Imperial College London

Q and A with a security expert who is making our mobile networks safer


People using mobile devices

An Imperial academic talks about his work rooting out cyber-attacks on phone networks in order to make them safer.

Professor Erol Gelenbe, from Imperial’s Department of Electrical and Electronic Engineering, has successfully concluded a large European project, which he was leading and coordinating, looking at ways of making our phones more secure and robust.

The NEMESYS consortium (Enhanced Network Security for Seamless Service Provisioning in the Smart Mobile Ecosystem) consisted of universities and industrial partners from across Europe. The aim of NEMESYS was to show why and how mobile network attacks occur, and how to detect them and mitigate them.

Colin Smith caught up with Professor Gelenbe to learn more about the underpinning technology behind our mobile phone network and why it is so important to make it more robust from cyber-attacks.

What does the mobile phone network actually look like and how does it work?

These types of attacks give mobile phone operators a bad reputation with consumers.

– Professor Erol Gelenbe

Department of Electrical and Electronic Engineering

Well, firstly there’s a signalling system that acts as the ’distributed brain’ of the mobile operator. It controls all the functions of the network. It keeps track of mobile devices via information from base stations and decides on whether to connect an incoming call to a given device or to allow a device to make an outgoing call.

The signalling system also links to the billing system, allowing calls, and making sure appropriate charges are applied.  Similar things happen when a mobile device tries to connect to specific web servers, or when it tries to download media or data.

How does the signalling system connect calls?

A mobile device is being constantly tracked by the mobile phone operator service through base stations, which are distributed throughout the world. They maintain wireless contact with the devices that are within their reach, typically several hundred metres at most. The purpose is to make sure that an incoming call can be routed to the device that is being called. Similarly, if the mobile phone users want to make a call, the same base station will pick it up and then contact the signalling system and on to the receiver, provided the receiver is near a base station.

What makes the network vulnerable to cyber-attacks?

Professor Gelenbe

Professor Gelenbe

The design of signalling systems is based on standards that are chosen by industry. These standards evolve slowly through interactions and discussions between industry partners including both the mobile operators and providers of the equipment for the network, including the signalling systems.

These standards are publicly discussed when they are being developed and much of the development occurs online. As soon as the inner workings or the working principles of any system are openly known, then the system becomes vulnerable to malicious attacks by people or organisations that exploit its weaknesses. In addition, the signalling system is the “brain” of the mobile network and when the brain is disrupted or tricked into making mistakes, then the whole system is adversely affected.

Can you describe a conventional attack?

Normally a mobile phone owner is tricked or unknowingly downloads malware, corrupt software, onto their smartphone.  This could mean that the signalling system registers calls that weren’t made, meaning that they get billed incorrectly. These malicious programs can misdirect calls to unwanted numbers or web services, cause battery depletion, and a ‘clogging up’ of the network bandwidth as well as its signalling system so that many other users suffer delays or are unable to  get a connection.

These types of attacks give mobile phone operators a bad reputation with consumers. This results in a loss of business, both through disrupted services, reduced usage, and decisions by users to move to other operators that appear to be more secure.

These attacks also add on to the operating costs of companies, where their Cloud systems and their underpinning internet services become congested, which drain energy.

What motivates these attacks?

Attackers have many different motivations including wanting to create political pressure or carry out extortion. Attacks can also be used to push users to access paid phone or web services unknowingly. These attacks can also cut into the margins of targeted mobile operators. It can congest the Internet service providers that different operators may share with other users. Sometimes attackers just wish to hack the various systems that are being used.

You developed a system to deflect attacks on signalling systems. How does it work?

We developed tools that could analyse these attacks in real-time and determine the source of the attack. These tools incorporate probability models, statistical methods and machine learning.

Our system first detects specific mobile calls that are acting in a manner that is detrimental to the signalling system. This detection is based on observing the effect of a specific call on the state of the inner workings of the signalling system.

If this pattern is repeated in other mobile phones, which would further disrupt the signalling system, then the specific call can be delayed or not allowed to re-enter the system for some time.

If the same type of attack persists over different instances from the same caller, then various measures can be taken, including running tests remotely on the phone itself and reloading its software and operating system to eliminate the malware.

We also look for patterns that allow us to determine the groups of mobile users that have been unwittingly compromised to attack the system in a coordinated manner.

How did this research help industry?

Overall, our technology was able to show why and how mobile network attacks occur, and how to detect them and mitigate them. The technology was transferred to our industry partners so that they can use them as a defensive tool in large-scale cyber-attacks.


Colin Smith

Colin Smith
Communications and Public Affairs

Click to expand or contract

Contact details

Show all stories by this author


Research, Europe, Strategy-collaboration, Strategy-share-the-wonder
See more tags

Leave a comment

Your comment may be published, displaying your name as you provide it, unless you request otherwise. Your contact details will never be published.