Mobile Phone Security. Hoang Vo Billy Ngo

Transcription

1 Mobile Phone Security Hoang Vo Billy Ngo

2 Table of Content 1. Introduction Page Analog Network Page Digital Network Page 2 2. Security Protocols Page Analog Page Digital Page 5 3. Vulnerability and Attack Page Analog Page Cellular Phone Cloning Page Eavesdropping Page Cellular Phone Tracking Page Digital Page 8 4. Countermeasures Page Conclusion Page 12 Bibliography Page 13

3 1. Introduction Mobile Phone usage has been increasing over the last few years. Today, many people are oriented toward the usage of wireless equipments. Cellular phones, personal pagers, personal digital assistants (PDAs) can be used to receive , weather updates, stock updates, and other wireless services. Since communication uses air as the transmitted medium, there is a potential that transmitted data can be intercept by other the adversaries. This raises some security issues on the integrity of the transmitted data, the authentication of the source. For communication using mobile phone, there is a potential that some one is eavesdropping, and impersonating. Hence, how reliable is communication on mobile phone. The security of mobile phone communication is relying on the implementation of the system, the protocols which the system is using. In order to understand about security of mobile phone communication, the basic knowledge of mobile phone systems is required. There are two types of network, analog and digital, which conduct wireless communication. 1.1 Analog network The Advance Mobile Service (AMPS) was developed in the Bell Laboratories in the mid 70 s. In the 1983, AT & T deployed a wireless system, which called the Advance Mobile Phone Service (AMPS). The AMPS operates in the 800 MHz frequency band using 30 khz wide channels. The AMPS used the cellular concept with hexagonal cells to divide the coverage area of the system. The AMPS uses a network of cell-sites and switch offices to interface with the landline network of the existing telephone system. The total number of cells covering the area is divided into cluster where each cell within the cluster will assign a distinct frequency and not interfere with the frequencies of the adjacent cells. In 1985, The Total Access Communication System (TACS) was also used in United Kingdom widely. The TACS was also similar to The AMPS network. Both of these network was consider the first generation of mobile phone network. 1.2 Digital Network During the early 1980, analog cellular telephone systems rapidly grow in Europe. Each country developed its own system, which was incompatible with other in equipment and operation. As the result a study group called Groupe Special Mobile (GSM) was

4 formed to study and develop a public mobile system. Hence, GSM was developed using TDMA technology, which operates at 900 MHz and 1800 MHz, to divide up the bandwidth among as many users as possible. The method chosen by GSM is a combination of Time and Frequency-Division Multiple Access (TDMA/FDMA). The GSM network divided into three broad sections: Mobile Station, Base Station Subsystem, and Network Subsystem. The mobile station consists of the mobile equipment and a smart card called the Subscriber Identity Module (SIM). The SIM card contains the International Mobile Subscriber Identity (IMSI) used to identify the subscriber to the system, a secret key for authentication, and other information. The Base Station Subsystem controls the radio link with Mobile Station. The Network Subsystem performs the switching of calls between the mobile and other fixed or mobile network users, as well as updating the locations, handover and authenticates the call. 2. Security Protocol The Security of the network is depends on the authentication process and the encryption algorithm the networks use. Analog and Digital Mobile systems use different security algorithms to authenticate the user of the network, and to encrypted the transmission. Some authentication processes and encryption algorithms are discussed below. 2.1 Analog The Security scheme of the analog system is quite simple. It uses the MIN/ESN scheme. phone. MIN: Mobile Identify Number. This is a 10-digit telephone number of the mobile ESN: Electronic Serial Number. This is a 32-bit binary stored in ROM at the time of manufacture. 32-bit = 8-bit manufacturer code + 6-bit reserved (unused) + 18-bit manufacturer assigned serial number.

5 When the mobile phone is requesting for an outgoing call, it sends a pair of unique number MIN/ESN to the base station unencrypted. Upon receiving the MIN/ESN pair, the base station matches its database for the identity of the mobile. In case of roaming, the base station will go against the bad MIN/ESN list; if the MIN/ESN is no in the bad list, the base station will authenticate the MIN/ESN with the mobile home station. All communication is send in clear. 2.3 Digital The Security protocol of digital system is not as simple as the Analog system. When the mobile phone is requesting for an out going call, it sends the IMSI in clear to the Visited Location Register (VLR), which in turn sends the request to the corresponding Home Location Register (HRL). The HRL then get an array of 3- component tuple, (RAND, SRES, Kc)s, from the Authentication Center (Auc) and send back to the VLR, where RAND is a random number, SRES is the output of A3 algorithm using input of RAND and Ki, Kc is the output of A8 algorithm using RAND and Ki as input. To verify the mobile, The VLR sends RAND to challenge the mobile. Upon receiving the correct SRES pack from the mobile, The VLR sends a temporary identity (TSMI) encrypted with Kc using A5 to the mobile. After received the TSMI, the mobile and the VLR communicate to make sure that both parties have the same Kc. For subsequent call, the subscriber use TSMI for requesting out going call, and to obtain new TSMI. All communication is encrypted using A5 algorithm (figure 1 and 2)[7]. figure 1. Authenticate using IMSI

6 figure 2. Authenticate using TMSI In the last few years, GSM took a lot of flak for their approach to crypto algorithm design, which relied on keeping the algorithms secret. 3GPP has chosen a superior approach to their crypto requirements. They are making open to the public all of their drafts, standards and recommendations, and rely on their algorithms withstanding the scrutiny of any interested researchers [2] The principles for 3GPP security is build on the GSM scheme. The Principles for 3GPP adopted the security features from GSM that have proved to be needed and robust. Also, 3GPP tries to ensure compatibility with GSM in order to ease inter-working and handover. 3GPP remains compatible with the GSM network architecture. It has user authentication and radio interface encryption. 3GPP uses SIM as a security module. This results in removable hardware, terminal independence, and management of all customer parameters. 3GPP operates without user assistance, and requires minimal trust in serving networks [2] Within the security architecture of the 3GPP system there are two standardized algorithms: A confidentiality algorithm f8, and an integrity algorithm f9. These algorithms are fully specified here. Each of these algorithms is based on the KASUMI algorithm that is specified. KASUMI is a block cipher that produces a 64-bit output from a 64-bit input under the control of a 128-bit key [1]. The confidentiality algorithm f8 is a stream cipher that is used to encrypt/decrypt blocks of data under a confidentiality key CK. The block of data may be between 1 and 5114 bits long. The algorithm uses KASUMI in a form of output-feedback mode as a key-stream generator [1].

7 The integrity algorithm f9 computes a 32-bit MAC (Message Authentication Code) of a given input message using an integrity key IK. The approach adopted uses KASUMI in a form of CBC-MAC mode [1]. 3. Vulnerabilities and Attack With the design and implementation of security protocols of both Analog and Digital System, There are some know vulnerabilities that has been found. 3.1 Analog Since Analog system is send data over the air medium unencrypted, it is prone to eavesdropping, and cloning Cellular Phone Cloning The cloning of a cellular telephone occurs when the account number of a victim telephone user is stolen and reprogrammed into another cellular telephone. Each cellular phone has a unique pair of identifying numbers: the electronic serial number ( ESN ) and the mobile identification number ( MIN ). The ESN/MIN pair can be cloned in a number of ways without the knowledge of the carrier or subscriber through the use of electronic scanning devices. After the ESN/MIN pair is captured, the cloner reprograms or alters the microchip of any wireless phone to create a clone of the wireless phone from which the ESN/MIN pair was stolen. The entire programming process takes ten-15 minutes per phone. After this process is completed, both phones (the legitimate and the clone) are billed to the original, legitimate account [9]. As recall early, when the mobile authenticates with the base station. It sends the unencrypted MIN/ESN pair over the communication channel. The MIN/ESN pair can be easy capture with the right equipments. Base on the captured MIN/ESN, the adversary can program his/her phone with the same MIN/ESN. Hence the phone is clone Eavesdropping Eavesdropping means to overhear, record, amplify or transmit any part of the private discourse of others without the permission of all persons engaged in the discourse.

8 Use of cellular phone ESN readers or police scanners can be used for eavesdropping on cell phone conversations [9] Cellular Phone Tracking Every cellular telephone is a physical locating device! This is generally true even when the user is not in a call. The phone need merely be switched on. Location tracking is inherent in the way cellular telephones work. The network needs to know (approximately) where you are in order to do its job. There is no known way to avoid revealing your location when you use a cell phone [4]. 3.2 Digital Digital communication is a little more secure than Analog. Since all the transmission is encrypted using the A5 algorithm, the security of the communication channel depend upon the security of A5 algorithm. A5 is vulnerable to brute-force attack, the divide and conquer attack, the biased birthday attach and the random subgraph attack. These attacks are non real-time attack. Brute-force attack has a time complexity of 2^64, there for it is not feasible to be eavesdropping on GSM calls in real time. The Divide and Conquer attack reduces the complexity from 2^54 to 2^45. The Divide and Conquer attack is based on a known plain text attack, where the attacker tries to determine the initial states of the LSFSs from a known keystream sequence [5, 8] The GSM security has a number of problems. The problems with GSM security stem by and large from design limitations on what is protected rather than on defects in the security mechanisms themselves. First, GSM only provides access security. This means communications and signaling in the fixed network portion aren t protected. Second, GSM does not address active attacks, whereby network elements may be impersonated. Next, GSM is designed to be only as secure as the fixed networks to which they connect. Then, lawful interception only considered as an after thought [3] There are a number of problems and limitations in terms of the GSM security. GSM fails to acknowledge limitations. For example, GSM needs encryption to guard against radio channel hijack. Also, the terminal is an unsecured environment, therefore

9 trust in the terminal identity is misplaced. Then, GSM has inadequate flexibility to upgrade and improve security functions over time. Next, GSM has a lack of visibility that the security is being applied. For example, there is no indication to the user that encryption is on. Also, there is no explicit confirmation to the home network that authentication is properly used when customers roam [3] Then, there is a lack of confidence in cryptographic algorithms. For example, A5/1 algorithm lacks the openness in design and publication. Also, there is misplaced belief by regulators in the effectiveness of controls on the export or (in some counties) the use of cryptography. Another example is that the key length is too short, but some implementation faults make increase of encryption key length difficult. Then, GSM needs to replace A5/1, but poor design of support for simultaneous use of more than one encryption algorithm, is making replacement difficult. Also, the use of COMP 128 is ill advised [3]. There are even more specific problems with GSM security. First, the encryption for GSM is terminated too soon. Therefore, user traffic and signaling is in the clear on microwave links. Second, there are clear transmission of cipher keys and authentication values within and between networks. This means that signaling systems are vulnerable to interception and impersonation. Third, the use of false base stations makes GSM security very vulnerable to cloning [3] The purpose of this clause is to list possible security threats to the 3G system, detailing what the threats achieve, how they are carried out and where in the system they could occur. It is possible to classify security threats in many different ways. In this clause threats in the following categories have been considered [2]. Unauthorized access to sensitive data (violation of confidentiality) - Eavesdropping: An intruder intercepts messages without detection. - Masquerading: An intruder hoaxes an authorised user into believing that they are the legitimate system to obtain confidential information from the user; or an intruder hoaxes a legitimate system into believing that they are an authorised user to obtain system service or confidential information.

10 - Traffic analysis: An intruder observes the time, rate, length, source, and destination of messages to determine a user s location or to learn whether an important business transaction is taking place. - Browsing: An intruder searches data storage for sensitive information. - Leakage: An intruder obtains sensitive information by exploiting processes with legitimate access to the data. - Inference: An intruder observes a reaction from a system by sending a query or signal to the system. For example, an intruder may actively initiate communications sessions and then obtain access to information through observation of the time, rate, length, sources or destinations of associated messages on the radio interface. Unauthorized manipulation of sensitive data (Violation of integrity) - Manipulation of messages: Messages may be deliberately modified, inserted, replayed, or deleted by an intruder Disturbing or misusing network services (leading to denial of service or reduced availability) - Intervention: An intruder may prevent an authorised user from using a service by jamming the user s traffic, signalling, or control data. - Resource exhaustion: An intruder may prevent an authorised user from using a service by overloading the service. - Misuse of privileges: A user or a serving network may exploit their privileges to obtain unauthorised services or information. - Abuse of services: An intruder may abuse some special service or facility to gain an advantage or to cause disruption to the network. Repudiation: A user or a network denies actions that have taken place. Unauthorized access to services - Intruders can access services by masquerading as users or network entities.

11 - Users or network entities can get unauthorised access to services by misusing their access rights A number of security threats in these categories are subsequently treated in the remainder of this clause according to the following points of attack: - Radio interface; - Other part of the system; - Terminals and UICC/USIM. 4. Countermeasure As cloning became a major problem for analog mobile phone, several countermeasures were implement and successfully prevent cloning. Here are various methods to detect cloned phones on the network. Duplicate detection. Duplicated detection occurred when same phone number communicate at the same time at different places. When the network detects duplicate number on the network, it will drop all of the calls conducted by that number [9]. Velocity trap. The network uses the time and places of the phone to detect cloning. For example, if the different between the time of the first call and the second calls is small, but the geographic distance is impossible for a person to move from one place to another place; the cloned number is detected [9]. Radio Frequency fingerprinting. The network keeps track of the fingerprint all the mobile phone in its database. Then the network will compare the fingerprint of a mobile phone when the mobile request a call. If invalid fingerprint was detected, cloned number is also detected [9]. Usage profiling. The mobile phone usages are kept and when discrepancies are noticed, the customer is contacted. For example, if a customer normally makes only local calls but is suddenly placing calls to foreign countries for long hours, there is a possible clone detects [9].

12 5. Conclusion This paper provides the basic understanding of analog and Digital network, and their security level. It shows that analog network does not provide any defends against attack such as eavesdropping and cloning. Even thought Digital network does provide some security features, it still vulnerable to some attacks. For example, A5 algorithm is proven to be crack able. In addition, the encrypted communication is only between the base stations to the mobile. Therefore, It might be unsecured when the communication is transmitted between the bases. Digital security is depends on the algorithm the network implemented. The obstacle this research faced is the lack of published technical details. There are quite a lot of advertising on the mobile communication but limited on the technical details.

13 Bibliography [1] Gina Ebenezersson, F8 and F9 Algorithm Specifications, [referred ] < [2] Janos A. Csirik, A guide to 3GPP security documents, [referred ] < [3] Michael Walker, On the Security of 3GPP Networks, [referred ] < [4] Phil Karn, Cell Phone Tracking, [referred ] < [5] David Wagner, GSM Cloning, [referred ] < [6] Lauri Tarkkala, Attacks against A5, [referred ] < [7] Hung-Yu Lin, Lein Harn, Vijay Kumar, Authentication Protocols in Wireless Communications, University of Missouri, Kansas City. [8] Lauri Pesonen, GSM Interception, [referred ] < w/corso-9900/a5/netsec/netsec.html> [9] Jukka Hynninen, Experiences in Mobile Phone fraud, [referred ] <

14