AT&T Announces End of 2G

AT&T just filed a 10-Q with the SEC and publicaly confirmed what the company has been warning in private for the past two years:

Also as part of our ongoing efforts to improve our network performance and help address the need for additional spectrum capacity, we intend to redeploy spectrum currently used for basic 2G services to support more advanced mobile Internet services on our 3G and 4G networks.

[…]

We expect to fully discontinue service on our 2G networks by approximately January 1, 2017.

[…]

As of June 30, 2012, approximately 12 percent of our postpaid customers were using 2G handsets.

A 5 year sunset plan seems like a long time for those of us who would argue 2G should be described as a terribly weak and dated protocol.

Any further delay is especially bad news for Apple customers who are unable to choose 3G-only (i.e. iPhone and iPad). (Another reason I recommend the Nokia N9 is the option to disable 2G communication).

2G, or 2nd Generation, was launched in Finland in 1991. How many electronic devices are you using today that are 22 years old? More to the point, 2G is older than the web and pre-dates the “data” revolution in communication. It also used a security-through-obscurity method, which became untenable by the mid 1990s. Although 2G had some functionality limitations fixed through extensions (2.5G) it never really fixed the security problems. Instead a 3G network was started in 1992 and by 2001 was launched in Japan. The path to far better performance and security should be crystal clear.

Yet AT&T doesn’t mention security in their filing as one of the reasons for ending their old network. Perhaps they don’t want to draw attention to the fact that it is trivial to impersonate a GSM base transceiver station (BTS). Or maybe they don’t want to mention that the fixed network is unprotected, encryption is weak (COMP128 implementation of the A3 and A8 algorithms can be broken in less than a minute), encryption is often disabled and/or completely useless (keys sent in the clear), there is no integrity or network identity…and so forth.

The AT&T filing says they have just over 100 million customers. So the end of service for 2G, which they say is 12%, must be around 12 million customers. That sounds like a lot of vulnerable end-users until you take a closer look at usage profiles. It is tempting to think of the numbers in terms of consumer handhelds. In fact this announcement has more relevance to appliance-like devices such as ATMs, Point-of-Sale and security alarms.

So the problem of 2G is not really about people who refuse to buy a new phone. There might be a few of those but most humans tend to frequently update their phones for a number of simple functionality reasons from dead batteries to better signal while moving around. Users also tend to absorb some of the replacement procedure costs.

The embedded device market however has a harder time discontinuing deployed assets and dealing with the cost of re-provisioning. Embedded devices tend to have a if-it-ain’t-broke-don’t-fix-it mentality for upgrades. Embedded devices also may drop down to 2G to provide service continuity. A message getting through often gets higher priority than a message being kept a secret; instead of demanding better service/coverage from AT&T, 2G may be given as an availability option. Unfortunately, embedded devices tend to be used for applications that are security-related and need confidentiality to be a priority.

In other words, AT&T could probably greatly accelerate the adoption of 3G and newer networks for millions of remaining devices if they admitted or otherwise raised awareness of serious security issues in 2G. In the meantime I suspect some may continue selling 2G as deceptively “inexpensive” and “reliable” option right up to the end of service in 2017.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.