2. How a mobile network works? How a mobile phone functions? Triangulation location – service providers; Triggerfish – covert triangulation (no warrant required). Overview
4. Mobile phones can be described as two-way radios that use RF (Radio Frequency) signaling to transmit and receive calls. When we make or receive a call, the mobile phone communicates with a network of low-powered radio transceivers called base stations. Each base station covers a small geographical area called a “cell”, which is the origin of the name “cellular network”. The cryptographic algorithms used in GSM are the A5/1 and A5/2 stream ciphers. These algorithms are meant to ensure over-the-air voice privacy, but A5/1 can be broken by a rainbow table attack, whereas A5/2 can be compromised using a ciphertext-only attack. How a mobile phone functions?
5. There are three different approaches to security in mobile communications: old analog phones did not have any security; the North American digital standards have voice privacy, which is implemented using encryption; the European GSM standards support voice encryption but suffer from various other straightforward attacks. Security in Mobile Communications
6. The five major security issues in mobile communications are listed below. The communicating parties are not exactly sure of each other's identities. They may recognize one another by voice, but no real authentication system exists. In addition, it is not certain that calling a phone number will connect to the right cell phone. A user may eavesdrop on a communication by intercepting a call broadcast by a cell phone. Some protection exists, but it is not enough to deter a motivated eavesdropper. Security issues in Mobile Communications
7. The billing records give an audit trail that contains details of the numbers called and received. These records are often used by law enforcement agencies to track suspects. The caller ID (CID) reveals the phone number of the caller to the recipient. Further, multiple calls made from a single phone number to different phone numbers can give an idea of the nature of the communication. The weak authentication of devices permits fraud and masquerading. Security issues in Mobile Communications (continued)
8. No unauthorized entity should be allowed to bill a call of a user, as it contains the user’s private information. A stolen mobile phone should not be allowed to place a call. The network should not keep any record of sent or received calls. No records of the use of digital information should be kept. Basic security requirements of the end-user
9. It should not be possible to record a clear copy of a conversation or a data session. The user's location should not be disclosed without consent. Identification of the end user/end device should not be allowed unless permitted by the user. Location information should not be available to unauthorized entities. Basic security requirements of the end-user (continued)
10. Cabir – the first known malware for cellphones; it uses Bluetooth to infect phones. Cardtrap.A – a trojan which infects computers when users transfer data from a cellphone to a computer. Commwarrior – the first worm to spread via MMS. MetalGear – a type of trojan horse that disables anti-virus software. FlexiSpy – found in March 2006; spyware which installs on a phone and sends MMS messages and phone logs to a remote internet server used by a third party. Examples of Mobile Malware
11. The attacker intercepts information or reads signaling messages but does not modify or delete them. Such attacks affect the privacy of the subscriber and the network operator. The attacker may use the data obtained from interception to analyze traffic. The two ways of intercepting communications on a GSM mobile are: using cloning; using special software and hardware. Interception
12. A mobile, sometimes also called a mobile terminal, identifies itself to the network using an ID. This ID has two components: ESN – Electronic Serial Number; MIN – Mobile Identification Number. The ESN physically identifies the cell phone, whereas the MIN identifies the phone holder (subscriber). The MIN is usually the cell number of the subscriber, and the ESN is the number that identifies the cell phone. The ESN is normally the IMEI number. A common attack on these numbers is cloning, in which the ESN and MIN are duplicated in another cell phone and submitted to the system. As a result, this cell phone is now capable of acting as a clone. It can both receive and transmit data. 1. (Interception) Cloning
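One check a network operator can run against the cloning described in this slide, given here as an added example that is not part of the original slides: because a clone presents the same ESN and MIN as the real handset, the same pair shows up at base stations that one physical phone could not have travelled between in the elapsed time. The record layout, the sample values, the function name and the 250 km/h limit are all assumptions.

```python
import math
from collections import defaultdict

MAX_SPEED_KMH = 250.0  # assumed upper bound on how fast a real handset moves

# Constructed sample registrations: (unix_time, ESN, MIN, cell_x_km, cell_y_km)
REGISTRATIONS = [
    (1000, "ESN-A1", "MIN-5550001", 0.0, 0.0),
    (1600, "ESN-A1", "MIN-5550001", 3.0, 4.0),      # 5 km in 10 min: plausible
    (1900, "ESN-A1", "MIN-5550001", 300.0, 400.0),  # 495 km in 5 min: not plausible
    (2000, "ESN-B2", "MIN-5550002", 10.0, 10.0),
    (2000, "ESN-B2", "MIN-5550002", 80.0, 10.0),    # two cells at the same instant
    (1200, "ESN-C3", "MIN-5550003", 20.0, 20.0),
    (4800, "ESN-C3", "MIN-5550003", 40.0, 20.0),    # 20 km in 1 hour: plausible
]

def find_clone_suspects(records, max_speed_kmh=MAX_SPEED_KMH):
    """Return (ESN, MIN, t_first, t_second) for each impossible movement."""
    by_identity = defaultdict(list)
    for ts, esn, min_, x, y in records:
        by_identity[(esn, min_)].append((ts, x, y))
    suspects = []
    for (esn, min_), seen in sorted(by_identity.items()):
        seen.sort()  # order each identity's sightings by time
        for (t0, x0, y0), (t1, x1, y1) in zip(seen, seen[1:]):
            km = math.hypot(x1 - x0, y1 - y0)
            hours = (t1 - t0) / 3600.0
            # Same identity in two different cells at once, or moving too fast.
            if km > 0 and (hours == 0 or km / hours > max_speed_kmh):
                suspects.append((esn, min_, t0, t1))
    return suspects

if __name__ == "__main__":
    for hit in find_clone_suspects(REGISTRATIONS):
        print("possible clone:", hit)
```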
13. Various Nokia phones used for maintenance were accidentally shipped for sale in the market. These phones can be configured from a PC to receive any GSM data from the broadcast channel. Another utility is the USRP, a software-defined radio that can transmit and receive any data between 0 and 3 GHz. It has a software module to receive and decode GSM signals. It costs around US$750 in the market. 2. (Interception) Special software and hardware
14. LBS is used to locate and identify the geographical position of a cell phone while it is operating in a network. Localization based systems are divided into 3 broad categories. Network based – it utilizes the infrastructure of the service provider to locate the position. The accuracy of locating a cell phone in a network depends on the density (number) of base stations in a given area. Therefore, in an area with many base stations the location of the cell phone is very accurate. The method used is triangulation, which is explained in the next slide. Handset based – it requires the installation of client software for location identification on the handset. Hybrid – it uses a combination of both the network based and handset based approaches. Localization based systems (LBS)
15. Triangulation is implemented as follows. Calculate the distance from the first tower based on speed, which gives a radius value. Draw a circle around the first tower with that distance as its radius. Calculate the distance from the second tower. Draw a circle around this tower, which results in 2 points where the user may be [maybe 1 if you happen to be in the exact middle!]. Calculate the distance from the third tower. Draw a circle. The point where circle 1, circle 2 and circle 3 meet is where the cell phone is located. So if the phone gives us any of this info [speed, tower locations], we can do the triangulation. Triangulation location – service providers
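The steps on this slide carried out in code, as an added example that is not part of the original slides: a distance is derived from signal travel time and propagation speed, the first two circles give two candidate points (one if the circles only touch), and the third circle picks the phone's position. Tower coordinates in metres on a flat plane, the function names and the 1 m tolerance are assumptions.

```python
import math

C = 299_792_458.0  # propagation speed of the radio signal in m/s

def distance_from_delay(one_way_seconds, speed=C):
    """Radius of the circle around a tower: distance = speed * time."""
    return speed * one_way_seconds

def circle_intersections(t1, r1, t2, r2):
    """Points where two tower circles meet: 0, 1 or 2 candidates."""
    (x1, y1), (x2, y2) = t1, t2
    d = math.hypot(x2 - x1, y2 - y1)
    if d == 0 or d > r1 + r2 or d < abs(r1 - r2):
        return []  # same tower, circles too far apart, or one inside the other
    a = (r1**2 - r2**2 + d**2) / (2 * d)   # distance from t1 to the chord
    h = math.sqrt(max(r1**2 - a**2, 0.0))  # half-length of the chord
    mx, my = x1 + a * (x2 - x1) / d, y1 + a * (y2 - y1) / d
    if h == 0:
        return [(mx, my)]  # circles touch: the "exact middle" case
    ox, oy = h * (y2 - y1) / d, h * (x2 - x1) / d
    return [(mx + ox, my - oy), (mx - ox, my + oy)]

def locate(towers, radii, tolerance=1.0):
    """Pick the two-circle candidate that also lies on the third circle."""
    best = None
    for x, y in circle_intersections(towers[0], radii[0], towers[1], radii[1]):
        err = abs(math.hypot(x - towers[2][0], y - towers[2][1]) - radii[2])
        if err <= tolerance and (best is None or err < best[0]):
            best = (err, (x, y))
    return best[1] if best else None  # None: the three circles do not meet

if __name__ == "__main__":
    # Constructed sample: three towers, each measuring the same one-way delay.
    towers = [(0.0, 0.0), (6000.0, 0.0), (0.0, 8000.0)]
    radius = distance_from_delay(5000.0 / C)
    print(locate(towers, [radius, radius, radius]))
```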
16. Triggerfish, also known as cell-site simulators or digital analyzers, are devices that act by posing as a cell tower. Triggerfish trick nearby cell phones into transmitting their serial numbers, phone numbers, and other data to law enforcement. However, because of range limitations, triggerfish are only useful for zeroing in on a phone's precise location once cooperative cell providers have given a general location. Triggerfish does not require any warrant (permission) to be used for surveillance by law enforcement authorities. Triggerfish – covert triangulation (no warrant required)