In recent years, mobile service providers have deployed small cells to address network capacity and coverage demands. These small cells are in residential homes, enterprises and public areas with high traffic demand.
Small cells commonly use insecure backhaul connections that pass over the public Internet. This contrasts against macro-cells, which are generally deployed in secure locations with private backhaul connectivity. The vulnerabilities of small cells have been demonstrated by high-profile hackers, to the embarrassment of several well-known Tier 1 service providers and their technology vendors.
Notable security vulnerabilities include:
- Snooping on unencrypted backhaul traffic.
- Using exposed OA&M ports and SQL injection techniques to erase subscriber records and bring down mobile services.
- Capitalizing on open X2 interfaces and ‘flat’ LTE architectures to deploy distributed DDoS attacks.
- Compromising small-cell software to launch man-in-the-middle (MITM) attacks to enable a variety of vulnerabilities.
The mobile industry has developed solutions to address small-cell security vulnerabilities, with the support of standardization bodies including the 3GPP, ETSI, and the Broadband Forum.
These solutions are focused primarily towards:
- Strategies to protect subscribers and service providers’ core networks from attack vectors that emanate from small cells.
- Solutions to protect the hardware and software integrity of small cells.
- Ensuring the robustness of the security and small-cell management solutions that are used, such as TLS/SSL, TR069 and IPsec.
Figure 1 (at the right side) illustrates the primary components for a secure small-cell network implementation. In this implementation, User Equipment (UE) connects over 2G/3G, 4G, or Wi-Fi wireless links to eNodeB small cells. The small cells commonly connect to core networks via untrusted environments, such as residential and commercial broadband networks.