Abstract: A method and apparatus for a first IAB node for securely communicating with at least one second IAB node is provided. A secure connection with a node of a network is established. A message is received, from the node, indicating a secure messaging protocol to use to communicate with the at least one second IAB node, the message including one of at least one nonce or a key. A control message to be sent to the at least one second IAB node is transformed into a secure control message using the secure messaging protocol. The secure control message is transmitted to the at least one second IAB node.

Abstract: A method for improving data transmission security at a user equipment comprises receiving, from a source network node, a connection release message including instructions for computing a hash value for data to be included in a connection request message; computing the hash value based on the instructions included in the connection release message; calculating a token based on the hash value, and sending, to a target network node, the connection request message including the token. The method may further forward the data from the target network node directly to a gateway after the token has been verified. The method may reduce a signaling overhead by having a fixed-size hash value for data. Furthermore, the method may improve a transmission security by including the token in an RRC message, in which the token is calculated based on the hash value representing the data.

Abstract: A method and a User Equipment, UE (120) for detecting that the UE has received a fraudulent missed call, e.g. from a non-legitimate device (150). When receiving a missed call which is ended before a user of the UE has answered the incoming call, the UE determines the duration of the missed call, and indicates, e.g. to a user of the UE, the 5 duration of the missed call. The missed call may be determined as potentially fraudulent if the duration of the missed call is below or equal to a predetermined threshold.

Abstract: A method performed by a network node of a serving public land mobile network, PLMN, associated with a user equipment, UE, comprising: obtaining a secret identifier that uniquely identifies the UE, wherein the secret identifier is a secret that is shared between the UE and at least a home PLMN of the UE and that is shared by the home PLMN with the network node; and performing an operation related to the UE using the secret identifier. Other methods, computer programs, computer program products, network nodes and a serving PLMN are also disclosed.

Abstract: A method for re-establishing a Radio Resource Control (RRC) connection between a UE and a target eNB. The method is performed by the UE. The method includes the UE receiving an RRC Connection Reestablishment message from the target eNB, the RRC Connection Reestablishment message including a DL authentication token which has been generated by an MME and has had a Non Access Stratum integrity key as input. The method also includes the UE authenticating the received DL authentication token.

Abstract: A wireless device (14) receives, over an access stratum (18), a capability enquiry (24) that requests the wireless device (14) to transmit capability information (22) indicating one or more capabilities of the wireless device (14). After receiving the capability enquiry (24), the wireless device (14) generates a token (26) using one or more input parameters (28) and transmits the token (26). The one or more input parameters (28) include at least some part of the capability enquiry (24) and/or at least some of the capability information (22). In some embodiments, the token (26) is generated or transmitted based on a non-access stratum security context (30) at the wireless device (14). The wireless device (14) also transmits the capability information (22) over the access stratum (18).

Abstract: A network node (30A, 30B) is configured for use in a wireless communication network (10). The network node (30A, 30B) is configured to acquire radio access capability information (28) of a wireless device (14). The radio access capability information (28) of the wireless device (14) indicates radio access capabilities of the wireless device (14). The network node (30A, 30B) is configured to determine if the wireless communication network (10) received the radio access capability information (28) of the wireless device (14) before access stratum security (24) was activated for the wireless device (14).

Abstract: A method is provided to operate a CN node to determine UP security activation. A UP session establishment request is obtained for a wireless device. An indication is obtained that the UP session establishment request is associated with an emergency session and/or that null ciphering and/or null integrity protection are applied to a CP associated with a CP session for the wireless device. It is determined that a UP should be configured for the UP session without activating integrity and/or confidentiality protection for the UP based on the indication. A UP security policy is provided to a RAN node associated with the wireless device, wherein the UP security policy indicates to configure the UP for the UP session without activating integrity and/or confidentiality protection based on determining that a UP should be configured for the UP session without activating integrity and/or confidentiality protection.

Abstract: A method performed by a mobile terminal is provided for supporting positioning of the mobile terminal. The method includes receiving a defined filter pattern from a network node in a communications network or another node of the communications network, discovering identities of a plurality of reference devices based on signals received from the plurality of reference devices, filtering the identities of the plurality of reference devices to obtain a subset of identities of the plurality of reference devices that each satisfy the defined filter pattern, and reporting information on the subset of the identities of the plurality of reference devices to the network node.

Abstract: Procedures are provided for robust handling of NAS request messages that contain a spurious information element (IE). The spurious information element could comprise a NAS message container containing a NAS message with the wrong procedure type, i.e., a procedure type that does not match the type of the parent NAS message. The spurious information elements could also comprise redundant IEs that are not necessary for the emergency services fallback request.

Abstract: A method in a first node of a wireless communications network comprises: inspecting a data packet or message to determine a characteristic of the data packet or message; and selectively activating integrity protection for onward transmission of the data packet or message to a second node of the wireless communications network based on the determined characteristic.

Abstract: According to an aspect, there is provided a method performed by a first core network, CN, node in a telecommunication network. The telecommunication network comprises a first radio access network, RAN, node that operates according to a first radio access technology, RAT. An update to a first security configuration between a wireless device and the first RAN node is required. The method comprises, after receiving a request from the wireless device for an emergency session so that the wireless device can establish an emergency call, initiating (901) an Emergency Service Fallback procedure to a second RAT.

Abstract: Network equipment (12) comprising a processing circuitry (81) and a memory (83), where the memory contains instructions executable by the processing circuitry whereby the network equipment is configured to: identify a set of measurements to be used for false base station detection in an area (22); configure different sets (18-1, 18-2, 18-N) of one or more wireless devices (14) to report different respective measurements in the set by transmitting measurement reporting configurations (20-1, 20-2, 20-N) to the wireless devices (14); receive measurement reports from the different sets (18-1, 18-2, 18-N) of one or more wireless devices (14) as configured; and perform false base station detection for the area (22) using the received measurement reports. Methods, a wireless device (14), and communication systems are also disclosed.

Abstract: A method performed by a resolver in a core network of a wireless communication system, where the method comprise: receiving, from a requester in the core network, a request to resolve a provided identifier that is one of a subscription identifier and a pseudonym identifier serving in the core network as a pseudonym for the subscription identifier; and transmitting, to the requester as a response to the request, a resolved identifier that is the other of the subscription identifier and the pseudonym identifier.

Abstract: Systems and methods of the present disclosure are directed to a method performed by a Wireless Communication Device (WCD) for securing wireless communication. The method includes obtaining a configuration descriptive of network entity(s) comprising (a) Legitimate Network Entity (LNE(s)); (b) or Illegitimate Network Entity (INE(s)); or (c) both LNE(s) and INE(s). The method includes determining that a trigger condition for applying the configuration has occurred. The method includes, responsive to making the determination, applying the configuration to the WCD such that connection related procedure(s) of the WCD related to connection between the WCD and the network entity(s) are adjusted in such a manner that the WCD is permitted to connect to only the LNE(s), not permitted to connect to the INE(s), both permitted to connect to only the LNE(s) and not permitted to connect to the INE(s), or not permitted to connect to any network entity.

Abstract: A network node (30A, 30B) is configured for use in a wireless communication network (10). The network node (30A, 30B) is configured to acquire radio access capability information (28) of a wireless device (14). The radio access capability information (28) of the wireless device (14) indicates radio access capabilities of the wireless device (14). The network node (30A, 30B) is configured to determine if the wireless communication network (10) received the radio access capability information (28) of the wireless device (14) before access stratum security (24) was activated for the wireless device (14).

Abstract: A network function performs a method to identify an invalid subscription concealed identifier, SUCI. When the network function receives a message containing a SUCI, it determines a size of the SUCI contained in the received message, and also determines an expected size of the SUCI in the received message. The network function then determines whether the size of the SUCI contained in the received message satisfies a criterion associated with the expected size. If the size of the SUCI contained in the received message does not satisfy the criterion associated with the expected size, the network function determines that the SUCI in the received message is invalid, and it rejects the SUCI in the received message if it is determined to be invalid.

Abstract: A method for improving data transmission security at a user equipment comprises receiving, from a source network node, a connection release message including instructions for computing a hash value for data to be included in a connection request message; computing the hash value based on the instructions included in the connection release message; calculating a token based on the hash value, and sending, to a target network node, the connection request message including the token. The method may further forward the data from the target network node directly to a gateway after the token has been verified. The method may reduce a signaling overhead by having a fixed-size hash value for data. Furthermore, the method may improve a transmission security by including the token in an RRC message, in which the token is calculated based on the hash value representing the data.

Abstract: A method (200) for operating a User Equipment (UE) is disclosed, the UE configured to connect to a communication network. The method comprises: indicating to the communication network an Integrity Protection for User Plane (IPUP) mode supported by the UE when requesting registration with the communication network (202). The IPUP mode comprises one of: use of Integrity Protection for User Plane data exchanged with the UE (202a), non-use of Integrity Protection for User Plane data exchanged with the UE (202b), or use of Integrity Protection for User Plane data, and non-use of Confidentiality Protection for User Plane data (202c). Also disclosed are an apparatus for operating a UE, methods and apparatus for operating a radio access node and a core node of a communication network, and a computer program operable to carry out methods for operating a UE, a radio access node and/or a core node of a communication network.

Abstract: There is provided mechanisms for configuring use of keys for security protecting packets communicated between a wireless device and a network node. A method is performed by the wireless device. The method comprises exchanging key use information with the network node in conjunction with performing a key change procedure with the network node during which a first key is replaced with a second key. The key use information indicates which of the packets are security protected using which of the first key and the second key.