UMA – Potential Increased Operator Risk
UMA (Unlicensed Mobile Access) is a set of specifications now known as “Generic access to the A/Gb interface; Stage 2.” The purpose of these specifications is to allow cellular operators to terminate cellular services over unlicensed mediums that utilize IP. The original specifications catered to Bluetooth and WiFi, so the benefits of such a technology should be obvious. In the home or in metropolitan areas, it allows operators to move away from technologies that are costly, slower, higher-latency, or bandwidth-limited. By doing so, they reduce their own costs and improve user experience.
In March 2006, I wrote an internal Symantec paper entitled “UMA Attack Surface Analysis.” The purpose of this paper was to discuss the increased risks that subscribers or operators may be exposed to as a result of deploying UMA technologies. While I’m not going to go into the full contents of the paper, I wanted to touch upon one key point that did come out.
It was clear from the review we conducted that, although present in current deployments of GSM, GPRS and UMTS, the tunneling of protocols such as LLC, SNDCP, MM, CC, and SS over IP increases the exposure to an attacker. That is to say, that for an attacker without experience of or access to GSM, GPRS or UMTS radio stacks, there is now a means for them to be able to launch attacks against these protocol layers. The result is that operators are directly exposing their SGSNs and MSCs to any attacker with sufficient motivation who can obtain a subscription to their network. The potential impact is much larger than simply the UMA infrastructure; it extends to the security and availability of the operator’s core network.
At the moment, no publicly available pure software-based stacks exist for UMA (although they do exist under license). As a result, most implementations exist in baseband processors embedded within devices not accessible from the O/S. This means that the tools required to perform research or launch any feasible attack are not available yet to the wider world, but I believe this will change over time as the adoption of UMA grows.
My point really is this: cellular technologies initially came from a world that was circuit-switched where the skill set required to be nasty was confined to the industry. While I appreciate this was security by obscurity, it did serve the industry well. Now, with an industry quickly moving to common, off-the-shelf technologies, simply shoehorning legacy protocols over IP does not provide this same level of obscurity and increases exposure. Operators and network equipment providers need to understand this and ensure they are not jeopardizing security in the name of cost savings.