ETSI TR 103 087 V1.2.1 (2017-11)

TECHNICAL REPORT
Reconfigurable Radio Systems (RRS);
Security related use cases and threats

2 ETSI TR 103 087 V1.2.1 (2017-11)

Reference
RTR/RRS-0313
Keywords
radio, safety, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2017.
All rights reserved.
TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.
TM
3GPP and LTE™ are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M logo is protected for the benefit of its Members.
GSM® and the GSM logo are trademarks registered and owned by the GSM Association.
ETSI
3 ETSI TR 103 087 V1.2.1 (2017-11)
Contents
Intellectual Property Rights . 8
Foreword . 8
Modal verbs terminology . 8
Introduction . 8
1 Scope . 9
2 References . 9
2.1 Normative references . 9
2.2 Informative references . 9
3 Definitions and abbreviations . 11
3.1 Definitions . 11
3.2 Abbreviations . 12
4 Method of analysis . 14
5 Security objectives . 19
5.1 Overview . 19
5.2 Assumptions and assertions of RRS . 21
5.3 Objectives arising from RED analysis . 22
5.4 Objectives arising from ComSec analysis . 22
5.5 Objectives arising from the analysis of the RAP as ToE#2 . 23
5.6 Objectives arising from the analysis of the DoC as ToE#3 . 23
6 Stakeholders and assets . 24
6.1 Use cases . 24
6.1.1 Introduction. 24
6.1.2 Timing dependencies between use cases . 27
6.2 Assets . 28
6.2.1 Mobile Device Reconfiguration Classes . 28
6.2.2 Radio Application operating environment . 29
6.2.3 Radio Application and Radio Application Package . 31
6.2.4 Declaration of Conformity and CE marking . 31
6.2.5 External assets . 31
6.3 Cardinalities . 32
7 Identification of ToE for RRS App deployment . 33
7.1 Overview . 33
7.2 ToE#1: communication between the RadioApp Store and the RE . 34
7.2.1 Introduction. 34
7.2.2 Threats . 35
7.2.3 Risk assessment . 36
7.3 ToE#2: Radio Application Package . 36
7.3.1 Introduction. 36
7.3.2 Lifecycle starting from the availability on the RadioApp Store . 36
7.3.3 Other aspects of the lifecycle . 38
7.3.3.1 Withdrawal of a Radio Application from the Radio Market Platform . 38
7.3.3.2 Development and pre-distribution phase . 38
7.3.3.3 RE and RA lifetime . 38
7.3.3.4 Identification of rogue or compromised Radio Applications . 39
7.3.4 ToE#2 environment . 39
7.3.5 Out-of-scope aspects of ToE#2 . 39
7.3.6 Threats . 39
7.4 ToE#3: Declaration of Conformity and CE marking . 39
7.4.1 DoC characteristics . 39
7.4.2 Consequences drawn from characteristics . 41
7.4.3 DoC usage from a market surveillance perspective . 41
7.4.4 ToE#3 environment . 42
ETSI
4 ETSI TR 103 087 V1.2.1 (2017-11)
7.4.5 Out-of-scope aspects of ToE#3 . 42
7.4.6 Threats . 42
7.5 Conceptual countermeasure framework for RRS to address ToE#1, ToE#2 and ToE#3 . 42
7.5.1 Introduction. 42
7.5.2 Framework elements . 42
7.5.3 Revised risk calculations . 43
7.5.3.1 Application of identity management framework . 43
7.5.3.1.0 Introduction . 43
7.5.3.1.1 Identities in RRS. 43
7.5.3.2 Application of non-repudiation framework . 46
7.5.3.3 Application of integrity verification framework . 46
7.5.4 Summary of threats introduced by countermeasures . 46
8 Modifications applicable to the RRS architecture . 46
8.1 Additional elements . 46
8.2 Additional flow diagrams . 47
8.2.1 RAP endorsement, distribution, and validation . 47
8.2.2 DoC endorsement, distribution, and validation. 48
9 Remote attestation of the Reconfigurable Equipment status (installed RA and DoC) . 50
9.1 Overview of remote attestation use case . 50
9.2 Actors and relationships . 51
9.2.1 The platform . 51
9.2.2 The attesting entity. 51
9.2.3 The verifying entity . 51
9.2.4 The requestor . 52
9.3 Considerations for remote attestation solutions in RRS . 53
9.3.1 Relation to the non-repudiation framework . 53
9.3.2 Implementation . 53
9.4 Direct Anonymous Attestation . 53
10 Configuration enforcement of reconfigurable equipment . 54
10.1 Introduction and scenario . 54
10.2 Scope . 54
10.2.1 Background . 54
10.2.2 Core Command set. 55
10.2.3 Extended Command Set . 55
10.2.4 Actors . 56
10.3 Technical considerations . 57
10.3.1 RAT capabilities . 57
10.3.2 Access control . 57
10.3.3 Default control channel . 57
10.4 Technical implementation . 58
10.4.1 Introduction. 58
10.4.2 Data model and data flows . 58
10.4.3 Delivery mechanisms in selected RAT . 59
10.5 Security objectives . 60
10.6 Threats . 60
11 Long-term management of reconfigurable equipment . 61
11.1 Introduction and scenario . 61
11.2 Scope . 62
11.3 Architecture and Actors . 62
11.3.1 Introduction. 62
11.3.2 The RRS Configuration Profile . 63
11.3.3 The RRS-CP Profile. 63
11.3.4 Transfer of Authority Document (TAD) . 63
11.3.5 Effective transfer of authority . 64
11.4 Verification of profiles and actors, profile updates . 64
11.5 Message flows . 65
11.5.1 Transfer of authority between two RRS-CA . 65
11.5.2 Designation of legitimate RRS-CP by the RRS-CA . 66
11.5.3 Distribution of a new RRS Configuration Profile . 67
ETSI
5 ETSI TR 103 087 V1.2.1 (2017-11)
11.6 Security objectives . 67
11.7 Threats and limitations . 69
12 Device root of trust for RRS . 70
12.1 Introduction . 70
12.2 Services . 71
12.2.1 Immutable pre-provisioned data . 71
12.2.2 Measurement. 71
12.2.3 Secure cryptographic primitives and execution environment . 71
12.2.4 Secure boot . 71
12.2.5 Secure storage . 72
12.2.6 Policy-based access control . 74
12.2.7 Random number generation . 74
12.2.8 Trusted time . 74
12.2.9 Trusted environmental information . 74
12.2.10 Audit . 74
12.2.11 Mutual authentication and secure communications between entities . 74
12.2.12 (remote) Attestation of platform configuration . 75
Annex A: Impact on RRS Security of European Radio Equipment Directive . 76
A.1 Introduction . 76
A.2 Summary of applicable requirements . 76
A.2.1 Applicability . 76
A.2.2 General principles. 76
A.2.3 Technical and security considerations . 77
A.3 Declaration of Conformity (DoC) . 77
A.3.1 Introduction . 77
A.3.2 Technical and security considerations . 78
A.4 Safekeeping of the Declaration of Conformity . 78
A.4.1 Introduction . 78
A.4.2 Technical and security considerations . 78
A.5 Affixing of Declaration of Conformity . 79
A.5.1 Overview . 79
A.5.2 Technical and security considerations . 79
A.6 Pre-market actors and roles from the Directive 2014/53/EU perspective . 80
A.7 Other information to indicate on the RE . 81
A.7.1 Introduction . 81
A.7.2 Technical and security considerations . 81
A.8 Actions in case of formal non-compliance, or with compliant radio equipment that presents a
risk . 81
A.8.1 Introduction . 81
A.8.2 Technical and security considerations . 81
A.9 Post-market actors and roles from the RED perspective . 82
A.10 Actions in case of RE presenting a risk . 82
A.10.1 Introduction . 82
A.10.2 Technical and security considerations . 83
A.10.3 Additional considerations . 83
Annex B: Summary of security objectives . 84
Annex C: Summary of high level security requirements . 87
Annex D: Completed TVRA pro forma for RRS security . 88
Annex E: TVRA Risk Calculation for selected RRS aspects . 90
ETSI
6 ETSI TR 103 087 V1.2.1 (2017-11)
Annex F: Void . 93
Annex G: Trust models in RRS app deployment . 94
G.1 Overview of trust . 94
G.2 Role of trust in RRS . 94
G.3 Public Key Infrastructures and Trust . 95
G.4 Models of trust . 97
G.4.1 Overview . 97
G.4.2 Directly delegated trust . 98
G.4.3 Collaborative trust . 98
G.4.4 Transitive trust . 99
G.4.5 Reputational trust . 99
Annex H: Wireless Innovation Forum security considerations for SDRD . 100
H.1 Introduction . 100
H.2 Identification of assets . 100
H.3 Actors (stakeholders) . 101
H.4 Threat analysis . 102
H.4.1 Vulnerability classes. 102
H.4.2 Threat classes . 103
H.4.3 Attacks and exploits . 103
H.5 Identification of security critical processes . 103
H.6 Security services . 104
H.7 Other considerations . 106
H.7.1 Downloadable policies . 106
Annex I: Review of remote control management protocols . 107
I.1 Overview . 107
I.2 OMA Device Management . 107
I.2.1 Introduction . 107
I.2.2 General principles. 107
I.2.3 Security . 108
I.2.3.1 Communication security . 108
I.2.3.2 Bootstrap security . 108
I.2.3.3 Access control . 108
I.2.3.4 Other mechanisms . 108
I.3 OMA LWM2M . 108
I.3.1 Introduction . 108
I.3.2 General principles. 108
I.3.3 Security . 109
I.3.3.1 Communication security . 109
I.3.3.2 Bootstrap security . 109
I.3.3.3 Access control . 110
I.4 GSMA Service Provider Device Configuration . 110
I.4.1 Introduction . 110
I.4.2 General principles. 110
I.4.3 Security . 111
Annex J: Usage of the DoC and the RE Configuration Policy in RRS . 112
J.1 Introduction . 112
J.2 Distribution scenarios . 113
ETSI
7 ETSI TR 103 087 V1.2.1 (2017-11)
J.3 Applicability to other regulatory frameworks . 114
Annex K: Implementation guidelines . 115
K.1 Introduction . 115
K.2 Guidelines for the configuration enforcement framework . 115
K.2.1 APDU identification and anti-replay . 115
K.2.2 Leveraging the root of trust for management of critical assets . 115
K.3 Guidelines for the long-term lifecycle management framework . 116
K.3.1 Certification paths . 116
K.3.2 Leveraging the root of trust for management of critical assets . 116
Annex L: Bibliography . 118
History . 119

ETSI
8 ETSI TR 103 087 V1.2.1 (2017-11)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Reconfigurable Radio Systems (RRS).
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Introduction
The present document presents a security threat analysis of RRS networks and devices for a set of specific use cases and
operational scenarios defined in ETSI TC RRS.
It is recommended to consider [i.1], [i.2], [i.3], [i.5], [i.6], [i.7], [i.8] and [i.18] for further information on the framework
related to the solutions in the present document.
ETSI
9 ETSI TR 103 087 V1.2.1 (2017-11)
1 Scope
The present document provides an analysis of the risk of security attacks on the operation of reconfigurable radio
systems. It identifies which security threats can disrupt RRS networks and devices or can induce negative impacts on
other radio communication services operating in the same radio spectrum. The present document also identifies
stakeholder and assets, which can be potentially impacted by the security threats.
The present document extends the set of use cases addressed over those covered by ETSI TR 103 087 (V1.1.1) [i.30] to
cover the following:
• Remote attestation of the Reconfigurable Equipment status (installed RA and DoC).
• Configuration enforcement of reconfigurable equipment.
• Distribution and enforcement of mobility policies.
• Long-term management of devices (in particular orphaned devices).
• Secure device root of trust.
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] Recommendation ITU-T E.408: "Security in Telecommunications and Information Technology.
An overview of issues and the deployment of existing ITU-T Recommendations for secure
telecommunications. Telecommunication networks security requirements".
[i.2] L. B. Michael, M. J. Mihaljevic, S. Haruyama and R. Kohno: "A framework for secure download
for software-defined radio", IEEE Communications Magazine, July 2002.
[i.3] A. N. Mody, R. Reddy, T. Kiernan and T.X. Brown: "Security in cognitive radio networks: An
example using the commercial IEEE 802.22 standard", Military Communications Conference,
2009. MILCOM 2009. IEEE, vol., no., pp.1-7, 18-21 Oct. 2009, Boston, MA, USA.
[i.4] Document Id: WINNF-08-P-0013: "Wireless Innovation Forum's Security Working Group.
Securing Software Reconfigurable Communications Devices".
[i.5] ETSI TR 103 062: "Reconfigurable Radio Systems (RRS); Use Cases and Scenarios for Software
Defined Radio (SDR) Reference Architecture for Mobile Device".
[i.6] ETSI TR 102 907: "Reconfigurable Radio Systems (RRS); Use Cases for Operation in White
Space Frequency Bands".
[i.7] ETSI TR 103 063: "Reconfigurable Radio Systems (RRS); Use Cases for Reconfigurable Radio
Systems operating in IMT bands and GSM bands for intra-operator scenarios".
ETSI
10 ETSI TR 103 087 V1.2.1 (2017-11)
[i.8] ETSI TR 102 944: "Reconfigurable Radio Systems (RRS); Use Cases for Baseband Interfaces for
Unified Radio Applications of Mobile Device".
[i.9] ETSI TS 102 165-1 (V4.2.3): "Telecommunications and Internet converged Services and Protocols
for Advanced Networking (TISPAN); Methods and protocols; Part 1: Method and proforma for
Threat, Risk, Vulnerability Analysis".
[i.10] ETSI TR 187 011: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Security; Application of ISO-15408-2 requirements to
ETSI standards - guide, method and application with examples".
[i.11] ETSI EN 302 969: "Reconfigurable Radio Systems (RRS); Radio Reconfiguration related
Requirements for Mobile Devices".
[i.12] ETSI TS 103 436: "Reconfigurable Radio Systems (RRS); Security requirements for
reconfigurable radios".
[i.13] ETSI EN 303 095: "Reconfigurable Radio Systems (RRS); Radio Reconfiguration related
Architecture for Mobile Devices".
[i.14] Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the
harmonisation of the laws of the Member States relating to the making available on the market of
radio equipment and repealing Directive 1999/5/EC.
[i.15] Directive 2014/35/EU of the European Parliament and of the Council of 26 February 2014 on the
harmonisation of the laws of the Member States relating to the making available on the market of
electrical equipment designed for use within certain voltage limits Text with EEA relevance.
[i.16] Directive 2014/30/EU of the European Parliament and of the Council of 26 February 2014 on the
harmonisation of the laws of the Member States relating to electromagnetic compatibility (recast)
(Text with EEA relevance).
[i.17] Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008
setting out the requirements for accreditation and market surveillance relating to the marketing of
products and repealing Regulation (EEC) No 339/93 (Text with EEA relevance).
NOTE: Available at http://eur-lex.europa.eu/.
[i.18] ETSI TR 102 967: "Reconfigurable Radio Systems (RRS); Use Cases for dynamic equipment
reconfiguration".
[i.19] ETSI EN 303 146-2: "Reconfigurable Radio Systems (RRS); Mobile Device (MD) information
models and protocols; Part 2: Reconfigurable Radio Frequency Interface (RRFI)".
[i.20] ETSI TS 103 146-3: "Reconfigurable Radio Systems (RRS); Mobile Device Information Models
and Protocols Part 3: Unified Radio Application Interface (URAI)".
[i.21] Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a
common regulatory framework for electronic communications networks and services (Framework
Directive).
[i.22] ETSI GS NFV-SEC 003: "Network Functions Virtualisation (NFV); NFV Security; Security and
Trust Guidance".
[i.23] ETSI TS 103 146-4: " Reconfigurable Radio Systems (RRS); Mobile Device Information Models
and Protocols; Part 4: Radio Programming Interface (RPI)".
[i.24] Open Mobile Alliance™ OMA-ERP-DM-V1_3: "OMA Device Management".
NOTE: Available at http://www.openmobilealliance.org/.
[i.25] Open Mobile Alliance™ OMA-ERP-LightweightM2M-V1_0: "OMA LightweightM2M
(LWM2M)".
NOTE: Available at http://www.openmobilealliance.org/.
ETSI
11 ETSI TR 103 087 V1.2.1 (2017-11)
[i.26] GSM Association RCC.14 : "Service Provider Device Configuration".
[i.27] ETSI TR 103 502: "Reconfigurable Radio Systems (RRS); Applicability of RRS with existing
Radio Access Technologies and core networks Security aspects".
[i.28] Trusted Computing Group: "Trusted Platform Module Library, Part 1: Architecture, Family '2.0'".
[i.29] Trusted Computing Group: "TPM Main, Part 1, Design Principles".
NOTE: Available at https://trustedcomputinggroup.org/.
[i.30] ETSI TR 103 087 (V1.1.1): " Reconfigurable Radio Systems (RRS); Security related use cases and
threats in Reconfigurable Radio Systems".
[i.31] IEEE 802.11™: "IEEE Standard for Information technology -- Telecommunications and
information exchange between systems Local and metropolitan area networks -- Specific
requirements -- Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY)
Specifications".
[i.32] Recommendation ITU-T X.509: "Information technology - Open Systems Interconnection - The
Directory: Public-key and attribute certificate frameworks".
3 Def
...