Introducing Mobile Network Security Experiments to Communication Technology Education

We describe a new viable lab assignment that enhances the theoretical study of wireless network security in our master-level communication technology education with hands-on mobile access network experimentation for the students. This new part is added to a well established student lab on wireless network security, by making use of low cost software deﬁned radio devices and readily available open source software for experiments with one-cell GSM mobile access networks. The students can use their own smartphones. The overall objective of the lab is to support the students’ practical understanding of the technical problems of building and managing wireless network security mechanisms. We report our ﬁndings and experiences from designing, constructing, testing and managing this lab assignment in the autumn semester of 2016.


Motivation
Cellular mobile access networks (GSM, UMTS, and LTE) have become a ubiquitous part of the world-wide communication systems and are used in both personal and professional everyday life now.Access authorization and authentication, confidentiality, integrity, and location and tracking privacy are some of the highly important communication security properties.The topic of mobile network security has been included in university level curricula at some engineering and computer science programs.Typically, however, the teaching is theory-only with no provision for lab work with real wireless setups.
We propose that gaining experience by a process of doing hands-on experimentation will significantly improve the intuition and understanding of mobile network security concepts and theory, and ought to be an essential component of teaching network security.It should make students skilled in both practical attacks, and the best practice of security mechanisms and protocols.As a consequence, a natural question arises: "How to introduce mobile network security experiments to network engineering education?".We describe our recent work of designing, constructing, testing and managing a lab assignment for mobile network security included in a master level course in wireless network security.

Our Contribution
For many years, the student assignment associated with our Wireless Network Security course within the Master's Programme in Communication Technology has helped students explore the security mechanisms and protocols used in wireless LANs.Useful open source software and inexpensive equipment for this communication technology have been easy to acquire and set up.During the autumn semester of 2016, we have successfully extended this lab assignment with realistic mobile network security experiments based on software-defined radio devices controlled by readily available open source software.The students are able to explore mobile network security protocols by building a one-cell mobile access network and run tests with their own smartphones.For a start, the students can analyze live radio communication protocols, authentication, encryption, and anonymity mechanisms for the GSM mobile system.Equipment and devices useful for setting up such experimental mobile wireless networks are now available at affordable cost, and this creates exciting new possibilities for communication security engineering education.Let this new part of the lab assignment be referred to as the Mobile Access Network Security section.This paper describes both the technical details of the lab equipment and tools, and the pedagogical experiences that we have gained so far.Finally, we indicate possible directions for further developments that we plan to take.

The Course
The Wireless Network Course is part of the first year master's program in Communication Technology.It builds upon our basic Cryptography, Computers, and Network Security course.Other recommended prerequisites are courses in Access and Transport Networks, Mobile Networks and Services.In general, the scope of the course is functions, protocols, and configurations for realizing authentication, key distribution, integrity, confidentiality and anonymity in wireless access networks for mobile users.Mobile forensics has been included too.The course presents and analyses security techniques employed in existing systems, including WPAN, WLAN, GSM/UMTS/LTE, IMS.In addition, we may present proposed solutions for new wireless technologies, such as ad-hoc and sensor networks.One of the main learning objectives is to acquire analytical skills for information security assessment of communication systems that provide services for mobile users by wireless access networks.
The lab assignment is 20% of the total course.The content of the assignment has steadily evolved since the start in 2006.The original inspiration for creating the course and the lab assignment did not come from similar teaching at other universities.It is our perception that there have been, and still are, few courses on wireless security in university level curricula.A major part of our early inspiration came from open source network tools and WiFi hacker tools that were developed and emerged at that time, such as wireshark, kismet, and the aircrack-ng suite of tools [1][2][3].Note that the first cryptanalytic results on WEP were published a few years earlier, in 2001.Note also that around that time the term ethical hacking became a professional security testing skill sought after by big corporations and governments, which spawned a heated discussion at universities whether computer engineering students ought to be taught attacker/hacker skills.Retrospectively, we are now able to find that Hartpence paper from 2005 describes some of the same considerations that we started out with [4].
This same sort of practical impetus that we had for creating the lab in the first place also holds for our newly added Mobile Access Network Security part.Our inspiration here is the availability and low cost of USRP devices, together with open source software [5][6][7][8].After having constructed and conducted this new part, we found out that similar labs exist at some very few other universities, suggesting that the approach starts to gain momentum [9].

Structure
A total of 40 students enrolled in the course for the autumn semester of 2016, whereof 31 males and 9 females.The course attracts a significant number of international exchange students (9 students in 2016).Over the years, the total number of students have fluctuated around 50 students.
We measure that the entire assignment will nominally require at most one full week effort for a group of three students sharing the work load.We advice cooperation on problems both within the group and across groups, and commend self-organised designation of roles and responsibilities within each group.We allow flexibility in establishing the groups (student driven), and Table 1 shows the numbers for the groups last year (2016).
We allocate two calendar weeks due to limitation in lab space and for various other reasons, such as computer resources, noise level, course staff availability.This allows some flexibility for the students or groups to pick a preferred week, thus eliminating absence problems that might be caused by personal circumstances or conflicts with other courses and activities.The groups are granted access to the laboratory room for the week they are registered for.One week before the lab work, the course staff will give an introductory talk on the lab objectives, description, deliverables and grading criteria.The complete lab assignment description becomes available well in advance for the students to understand the theoretical background needed and to organize their work.
The lab assignment is a mandatory 20% portfolio of the course, and consists of two main tasks over two weeks' time: (1) Carry out the lab experiments, and demonstrate the results after each milestone to a teaching assistant.All milestones must be passed and approved by a teaching assistant by the end of the first week (pass or fail).
(2) Prepare and submit a written lab report for grading and the end of the following week.We encourage the students to record their progress in a lab journal.The submitted lab report is graded by the course staff.

Content
The work plan for the mobile network security part contains four main tasks: 1. Set up a one-cell GSM network.2. Enable 'Open Registration'.
First task aims to become familiar with the hardware and software tools that will be used later in the lab.The main objective is to set up the hardware and the software for the GSM one-cell network, for which they will configure and test security mechanisms.
The next three tasks challenge the students to experiment with the GSM authentication and access control, (un)linkability, and confidentiality mechanisms.The 2G mobile access networks should issue random strings for TMSI (Temporary Mobile Subscriber Identity), replacing the permanent identity string of IMSI (International Mobile Subscriber Identity).So, students first enable TMSI allocation for their network service, having in mind a purpose for this: to secure their network against passive adversaries (eavesdroppers) that want to break the privacy of a targeted subscriber (identified by a given IMSI).
The access control and authentication protocols of mobile networks are central topics in the course.Hence we ask the students to perform some experiments with two (quite naive) access control mechanisms implemented in OpenBTS: Open Registration and Cached Authentication.This offers the students a practical environment to reflect on different access control mechanisms.They will analyze the security performance of the mechanisms used, and compare against the real mechanisms in GSM networks.Finally, we ask to enable encryption, keeping in mind the goal of private communication.
Each of the four main tasks corresponds to one milestone.By this, we expect the students to demonstrate the operation, the functionality and their comprehension.We find these milestones to be a good method for the teaching assistants to monitor the progress of each group.

Instrumentation
A student group will normally use the following equipment: -One networked computer. 1One USRP (Ettus B200mini) as in Figure 2.

Universal Software Radio Peripheral (USRP).
A USRP is a device used to prototype wireless communication systems.The B200mini is a USRP with size less than a payment card that can be programmed to operate over a wide radiofrequency range (70MHz -6GHz) and communicate in full duplex.For instance, it can be used in all of the standard GSM, UMTS, and LTE frequency bands.Figure 1 shows the USRP B200mini board, while Figure 2 shows the hardware enclosed and with antennas mounted [10], as presented to our students in the lab.More detailed technical specifications on the B200mini can be found at Ref. [11].
OpenBTS.OpenBTS is a Linux-based open source software that can interface to software-defined radio hardware [5].The OpenBTS implements most of the GSM stack above the radio modem; however, it requires some other distinct applications as prerequisites: SMQueue (SIP Message Queue) stores and forwards text messages, being a prerequisite for the SMS service between mobile stations using OpenBTS.Asterisk is a Voice over IP (VoIP) switch that performs call establishment between mobile stations using OpenBTS.
Asterisk is an open source framework sponsored by Digium [12].SIPAuthServe (SIP Authorisation Server) is an application that manages the subscriber database, thus replacing the HLR (Home Location Register) entity found in a conventional GSM network architecture.
The OpenBTS suite and all the prerequisites were installed and configured by the course staff to work with the USRP B200mini before the lab started.More detailed information on OpenBTS is available at Ref. [13,14].
Computers.The computers used in the lab are desktop computers with Intel Core2 Quad CPU Q9400@2.66GHzrunning Ubuntu 12.04.The recommendation is to connect the USRP device via a USB3, but we found out that the USB2 transfer speed is sufficient for our lab activities.
Smartphones.Following the BOYD (Bring Your Own Device) policy, we encouraged the students to switch their own mobile phones to 2G and use them for the experiments.Nevertheless, we provided LG Nexus 5X handsets running Android v6 to a few groups that lacked access to the necessary two mobile phone devices.(This was the case for the "one-student group", as well as for some students whose phones disallowed network type selection -e.g.: older versions of iOS).

The Lab Tasks
This is a brief description of the tasks in the mobile access network part of the lab.The tasks focus on the security aspects in GSM, as previously explained in Section 3.
The course staff have downloaded and built all the necessary software on all desktop computers prior to the lab start.This assures an effective start for the students and avoids much hassle and frustration that can occur with incompatibility of the operating system, drivers, and building the applications.However, the complete installation guidance is given too, say, for or students who want to reproduce the experiments on their personal computers.
The first task is to connect the USRP device to a computer and check if the device is properly connected, by inspecting the LEDs and running specific commands.Each group creates a one-cell mobile network by starting and running the OpenBTS processes.Running several base stations concurrently in the same lab hall must be done with care to avoid radio frequency interferences.There are at least two concerns: 1. Interference with the commercial networks (that use licensed GSM frequency bands) outside the lab hall.2. Interference among the lab group networks inside the lab hall.
We have put in place the following strategy to avoid these problems: each group is assigned a distinct ARFCN (Absolute Radio Frequency Channel Number) -chosen such that there are no interferences with cells of the other groupsfrom a frequency band that is not allocated for commercial mobile communication.This avoids interference with the commercial mobile networks [15].Additionally, the students are asked to configure the USRP devices to a very low transmission power such that the cell radio coverage is effectively restricted to the lab hall.
Further, the lab tasks include the capture, storage, and analysis of network traffic, identify specific messages and parameters in several scenarios, and find and explain particular handset behaviour corresponding to distinct configurations of the network.
As an example, we outline here the procedure for the task Enable link encryption.The main objective for this is to investigate the confidentiality mechanisms in GSM.The students have to inspect encryption related parameters in the OpenBTS command line interface and enable encryption by setting appropriate values.Students can make calls from one handset to another, capture the traffic, and observe the differences between the situation where encryption is disabled, respectively enabled.Students are asked to compare the encryption behaviour they observe in the lab with the GSM encryption standard, and to give a description of the technical differences.
A similar method is applied for the others tasks: -Enable TMSI allocation and observe which changes occur in the message flow.Check if the security goal is fulfilled.-Experiment with the two access control mechanisms implemented in OpenBTS: Open Registration and Cached Authentication.Note the differences between the two and compare them with the textbook description of GSM authentication.
We aim for communication observations and analyses to be conducted both on the network side and on the user equipment side.The students are asked to observe how the mobile devices operate in different scenarios and to evaluate the security functionality on both sides.For example, we ask questions related to user experience and privacy, such as: "Which security modes of operation are signalled by the phone's display to the user?In particular, consider various types of registration, authentication, and encryption modes".

Experience and Students' Feedback
The Mobile Access Network Security assignment part has been well received by the students so far.We suggest possible improvements in the final section of the paper.We have used two methods for collecting feedback: a question to be answered in the lab report, and direct interviews and report from the student reference group for the course.
Specific question in the lab report.We use one assignment question to probe the students' opinions about the lab, and suggestions for possible improvements.
"How can this lab project be improved?(Answering is optional and does not influence your grade.)".
The question was optional, so not all groups answered.However, we got feedback from several groups, and overall it was positive indeed.Two of the responses are: "We think that the practical part was very interesting, not too difficult nor too easy, and it is possible to finish within one week." "The motivation behind the lab project was clear, visible, and comprehensible.The tasks to be performed were interesting and informative.The well-prepared equipment enabled us to work directly 'hands-on' without long installation tasks. . . .All in all, the lab was a great success." Reference group report.At our university, it is required that three or four students volunteer to become a reference group for the class and course.They shall represent all students in the class, and provide a formal communication channel between the class and the course staff.They write up a short report at the end of the course, which is used as input to the overall evaluation of the course.Their reported feedback for the lab reads very encouraging: "Lab: Very good, interesting and relevant topics.Hard to find information about different modification that you had to do.The description was very helpful, and the lab was well prepared, including the new part.".
Finally, we present here some of our findings and experiences from the construction, testing and management of the laboratory.
During the development work of the lab, we tested several USRP devices, mostly from Ettus Research [16].The final decision on the B200mini was due to several factors: compliance to our needs, affordable price, and small enough to be easily stored and transported in one box.Also, we have tested and found that the B200mini are compatible with our not-so-new desktop computers already in use for the lab.As mentioned earlier, we found that we did not need to upgrade to USB3 ports, so the only additional equipment that had to be bought were the antennas [10] and making the encapsulation for the board.Currently, the USRPs are used in other wireless communication courses and in our master thesis research projects, so they have proved to be a good investment.
We encountered some problems with the software during our lab construction.OpenBTS is an open source platform, always under development, so we sometimes had problems with the up-to-date version of the software, which cracked.We solved this by using a functional version of the source code, but changed the drivers to the ones compatible to the B200mini.This and the amount of time required for build the executables (approx.30 min) made us decide to pre-install all the necessary software on the lab computers, thus allowing the students to focus their activities on the security related issues.
Students encountered a problem with identifying their own access network when more cells were up in the lab hall at the same time.This happens because some handsets always display the network as Test PLMN 1-1 (for default Mobile Country Code and Mobile Network Code), independent of the actual name assigned to the network by the software configuration.To avoid this, we asked the students to set the Mobile Network Code to their group number, which makes each cell directly identifiable.
We have succeeded in enhancing the theoretical study of wireless network security in our master-level communication technology education with hands-on mobile access network experimentation.We consider this as our first and exciting step into the learning possibilities that the brave new environment of open source based mobile networks can bring.
We decided to start with the GSM mobile networks, and next we want to move on directly to 4G (LTE).There are open source projects for LTE emerging, which makes this plan feasible [6][7][8].At the same time, we want to develop further the GSM part of the lab, by making use of configurable SIM cards and allow the complete GSM authentication mechanism and encryption to take place.For this, we already acquired and tested configurable SIM cards [17], which we can configure for our purposes by using the PySim software [18] and a card reader [19].These ideas were independently suggested by some of our students in their lab report feedback: "It would be a nice feature if we had the possibility to use programmable SIM-cards in order to play with GSM.Cipher.Encryption enabled or disabled and see the difference in the captured traffic in Wireshark.""Could it be an idea to set up LTE instead of GSM? Obviously LTE have less security vulnerabilities and is probably more time consuming to set up, however the relevance is greater."

Figure 2 .
Figure 2. We built our own robust enclosure for the USRP boards and antennas.