On the (In)Security of 4G - Part I: An LDACS based View on Wireless Communications Systems

Wireless Communications Systems

During my time at DLR, working on the security design of the L-band Digital Aeronautical Communications System (LDACS), I noticed many similarities among wireless communications systems. In this post I would like to briefly touch on some general workings of wireless communications systems, drawing on my background with LDACS.

User and Control Plane

Every wireless communication system has some kind of control plane and user plane. The control plane is responsible for “keeping the system running”, e.g. deciding which communication partner receives how many resources to send and receive data. Usually the control plane handles cell entry, handover and exit of mobile nodes, resource allocation, reporting of communication channel quality and status, packet handling, synchronization, scheduling and much more. The user plane makes use of the control plane’s abilities to send and receive the actual user payload over the wireless medium.

This example shows the control and user plane channels of LDACS: Random Access Channel (RACH), Broadcast Channel (BCCH), Common Control Channel (CCCH), Dedicated Control Channel (DCCH).

Frame Structure

In general, a wireless communication system must follow a certain frame structure, so that time and frequencies can be precisely synchronized. The frame does not always have to be of the same length; it could also be adaptive. However, all participants of the system need to be aware of its design.

In figure 2 we see LDACS’s frame structure and the mapping of bits and bytes onto OFDM symbols. Beyond framing, every wireless communication system has a certain protocol stack, and each entity in the stack has a certain task. The following section provides an overview:

General Protocol Stack of a Wireless System

Overall, each system has some kind of Physical (PHY) layer, where coding, modulation schemes and spectrum usage are chosen to modulate a signal onto the carrier and thus transmit data. Put differently, the PHY layer turns bits and bytes into symbols (null, data, pilot and synchronization symbols) and vice versa, and thus enables the wireless transmission and reception of these bits and bytes.
The Medium Access Control (MAC) layer is, as the name says, responsible for accessing the medium, i.e. the physical channel. This physical channel access is handled through transparent logical channels. Furthermore, the time framing service provides the functions for synchronizing the MAC slot structure with the physical layer framing. Logical channels can be used to broadcast physical parameters, provide access to a system, allocate resources or transport user data. Methods such as Cyclic Redundancy Codes (CRCs) make sure that the received data arrived completely and that no bit-flips occurred. Note that a CRC only detects accidental transmission errors; detecting deliberate modification requires a cryptographic integrity check on top of it.
A mobility handling entity (for Long Term Evolution (LTE) it is the Mobility Management Entity (MME)) is responsible for handovers, cell entry and exit, registration and deregistration, and is usually one of the first contact points when a new mobile node appears in a cell.
Data link layers above the MAC layer are responsible for fragmentation, segmentation and concatenation of data, fitting it into units that are most efficient when transmitted over the wireless medium. Automatic Repeat Request (ARQ) protocols make sure, by re-transmitting data where necessary, that all data is received in order.
Higher sublayers of layer 2 usually transform IP based packets into the wireless system’s packet format and attach the system-specific header and addressing to the user data packets.
Obviously this does not cover every aspect of every layer, and it even attributes some functionality to layers that do not always have it. However, it helps in building a general model of the stack and its functionality.
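To make the MAC-layer CRC check and the data-link ARQ behaviour described above concrete, here is an added example (not LDACS code and not from the original post) of a hypothetical data-link frame: a sequence number, a length field, the payload and a CRC-16/CCITT trailer. The receiver drops frames whose CRC does not match, delivers the in-order prefix and lists the sequence numbers it still needs retransmitted. The frame layout, the truncated HMAC tag and the key are all assumptions made for the example; the HMAC part illustrates the caveat that a CRC catches channel errors but is not an integrity mechanism against deliberate changes.

```python
import hashlib
import hmac

CRC_POLY = 0x1021  # CRC-16/CCITT generator polynomial x^16 + x^12 + x^5 + 1


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF, no reflection)."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ CRC_POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def build_frame(seq: int, payload: bytes) -> bytes:
    """Hypothetical data-link frame (assumed layout): 1-byte sequence number,
    1-byte length, payload, then a 2-byte big-endian CRC over everything before it."""
    if not 0 <= seq <= 0xFF or len(payload) > 0xFF:
        raise ValueError("sequence number and payload length must fit one byte")
    body = bytes([seq, len(payload)]) + payload
    return body + crc16_ccitt(body).to_bytes(2, "big")


def parse_frame(frame: bytes):
    """Return (seq, payload) if CRC and length field check out, else None."""
    if len(frame) < 4:
        return None
    body, received_crc = frame[:-2], int.from_bytes(frame[-2:], "big")
    if crc16_ccitt(body) != received_crc:
        return None  # bit-flips on the air: drop it and let ARQ ask again
    seq, length, payload = body[0], body[1], body[2:]
    if len(payload) != length:
        return None
    return seq, payload


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Simulate a single channel-induced bit error."""
    damaged = bytearray(frame)
    damaged[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(damaged)


def arq_receive(frames, first_seq: int = 0):
    """Receiver side of a simple ARQ: buffer valid frames by sequence number,
    deliver the in-order prefix and report the gaps that need retransmission.
    Returns (delivered_bytes, missing_seqs, corrupted_count)."""
    buffered, corrupted = {}, 0
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            corrupted += 1
            continue
        seq, payload = parsed
        buffered[seq] = payload
    if not buffered:
        return b"", [], corrupted
    delivered, missing = bytearray(), []
    for seq in range(first_seq, max(buffered) + 1):
        if seq not in buffered:
            missing.append(seq)  # retransmission request (NAK) for this one
        elif not missing:
            delivered += buffered[seq]  # still in order: hand up to the next layer
    return bytes(delivered), missing, corrupted


def seal_frame(frame: bytes, key: bytes) -> bytes:
    """Append a truncated HMAC-SHA256 tag (assumed 8 bytes). The CRC catches
    accidental errors only; a keyed MAC is what makes deliberate changes detectable."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()[:8]


def open_frame(sealed: bytes, key: bytes):
    """Verify the tag in constant time, then do the normal CRC parse."""
    if len(sealed) < 8:
        return None
    frame, tag = sealed[:-8], sealed[-8:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None
    return parse_frame(frame)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    # constructed sample: frame 1 arrives last and with one flipped payload bit
    frames = [build_frame(0, b"ab"), build_frame(2, b"ef"), flip_bit(build_frame(1, b"cd"), 16)]
    print(arq_receive(frames))
    print(open_frame(seal_frame(build_frame(3, b"gh"), key), key))
```

Running it shows that the damaged frame 1 is rejected by the CRC, only frame 0 is delivered, frame 2 waits in the buffer and sequence number 1 is reported for retransmission. A frame that has been altered and given a freshly computed CRC still passes `parse_frame`, which is exactly why `open_frame` checks the keyed tag first.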

Cellular Based Wireless Communications System

In a cellular system there are cells, usually controlled by a Ground Station or base station (for LTE the eNB), in which a mobile node receives the strongest signal from one specific base station. Thus, with a precise measurement of the respective signal strengths of all base stations nearby, the mobile user equipment can decide to which station to connect. Cells can overlap; however, following a certain reuse factor, overlapping cells should not use overlapping frequencies. Every base station is controlled by a network behind it, either by some kind of base station controller or a core network (e.g. the EPC for LTE). Most of the time, the connection between the mobile user equipment and the base station happens wirelessly, and the communication down the line between base station and controlling network is wired.

This example shows LDACS cells and the sub-network behind the Ground Station (GS): Access Router (AR), Ground Station (GS), Ground Station Controller (GSC), Access Control Router (AC-R), Air-Ground (A/G) and Ground-Ground (G/G) Routers.
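The two rules in the cellular paragraph above, connect to the strongest base station and do not reuse a frequency in overlapping cells, can be checked in a few lines. The following is an added example, not LDACS code and not from the original post: the cell coordinates, radii and channel numbers are constructed sample values, and the handover hysteresis margin is an assumption that generalizes the "strongest signal" rule so that a node does not flip between two cells of almost equal strength.

```python
import math

# Constructed sample cells: (name, x_km, y_km, coverage_radius_km, frequency_channel)
CELLS = [
    ("GS-A", 0.0, 0.0, 10.0, 1),
    ("GS-B", 15.0, 0.0, 10.0, 2),
    ("GS-C", 30.0, 0.0, 10.0, 1),
]


def overlapping_pairs(cells):
    """Two circular cells overlap when their centres are closer than the sum of radii."""
    pairs = []
    for i, a in enumerate(cells):
        for b in cells[i + 1:]:
            if math.hypot(a[1] - b[1], a[2] - b[2]) < a[3] + b[3]:
                pairs.append((a[0], b[0]))
    return pairs


def reuse_conflicts(cells):
    """Overlapping cells assigned the same channel: violations of the reuse constraint."""
    channel = {c[0]: c[4] for c in cells}
    return [(a, b) for a, b in overlapping_pairs(cells) if channel[a] == channel[b]]


def select_cell(rssi_dbm):
    """Initial cell selection: the base station heard strongest wins."""
    return max(rssi_dbm, key=rssi_dbm.get)


def handover_target(serving, rssi_dbm, hysteresis_db=3.0):
    """Handover decision (assumed policy): a neighbour must beat the serving cell
    by a margin before the node switches, which avoids ping-pong between cells."""
    best = select_cell(rssi_dbm)
    serving_level = rssi_dbm.get(serving, -math.inf)
    if best != serving and rssi_dbm[best] - serving_level >= hysteresis_db:
        return best
    return serving


if __name__ == "__main__":
    print("reuse conflicts:", reuse_conflicts(CELLS))
    # constructed measurement report from one mobile node, in dBm
    report = {"GS-A": -72.0, "GS-B": -70.0, "GS-C": -95.0}
    print("selected:", select_cell(report))
    print("after handover check:", handover_target("GS-A", report))
```

With the sample layout there is no reuse conflict (A and C share channel 1 but are 30 km apart with 10 km radii), the node initially picks GS-B as the strongest, and a node already served by GS-A stays there because GS-B is only 2 dB stronger, below the 3 dB margin.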

Summary

Equipped with this background knowledge, it is easier to analyze the security of 4G and the overall 4G architecture in general. Let’s start with that in the next post!

Here you can read Part II.

See you soon. :)

Abbreviations

  • Air-Ground (A/G)
  • Access Control Router (AC-R)
  • Access Router (AR)
  • Automatic Repeat Request (ARQ)
  • Broadcast (BC)
  • Broadcast Channel (BCCH)
  • Common Control Channel (CCCH)
  • Cyclic Redundancy Codes (CRCs)
  • Dedicated Control (DC)
  • Dedicated Control Channel (DCCH)
  • Data Link Service Layer (DLS)
  • FL Physical Service Data Unit (FL PHY-SDU)
  • Forward Link (FL)
  • Ground-Ground (G/G)
  • Ground Station (GS)
  • Ground Station Controller (GSC)
  • LDACS Management Entity (LME)
  • Long Term Evolution (LTE)
  • Medium Access Control (MAC)
  • Medium Access Layer (MAC)
  • Multi Frames (MF)
  • Mobility Management Entity (MME)
  • Orthogonal Frequency Division Multiplexing (OFDM)
  • Physical (PHY)
  • Physical Layer (PHY)
  • Physical Service Data Unit (PHY-SDU)
  • Random Access (RA)
  • Random Access Channel (RACH)
  • Reverse Link (RL)
  • Super Frame (SF)
  • Sub-Network Protocol Layer (SNP)
  • Voice Interface (VI)