Mobile is a domain comprising two major components: the end users and the providers. Mobile is usually considered part of the ICT landscape, evolving with similar challenges and at a similar speed, because it mainly exists and operates thanks to information technologies.
On one side, there is the mobile operator, taking a central role. Usually the operator decides on the base architecture and the core network that it builds, maintains and operates. The service provider deals with the interconnection with other networks and with other operators. It deals with the decisions on authentication mechanisms, the on-boarding of new clients, and the management of calls and other activities happening on the networks, such as the routing and termination of those calls, the data transmission, ... The service operator usually also deals with various manufacturers who would like to have their handsets enrolled in the operating network infrastructure.
The end user, on the other side, takes a handset and starts to use it on the operator’s networks. The end user with a smartphone, tablet PC, laptop computer, ... has a device that today uses a SIM card (a microchip card), which identifies the device to the mobile network. The device is built from components that need an operating system and software to bind their functionalities together and to operate the device on the network.
All these components require specific security considerations, a challenge that the sector has considered for many years and that persists because the components are constantly evolving.
Even more challenging than before is that the mobile world has now also embraced the internet, and with it all of the challenges and demands related to internet-specific threats such as malware, trojans, botnets, online fraud, ...: in short, cyber threats.
The mobile sector is an annual multi-billion euro industry, with a lot of vested interests, where the balance of power is shifting between continents and economies. Until a couple of years ago, Europe had a major role with companies such as Nokia, Ericsson and Alcatel; the market is now heavily reliant on Asian suppliers such as Huawei, ZTE, Samsung and LG, and on North American suppliers such as Intel, Apple, Google (with major Motorola and Qualcomm assets) and Microsoft (with major Nokia assets).
Europe is coordinating the landscape by organizing the way the wireless spectrum can be utilized, via its national regulators and grouped in ETSI. Other important organizations are ITU and the GSM Association, which heavily impact the way the mobile sector operates today and in the future, and which are heavily involved in setting the security measures and defining components that affect security and privacy.
The European market has vested interests in sustaining smart card developments. For many years, these technologies have dominated the way handsets connect to the networks. The SIM card is a major component of the way mobile operators authorize a handset to access and operate on their networks. Other major European components influencing the mobile sector are applications such as navigation, gaming and, to a lesser extent, audio and video developments.
The operator market has been scrutinized in the past for the way it dealt with private data. Operators can be seen as examples of markets where data protection regulation became an integrated part of the operations. Operators today also serve as a major source for criminal investigations, providing proof of the whereabouts and identification of both victims and criminals, acting as witnesses at a crime scene.
Operators are regulated under a series of European Directives [1] and Member States’ specific regulations.
A multitude of threats exists for mobile. The list never seems to end, and it affects not only the different layers of the OSI model but also the end-to-end environment and the trustworthiness of the involved entities themselves: core networks, radio access network, IMS, fraud, authentication and identification technologies, handset-related, application-related, mobile malware, corporate espionage, …
Security measures have always been a constant challenge and task for mobile operators, but up until today they have mainly served to protect the operators’ interests (against fraud, abuse, control of the customers, limiting churn, ...).
Reliability for end users is no longer limited to the data in transit and on the device, but also extends to availability of service. Mobile networks have become part of the critical infrastructures.
1. Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services.
Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009 amending Directives 2002/21/EC;
Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC. Undertakings providing public communications networks or electronic communications services must ensure the security of the networks. The competent NRA must be informed of any breach of security or loss of integrity on the network. They will in turn inform the NRAs of the other Member States.
Contributing to ensuring a high level of protection of personal data and privacy (the “Privacy and Electronic Communications Directive”).
Proposal for Directive 2013/0027/EC: NIS Directive. Measures to ensure a high common level of network and information security across the Union.