5G and the Imminent Proliferation of Cellular IoT


July 16th, 2020

#5g #network slicing #botnets #rf engineering

Guest contributor: T. Jayawardena, Principal Technical Staff Member, AT&T Chief Security Office

The 5G cellular network deployment currently underway is the most anticipated event in today’s networking world. One of the three major usage scenarios defined for 5G is massive machine-type communications (mMTC), driven by the growth of the Internet of Things (IoT). With 5G, it is anticipated that the IoT density, i.e. the number of devices per unit area, may ultimately increase ten-fold compared to the LTE network (see [1]). The vision of the 5G network is to one day serve up to a million IoT devices within a square kilometer.

There are numerous standards-body efforts and pieces of legislation addressing vulnerabilities in the design and deployment of IoT devices (e.g., NISTIR 8259, the CSDE C2 Consensus on IoT security baselines, ENISA guidance and the EU Cybersecurity Act, Japan’s METI IoT Security Safety Framework, etc.), but the sheer number of devices, the economics of their production, and possible lack of compliance with these design recommendations have the potential to increase the attack surface. Devices with exploitable insecure features become targets for attackers building botnets and launching denial-of-service attacks. Unforeseen stress on the network due to such a high concentration of IoT devices is also a concern. For example, how would the 5G network handle millions of IoT devices trying to connect at the same time when recovering from a power outage in a large geographic area?

In the following, we discuss these issues and how both 3GPP standards and AT&T’s LTE and 5G network capabilities can help mitigate them.

A distinguishing feature of IoT devices is their widely differing needs (see [3] for a characterization effort to create a taxonomy of IoT devices). Compared to a cellphone, IoT devices have a range of different operational profiles for network bandwidth and delay, power budgets, price ranges, and security needs, which vary across device types. Some IoT devices, such as a structural integrity sensor, may send or receive a trickle of data, say, once a day, while others, such as security cameras, may send bursts at megabit-per-second rates every few minutes. Some are mobile and may move from cell tower to cell tower while others are stationary. Their prices can range from hundreds of dollars to under a dollar per device. Battery life can range from a year or less up to ten years, and for unattended devices battery life effectively determines the device life cycle. Sensors and non-mission-critical IoT devices may only need basic security features, while soon there may be IoT devices in mission-critical medical and automation fields that require built-in high security protocols and mechanisms.

LTE and Narrow Band-IoT (NB-IoT) RF Engineering

IoT-specific optimizations in the current LTE RAN (Radio Access Network) and core network provide a glimpse of how massive IoT deployments become feasible and what mechanisms could be useful in overcoming challenges in future 5G networks. The 3rd Generation Partnership Project (3GPP) addressed some IoT-specific needs in Release 12 by introducing a category 0 UE (User Equipment) with a maximum data rate of 1 Mbps, although it still requires the full 20 MHz transmission bandwidth.

In Release 13, 3GPP introduced two more UE categories, Cat-M1 and Cat-NB1, commonly referred to as LTE-M and NB-IoT. Cat-M1 improves on category 0 by reducing the transmission bandwidth to 1.08 MHz (six PRBs), which makes the Cat-M1 radio chip much cheaper. Cat-M1 transmissions are defined within the LTE system band, while NB-IoT has three deployment options: in-band within the LTE system band, in an LTE guard band at either end of the LTE system band, or standalone outside the LTE system band.

For downlink (DL) transmission, LTE and 5G New Radio (5G-NR) both use an Orthogonal Frequency Division Multiple Access (OFDMA) scheme. The subcarrier signals in OFDM can overlap without causing interference at the receiver because they are orthogonal over one symbol period. This gives spectral efficiency, i.e. the ability to transmit more information within a frequency band, or more bits per second per hertz. Although no guard bands are needed between OFDM subcarriers, they are still necessary to separate the LTE system band from other LTE and non-LTE transmissions. For example, an eNB (evolved Node B) using the full LTE channel bandwidth of 20 MHz has a usable band of 18 MHz (100 PRBs) and a 1 MHz guard band at each end. An eNB can be configured to use one or both of these guard bands for NB-IoT.

The NB-IoT category focuses on simple, stationary IoT devices supporting delay-tolerant services with very low bandwidth needs. These devices will be idle most of the time and may trigger notifications and alarms. Examples are water sensors in a basement that detect flooding or manhole cover sensors in a city that detect when a cover is moved. In LTE, RAN DL resources are assigned on a time-frequency resource grid. The smallest LTE resource unit that the eNB can schedule is the Physical Resource Block (PRB), a contiguous set of 12 subcarriers with a bandwidth of 180 kHz over a 0.5 ms time slot containing seven OFDM symbols. For NB-IoT, the resources assignable to these ultra-low bandwidth UEs had to be shrunk further: an NB-IoT carrier is exactly one PRB wide (180 kHz). In the DL that PRB carries 12 subcarriers of 15 kHz; in the UL an NB-IoT UE can be scheduled on a single tone of 15 kHz (or 3.75 kHz), or on a few tones, so the device radio never has to handle more than 180 kHz. This accommodation has consequences. The eNB broadcasts system information and synchronization signals in several DL channels that UEs use to synchronize in time and frequency with the eNB and to exchange the few messages that pave the way for the UE to connect to the network.

The LTE DL synchronization signals and broadcast channel (PSS, SSS and PBCH) occupy the central 72 subcarriers (1.08 MHz) of the LTE carrier, which a 180 kHz NB-IoT receiver cannot capture, so NB-IoT UEs cannot acquire this system information from the standard LTE channels. Narrowband versions of these signals and channels (NPSS, NSSS and NPBCH) were therefore introduced to accommodate NB-IoT UEs. Confining NB-IoT transmissions to a 180 kHz carrier allows a very large number of such devices to coexist with smartphones and other high bandwidth UEs.
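As an added illustration (not part of the original article), the following Python checks the orthogonality claim numerically and works through the resource-grid arithmetic used above: the 20 MHz LTE carrier with its 18 MHz usable band, the 180 kHz PRB that is also the NB-IoT carrier, and how many such carriers fit in a guard band. It also generalizes the 15 kHz grid to the 5G NR numerologies (15 × 2^µ kHz) discussed later in the article. The bandwidth-to-PRB table is the standard LTE one; the sample count used for the correlation is an arbitrary choice.

```python
"""Added example, not from the original article: OFDM orthogonality and
LTE / NB-IoT resource-grid arithmetic in plain Python (no dependencies).
The bandwidth-to-PRB table is the standard LTE one; the sample count is an
arbitrary choice for the illustration."""
import cmath
import math

SCS_HZ = 15_000                       # LTE subcarrier spacing (NR numerology 0)
PRB_SUBCARRIERS = 12                  # subcarriers per Physical Resource Block
PRB_HZ = SCS_HZ * PRB_SUBCARRIERS     # 180 kHz: one PRB, also one NB-IoT carrier

# LTE channel bandwidth (MHz) -> number of PRBs in the usable band
LTE_N_RB = {1.4: 6, 3: 15, 5: 25, 10: 50, 15: 75, 20: 100}


def subcarrier_correlation(k, l, n_samples=1024):
    """|<s_k, s_l>| / N over one OFDM symbol for tones at k and l times the
    subcarrier spacing.  Integer-spaced tones give 0 (orthogonal); a tone
    parked between grid positions (e.g. l = k + 0.5) does not."""
    acc = 0j
    for n in range(n_samples):
        t = n / n_samples                      # fraction of the symbol period
        acc += cmath.exp(2j * math.pi * (k - l) * t)
    return abs(acc) / n_samples


def lte_grid(channel_mhz):
    """Usable bandwidth and per-side guard band of an LTE carrier."""
    n_rb = LTE_N_RB[channel_mhz]
    usable_hz = n_rb * PRB_HZ
    guard_hz = (channel_mhz * 1e6 - usable_hz) / 2
    return {"n_rb": n_rb,
            "subcarriers": n_rb * PRB_SUBCARRIERS,
            "usable_mhz": round(usable_hz / 1e6, 3),
            "guard_mhz_per_side": round(guard_hz / 1e6, 3)}


def nbiot_carriers_per_guard_band(channel_mhz):
    """Whole 180 kHz NB-IoT carriers that fit in one guard band.  This ignores
    the 100 kHz channel raster, which restricts the positions actually usable,
    so it is an upper bound (and 0 for the 1.4 and 3 MHz channels)."""
    guard_hz = (channel_mhz * 1e6 - LTE_N_RB[channel_mhz] * PRB_HZ) / 2
    return int(guard_hz // PRB_HZ)


def nr_numerology(mu):
    """5G NR numerology mu (0..4): subcarrier spacing 15 * 2^mu kHz, so a PRB
    gets wider and a slot (14 symbols) gets shorter by the same factor."""
    if mu not in range(5):
        raise ValueError("NR numerology is 0..4")
    scs_khz = 15 * 2 ** mu
    return {"scs_khz": scs_khz,
            "prb_khz": PRB_SUBCARRIERS * scs_khz,
            "slot_ms": 1 / 2 ** mu,
            "slots_per_subframe": 2 ** mu}


if __name__ == "__main__":
    print("orthogonal tones:", subcarrier_correlation(3, 4))
    print("half-tone offset:", subcarrier_correlation(3, 3.5))
    print("20 MHz LTE:", lte_grid(20), "NB-IoT carriers per guard band:",
          nbiot_carriers_per_guard_band(20))
    for mu in range(5):
        print("numerology", mu, nr_numerology(mu))
```

The correlation for integer-spaced tones comes out at floating-point noise, while a tone parked halfway between grid positions correlates at about 0.64, which is the interference an off-grid transmitter would inject; that is why an NB-IoT carrier in the guard band must still sit on the same 15 kHz grid as its LTE host.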

When a UE has not sent or received user or control data for some time, the eNB releases the connection, the UE enters RRC (Radio Resource Control) idle mode, and the radio resources dedicated to that UE are torn down. This saves substantial signaling load on the eNB and the UE for mobile UEs and frees precious air interface radio resources for active UEs. However, when the UE needs to send data to the network or vice versa, it must exchange control messages to rebuild the radio and related resources. For NB-IoT devices, which are stationary and dormant for the vast majority of the time, Release 13 introduced the RRC connection suspend/resume procedure (the User Plane CIoT EPS optimization) to reduce the control information exchange needed to reconnect. When configured for NB-IoT, the eNB can release an NB-IoT UE with a suspend indication instead of a plain release; both the UE and the eNB then keep the access stratum context, identified by a Resume ID, that is needed to rebuild the radio resources. When the UE wishes to reconnect it sends the eNB an RRC Connection Resume Request carrying that Resume ID. The eNB can restore the context and bring the UE to RRC connected state or, if it is busy, send an RRC Connection Reject carrying an extended wait time that tells the UE when to retry. This is one method of spreading out NB-IoT UEs attempting to connect to the network during a connection surge at the eNB.

Figure 1. Major Components of the LTE Network.

Over several releases, 3GPP has extended the access class barring (ACB) mechanism to address RAN congestion caused by a large number of UEs attempting to access the LTE network simultaneously; Release 11 added Extended Access Barring (EAB) specifically for delay-tolerant machine-type devices. Every SIM is assigned one of ten ordinary access classes (0 to 9) at random, and classes 11 to 15 are reserved for special users such as emergency services, public utilities and PLMN staff. Before a UE attempts to connect, it reads the barring information the eNB broadcasts in its system information. If the UE finds its access class barred, it does not transmit and keeps re-reading the broadcast until its class is no longer barred (ordinary ACB additionally applies a barring factor and a randomized barring time). Because the ordinary classes are spread evenly across devices, barring a subset of them throttles the access load by a predictable fraction, and leaving the special classes unbarred allows the eNB to give priority to first responders and other select personnel and devices during congestion of the RAN.
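The two surge-control mechanisms just described, the suspend/resume exchange with its reject-and-wait answer and the broadcast barring of access classes, are easiest to see working together. The following discrete-time simulation is an added example, not code from the article or from AT&T: it models one eNB whose suspended NB-IoT UEs all try to resume at once after power is restored. The per-step capacity, the wait-time range, the UE mix and the barring policy (allow roughly capacity/pending of the ten ordinary classes and rotate the allowed window each step) are assumed values for the illustration, not figures from any operator or from the 3GPP specifications.

```python
"""Added example, not from the original article: one eNB recovering from a
wide-area power outage, combining RRC suspend/resume (stored context, RESUME
or REJECT plus wait time) with access class barring broadcast in system
information.  Capacity, wait range, UE mix and barring policy are assumed."""
import random
from dataclasses import dataclass

CAPACITY_PER_STEP = 50     # resumes the eNB can complete per time step (assumed)
REJECT_WAIT = (2, 6)       # wait time sent with a REJECT, in steps (assumed)
ORDINARY_CLASSES = range(10)


@dataclass
class UE:
    ue_id: int
    access_class: int       # 0-9 ordinary (assigned per SIM), 11-15 special users
    resume_id: int          # identifies the context stored at both UE and eNB
    retry_at: int = 0       # earliest step at which the UE may try again
    connected: bool = False
    attempts: int = 0


class ENB:
    def __init__(self, capacity):
        self.capacity = capacity
        self.stored_contexts = {}      # resume_id -> ue_id while the UE is suspended
        self.barred_classes = set()    # what the system-information broadcast says

    def suspend(self, ue):
        """RRC connection release with suspend indication: keep the context."""
        self.stored_contexts[ue.resume_id] = ue.ue_id

    def broadcast_barring(self, pending_ordinary, step):
        """Assumed policy: allow about capacity/pending of the ten ordinary
        classes and rotate the allowed window, so arrivals stay near capacity
        and every class gets a turn.  Special classes are never barred."""
        if pending_ordinary <= self.capacity:
            self.barred_classes = set()
            return
        n_allowed = max(1, round(10 * self.capacity / pending_ordinary))
        start = (step * n_allowed) % 10
        allowed = {(start + i) % 10 for i in range(n_allowed)}
        self.barred_classes = set(ORDINARY_CLASSES) - allowed

    def handle_resume(self, resume_id, admitted_this_step, rng):
        """eNB side of an RRC connection resume request."""
        if resume_id not in self.stored_contexts:
            return "REJECT", 1        # unknown context; a real UE falls back to full setup
        if admitted_this_step < self.capacity:
            del self.stored_contexts[resume_id]   # context restored, UE now connected
            return "RESUME", 0
        return "REJECT", rng.randint(*REJECT_WAIT)


def simulate(n_ues=400, max_steps=60, seed=1):
    rng = random.Random(seed)
    enb = ENB(CAPACITY_PER_STEP)
    ues = []
    for i in range(n_ues):
        access_class = 12 if i % 20 == 0 else i % 10   # 5 % special-class devices
        ue = UE(i, access_class, resume_id=rng.getrandbits(40))
        enb.suspend(ue)                                # all dormant before the outage
        ues.append(ue)

    admitted_per_step, special_done_step = [], None
    for step in range(max_steps):
        pending = [u for u in ues if not u.connected]
        if not pending:
            break
        enb.broadcast_barring(sum(u.access_class < 10 for u in pending), step)
        admitted = 0
        for ue in pending:
            if step < ue.retry_at or ue.access_class in enb.barred_classes:
                continue                               # waiting, or barred by the broadcast
            ue.attempts += 1
            reply, wait = enb.handle_resume(ue.resume_id, admitted, rng)
            if reply == "RESUME":
                ue.connected = True
                admitted += 1
            else:
                ue.retry_at = step + wait
        admitted_per_step.append(admitted)
        if special_done_step is None and all(u.connected for u in ues if u.access_class >= 11):
            special_done_step = step
    return {"steps": len(admitted_per_step),
            "admitted_per_step": admitted_per_step,
            "all_connected": all(u.connected for u in ues),
            "max_admitted": max(admitted_per_step),
            "mean_attempts": sum(u.attempts for u in ues) / n_ues,
            "special_done_step": special_done_step}


if __name__ == "__main__":
    print(simulate())
```

Two things are worth checking in the output: the eNB never completes more than its capacity in a step (the barring keeps most of the surge silent, and the reject wait time spreads the rest), and the special-class devices are all back on the network in the first step because they are never barred.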

There are other optimizations for NB-IoT, such as extended discontinuous reception (eDRX) and Power Saving Mode (PSM), which let UEs in this category check for paging messages far less frequently than other UEs, or stop listening altogether for long stretches. This allows the NB-IoT UEs to save battery power.

Interim Non-Standalone 5G Network

3GPP defined several hybrid deployment options for the initial rollout of 5G networks. Figure 2 depicts option 3x, where the only new network element is the gNB, the 5G analog of the eNB. In this architecture, the 5G RAN on a gNB is coupled with existing LTE eNBs and the LTE core network (EPC). This gives users access to very high bandwidth applications via the gNB’s high-bandwidth air interface, while the LTE RAN and core handle the control plane functions. To take advantage of this, a UE must be capable of dual connectivity, i.e. simultaneous connections to an eNB and a gNB. It is likely that only high-end IoT devices would use this architecture for its bandwidth gains, because of the cost of the UE hardware that makes dual connectivity possible.

Figure 2. Option 3x Non-Standalone 5G Architecture: the UE can take advantage of the high bandwidth capability of the 5G New Radio (5G-NR), while using the LTE network for all control plane functions including authentication.

In LTE, the subcarrier spacing is fixed at 15 kHz and the maximum DL carrier bandwidth is fixed at 20 MHz. All LTE UEs except the Cat-M1 and NB-IoT UEs are capable of receiving 20 MHz signals in the various LTE radio bands, which lie within a 450 to 6000 MHz range.

In 5G-NR, two frequency ranges (FRs) are defined: FR1, covering all existing and new bands up to 6 GHz (later extended to 7.125 GHz), called the sub-6 range, and FR2, which includes new bands in the 24.25 to 52.6 GHz range, called the mmWave range. The DL modulation method remains OFDMA, but the subcarrier spacing can vary according to the formula 15 × 2^µ kHz, where µ, the numerology of the modulation scheme, can be 0, 1, 2, 3 or 4 (15, 30 and 60 kHz are used for data channels in FR1, 60 and 120 kHz in FR2, and 240 kHz only for synchronization signals in FR2). A 5G-NR carrier can be from 5 MHz up to 100 MHz wide in FR1 and from 50 MHz up to 400 MHz wide in FR2. Given such a wide range, not all UEs are expected to receive transmissions in all of these bandwidths and frequency bands. Thus, depending on the IoT device and service, only a few of these bands would be enabled for a 5G-capable IoT device.

IoT Botnets and 5G Network Slicing

More than a decade ago, it became apparent that there would be a multitude of electronic devices in the home that could potentially be exploited to create botnets (see [2] for an early lab experiment creating a “hybrid” botnet of varied devices). In the years since, we have seen many IoT botnets in the wild. As IoT deployments continue, standards, best practices, baselines for good design, and legislative proposals are focusing on the potential threat. Services such as autonomous vehicles and telemedicine to the home require both high security and high availability, which is driving security improvements, and there is growing attention from governments, industry, and academia to security as a core design principle for IoT services.

The future standalone 5G network is designed to support mIoT (massive IoT), in part through the use of cloud infrastructure, which can help with managing the anticipated massive growth of IoT devices. Also, 5G “network slicing” may be a valuable tool for logically segregating and managing different IoT classes within the cellular network (see [3] for a characterization of IoT devices that identifies slice types to match various IoT device types). 3GPP standards currently define four standardized Slice/Service Types (SST), for enhanced mobile broadband, ultra-reliable low-latency communications, massive IoT and V2X, which can be applied to IoT classes. In LTE, it is possible to logically separate services to some extent, for example using APNs (Access Point Names), where the MME resolves each APN’s fully qualified domain name through the operator’s internal DNS to find the gateway serving it. This did not gain extensive use, perhaps due to the burden of maintaining those internal cellular network DNS databases with Naming Authority Pointer (NAPTR) records pointing to the network gateways corresponding to APNs.

Figure 3. Major Network Functions of the 5G Core Showing Some Important Standard Interfaces.

The 5G next generation core (NGC) has a service-based architecture, i.e. network functions in the 5G core register their services with the Network Repository Function (NRF). When a network function needs the services of another network function, it queries the NRF and gets the information necessary to make API calls for those services. These calls travel over a shared service-based interface (SBI), implemented as RESTful APIs over HTTP/2 with JSON payloads. Because every core function is reachable this way, 3GPP TS 33.501 requires TLS on the SBI (unless the operator protects the transport by other means) and uses the NRF as an OAuth 2.0 authorization server, so a consumer network function must present an access token before a producer serves its request.

In the 5G NGC, network slicing support is built in. When a UE registers with the network it can list, in its Requested NSSAI (Network Slice Selection Assistance Information), the slices it wants to use, each identified by an S-NSSAI. Based on this information and other network information such as subscriber data, the gNB may select an appropriate AMF (Access and Mobility Management Function) for the UE. In some instances a default AMF is selected; the default AMF then consults the Network Slice Selection Function (NSSF), which determines the Allowed NSSAI (the requested slices the subscription actually covers) and, where necessary, a target AMF for those slices, after which the registration is rerouted. Once the allowed network slices and the AMF are chosen, the AMF selects a Session Management Function (SMF) that can handle the slice in question. When the UE needs to connect to some external network, it requests a PDU (Protocol Data Unit) session from the SMF, and the SMF selects a User Plane Function (UPF) for that PDU session. The UPF is the gateway to the external network the UE needs to reach. If the external network is an IP network, the SMF assigns the UE an address: an IPv4 address can be delivered during PDU session establishment or via a UE-initiated DHCPv4 request afterwards, while an IPv6 prefix is delivered by router advertisement. The UPF routes protocol data units to and from the external network. IPv4, IPv6, IPv4v6, Ethernet and Unstructured PDU session types are defined for the 5G network.

Slicing in the 5G standalone network may help prevent cellular IoT botnets from becoming a menace as the anticipated massive IoT growth arrives. By steering IoT categories to network gateways, i.e. UPFs, that have no open path to the Internet (only to the operator’s or the customer’s IoT platform), future 5G networks can remove the reachability a botnet needs to recruit devices and to reach its command-and-control servers. The isolation is only as good as the UPF’s N6-side routing and filtering, however, so those gateways deserve the same scrutiny as any other Internet edge.
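The registration and PDU session flow described above (Requested and Allowed NSSAI, SMF and UPF discovery through the NRF, address assignment from the selected UPF) and the botnet argument that follows from it are summarized in the Python model below. It is an added example, not code from the article, from AT&T or from any 5G core product: the SST values are the standardized 3GPP ones and the NF roles follow the text, while the NF instance names, DNNs, address pools and egress policies are made-up values, and the HTTP/2 transport and OAuth tokens of the real SBI are omitted. An IoT device whose only allowed slice is served by a UPF without a default route simply has no PDU session to the Internet to abuse.

```python
"""Added example, not from the original article: a compact model of 5G core
slice selection (Requested/Allowed NSSAI, NRF discovery of SMF and UPF) and
of a UPF whose egress decides whether an IoT device can reach the Internet.
SST values are the standardized ones; NF names, DNNs, pools and egress
policies are made-up values for the illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Standardized Slice/Service Types (3GPP TS 23.501)
SST_EMBB, SST_URLLC, SST_MIOT, SST_V2X = 1, 2, 3, 4


@dataclass(frozen=True)
class SNSSAI:
    """Single NSSAI: a 1-byte SST plus an optional 3-byte Slice Differentiator."""
    sst: int
    sd: Optional[int] = None

    def encode(self):
        sd = self.sd.to_bytes(3, "big") if self.sd is not None else b""
        return bytes([self.sst]) + sd


class NRF:
    """Network Repository Function: producers register a profile, consumers
    discover them by NF type and supported S-NSSAI (Nnrf_NFManagement and
    Nnrf_NFDiscovery, minus the HTTP/2 transport and OAuth 2.0 tokens)."""

    def __init__(self):
        self.profiles = {}

    def register(self, nf_instance_id, nf_type, snssais, **attrs):
        self.profiles[nf_instance_id] = {"nfType": nf_type, "sNssais": frozenset(snssais), **attrs}

    def discover(self, target_nf_type, snssai, dnn=None):
        return sorted(nf_id for nf_id, p in self.profiles.items()
                      if p["nfType"] == target_nf_type and snssai in p["sNssais"]
                      and (dnn is None or p.get("dnn") == dnn))


def build_core():
    """Assumed topology: one SMF/UPF pair per slice registered with the NRF."""
    miot = SNSSAI(SST_MIOT, 0x000001)
    embb = SNSSAI(SST_EMBB)
    nrf = NRF()
    nrf.register("smf-iot-1", "SMF", [miot])
    nrf.register("smf-mbb-1", "SMF", [embb])
    # IoT UPF: private pool, egress only to the operator's IoT platform network,
    # no default route, hence no path to the public Internet.
    nrf.register("upf-iot-1", "UPF", [miot], dnn="iot.platform",
                 pool=ip_network("10.64.0.0/16"), egress=[ip_network("10.0.0.0/8")])
    # Broadband UPF: full Internet egress.
    nrf.register("upf-mbb-1", "UPF", [embb], dnn="internet",
                 pool=ip_network("100.64.0.0/16"), egress=[ip_network("0.0.0.0/0")])
    return nrf, miot, embb


def register_ue(requested_nssai, subscribed_nssai):
    """NSSF-style check at registration: the Allowed NSSAI is the part of the
    Requested NSSAI the subscription covers; the rest is rejected."""
    requested, subscribed = frozenset(requested_nssai), frozenset(subscribed_nssai)
    return requested & subscribed, requested - subscribed


def establish_pdu_session(nrf, allowed_nssai, snssai, dnn, ue_index):
    """AMF -> NRF (an SMF for the slice), SMF -> NRF (a UPF for slice + DNN),
    then the UE gets an address from that UPF's pool."""
    if snssai not in allowed_nssai:
        raise PermissionError(f"S-NSSAI {snssai} is not in the Allowed NSSAI")
    smfs = nrf.discover("SMF", snssai)
    if not smfs:
        raise LookupError(f"no SMF serves {snssai}")
    upfs = nrf.discover("UPF", snssai, dnn=dnn)
    if not upfs:
        raise LookupError(f"no UPF serves {snssai} for DNN {dnn!r}")
    upf = nrf.profiles[upfs[0]]
    return {"smf": smfs[0], "upf": upfs[0], "ue_ip": str(upf["pool"][ue_index + 1])}


def upf_forwards(nrf, upf_id, dst):
    """Does this UPF have an N6 route towards the destination?"""
    return any(ip_address(dst) in net for net in nrf.profiles[upf_id]["egress"])


if __name__ == "__main__":
    nrf, miot, embb = build_core()
    allowed, rejected = register_ue({miot, embb}, {miot})   # sensor subscribed to MIoT only
    session = establish_pdu_session(nrf, allowed, miot, "iot.platform", 7)
    print(session, "reaches Internet:", upf_forwards(nrf, session["upf"], "203.0.113.5"))
```

Note the two distinct failure modes: a request for a slice outside the subscription is refused at registration (the NSSF step), and a request for an Internet DNN on the IoT slice fails because no UPF advertises that combination to the NRF, so the segregation holds even if the device firmware is compromised.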

One aspect of the 5G NGC that stands out is the flexibility it will ultimately have, with network slicing as a major enabler. Thus, we may see numerous customizations of the 5G cellular network that closely match the service and operational profiles of the UEs in the various network slices ([3]). Such customization may provide additional capabilities for solving some of the potential security issues of IoT devices.

Glossary of Acronyms

  • ACB: Access Class Barring
  • AMF: Access and Mobility Management Function
  • APN: Access Point Name
  • DHCP: Dynamic Host Configuration Protocol
  • DL: Downlink
  • DNS: Domain Name System
  • EAB: Extended Access Barring
  • eDRX: Extended Discontinuous Reception
  • eNB: Evolved Node B
  • EPC: Evolved Packet Core
  • FR: Frequency Range
  • gNB: Next Generation Node B
  • IoT: Internet of Things
  • LTE: Long Term Evolution
  • MME: Mobility Management Entity
  • NAPTR: Naming Authority Pointer
  • NB-IoT: Narrow Band IoT
  • NGC: Next Generation Core
  • NR: New Radio
  • NRF: Network Repository Function
  • NSSAI: Network Slice Selection Assistance Information
  • NSSF: Network Slice Selection Function
  • OFDMA: Orthogonal Frequency Division Multiple Access
  • PDU Session: Protocol Data Unit Session
  • PRB: Physical Resource Block
  • PSM: Power Saving Mode
  • RAN: Radio Access Network
  • RRC: Radio Resource Control
  • SBI: Service-Based Interface
  • SMF: Session Management Function
  • SST: Slice/Service Type
  • UE: User Equipment
  • UL: Uplink
  • UPF: User Plane Function


References

  • [1] ITU-R (Radiocommunication Sector of ITU), Recommendation ITU-R M.2083-0, “IMT Vision - Framework and overall objectives of the future development of IMT for 2020 and beyond”, September 2015
  • [2] Gang Xu, Jay Jayawardena, Cristina Serban, Gustavo de los Reyes, Gokul Singaraju, Krishna Sistla and Phi Nga Hoang, “MobileBot, GameBot, ?Bot: The Security Threats To and From the Intelligent Electronic Devices”, Annual Computer Security Applications Conference (ACSAC), June 2010
  • [3] ATIS IoT Characterization project