Letter 4 of 9, 16770 chars:

From pro-snapp!pro-sol!pnet01!mtbill Fri Jul 10 00:49:45 1987
Date: Thu, 9 Jul 87 18:49:13 PDT
Ppath: essug!chuck
From: mtbill@pnet01.CTS.COM (Mountain Bill)
To: pro-sol!pro-snapp!essug!chuck
Subject: Cellular Telephone Security

The following is fwd'd for addition to your data library. Isn't it
wonderful that Rusty is paying the transmission costs for all these hogger
messages/files? :-)

--------Forwarded Message--------
From crash!hplabs.HP.COM!hp-sdd!seismo!F4.CSL.SRI.COM!GEOFF Wed Jun 17 11:36:09 1987
Received: by crash.CTS.COM (5.54/UUCP-Project/rel-1.0/09-14-86)
id AA15019; Wed, 17 Jun 87 11:28:37 PDT
Reply-To: crash!hplabs.HP.COM!hp-sdd!seismo!F4.CSL.SRI.COM!GEOFF
Received: from hplabs.HP.COM (hplabs) by hp-sdd.HP.COM; Wed, 17 Jun 87 11:27:22 PDT
Return-Path: <hp-sdd!seismo!F4.CSL.SRI.COM!GEOFF@hplabs.HP.COM>
Received: by hplabs.HP.COM ; Wed, 17 Jun 87 11:17:01 pdt
Received: from [192.12.33.99] by seismo.CSS.GOV (5.54/1.14)
id AA17626; Wed, 17 Jun 87 00:11:57 EDT
Date: 16 Jun 1987 16:40-PDT
Sender: crash!hplabs.HP.COM!hp-sdd!seismo!F4.CSL.SRI.COM!GEOFF
Subject: Re: Cellular Telephone Security
From: the tty of Geoffrey S. Goodfellow <crash!hplabs.HP.COM!hp-sdd!seismo!csl.sri.com!Geoff>
Ppath: pnet01!mtbill
To: pnet01!mtbill@hplabs.HP.COM
Message-Id: <[F4.CSL.SRI.COM]16-Jun-87 16:40:13.GEOFF>
In-Reply-To: <8706160157.AA19395@crash.CTS.COM>


--------------------------------------------------------------------------
The following is reprinted from the November 1985 issue of Personal
Communications Technology magazine by permission of the authors and
the publisher, FutureComm Publications Inc., 4005 Williamsburg Ct.,
Fairfax, VA 22032, 703/352-1200.

Copyright 1985 by FutureComm Publications Inc. All rights reserved.
--------------------------------------------------------------------------


THE ELECTRONIC SERIAL NUMBER: A CELLULAR 'SIEVE'?
'SPOOFERS' CAN DEFRAUD USERS AND CARRIERS

by Geoffrey S. Goodfellow, Robert N. Jesse, and Andrew H. Lamothe, Jr.

What's the greatest security problem with cellular phones? Is it privacy of
communications? No.

Although privacy is a concern, it will pale beside an even greater problem:
spoofing.

'Spoofing' is the process through which an agent (the 'spoofer') pretends to
be somebody he isn't by proffering false identification, usually with intent
to defraud. This deception, which cannot be protected against using the
current U.S. cellular standards, has the potential to create a serious
problem--unless the industry takes steps to correct some loopholes in the
present cellular standards.

Compared to spoofing, the common security concern of privacy is not so severe.
Most cellular subscribers would, at worst, be irked by having their
conversational privacy violated. A smaller number of users might actually
suffer business or personal harm if their confidential exchanges were
compromised. For them, voice encryption equipment is becoming increasingly
available if they are willing to pay the price for it.

Thus, even though technology is available now to prevent an interloper from
overhearing sensitive conversations, cellular systems cannot--at any
cost--prevent pirates from charging calls to any account. This predicament is
not new to the industry. Even though cellular provides a modern,
sophisticated quality mobile communications service, it is not fundamentally
much safer than older forms of mobile telephony.

History of Spoofing Vulnerability

The earliest form of mobile telephony, unsquelched manual Mobile Telephone
Service (MTS), was vulnerable to interception and eavesdropping. To place a
call, the user listened for a free channel. When he found one, he would key
his microphone to ask for service: 'Operator, this is Mobile 1234; may I please
have 555-7890.' The operator knew to submit a billing ticket for account
number 1234 to pay for the call. So did anybody else listening to the
channel--hence the potential for spoofing and fraud.

Squelched channel MTS hid the problem only slightly because users ordinarily
didn't overhear channels being used by other parties. Fraud was still easy
for those who turned off the squelch long enough to overhear account numbers.

Direct-dial mobile telephone services such as Improved Mobile Telephone
Service (IMTS) obscured the problem a bit more because subscriber
identification was made automatically rather than by spoken exchange between
caller and operator. Each time a user originated a call, the mobile telephone
transmitted its identification number to the serving base station using some
form of Audio Frequency Shift Keying (AFSK), which was not so easy for
eavesdroppers to understand.

Committing fraud under IMTS required modification of the mobile--restrapping
of jumpers in the radio unit, or operating magic keyboard combinations in
later units--to reprogram the unit to transmit an unauthorized identification
number. Some mobile control heads even had convenient thumb wheel switches
installed on them to facilitate easy and frequent ANI (Automatic Number
Identification) changes.

Cellular Evolution

Cellular has evolved considerably from these previous systems. Signaling
between mobile and base stations uses high-speed digital techniques and
involves many different types of digital messages. As before, the cellular
phone contains its own Mobile Identification Number (MIN), which is programmed
by the seller or service shop and can be changed when, for example, the phone
is sold to a new user. In addition, the U.S. cellular standard incorporates a
second number, the 'Electronic Serial Number' (ESN), which is intended to
uniquely and permanently identify the mobile unit.

According to the Electronic Industries Association (EIA) Interim Standard
IS-3-B, Cellular System Mobile Station--Land Station Compatibility
Specification (July 1984), 'The serial number is a 32-bit binary number that
uniquely identifies a mobile station to any cellular system. It must be
factory-set and not readily alterable in the field. The circuitry that
provides the serial number must be isolated from fraudulent contact and
tampering. Attempts to change the serial number circuitry should render the
mobile station inoperative.'

The ESN was intended to solve two problems the industry observed with its
older systems.

First, the number of subscribers that older systems could support fell far
short of the demand in some areas, leading groups of users to share a single
mobile number (fraudulently) by setting several phones to send the same
identification. Carriers lost individual user accountability and their means
of predicting and controlling traffic on their systems.

Second, systems had no way of automatically detecting use of stolen equipment
because thieves could easily change the transmitted identification.

In theory, the required properties of the ESN allow cellular systems to check
to ensure that only the correctly registered unit uses a particular MIN, and
the ESNs of stolen units can be permanently denied service ('hot-listed').
This measure is an improvement over the older systems, but vulnerabilities
remain.

Ease of ESN Tampering

Although the concept of the unalterable ESN is laudable in theory, weaknesses
are apparent in practice. Many cellular phones are not constructed so that
'attempts to change the serial number circuitry renders the mobile station
inoperative.' We have personally witnessed the trivial swapping of one ESN
chip for another in a unit that functioned flawlessly after the switch was
made.

Where can ESN chips be obtained to perform such a swap? We know of one recent
case in the Washington, D.C. area in which an ESN was 'bought' from a local
service shop employee in exchange for one-half gram of cocaine. Making the
matter simpler, most manufacturers are using industry standard Read-Only
Memory (ROM) chips for their ESNs, which are easily bought and programmed or
copied.

Similarly, in the spirit of research, a west coast cellular carrier copied the
ESN from one manufacturer's unit to another one of the same type and
model--thus creating two units with the exact same identity.

The ESN Bulletin Board

For many phones, ESN chips are easy to obtain, program, and install. How does
a potential bootlegger know which numbers to use? Remember that to obtain
service from a system, a cellular unit must transmit a valid MIN (telephone
number) and (usually) the corresponding serial number stored in the cellular
switch's database.

With the right equipment, the ESN/MIN pair can be read right off the air
because the mobile transmits it each time it originates a call. Service shops
can capture this information using test gear that automatically receives and
decodes the reverse, or mobile-to-base, channels.

Service shops keep ESN/MIN records on file for units they have sold or
serviced, and the carriers also have these data on all of their subscribers.
Unscrupulous employees could compromise the security of their customers'
telephones.

In many ways, we predict that 'trade' in compromised ESN/MIN pairs will
resemble what currently transpires in the long distance telephone business
with AT&T credit card numbers and alternate long-distance carrier (such as
MCI, Sprint and Alltel) account codes. Code numbers are swapped among
friends, published on computer 'bulletin boards' and trafficked by career
criminal enterprises.

Users whose accounts are being defrauded might--or might not--eventually
notice higher-than-expected bills and be reassigned new numbers when they
complain to the carrier. Just as in the long distance business, however, this
number 'turnover' (deactivation) won't happen quickly enough to make abuse
unprofitable. Catching pirates in the act will be even tougher than it is in
the wireline telephone industry because of the inherent mobility of mobile
radio.

Automating Fraud

Computer hobbyists and electronics enthusiasts are clever people. Why should
a cellular service thief 'burn ROMs' and muck with hardware just to install
new IDs in his radio? No Herculean technology is required to 'hack' a phone
to allow ESN/MIN programming from a keyboard, much like the IMTS phone thumb
wheel switches described above.

Those not so technically inclined may be able to turn to mail-order
entrepreneurs who will offer modification kits for cellular fraud, much as
some now sell telephone toll fraud equipment and pay-TV decoders.

At least one manufacturer is already offering units with keyboard-programmable
MINs. While intended only for the convenience of dealers and service shops,
and thus not described in customer documentation, knowledgeable and/or
determined end users will likely learn the incantations required to operate
the feature. Of course this does not permit ESN modification, but easy MIN
reprogrammability alone creates a tremendous liability in today's roaming
environment.

The Rolls Royce of this iniquitous pastime might be a 'Cellular Cache-Box.'
It would monitor reverse setup channels and snarf ESN/MIN pairs off the air,
keeping a list in memory. Its owner could place calls as on any other
cellphone. The Cache-Box would automatically select an ESN/MIN pair from its
catalog, use it once and then discard it, thus distributing its fraud over
many accounts. Neither customer nor service provider is likely to detect the
abuse, much less catch the perpetrator.

As the history of the computer industry shows, it is not far-fetched to
predict explosive growth in telecommunications and cellular that will bring
equipment prices within reach of many experimenters. Already we have seen the
appearance of first-generation cellular phones on the used market, and new
units can be purchased for well under $1000 in many markets.

How High The Loss?

Subscribers who incur fraudulent charges on their bills certainly can't be
expected to pay them. How much will fraud cost the carrier? If the charge is
for home-system airtime only, the marginal cost to the carrier of providing
that service is not as high as if toll charges are involved. In the case of
toll charges, the carrier suffers a direct cash loss. The situation is at its
worst when the spoofer pretends to be a roaming user. Most inter-carrier
roaming agreements to date make the user's home carrier (real or spoofed)
responsible for charges, who would then be out hard cash for toll and airtime
charges.

We have not attempted to predict the dollar losses this chicanery might
generate because there isn't enough factual information for anyone
to guess responsibly. Examination of current estimates of long-distance-toll
fraud should convince the skeptic.

Solutions

The problems we have described are basically of two types. First, the ESN
circuitry in most current mobiles is not tamper-resistant, much less
tamper-proof. Second and more importantly, the determined perpetrator has
complete access to all information necessary for spoofing by listening to the
radio emissions from valid mobiles because the identification information
(ESN/MIN) is not encrypted and remains the same with each transmission.

Manufacturers can mitigate the first problem by constructing mobiles that more
realistically conform to the EIA requirements quoted above. The second
problem is not beyond solution with current technology, either. Well-known
encryption techniques would allow mobiles to identify themselves to the
serving cellular system without transmitting the same digital bit stream each
time. Under this arrangement, an interloper receiving one transmission could
not just retransmit the same pattern and have it work a second time.
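The identification scheme the preceding paragraph sketches, written out as an added example that is not part of the article or of the original mailing. It puts the static MIN/ESN check of the present standard (with the hot-list of stolen ESNs from the 'Cellular Evolution' section) beside a challenge-response variant: the switch keeps, next to each MIN's registered ESN, a per-unit secret that is never transmitted; the land station sends a fresh random challenge for every origination, and the mobile answers with a MAC over that challenge and its identity, so the bit stream differs each time and a recorded exchange fails when retransmitted. HMAC-SHA256 stands in for the article's unspecified 'well-known encryption techniques', and the MINs, ESNs, keys and hot-list entry are constructed sample values, not real identifiers.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (hypothetical MINs, ESNs and keys; not from the article).
# The cellular switch's subscriber database: MIN -> registered ESN plus a per-unit
# secret which, unlike the ESN, is never sent over the air.
SUBSCRIBERS = {
    "2025550100": {"esn": 0x8A1F0C3E, "key": b"per-unit-secret-0100"},
    "4155550199": {"esn": 0x00C0FFEE, "key": b"per-unit-secret-0199"},
}
# ESNs of units reported stolen, permanently denied service ('hot-listed').
HOT_LIST = {0x00C0FFEE}


def validate_static(min_number, esn):
    """The check current systems can make: the MIN/ESN pair must match the
    switch's records and the ESN must not be hot-listed. Because the pair is
    sent in the clear and is identical on every origination, anyone who
    overheard it once passes this check just as the real unit does."""
    record = SUBSCRIBERS.get(min_number)
    if record is None or record["esn"] != esn:
        return False
    return esn not in HOT_LIST


def _response(key, nonce, min_number, esn):
    """MAC over the challenge and the claimed identity. HMAC-SHA256 is a
    stand-in for the article's unspecified encryption technique."""
    msg = nonce + min_number.encode("ascii") + esn.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class LandStation:
    """Base station / switch side of the challenge-response identification."""

    def __init__(self):
        self._pending = {}  # MIN -> outstanding single-use challenge

    def challenge(self, min_number):
        nonce = secrets.token_bytes(16)  # fresh per origination
        self._pending[min_number] = nonce
        return nonce

    def verify(self, min_number, esn, response):
        nonce = self._pending.pop(min_number, None)  # consumed on any attempt
        record = SUBSCRIBERS.get(min_number)
        if nonce is None or record is None or record["esn"] != esn or esn in HOT_LIST:
            return False
        expected = _response(record["key"], nonce, min_number, esn)
        return hmac.compare_digest(expected, response)


class Mobile:
    """Mobile unit: holds its MIN, ESN and secret, and answers challenges."""

    def __init__(self, min_number, esn, key):
        self.min_number, self.esn, self.key = min_number, esn, key

    def originate(self, station):
        nonce = station.challenge(self.min_number)
        # What actually crosses the reverse channel: identity plus a one-time response.
        return self.min_number, self.esn, _response(self.key, nonce, self.min_number, self.esn)


def replay_demo():
    """A genuine origination verifies; the same over-the-air exchange, recorded
    and retransmitted against the station's next challenge, does not."""
    station = LandStation()
    phone = Mobile("2025550100", 0x8A1F0C3E, SUBSCRIBERS["2025550100"]["key"])
    captured = phone.originate(station)     # an eavesdropper records exactly this
    genuine_ok = station.verify(*captured)
    station.challenge("2025550100")         # next origination gets a fresh nonce
    replay_ok = station.verify(*captured)   # same pattern, second time
    return genuine_ok, replay_ok


if __name__ == "__main__":
    print("static pair check:", validate_static("2025550100", 0x8A1F0C3E))
    print("genuine, replay:", replay_demo())
```

The scheme only helps if the per-unit secret stays inside the mobile: the article's observations about ROM-based ESN chips being bought, copied and swapped apply equally to the key, so it belongs in the tamper-resistant circuitry the EIA specification already demands for the serial number. The station also consumes a challenge on every verification attempt, succeeding or not, so a response can never be tried twice against one nonce.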

An ancillary benefit of encryption is that it would reasonably protect
communications intelligence--the digital portion of each transaction that
identifies who is calling whom when.

The drawback to any such solution is that it requires some re-engineering in
the Mobile-Land Station Compatibility Specification, and thus new software or
hardware for both mobiles and base stations. The complex logistics of
establishing a new standard, implementing it, and retrofitting as much of the
current hardware as possible certainly presents a tough obstacle, complicated
by the need to continue supporting the non-encrypted protocol during a
transition period, possibly forever.

The necessity of solving the problem will, however, become apparent. While we
presently know of no documented cases of cellular fraud, the vulnerability of
the current standards and experience with similar technologies lead us to
conclude that it is inevitable. Failure to take decisive steps promptly will
expose the industry to a far more expensive dilemma.


Geoffrey S. Goodfellow is a member of the senior research staff in the
Computer Science Laboratory at SRI International, 333 Ravenswood Ave., Menlo
Park, CA 94025, 415/859-3098. He is a specialist in computer security and
networking technology and is an active participant in cellular industry
standardization activities. He has provided Congressional testimony on
telecommunications security and privacy issues and has co-authored a book on
the computer 'hacking' culture.

Robert N. Jesse (2221 Saint Paul St., Baltimore, MD 21218, 301/243-8133) is an
independent consultant with expertise in security and privacy, computer
operating systems, telecommunications and technology management. He is an
active participant in cellular standardization efforts. He was previously a
member of the senior staff at The Johns Hopkins University, after he obtained
his BES/EE from Johns Hopkins.

Andrew H. Lamothe, Jr. is executive vice-president of engineering at Cellular
Radio Corporation, 8619 Westwood Center Dr., Vienna, VA 22180, 703/893-2680.
He has played a leading role internationally in cellular technology
development. He was with Motorola for 10 years prior to joining American
TeleServices, where he designed and engineered the Baltimore/Washington market
trial system now operated by Cellular One.
------End Forwarded Message------


UUCP: {cbosgd, hplabs!hp-sdd, sdcsvax, nosc}!crash!pnet01!mtbill
ARPA: crash!pnet01!mtbill@nosc.mil
INET: mtbill@pnet01.CTS.COM