Practical Operator Considerations Cellular Analog Cellular Rogue Base Station Tumbling Cloning

Similar documents
Pertemuan 7 GSM Network. DAHLAN ABDULLAH

Basics of GSM in depth

GLOBAL SYSTEM FOR MOBILE COMMUNICATION (2) ETI2511 Friday, 31 March 2017

CTIA Certification Program

Chapter 3 GSM and Similar Architectures

Cellular Communication

Analysis of Security Based on CDMA Air Interface System

E2-E3: CONSUMER MOBILITY. CHAPTER-5 CDMA x OVERVIEW (Date of Creation: )

UNIT-5. GSM System Operations (Traffic Cases) Registration, call setup, and location updating. Call setup. Interrogation phase

Security of Cellular Networks: Man-in-the Middle Attacks

Mobile Security / /

CHAPTER 4 SYSTEM IMPLEMENTATION 4.1 INTRODUCTION

E3-E4 (CM MODULE) CDMA x & EV-DO. For internal circulation of BSNL only

Understanding Carrier Wireless Systems

EUROPEAN ETS TELECOMMUNICATION November 1996 STANDARD

Cellular Mobile Systems and Services (TCOM1010) GSM Architecture

International Journal of Scientific & Engineering Research, Volume 4, Issue 11, November-2013 ISSN

Network Security: Cellular Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Security Provisions in CDMA2000 Networks

Mobile Security Fall 2013

Design of a Routing Mechanism to Provide Multiple Mobile Network Service on a Single SIM Card Boobalan. P, Krishna. P, Udhayakumar. P, Santhosh.

The Mobile Equipment Identifier (MEID)

Information Technology Mobile Computing Module: GSM Handovers

Communication Networks 2 Signaling 2 (Mobile)

Contents. GSM and UMTS Security. Cellular Radio Network Architecture. Introduction to Mobile Telecommunications

Mobility and Security Management in the GSM System

Mobile Communications

Short Message Service (SMS)

GSM. Course requirements: Understanding Telecommunications book by Ericsson (Part D PLMN) + supporting material (= these slides) GPRS

Wireless Security Security problems in Wireless Networks

Securing SMS of a GSM Network Message Center Using Asymmetric Encryption Technique Algorithm.

Moving Forward on MEID. March, Contacts Bill Dahnke, David Crowe A RCA Webinar

Sniffer. J.DEEPTHI Associate Professor & HOD, Department of CSE,

GSM Hacking. Wireless Mobile Phone Communication 30 th January 2014 UNRESTRICTED EXTERNAL

Frequently Asked Questions (FAQ) MEID and Expanded UIMID (E-UIMID)

GSM Open-source intelligence

Semi-Active GSM Monitoring System SCL-5020SE

The Commercial Issues of Interstandard Roaming. Interstandard Roaming

10 Call Set-up. Objectives After this chapter the student will: be able to describe the activities in the network during a call set-up.

INSTITUTO DE MATEMÁTICA E ESTATÍSTICA UNIVERSIDADE DE SÃO PAULO. GSM Security. MAC Computação Móvel

G 364: Mobile and Wireless Networking. CLASS 19, Mon. Mar Stefano Basagni Spring 2004 M-W, 11:40am-1:20pm, 109 Rob

GSM System Overview. Ph.D. Phone Lin.

Advanced Computer Networks Exercise Session 4. Qin Yin Spring Semester 2013

Nexus8610 Traffic Simulation System. Intersystem Handover Simulation. White Paper

Security issues in mobile communications

Moving Forward on MEID and Expanded UIMID (E-UIMID) July, Contacts Bill Dahnke, David Crowe Version 3.0

NGN Security. Next Generation Nightmare? Emmanuel Gadaix Telecom Security Task Force. Dubai, HITB 2007

GPRS security. Helsinki University of Technology S Security of Communication Protocols

Course Outline Comprehensive Training on Bypass/SIM Box Fraud Detection and Termination Duration: 3 Days

Application of ESA in the CAVE Mode Authentication

Telecommunication Services Engineering Lab

Client Server Programming and GSM Networking Protocols (SS7 Signaling)

MEID FAQ. (FAQs also assist in the ESN and UIM_ID transition to MEID & EUIMID)

Telecommunication Services Engineering Lab

Moving Forward on MEID and Expanded UIMID (E-UIMID) February, Contacts Bill Dahnke, David Crowe Revision A

Cellular Networking Perspectives

COMP327 Mobile Computing Session: Lecture Set 5 - Wireless Communication Part 2

Threat patterns in GSM system. Basic threat patterns:

Cellular Networks and Mobility

Designing Authentication for Wireless Communication Security Protocol

Security functions in mobile communication systems

Editor David Crowe Phone Fax Vol. 3, No. 6 June, IS-41 Rev. C Delayed? The scheduled date to start the ballot

International Journal of Innovative Research in Advanced Engineering (IJIRAE) ISSN: Volume 1 Issue 6 (July 2014)

Signaling System 7 (SS7) By : Ali Mustafa

Hands-On Modern Mobile and Long Term Evolution LTE

Wireless and Mobile Network Architecture

Wireless and Mobile Network Architecture

UMTS System Architecture and Protocol Architecture

ETSI TS V7.1.0 ( )

ETSI TS V1.1.1 ( )

A Pattern Language for Mobility Management [1] Petri Jokela

Dimensioning, configuration and deployment of Radio Access Networks. part 1: General considerations. Mobile Telephony Networks

Technical description of international mobile roaming May 2010

3G TS V3.6.0 ( )

RF OPTIMIZATION FOR QUALITY IMPROVEMENT IN GSM NETWORK

Mobile Application Part (MAP) -

Florida State University Libraries

Mobile communications an overview

Support for the Mobile Equipment Identity (MEID)

Internal. GSM Fundamentals.

Data and Voice Signal Intelligence Interception Over The GSM Um Interface

JP-3GA (R99) Network Architecture

GSM Security Overview

ITU Workshop Combating grey devices. Audrey Scozzaro Ferrazzini Standardisation and Industrial Policy Lead, EMENA Government Affairs 28 June 2016

Authentication Technologies

Wireless Communications

Chapter 2 The 3G Mobile Communications

SMARTPHONES AND MOBILE PHONE TECHNOLOGY MOBILE TECHNOLOGY BASICS. Lecture: 2 Instructor Mazhar Hussain

Mavenir Keynote. Think Smarter Secure communication Innovate Services. By Mohamed Issa Regional Head of Africa Sales

Security Management System of Cellular Communication: Case Study

A Review on Security in Mobile Communication Technology

The GSM Standard (An overview of its security)

TS V5.1.1 ( )

GOPALAN COLLEGE OF ENGINEERING AND MANAGEMENT Electronics and communication Department

GSME proposals regarding mobile theft and IMEI security

Wireless Security K. Raghunandan and Geoff Smith. Technology September 21, 2013

The GSM Standard (An overview of its security)

GLOSSARY OF CELLUAR TERMS

Wireless Networking Basics. Ed Crowley

Removable User Identity Module (R-UIM) for cdma2000 Spread Spectrum Systems

Transcription:

Practical Operator Considerations Cellular Analog Cellular Rogue Base Station Tumbling Cloning

Getting paid Prevent (limit) subscriber fraud Ensure accurate clearing with other operators Reduce churn Ensure sufficient capacity Provide CALEA compliance Maintain public perception of security Provide a2dditional features (marketing) Page 3

Analog Digital - TDMA Digital - CDMA Digital - GSM Page 4

Control channel Forward is continuous Reverse is shared Voice (Traffic) channel Assigned for the call Shared in digital systems Page 5

Authentication is valid Electronic Serial Number (ESN) and Mobile Identification Number (MIN) pair Sent from mobile to base in the clear Early systems had just a deny list Not all systems initially available to each other for roaming verification Page 6

Automobile smash and grab Use until service is canceled Call-sell operations Page 7

Dumpster diving Insider account maintenance Hack into authorization database Hack into switch maintenance port Page 8

Forward link has no authentication Mobiles lock to false outbound Cell phone suppressor Test equipment (ESN readers) Page 9

Read pairs on link between base station and switch Microwave in many areas Page 10

ESN/MIN pair sent to home system Pre-call validation not available First call allowed to go through Tumble through random ESN/MIN pairs Page 11

Replace legit ESN with snarfed ESN Reprogram MIN Extension phones Rewrite phone firmware (Chip in lower left corner is conveniently socketed) Page 12

Tune scanner to control channel Decoder monitors inbound data Computer stores ESN/MIN pairs when the mobile registers AMPS data is simple FSK, in the clear Page 13

Sign up for service under false identity Identity Theft Page 14

Overpower base station during legitimate call Use cell phone test mode to match Supervisory Audio Tone (SAT) Flashhook and place another call Page 15

Legal Illegal to eavesdrop Illegal to clone Illegal to possess equipment that might be used to clone Technical PINs Customers hated this Velocity checks Good for roaming, not great for local clones Don t allow more than one active at a time RF Fingerprinting Page 16

Generally, mobile is given a challenge and network checks the response US Digital Cellular Cellular Authentication and Voice Encryption (CAVE) Control Message Encryption Algorithm (CMEA) Voice Privacy Mask (VPM) GSM A3 Authentication A8 cipher key generation A5 privacy Page 17

A-key, 64 bits (20 digits plus 6 check digits) RANDSSD: 56 bits Electronic Serial Number (ESN): 32 bits Shared Secret Data (SSD) SSD_A: 64 bits, for authentication SSD_B: 64 bits, for encryption Authentication Result, AUTHx: 18 bits Unique Challenge Uses voice channel during call attempts Global Challenge Uses control channel, checks during registration, call attempt and call delivery All phones challenged with the same number Page 18

Phone attempts to access the network indicates authentication capability Serving MSC contacts HLR and AC indicates whether it can do CAVE (if not, SSD cannot be shared, AC must do all the work) Gets profile Includes whether authentication should be done Generates random number RANDU and sends it to phone Page 19

Phone runs CAVE ( RANDU, SSD, MIN, ESN ) Produces AUTHU Sends AUTHU to MSC MSC runs CAVE ( RANDU, SSD, MIN, ESN ) Produces local AUTHU At MSC, if received AUTHU matches local AUTHU, authentication is successful Page 20

Phone and AC update their SSD AC generates RANDSSD Sends it to Serving MSC Computes SSD from RANDSSD, ESN, A-key MSC sends RANDSSD to phone Phone generates SSD from RANDSSD, ESN, A-key Phone authenticates Base Station (or AC) Generates RANDBS Calculates AUTHBS from RANDBS and new SSD Sends RANDBS to Serving MSC Either MSC or AC uses RANDBS and new SSD to calculate AUTHBS MSC sends AUTHBS to phone If phone AUTHBS and MSC AUTHBS match, phone stores new SSD Another authentication process is performed If successful, AC stores new SSD Page 21

Mobile maintains a 6-bit COUNT variable Incremented on instruction from AC AC maintains COUNT for each mobile COUNT values must match in order for mobile to gain access Page 22

Information sent in the clear on interconnection networks (SS7, etc) Secret information held in vulnerable locations (HLR, VLR, etc) CMEA broken Small keysize Poor A-keys VPM fixed for the length of the call XOR against known voice (e.g. silence) Page 23

Handsets and SIMs International Mobile Equipment Identifier (IMEI) International Mobile Subscriber Identity (IMSI) Page 24

AuC: Authentication Center BTS: Base Transceiver Station BSC: Base Station Controller EIR: Equipment Identity Register (white, black, grey) HLR: Home Location Register ME: Mobile Equipment MSC: Mobile Switching Center OMC: Operations & Maintenance Center SIM: Subscriber Identity Module Visitor Location Register Page 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback