How it works: Mobile Networks

Mobile networks are an integral part of our daily lives. This blog dives into the history of mobile networks, and how they work so that we can better understand the security of them.
How it works: Mobile Networks

Mobile Networks have become an integral part of our daily lives, with more that 90% of the world owning a mobile phone (according to BankMyCell), and more that 85% of the world owning smart phones. Understanding the history of mobile networks and how they work is crucial in understanding the security of mobile networks and how you can be affected.


The current generation of Mobile Networks span to the 5G (5th Generation) which allows ultra-fast internet speeds, low latency, better connectivity in crowded areas, and broader wavelength spectrum for communication among other benefits. But to get here, it all started at 1G.

1G (First Generation)

Implemented in the early 1980s, 1G allowed only voice calls over an unencrypted channel. These calls were operated on analog signals and were typically limited to calls regionally due to lack of global standardization (although international calls were available).

2G (Second Generation)

The second generation, introduced in the 1990s, came to replace 1G with improved sound quality, security (added encryption) and an increased frequency range. Additionally, 2G introduced the ability to send SMS and MMS (Multimedia Messages) as well as basic internet connectivity through technologies such as GPRS (General Packet Radio Service) and EDGE (Enhanced Data Rates for GSM Evolution). The introduction of a global standard (GSM - Global System for Mobile Communications) also introduced international roaming, allowing users to connect anywhere and improved international calling.

3G (Third Generation)

In the early 2000's, 3G was introduced. The third generation of mobile networks enabled faster internet speeds, as well as the introduction of video calling and streaming. The security was also improved, implementing Kasumi block cipher to encrypt user data.

The Kasumi Block Cipher is a type of encryption method. Read more about encryption here.

4G (Fourth Generation)

The fourth generation (4G LTE - Long-Term Evolution) introduced various improvements on 3G, such as increased speeds, more flexible frequency spectrum usage (wider accommodation), lower latency, greater signal reliability, stronger encryption in the AKA protocol, etc. Alongside this, 4G took a different approach to the architecture of how mobile networks are structured. It introduced a flatter architecture (less hierarchical layers /hoops in sending data to the internet), and packet switching, among other things.

Packet Switching: Rather than each connection being it's own dedicated path (circuit switching - 3G), limiting the devices on the network and speeds, 4G introduced packet switching which meant that the data was split into different packets, and sorted from there which allows for more devices to connect at the same time, and less limitations on the number of devices.

5G (Fifth Generation) - Current Generation

The fifth generation of mobile networks improves on speed, latency, frequency ranges (from below 6GHz in 4G, to 30-300GHz in 5G - millimetre-wave spectrum), connectivity (designed to support up to 1 million devices in the same area, as opposed to 4G's 2000 devices per square kilometre). In addition to these enhancements, 5G utilises both smaller and large pre-existing cell towers, increasing efficiency.

As with previous generations, the latest generation improves on the encryption, as well as providing more robust protection against spoofing and tracking attacks.

Spoofing Attacks are when an attacker pretends to be someone they're not - essentially a type of phishing attack.
Tracking Attacks are when an attacker monitors a victims movement and behaviour without consent.

It's important to note, however, that since 5G is still relatively new and came with a lot of changes, it's susceptible to vulnerabilities that may not have been discovered yet.

How data is transmitted

When you send a text message on your phone to one of your contacts, a series of communications between your phone, different cell towers, and other devices are being conducted, as well as different protocols being implemented. Here's a rough outline on the process of a text message over a 5G network.

1. Initialisation

Utilising a protocol known as the NR (New Radio) Protocol, your mobile phone connects to the nearest 5G cell tower (gNodeB) and initiates a connection using Authentication and Key Agreement (AKA) Protocols.

The AKA Protocol has 3 main components involved in the process. These are the UE (User Equipment - mobile phone) that contains a SIM card which identifies them through a unique subscriber ID, the AuC (Authentication Centre) which holds a secret value for subscriber, and the HE (Home Environment) which is a hub of different components that are related to the identity of the subscriber (includes things like a registry of all subscriber data, equipment registry, authentication centre, etc.).

2. Composing the message

This step is pretty self-explanatory. After initialising a connection to the network, the next step is to compose/click send on a message. Although actually composing the message can be done without a connection since it’s local to the phone, lets assume that composing is when you finalise your text and click send.

3. Encryption

Once the message is composed, the message contents and SUPI (Subscriber Unique Permanent Identifier - Subscriber ID) are encrypted on the device through use of the unique session key determined in the initialisation step (these keys are refreshed each time the device connects to a cell tower).

4. Transport

Once the message is encrypted, the message travels from the phone to the gNodeB (5G Cell Tower), then through to the Core Network.

Core Network

The Core Network is critical in mobile networks and is (as the name suggests) the core component that is responsible for connecting users to the rest of the world. While the RAN (Radio Access Network) is responsible for the radio connection between devices and the mobile network, the CN (Core Network) is responsible for routing, management and other essential functions. The below components are not exhaustive and only include 5 of the many components of the CN.

Components (Non-exhaustive)
  • AMF (Access and Mobility Management Function)
    • Manages user access, session management, and tracking device movements (ensuring continuous service).
  • SMF (Session Management Function)
    • Manages the establishment, maintenance, and release of connection sessions, as well as assisting in routing.
  • UPF (User Plane Function)
    • In charge of routing and forwarding data, ensuring internet traffic, SMS, Voice calls, etc. are directed correctly.
  • PCF (Policy Control Function)
    • Ensures that the users get the quality of service that they are subscribed to (internet speed, time limits, etc.)
  • UDM (Unified Data Management)
    • Manages all subscriber data and holds subscriber information such as subscription details, current location, and authentication information.

The data will traverse through various different components of the core network (some of which are listed above) and then eventually reach the nearest gNodeB (Cell Tower) closest to the destination phone.

Through some other protocols, the phone then listens for incoming messages and receives the message from the closest cell tower.

5. Delivery / Decryption

When the message is sent to the Core Network, it is decrypted to allow for verification / other processes of the message and subscriber data (remember that they are tied together in 5G). From there, the message is then re-encrypted with a key that the recipient device has (remember that whenever a device connects to a new tower (session) a new encryption key is created. Since the destination device connects to a cell tower and creates it's own encryption key between the cell tower and device, this is the key that the text is encrypted with).

From here, the user can read the text message / data in their corresponding application.

This post is for subscribers only