Connectivity in the Mobile Age — Why APNs? (part-1)

Nate
Dec 13, 2019


This is part one of a multi-part series on connectivity in the mobile age (part 2 & part 3 are linked here). The goal is to outline the various technologies used to connect your mobile device to the Internet and other private networks.

This series will focus on a number of topics around how the mobile networks are built to take data from your device, through the telecom/carrier network, and ultimately to either a private network or the public Internet, so that you can consume services like Facebook or some sort of internal application.

Throughout, there will be a number of “Interesting Facts” that will provide some deeper technological or managerial insights.

The goal of these documents is to give you enough insight into mobile data connectivity that you will reconsider your access methodology and look to leverage more secure access paths for your mobile data.

Note that we are not discussing WiFi/WLAN, or whatever you want to call communications based on the 802.11 standard. WiFi is great for short distances and limited range communications, e.g. your coffee shop or at the office. However, WiFi is out of the scope of this document. Rather, I’d like to purely focus on discussing the “bars” on your device: the communication from your mobile device to the Internet using your mobile phone provider’s network.

Why explain this?

There are two main reasons to detail mobile connectivity in this document; both are aimed at helping the reader make informed decisions about their mobile data security and experience. The two reasons are:

  • Understanding the process of how devices connect over a mobile network will give you clarity on what is happening to personal and professional information as it traverses the varying paths to access applications. One must understand this scenario before making a decision on whether to change it.
  • With this understanding will come options and considerations for how to leverage mobile connectivity for better value, from both security and functionality perspectives.

How does your device talk to the Internet?

Figure 1: Three Segments of Mobile Connectivity

TLDR;

Your time is appreciated, and more than likely you will be consuming this article on your mobile device of choice. So we will dive straight into how your device is seeing this very article. To do this, I will divide the connectivity up into three elements:

  1. The Mobile Device: as captured in the name — this is your phone, which is connected to your telecom provider. Initial connectivity is via radio signaling, e.g. LTE, and then data is transported via packet switching.
  2. The Carrier (black box): a “black box” network that transports, segregates, inspects, dissects, analyzes, and controls your traffic, and ultimately charges us for our consumption.
  3. The Destination Network: Where your traffic is headed so that you can consume a service. This will most likely be the Internet, but it is also possible to access some private applications.

Your Device

Connecting your device to a mobile network, as with any network, requires that your device is able to speak the language of that network. This language is how your information is transmitted over the radio.

What once started out as simple voice transmission has now led to the incredible data transmission rates that we have all come to expect, e.g. when viewing an HD video whilst on the move. Over time, this has taken many forms and many languages, such as CDMA or LTE. (If you want to know more about these languages, check out this article: https://internet-access-guide.com/the-alphabet-soup-of-mobile-standards-gsm-cdma-and-lte/)

Therefore, if a network is available and you want to connect to it, your device must speak its language. This is done by having a translator on your device — a MODEM — to send radio signals in a way that the network understands. Today this is 4G/LTE and 5G.

Interesting Fact: “MODEM” is actually a mash of two technical terms: modulation and demodulation — which means the conversion (translation) of signal from one network to another.

In short, it is this radio MODEM that takes your data, packages it up, and sends it across these radio signals to your telecom carrier.

Figure 2: Your device to the mobile network (including the layers of translation)

Before your telecom carrier authorizes you to connect to the data network, there are multiple layers of testing/validation that occur. First, your SIM card number, known as an IMSI (international mobile subscriber identity), is a unique ID that allows the carrier to validate that you are allowed to connect. The IMSI also allows the carrier to identify the card, and ultimately the owner of the card. This validation allows you to use the mobile network.

Interesting Fact: There are other layers of validation, but I won’t dive into them here. If you’re interested, check out these great resources:

SIM (https://en.wikipedia.org/wiki/SIM_card)

ICCID (https://www.iso.org/standard/70484.html)

Auth Key Ki (http://www.liquisearch.com/simcard/data/authentication_key_ki)

Once your communication method is confirmed, the next decision is based on the Access Point Name (APN) that has been assigned to you and your device. This APN instructs your carrier as to what “gateway” you are allowed to pass through, as well as what resources you are able to see and access. We will address APNs in more detail in the next section.

After your device and access rights have been validated, the carrier gives you access to the telecom network that you are allowed to use.

The Carrier Network

Generally, the carrier network is a “black box” where the internal function is not really well known outside of the carrier (and varies from carrier to carrier). On this network, your data is taken, routed, assessed, formatted, and then connected to another network — usually the Internet.

As outlined in the previous device topic, there are a number of tests that must occur before you get on the carrier network. Ultimately, these tests are in place to ensure that you can pay for the services that you consume.

Interestingly, though, these tests also greatly empower you as you travel. For example, your carrier does not have a global mobile network — so how does your carrier enable your device to connect when you are visiting another country?

Using the previously explained checks, you can see how the carriers enable your roaming:

  • Radio: your device connects to a local radio network using the language it speaks, such as 4G
  • SIM: your SIM identifies who you are, what device you have, and whether you are allowed to send data

If international service is enabled for your device, your carrier will pass this information and approval to the local carrier and allow (or deny) you access. This is called roaming; for more details on roaming, check out this lovely article: https://www.ctia.org/consumer-resources/how-roaming-works

Your home carrier will apply a set of controls to your account that tell the connected carrier network what to do with your data. Once the traffic is sent from your mobile phone into the telecom backbone, functional inspection and decision-making / routing occurs based on your carrier’s rules.

Your telecom provider sits in between you and the Internet and has the ability to see what you consume. This way the carriers are able to offer you value-added services, such as Netflix streaming for no additional cost, etc. This is done through the telecom provider knowing the types of traffic that are going to the various streaming services and ensuring that this traffic is enabled (or limited) for your account.

Figure 3: Example of a telecom “special service” (e.g. Spotify for free..) Source: telekom.de

On the telecom network, your traffic is identified and isolated so that the carrier knows:

  • Who is requesting access
  • What they are consuming
  • Who to apply their billing model to
  • What limits you may or may not have

In general, the telecom provider will connect your device to a network space (normally private RFC 1918 or IPv6 space) that is segmented by the provider into different access paths — for example, private or public access paths. This decision is based on your APN (covered in detail in the next installment).

It is important to remember that any access to any destination network through a telecom carrier must pass traffic through the telecom provider network; only after they have finished analyzing your traffic will they connect you via one of their outbound gateways to the respective destination network.

Figure 4: Telecom provider to the Internet, one path is secure & the other has bandwidth limits applied

In terms of security, you must presume that connecting to a telecom network is like connecting to a large open WiFi network, e.g. a coffee shop hot spot. It is a network controlled by someone you do not know and more than likely should not trust.

You must presume that any traffic that you send over this network will be assessed. Everything from the DNS request, the destination IP, accessed domains, and so forth will be observed and logged by the carrier; if possible, the carrier will also inspect the content of the traffic. Ultimately the carrier wants to provide you with a service, and they need to see your traffic to be able to provide you with that service.
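What the paragraph above means in practice, as an added example (not from the original article): the sketch parses one unencrypted DNS query and returns the fields any on-path network, the carrier included, can read. The packet, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import struct


def build_sample_query(name, src, dst):
    """Construct an unencrypted IPv4/UDP DNS query (sample data, checksums zeroed)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp


def on_path_view(packet):
    """Return the metadata an on-path network can read from a plain DNS query."""
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    proto = packet[9]
    src, dst = (str(ipaddress.IPv4Address(packet[o:o + 4])) for o in (12, 16))
    # src_private: the device address sits in carrier-assigned private space.
    view = {"src": src, "dst": dst, "src_private": ipaddress.ip_address(src).is_private}
    if proto != 17:                                   # not UDP
        return view
    _sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    view["dst_port"] = dport
    if dport != 53:                                   # not DNS
        return view
    pos, labels = ihl + 8 + 12, []                    # skip UDP and DNS headers
    while packet[pos] != 0:                           # question names are uncompressed labels
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    view["dns_query"] = ".".join(labels)
    return view


# Constructed sample: a device in RFC 1918 space asking a resolver for a name.
SAMPLE = build_sample_query("www.example.com", "10.20.30.40", "192.0.2.53")
```

With encrypted DNS (DoT or DoH) the query name is no longer readable this way, but the destination IP still is.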

The Destination Network

Once the traffic is processed by the telecom provider, your traffic egresses out from the carrier network to the destination network (normally the Internet) and on to the service you would like to consume. Depending on the telecom provider, your egress location will vary; however, this egress gateway will be the source of your connection to the network.

Figure 5: Internet Connection from Carrier

In terms of access paths, the Internet services will see connections coming from the telecom provider, allowing the telecom carrier to define how to route your traffic. For international roaming, it’s common for the local carrier to route your traffic from the country you are visiting back to your resident country and then on to the service. For example, a German customer using their phone in Sweden may have their traffic routed back to Germany before exiting to the Internet. This global roaming and backhaul requires substantial setup by carriers, especially for a private APN, and can imply significant price and delivery time challenges.

Interesting Fact: As with most services today, the data collected by these services is being sold to third parties. In 2019 it was shown that American carriers would sell any customer data to external companies. For reference:

Traffic Isolation

One question that you should be thinking about is: how does a telecom provider isolate your traffic from others? How can they know that it is you consuming your data, versus someone else? How can the carrier provide differing services to you versus other customers?

The answer is surprisingly simple: the segmentation is performed by the same functions that validate the source of the connection, the IMSI and the APN.

The IMSI identifies the device, and the APN identifies the network to which to connect the device. IMSIs cannot be changed, but APNs can be. APNs are segmented access networks provided by telecom providers that allow the carrier to control not only who connects to which network, but also what services are available to that network. Clearly, there are some challenges regarding APNs that put customer data at risk. I will review these challenges in more detail in the next section.
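To make the IMSI and APN checks from the "Your Device" and "Traffic Isolation" sections concrete, here is a simplified model added for illustration (not the author's code and not how any specific carrier implements it). The IMSIs, APN names, gateway labels and function names are all constructed; the split of an IMSI into a country code (MCC) and carrier code (MNC) goes slightly beyond what the article covers.

```python
from dataclasses import dataclass

# Everything below is constructed for illustration: IMSIs, APN names, gateways.
MNC_LEN = {"262": 2, "240": 2}  # MCC -> MNC digits (262 Germany, 240 Sweden)

# Home carrier's subscriber records, keyed by IMSI.
SUBSCRIBERS = {
    "262990000000001": {"apn": "internet", "roaming": True},
    "262990000000002": {"apn": "corp.example", "roaming": False},
}

# APN -> which gateway (access path) the traffic is allowed to leave through.
APN_GATEWAY = {"internet": "public-egress", "corp.example": "private-egress"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    gateway: str = ""
    egress_mcc: str = ""


def home_network(imsi):
    """Split an IMSI into (MCC, MNC): the country and carrier that issued the SIM."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6 to 15 digits")
    mcc = imsi[:3]
    return mcc, imsi[3:3 + MNC_LEN.get(mcc, 2)]


def attach(imsi, requested_apn, visited_mcc):
    """Decide whether a device may attach, and through which gateway."""
    mcc, _mnc = home_network(imsi)
    sub = SUBSCRIBERS.get(imsi)
    if sub is None:
        return Decision(False, "unknown IMSI")
    if visited_mcc != mcc and not sub["roaming"]:
        return Decision(False, "roaming not enabled")
    # The APN set on the device is only a request; the subscription decides.
    if requested_apn != sub["apn"]:
        return Decision(False, "APN not provisioned for this IMSI")
    # Home-routed roaming: traffic is backhauled and egresses in the home country.
    return Decision(True, "ok", APN_GATEWAY[requested_apn], mcc)
```

Calling `attach("262990000000001", "internet", "240")` models the German subscriber in Sweden from the roaming example: access is allowed and the egress country is still 262.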

Wrapping up this first section in mobile connectivity — while there are three elements of access that need to be considered, the main function of control and access management sits with the telecom carrier. Thus, next time you are browsing a website over your smart phone, give some thought to how the traffic goes from your device, through the carrier network and controls, before the egress to the external network such as the Internet.

Up next in this “Connectivity in the Mobile Age” series will be the deeper discussion of Segmentation, after which we will look at a Better way of working.
