The Department of Homeland Security (DHS) Study on Mobile Device Security identified threats to and security challenges in mobile network infrastructure that could negatively impact the federal government’s use of mobile technologies. It also identified the need for government research and development (R&D) to address the risks. The study concluded that targeted R&D could inform development and adoption of standards to improve security and resilience of critical mobile communications networks.
DHS’ Science and Technology Directorate’s (S&T) Mobile Security R&D Program has established the Secure and Resilient Mobile Network Infrastructure (SRMNI) project to address the threats and challenges to the nation’s mobile network infrastructure. Each of the nine R&D projects is being managed by S&T’s Office of Mission & Capability Support on behalf of CISA.
Mobile device and mobile network elements extend from the device through the radio access and core networks to the internet and into enterprise systems. Through its SRMNI project, S&T is working with several performers on innovative approaches to improving protection of the cellular mobile infrastructure against threats.
These threats impact the following elements of the mobile network infrastructure:
- The air interface between the mobile device and the Radio Access Network (RAN).
- The RAN cellular tower/base station.
- Virtualized elements of the RAN or the core network.
- Signaling System 7 (SS7), Diameter, and other signaling protocols within the cellular core network.
- Traffic sent from the core network to the internet or enterprise systems or networks (e.g., ESINet for NG911), across third party transport networks connecting RAN and core networks, and connectivity to Public Safety Answering Points (PSAPs)/Next Generation 911 systems.
- Security of enterprise systems and data accessed via mobile technologies.
To solicit qualified R&D proposals, DHS S&T issued a Broad Agency Announcement Solicitation (BAA) 70RSAT19RB00000001, under the project name “Secure and Resilient Mobile Network Infrastructure.” Through this BAA call, DHS sought R&D proposals from the mobile R&D community to develop technologies that will improve the security and resilience of the mobile network infrastructure, including 2G, 3G, LTE/4G, and emerging 5G technologies. The SRMNI BAA specifically sought R&D proposals focused on the following Technical Topic Areas (TTAs):
- TTA #1 focused on 2G, 3G, and 4G network protections.
- TTA #2 focused on building security into 5G networks and leveraging 5G to demonstrate solutions that meet government security needs. TTA #2 also focuses on development of end-to-end protection of network traffic, including development of a standardized secure voice and video capability for unclassified government communications.
- TTA #3 sought innovative approaches to improve government visibility of network traffic from mobile devices to identify potential malware, attacks or attempts to exfiltrate data from or through the device.
Following a competitive review process, nine R&D partners were selected from the submitted research proposals to conduct SRMNI projects addressing the above TTAs.
Following is the roster of SRMNI R&D performers and a brief summary of each of the nine projects:
- 4K Solutions, LLC - Secure Voice and Messaging Threat Mitigation from Backend Protocol and Over-the-Air-Attacks. This SRMNI R&D project is developing and refining the following two major software solutions—GovSecure and EchoPPT Pro—for secure voice and text communications.
- Adaptive Mobile Security - Threat Detection and Protection of Networks. AdaptiveMobile Security is developing an innovative threat-detection solution that will help increase the security posture of mobile networks and devices.
- Aether Arugus Inc. - Protecting the Mobile Core Network Elements via Air-Gapped Hardware Verification and Code Execution Tracking. The company is developing a firmware-anomaly detection system for 5G and ICT infrastructure components that will monitor device electromagnetic emissions to detect operational irregularities.
- AppCensus, Inc. - Mobile Traffic Intelligence at Scale. During this project AppCensus will research three potential protected domain name system solutions and determine their fit for use as the mobile proof-of-concept.
- Commdex Consulting - Fifth Generation (5G) Network Security. Commdex is developing and evaluating varying end-to-end security controls for 5G devices, 5G Radio Access Network, core, and transport network architecture. It will also determine the efficacy of the approaches in a testbed in coordination with Nokia using various real-world use-cases.
- GuidePoint Security - Mobile Network Traffic Visibility for the Enterprise. During its project, GuidePoint is seeking to improve protection and monitoring of mobile devices accessing systems and services on mobile networks by building protected domain name system capabilities and service offerings.
- Red Balloon Security - Symbiote Integration for Mobile Network Infrastructure. Red Balloon Security is integrating its patented firmware hardening and runtime protection technologies—Symbiote and Autotomic Binary Structure Randomization—into mobile network infrastructure embedded devices to mitigate exposure to a wide range of attack chains.
- Texas A&M University - Government Secure Voice Architecture. The Texas A&M Internet 2 Technology Evaluation Center, in partnership with Columbia University and Texas A&M University at Commerce, is developing a testbed for full-function secured and interoperable voice and data services.
- University of Florida - Deploying Defenses for Cellular Networks Using the AWARE Testbed. This R&D project is developing solutions for legacy and future cellular systems that will detect and mitigate voice call and message interception and user tracking by hostile third parties.
More information about these SRMNI R&D projects is available in the Secure & Resilient Mobile Network Infrastructure and Emergency Communications R&D Guidebook.
- Automating National Information Assurance Partnership Requirements Testing for Mobile Apps Report
- Cell Networks Vulnerable to Attack — Commdex SRMNI R&D Project Fact Sheet
- Challenges to Mobile Security — Adaptive Mobile SRMNI R&D Project Fact Sheet
- DHS Study on Mobile Device Security
- Embedded Devices are vulnerable — Red Balloon Security SRMNI R&D Project Fact Sheet
- Evaluating Mobile App Vetting Integration with Enterprise Mobility Management in the Enterprise
- Improve Mobile Communications Security — Texas A&M University SRMNI R&D Project Fact Sheet
- Microelectronics Security Concerns — Aether Argus SRMNI R&D Project Fact Sheet
- Mobile App Security Study: Securing Mobile Applications for First Responders
- Mobile Communications at Risk — 4K Solutions SRMNI R&D Project Fact Sheet
- Mobile DNS Security Threats — AppCensus SRMNI R&D Project Fact Sheet
- Providing Mobile DNS Security — Guide Point Security SRMNI R&D Project Fact Sheet
- Secure and Resilient Mobile Network Infrastructure & Emergency Communications Program R&D Guidebook
- Security Gaps in Telephony Systems — University of Florida SRMNI R&D Project Fact Sheet