In today’s world, while this advice still holds good, maybe we should also counsel that you shouldn’t trust your data to strangers either.

Now that’s not so easy, is it? Sure, there are a couple of people I know that I share some personal information with. But, in the main, I don’t actually know the majority of people that I freely pass personal data to. Like most of us, I share the greater part of what I choose to share with organizations.

It would be easy at this point to get seriously side-tracked by talking about organizations that hold information on me that I either don’t know exist or I don’t approve of. But, for now, I’ll leave that side of the debate to the likes of Snowden and Assange and I’ll focus on the stuff I willingly share - well, as willing as I can be when the option is “supply this information or don’t do business with us” (or even maybe face a fine or a jail term by failing to do so).

The reality is though, with the exception of parents and relations, the majority of lifts I accepted as a child were in fact with strangers. I didn’t actually know a single train or bus driver (and I used these services daily as a child) but there was an implied trust through the reputation of the organization that employed them. Hence, despite the majority of journeys I made as a child being willingly made with strangers, I’m still here to talk about it. Therefore, not knowing the majority of people that I share personal data with doesn’t really trouble me either.  

But it gets more complicated. It’s not just about me trusting people and organizations I share data with. I also need to trust the organization(s) that transport that data from me to the recipient. In my case I need to trust my mobile operator just as much, for example, as I trust my bank. And you could argue my bank needs to trust my mobile operator too if it wants me to continue to trade online with it.

So, where is all this leading? Simply this: I don’t believe I can trust my mobile operator to care for my data as much as I used to. Now, this seems a crazy thing to say, as most people assume advances in technology bring with them advances in assuring information. But that is not necessarily the case. The move to all-IP mobile networks, the Long Term Evolution (LTE) mobile network, is a good example of this. Whereas 3G is encrypted from the mobile device to the Radio Network Controller (RNC) deep in the mobile network, LTE (4G) is only encrypted from the mobile device to the base station, so traffic beyond the base station crosses the operator’s backhaul without that protection. This opens up new security vulnerabilities.

I would be more comfortable if I knew all mobile operators were acting uniformly to address this. But in a white paper commissioned by Juniper Networks, and published by Heavy Reading, Patrick Donegan (Senior Analyst at Heavy Reading) shows this is not always so. Patrick names some of the mobile operators he considers to be adopting good LTE Security practice and highlights some of the drivers behind this. He also draws attention to Heavy Reading’s Ethernet backhaul Tracker, published in June of 2013, which forecasts that by 2016 less than half of all LTE cell sites will have IP Security. This concerns me.

Just as Patrick highlighted the drivers behind some operators adopting LTE Security, so he also identifies the reasons why others [choose to] stay exposed. In all, there are seven themes that emerge here. One that leaps out at me is “many operators do understand the risk but believe that the cost of implementing IPSec is too high relative to the amount of risk entailed.” This implies operators are prepared to put my information at risk and, with it, my trust in them to handle my personal information.

With a sizeable number of mobile operators allowing clear text to transit across their backhaul networks, Patrick goes on to predict that there will be “a pretty close correlation between end-to-end network security and superior financial performance” in years to come. At a time when mobile operators have the technology to develop exciting new revenue streams it seems the actions of some may directly affect their ability to exploit this.

Just as when I was a child I had a part to play in ensuring my own survival, I also have a part to play in ensuring my sensitive data is shared with organizations I can trust. Patrick Donegan’s white paper will encourage me to be more vigilant. To paraphrase the great Bo Diddley, who do you trust?

You can download the Heavy Reading white paper titled “The Security Vulnerabilities of LTE: Opportunities and Risks for Operators” by clicking on the attachment link below. The paper will download straight from the link.

