collecting big data in an increasingly complex mobile world

Collecting Big Data in

an Increasingly

Complex Mobile World

Moray Rumney

Lead technologist

1st July 2013

Copyright Agilent Technologies 2013

1

Moray Rumney Collecting Big Data

1st July 2013 2

Agenda

Collecting wireless data – some big questions

Vulnerability of systems

IMSI catching

Geo-location techniques

TMSI tracking

Some future-looking game changers?

2


1st July 2013 3

Collection of wireless data – some big questions

1. What can be collected?

2. Where can it be collected?

3. Who can collect it?

4. Why do they want to collect it?

5. What level of transparency and consent should be required?

3


1st July 2013 4

1 What can be collected?

This is an easy question to answer.

Everything!

However, this covers a very large range of possibilities requiring

different levels of effort

Only the data that can be collected with reasonably low cost and

effort needs to be considered in the short to medium term

4


1st July 2013 5

2 Where can it be collected?

This is also an easy question to answer.

Everywhere!

Again, this covers a very large range of possibilities requiring

different levels of effort and so as with the “What” question only

the more probable cases need to be looked at

5


1st July 2013 6

3 Who can collect it?

Fortunately the answer to this question is not quite:

Anyone!

On the network side, access to data is typically limited to

operators and government agencies although there is concern

concern in the US and UK over potential vendor “back doors”

However, on the air interface (including wireless backhaul) the

physical signals cannot be hidden and so there exists a

theoretical possibility that anything carried over the air could be

monitored by anyone.

However, technical and cost constraints significantly limit what

can be monitored to a much smaller subset

6


1st July 2013 7

4 Why do they want to collect it?

This question has a wide range of answers so:

It depends

A possible list in order of altruism / legality could be:

1. National security

2. Network optimization

3. Business development and marketing (operator)

4. Business development and marketing (3rd party)

5. Commercial exploitation

6. Criminal activity

7. Espionage

7


1st July 2013 8

5 What level of transparency and consent should

be required?

This question also has a wide range of answers so:

It depends

At the national security end of the scale data gathering is

obviously covert and done without individual consent

For network operation/optimization it is unlikely individual

subscribers would have any issues for appropriate use

For business development or marketing carried out by the

operator, transparency and consent start to become issues

When this activity is carried out by a 3rd party with whom the

subscriber has no contract there is clearly public concern even

though using current technology, individuals are not identified

8


1st July 2013 9

Vulnerability

The ease with which location or other meta data and even

subscriber payload can be collected varies widely depending on

the technology

Older systems such as GSM have weaknesses which can be

exploited

Improvements in newer systems are welcome but the old

vulnerabilities remain and why attack a fortified 4G door if there

is an open 2G window next to it?

9


1st July 2013 10

Vulnerability by system

GSM – TDMA system so easy to correlate transmissions with

individual users, encryption has been cracked, authentication

issues

W-CDMA – CDMA harder to intercept than TDMA, adds network

authentication

LTE – TDMA system, backhaul not encrypted as standard, use

of various forms of MIMO increase difficulty of intercept

Wi-Fi – Very easy target for “Man in the middle” attack, VPN is

essential for any security

Bluetooth – Can be tracked but perhaps only 10% of users have

it enabled

10


1st July 2013

Types of identity and geo-location data collection

11

Covert

Overt

Legal Illegal

TMSI

tracking

Legal

interception

X-Interface

IMSI

catching

A-GPS

Google

Now

Operator

tracking

Silent

SMS


1st July 2013 12

IMSI catcher

Classic “Man in the middle” attack exploits vulnerability in GSM

Back in the late 1980s base stations were big, high-tech,

expensive and owned by trusted operators

In the system design the BTS authenticates the MS

But no one though that the MS should authenticate the BTS

Nowadays a GSM cell can be emulate using something the size

of a USB dongle which can act as a femtocell

12


1st July 2013 13

Security risks beyond IMSI catching

IMSI catching is fairly basic. For a more in-depth view of what is

possible with more sophisticated methods see:

Hijacking mobile data connections

13

http://www.blackhat.com/presentations/bh-europe-09/Gassira_Piccirillo/BlackHat-Europe-2009-Gassira-Piccirillo-Hijacking-Mobile-Data-Connections-slides.pdf

http://www.blackhat.com/presentations/bh-europe-09/Gassira_Piccirillo/BlackHat-Europe-2009-Gassira-Piccirillo-Hijacking-Mobile-Data-Connections-slides.pdf


1st July 2013 14

Geo-location techniques

Many geo-location techniques exist with varying degrees of

sophistication and accuracy driven by a variety of use cases

including E911 requirements

• Cell ID

• Observed Time difference of arrival

• Assisted GPS

• Network-based algorithms

• 3rd party techniques (TMSI tracking)

14


1st July 2013 15

Location tracking using Temporary Mobile

Subscriber Identity (TMSI)

TMSI was designed as an alternative to the IMSI to prevent

identification or tracking subscribers and is allocated as part of

the authentication of the mobile by the network and is changed

periodically or when changing cell

Location update procedure occurrs in increments of 6 minutes

Four byte TMSI is used to address the mobile over the air

Algorithms for TMSI pre-calculation can be developed leading to

more exposure of individuals

Basic location accuracy comes from proximity to the receiver.

More sophisticated triangulation methods are possible.

Shopping malls are a common deployment area

15


1st July 2013 16

Window shopping from a plane

“The Centre” Livingston, Scotland

16


1st July 2013 17 17

Would this

message put

you off entering?


1st July 2013 18

Example of large-scale collection of geo-location

using TMSI tracking

Major public event at sports stadium

60,000 spectators

Seven 3rd party receivers with approx. 100m range around

stadium

40,000 detected TMSI

Post processing showed people movements and density,

journey times and routes which were valuable for future event

planning

Alternative methods such as face recognition are not so

effective

18


1st July 2013 19

The use of TMSI for paging is not always

guaranteed so personal tracking is possible:

http://nion.modprobe.de/blog/archives/705-E-Plus-GSM-privacyTMSI-allocation-leak.html

19
















1st July 2013 20

Two future factors that may change the future of

data collection

LTE-D

Public concerns

20


1st July 2013 21

LTE proximity services and LTE-Direct (LTE-D)

A potentially revolutionary development in mobile comms is

taking place in 3GPP Release 12 with a study item into device

to device (D2D) communications.

In its first phase, LTE-D will focus on proximity services whereby

a UE equipped with a transmitter operating in the downlink band

will broadcast an “expression” of capability which provides e.g.

information about commercial services.

The target for this is UE in the local area not the eNB

Broadcasts of expressions are scheduled to avoid interference

Future developments could lead to direct UE to UE comms and

a whole new set of possibilities and issues

21


1st July 2013 22

Public concerns

We are in a twilight zone in the evolution of communications

where the realization of what is being collected will become

widely known which is going to lead to a backlash.

Future data collection and its uses will come under much closer

scrutiny with more opt in than opt out clauses.

International borders may complicate legislation.

Contractual agreements that provide mutual benefit should

succeed but on the back of this there will e many more

exploitative potential which could limit the success of the

genuine opportunities.

We don’t want to enable the “Internet of Thieves”

22


1st July 2013 23

Who provides your public Wi-Fi?

GCHQ?

23


1st July 2013

Thank you for listening!

collecting big data in an increasingly complex mobile world

Technology