Mapping mobile communications security
2G, 3G, 4G, 5G - what sounds a little like a bingo draw describes the mobile communication standards currently in use. The latest 5th-generation standard - that's what all the Gs stand for - is still being developed. The oldest of the bunch, 2G, was introduced back in the 1990s and is still in use. "2G is mainly used for voice transmission or for simple smart devices, such as a beverage dispenser that indicates it needs to be refilled," Dabrowski explains. The subsequent 3G was switched off in Germany in 2021 and replaced by 4G, also known as LTE. With 4G, users can enjoy streaming services or make video calls on the go, for example. These mobile communications standards now coexist side by side and are used worldwide. Roaming is intended to let mobile network customers use the services agreed with their mobile network provider while abroad and to enjoy the promised security and privacy protection. At least, that is the intent.
Is the "Roam-Like-At-Home-Principle" an empty promise?
At issue here is the so-called Roam-Like-At-Home principle promised to EU citizens in the EU Roaming Regulation, which was revised in 2022. The Bundesnetzagentur (the German Federal Network Agency) writes: "As a result of the revision of the Roaming Regulation, not only will the same price apply when traveling in the EU as at home, but also basically the same quality." Dabrowski doubts that this promise can be kept. "With roaming, the home network and the network of the country I'm visiting work together. They want to offer a service that is also as consistent in terms of privacy and security as the one in the home network. But the technical implementation is completely different." For example, when on vacation in Switzerland, the voice connection is established directly via the Swiss network, while the Internet connection takes a detour via Germany. In the home network, both would take the direct route. "If you look closely, there is no consistency between roaming and non-roaming connections," the researcher explains. Mobile providers have an extremely large amount of leeway, he says, and have been virtually impossible to audit. According to Dabrowski, this also applies to network security.
Cross-border tests hardly possible so far
The problem: So far, tests and measurements across borders have been extremely costly. "Europe is extremely fragmented. There are many mobile network providers in each country. Germany, with only three providers, is the exception. If I find that there is a security gap in one of our domestic mobile networks and want to check whether this is also the case in other networks, I currently have two options: Either I travel around a lot and test every network in every country in every constellation, or I equip as many devices as possible in every country with as many different SIM cards from different providers as possible. In no time at all, I thus have 1000 SIM cards, 1000 contracts and a private bankruptcy."
"Decoupled measurements" are the solution
The solution could be a framework developed by the researchers that allows the geographical separation of the SIM card from the cellular modem. The modem is a component in mobile devices such as smartphones that provides the connection between the devices and a cellular network. Its job is to put the radio data into the right form and to send it to and receive it from transmission towers. The SIM card is used to identify the user and assigns the smartphone to a specific network. Dabrowski explains the connection between all this and his framework: "Normally, the SIM card and the phone are one unit. We separate this unit and remove the SIM card from the phone. We simulate the communication protocol over the Internet and can thus travel virtually. To explain it more simply, let's take an example: We connect the SIM card to our measuring station in Germany and can pretend that we are in Germany. Then we disconnect it and connect it to our measuring station in France and can pretend to be there. All we need for that is a terminal in Germany or just in France."
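The SIM-to-modem relay that such a setup rests on, as an added illustration and not MobileAtlas's own code: the modem side ships each ISO 7816 command APDU through a length-prefixed tunnel (the frame layout is an assumption) to wherever the SIM physically sits, and whoever operates the tunnel can decode and log what passes, which is also how otherwise hidden SIM-toolkit traffic (FETCH, ENVELOPE, TERMINAL RESPONSE) becomes visible. The sample stream is constructed.

```python
"""Minimal SIM<->modem APDU tunnel framing with an audit decoder.
Added illustration, not MobileAtlas code; the 2-byte length prefix is an
assumed tunnel format, the instruction bytes come from ETSI TS 102 221."""
import struct

# Instructions the modem uses to exchange SIM-toolkit (proactive) traffic,
# i.e. the channel a SIM uses to initiate communication with its home network.
PROACTIVE_INS = {0x10: "TERMINAL PROFILE", 0x12: "FETCH",
                 0x14: "TERMINAL RESPONSE", 0xC2: "ENVELOPE"}

def frame(apdu: bytes) -> bytes:
    """Length-prefix one APDU so it survives a TCP byte stream."""
    return struct.pack(">H", len(apdu)) + apdu

def unframe(stream: bytes):
    """Split a tunnel byte stream into APDUs; returns (apdus, leftover)."""
    apdus, pos = [], 0
    while pos + 2 <= len(stream):
        n = struct.unpack(">H", stream[pos:pos + 2])[0]
        if pos + 2 + n > len(stream):      # incomplete frame: keep for later
            break
        apdus.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return apdus, stream[pos:]

def decode_command(apdu: bytes) -> dict:
    """Parse an ISO 7816-4 command APDU header (short Lc/Le only)."""
    if len(apdu) < 4:
        raise ValueError("APDU shorter than 4-byte header")
    cla, ins, p1, p2 = apdu[:4]
    body, data, le = apdu[4:], b"", None
    if len(body) == 1:                      # case 2: Le only
        le = body[0]
    elif len(body) > 1:                     # case 3/4: Lc + data [+ Le]
        lc = body[0]
        data = body[1:1 + lc]
        if len(data) != lc:
            raise ValueError("Lc does not match data length")
        if len(body) == lc + 2:
            le = body[1 + lc]
        elif len(body) != lc + 1:
            raise ValueError("trailing bytes after data field")
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data,
            "le": le, "proactive": PROACTIVE_INS.get(ins)}

def audit(stream: bytes) -> list:
    """Decode every complete APDU in a tunnel stream for logging/review."""
    apdus, _ = unframe(stream)
    return [decode_command(a) for a in apdus]

# Constructed sample: SELECT MF (2G class A0), a FETCH, and an ENVELOPE.
SAMPLE_STREAM = (frame(bytes.fromhex("a0a40000023f00"))
                 + frame(bytes.fromhex("a012000010"))
                 + frame(bytes.fromhex("00c2000003d10100")))
```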
Cost-effective and open source
The resulting measurement and test platform, which works for the 2G to 4G standards, provides a controlled experimentation environment that is extensible and cost-effective, according to Dabrowski. "In addition, our approach is open source, so other researchers can contribute sites, SIM cards and measurement scripts." The researchers are making the platform accessible and usable under the name MobileAtlas. The tool is likely to be of interest not only to researchers. "Mobile operators could also use it for the first time to check whether their roaming partners keep their promises." The name MobileAtlas is no coincidence. According to Dabrowski, it was derived from the name of the RIPE Atlas Internet test platform, which has been in existence since 2010. "RIPE NCC is the European Internet Governance. The RIPE Atlas is a global network of meters that measure the connectivity and accessibility of the Internet."
The frontiers of borderlessness
With MobileAtlas, there are measurement stations in ten countries so far, along with the infrastructure suitable for the measurements. Dabrowski hopes that the measurement network will quickly expand with the help of other researchers. "However, we will also have to make sure that no shenanigans are committed with the SIM cards so that we don't incur any costs. Whether we can offer MobileAtlas as comprehensively as RIPE NCC offers its platform remains to be seen." Dabrowski and his colleagues have shown that their approach can uncover interesting information: "We have discovered, for example, that certain services can be camouflaged in some mobile networks in such a way that the data traffic they generate is not deducted from the data volume included in the rate. Worse for end users, however, are the security problems that we were also able to demonstrate. In some cases, we found problematic firewall configurations or uncovered hidden SIM card communication with the home network." The findings are not all that alarming in this regard: exploiting these problems would require very targeted attacks and savvy attackers. "But gaps like that are never good. And now we have the opportunity to point them out to vendors."
If you want to know more about MobileAtlas and the other results, you can find more info in the paper:
Gegenhuber, Gabriel Karl; Mayer, Wilfried; Weippl, Edgar; Dabrowski, Adrian (2023). MobileAtlas: Geographically Decoupled Measurements in Cellular Networks for Security and Privacy Research. In: USENIX Security Symposium 2023, August 9-11, 2023, Anaheim, California, United States.
Or on the website: https://www.mobileatlas.eu/