conejota - Fotolia

Look to over-the-top services to secure mobile, says specialist

Mobile network operators should look to 3G and 4G while enterprises should consider OTT services to provide the best security, says telecommunications industry veteran and pioneer Charles Brookson

Enterprises should look to over-the-top (OTT) mobile systems to ensure their mobile business operations are secure, according to mobile security specialist Charles Brookson.

Brookson is currently a director at telecommunications firm Azenby and chair of the security group of the European Telecommunications Standards Institute’s (Etsi) Operational Co-ordination Group (OCG)

“Systems that run ‘over the top’ of a mobile network operator’s network and are secure in themselves are a wise choice because you are not relying on a third party,” he told Computer Weekly.

However, companies should examine OTT services carefully and validate suppliers’ claims about how secure they are, he said.

“In general, they are a good choice because they are basically an IP channel from end to end. There are also various different ways to pass voice and data over that securely without having to trust the person in the middle, which is not a wise thing to do from a security point of view,” he added.

Brookson, who describes himself as “old and cynical”, said enterprises need to recognise that there is no such thing as a perfect system.

“As with computers, the most secure mobile is one that is turned off. Businesses have to understand what the risks are and mitigate those risks,” he said.

Brookson, who founded and led the GSM Association security group guiding more than 800 mobile operators for 25 years, also advises companies to ensure they understand what they are buying and not to believe everything they are told.

“At the very least companies should get someone who understands it because there is a lot of misapprehension out there,” he said.

This is especially important with 5G on the horizon because it is likely to be connected to the internet of things (IoT), which Brookson believes in itself is likely to cause new security issues.

“The internet of things presents great opportunities for denial of service attacks and breaches of personal privacy, and all that will have to come into the equation because, rather than just looking at communications, enterprises will be controlling infrastructure as well,” he said.  

Switching to latest standards improves security

Brookson, who led the team that produced protocols and the A5/1, A5/2 and A5/3 algorithms used by mobile operators worldwide to encrypt calls, also advises that all mobile operators should switch to the latest mobile standard as soon as possible because of improved security.

“In the early 2000s we brought in new [security] algorithms, but some mobile network operators are switching to them only now 15 years later. The underlying infrastructure has been there, but people just don’t want to spend the money on it,” he said.

“They should be using 3G or 4G because they have much stronger algorithms and better authentication – anybody could pretend to be an operator with the older systems. Fom 3G onwards, the network itself is authenticated.”

That said, Brookson cautioned that the security standards for 5G are currently in the process of being written. This means any 5G implementations ahead of the finalisation of those standards will not be security compliant.

The process is expected to be completed in the next 14 months as the standard writers tackle the challenge of dealing with the issue of backwards compatibility, but he said mobile network operators should be looking at the draft versions to start preparing.

Repeating history

After a long career in mobile security, Brookson observes that the same issues keep cropping up as each generation discovers them anew.

“The only way to break that cycle is to look at what has gone before, learn from history and co-operate with your peers in industry, such as the GSM Association’s programme for sharing fraud information between operators,” he said.  

Brookson is a nominee in the “mobile mogul” category in the inaugural Security Serious Unsung Heroes Awards taking place on 4 October 2016.

“I have been writing standards for 40 years, but few people realise who is behind all this stuff, and there a lot of unsung heroes behind standards because people tend to think these things just happen by themselves,” he said.

Brookson’s work in the field of mobile security has not been overlooked entirely, earning him an OBE in 2015 for services to telecommunications security.

Read more about 5G

Read more on Hackers and cybercrime prevention