Working in mobile security, especially in standardization, more often than not it feels like very few people outside the industry are aware of what is actually happening within. I presume the majority of users, even the ones who are rather security-aware, only think of it in terms of Over-The-Top (OTT) services, such as WhatsApp or Signal. After all, this is what you interact with directly on a daily basis. This is what (ideally) protects your data end-to-end. However, one must not dismiss the protocol layers below, which actually enable your phone to send data off to a remote server halfway around the globe and allow you to receive push messages on the go wherever there is a cell tower. Plus, with 5G just around the corner, it is not only enhanced data rates and latency that people can look forward to, but substantial improvements to security and privacy as well.
So how did we get into this situation? One key aspect is the topic's huge complexity and lack of visibility. I resent the fact that users don't care about the security of their mobile communication; it's just that you would not go out of your way to research this information. What is more, even the tech-savvy usually don't get in contact with things like DIAMETER, MILENAGE or SIP, unless specifically pursuing a career in telecommunication or related research. The technology stack has always been highly specialized and incredibly complicated. Luckily, this changes with 5G to some extent, too. Focussing on one specific feature at a time and "translated" from rather abstract language, the topic would be much more digestible for sure.
But it is not just a visibility issue either. Even on the occasion that telco security is covered in the press, it's often lurid headlines that miss out on important details or background information required to accurately assess the issue at hand. Granted, short articles such as these cannot fully represent the contents of a research paper that took weeks or months to compile, but they should at least strive to offer a well-thought-out summary.
The above eventually convinced me to start a series of technical write-ups on what is currently being discussed in the field of mobile security standardization. While still targeted at professionals as well, the content on here should ideally be much easier to understand than 3GPP's official security specifications - a plethora of documents filled with normative language that usually takes a lot of inside knowledge and cross-reading between multiple documents to comprehend. First and foremost, I would like to provide insights into what level of protection and new security features users can expect from future mobile generations. Given that 3GPP's documents are all stored on a public FTP server, this information is available to anyone already today. However, the process of finding consensus and the reasons why the group decided to go in a certain direction are difficult to assess retrospectively without being present at the meeting. Secondly, aside from presenting this information to a broader audience, this blog might also serve a purely documentary purpose. I imagine it will be fun to look back at this process in a couple of years to get an understanding of how it all came to be. After all, 3GPP is specifying the technology that billions of people and devices will soon be using.
While telecommunications will certainly be the main focus of this blog, I also plan to cover a broader range of topics in the area of information security every now and then, be it secure programming, network design, or just security-related side projects that would be interesting to share. But for now, enough of the introduction -- let's get on with it. Thanks everyone for following along!