GSME proposals regarding mobile theft and IMEI security

Similar documents
INSPIRE status report

ITU Workshop Combating grey devices. Audrey Scozzaro Ferrazzini Standardisation and Industrial Policy Lead, EMENA Government Affairs 28 June 2016

LIMITE EN COUNCIL OF THE EUROPEAN UNION. Brussels, 26 September 2008 (30.09) (OR. fr) 13567/08 LIMITE ENFOPOL 170 CRIMORG 150

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.

ECC Recommendation (17)04. Numbering for ecall

Security and resilience in Information Society: the European approach

Electronic Commerce Working Group report

Toward Horizon 2020: INSPIRE, PSI and other EU policies on data sharing and standardization

Third public workshop of the Amsterdam Group and CODECS C-ITS Deployment in Europe: Common Security and Certificate Policy

The importance of Whois data bases for spam enforcement

PUBLIC COUNCIL OF THE EUROPEAN UNION. Brussels, 26 May /03 LIMITE SIRIS 47 CATS 34 ASIM 31 COMIX 330

European Union Agency for Network and Information Security

IMEI Security Technical Design Principles

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

European Framework for C-ITS Security 6 th of March 2018 Gerhard Menzel European Commission

White Paper. The Impact of Payment Services Directive II (PSD2) on Authentication & Security

ENISA s Position on the NIS Directive

Implementation and functioning of caller location in Europe. Cristina Lumbreras Technical Director, EENA

ITU-T SG 11 Workshop Global Approaches on Combating Counterfeiting and Stolen ICT Devices

3GPP TS V ( )

A STUDY OF TWO-FACTOR AUTHENTICATION AGAINST ON-LINE IDENTITY THEFT

European Standards- preparation, approval and role of CEN. Ashok Ganesh Deputy Director - Standards

Market Surveillance Action Plan

Outcomes of the ITU Workshop. Global approaches on combating counterfeiting and stolen ICT devices. (23 July 2018, Geneva)

Authentication Technology for a Smart eid Infrastructure.

ETSI TS V6.2.0 ( )

ACCREDITATION: A BRIEFING FOR GOVERNMENTS AND REGULATORS

SECURING CORPORATE ASSETS WITH TWO FACTOR AUTHENTICATION

Valérie Andrianavaly European Commission DG INFSO-A3

Network and Information Security Directive

TECHNICAL REPORT Electronic Signatures and Infrastructures (ESI); Guidance on the use of standards for cryptographic suites

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

VdTÜV Statement on the Communication from the EU Commission A Digital Single Market Strategy for Europe

Electronic registered delivery services (ERDS) in light of the eidas regulation. Warsaw Common Sign Conference 2015

EUROPEAN COMMISSION DIRECTORATE GENERAL FOR INTERPRETATION

Reference Offer for Wholesale Roaming Access

EUROPEAN COMMISSION DIRECTORATE-GENERAL INFORMATION SOCIETY AND MEDIA

Submission. to the. Australian Communications and Media Authority. on the. Planning for mobile broadband within the 1.

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

GSMA TAC Allocation and IMEI Programming Rules for Device Brand Owners and Manufacturers

Computer Security Policy

The commission communication "towards a general policy on the fight against cyber crime"

A MODEL FOR INTERCONNECTION IN IP-BASED NETWORKS

Privileged Account Security: A Balanced Approach to Securing Unix Environments

FFIEC CONSUMER GUIDANCE

Comprehensive Study on Cybercrime

INCREASING TRUST IN CALLING LINE IDENTIFICATION AND ORIGINATING IDENTIFICATION

Basics of GSM in depth

2016 Global Identity Summit Pre-Conference Paper Biometric Interoperability 2021

How Next Generation Trusted Identities Can Help Transform Your Business

eidas Regulation eid and assurance levels Outcome of eias study

Two-Factor Authentication over Mobile: Simplifying Security and Authentication

GSMA Embedded SIM 9 th December Accelerating growth and operational efficiency in the M2M world

DIGITAL IDENTITY TRENDS AND NEWS IN CHINA AND SOUTH EAST ASIA

OPINION ON THE DEVELOPMENT OF SIS II

COMMENTS BY THE CONFEDERATION OF SWEDISH ENTERPRISE ON:

Electronic signature framework

A comprehensive approach on personal data protection in the European Union

ETSI TS V ( ) Technical Specification

Privacy Notice - General Data Protection Regulation ( GDPR )

LL-C (Certification) Services Overview

Strategy for information security in Sweden

POMONA EUROPE ADVISORS LIMITED

Open letter from Access regarding document acquired through freedom of information request 5 messages

Data Protection and GDPR

16474/08 JJ/ap 1 DGH4

The telephone supports 2 SIM cards. All functions are available for both SIM cards and have independent settings.

Resilience, Responsibility, Responsiveness Towards a Future-oriented, Sustainable World Economy. B20 Recommendations on Digital Trade

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

Ulster University Standard Cover Sheet

Introductory Speech to the Ramboll Event on the future of ENISA. Speech by ENISA s Executive Director, Prof. Dr. Udo Helmbrecht

Biometrics problem or solution?

Workshop Numbering for ecall 31. January Johannes Vallesverd CEPT ECC WG NaN Chairman

Our Privacy Policy gives you detailed information on when and why we collect your personal information, how we use it and how we keep it secure.

ETNO-GSMA Position Paper on the BEREC Guidelines for the implementation of the Open Internet provisions of the TSM Regulation (2015/2120)

FFIEC CONSUMER GUIDANCE

Securing Multiple Mobile Platforms

KSi Malta Privacy Policy

TERMS AND CONDITIONS FOR THE USE OF THE WEBSITE AND PRIVACY POLICY

EU Cloud Computing Policy. Luis C. Busquets Pérez 26 September 2017

Workday s Robust Privacy Program

Cognizant Careers Portal Privacy Policy ( Policy )

COUNCIL OF THE EUROPEAN UNION. Brussels, 28 January 2003 (OR. en) 15723/02 TELECOM 78 JAI 307 PESC 593

Cybersecurity Policy in the EU: Security Directive - Security for the data in the cloud

The WAP Roadmap. Short Term Goals for WAP

European Commission Directorate General Enterprise and Industry INSTITUTIONAL FRAMEWORK ON

ETSI TS V8.0.0 ( )

Revision of BREF documents in light of the Industrial Emissions Directive

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

13967/16 MK/mj 1 DG D 2B

Market Surveillance Action Plan

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Non Person Identities After all, who cares about me? Gilles Lisimaque & Dave Auman Identification technology Partners, Inc.

Regulating Cyber: the UK s plans for the NIS Directive

FAQ of BIPT for the attention of the consumers relating to the compulsory identification of prepaid card users. Contents

15412/16 RR/dk 1 DGD 1C

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:

ETSI TS V6.1.0 ( )

Directive on Security of Network and Information Systems

CEREMP Registration User Manual for Market Participants in Denmark

Transcription:

GSM Europe The European interest group of the GSM Association http://www.gsmeurope.org GSME proposals regarding mobile theft and IMEI security The question of mobile theft and ways of combating it has started to receive increased attention recently in some EU Member States. Various means have already been put in place in the past to secure mobile handsets, including means to prevent the use of the handset after theft. However, with the increase of the phenomena, the attraction of new mobile terminals with colour screens and other new features and the impact it has on security in general, some governments have decided to reinforce - or are in the process of reinforcing - the measures taken so far. It should be noted that there are EU countries were mobile theft does not show the same statistical figures and the issue is therefore not being addressed by public authorities. In any case mobile theft has a global dimension because of the trade of stolen phones which crosses national borders. Discussions on mobile theft were held in the meetings of the TCAM Committee in 2002 and GSM Europe has written to Commissioner Liikanen in December 2002 highlighting the need for the IMEI number to be regulated through the application of article 3.3.d of the RTTE Directive. A draft decision was tabled by DG Enterprise at the TCAM Committee in March 2003. In order to discuss the matter again in more depth at the next TCAM in June, DG Enterprise will organise a hearing early June on ways to combat theft and is interested to hear private sector representatives views on the matter. GSM Europe welcomes the opportunity that is given to examine in more detail ways of combating mobile theft. It is of the opinion that the international mobile equipment identifier (IMEI) is a key element in the discussions : an IMEI that resists tampering can appreciably increase the efficiency of the various technical solution that exist to combat mobile theft without precluding any solution as such. This paper therefore does not discuss the pro and cons of each technical solution but rather concentrates on IMEI as a tool for making existing anti-theft solutions more efficient. It is up to governments in close co-operation with manufacturers and operators to decide which anti-theft solution is the best response to tackle mobile theft where appropriate. As long as these solutions are not satisfying, any regulatory intervention in this respect should be prevented.

Various possibilities of securing mobile handsets Options for securing mobile handsets are numerous but it is possible to classify them into three families : 3 external interfaces Network interface GSM, 3G bluetooth, IR, USB,... User interface 1 4 7 2 5 8 3 6 9 Sim card interface * 0 1 1. Network Family : The interface is between a network/server (GSM, 3G, bluetooth, IR) and the handset The handset sends an identification number to the network/server The network/server is in a position to restrict the access to some mobile services (GSM, 3G) according to the identification value Common identification for this family : identification number of the terminal (IMEI) There is only an identification of the handset and not an authentication of the user. 2. Mobile User Family The interface is between the user and the handset The user authenticates himself to the handset The user proves he has the right to use the handset since he is the only one knowing the authentication value 2

Common authentication values for this family : Personal Identifier Number (PIN), password, secret key + ciphering component, biometrics (e.g. fingerprint) The handset can restrict the access to its services according to the authentication value. 3. Smart Card Family The interface is between the simcard - or any other external component - and the handset The handset is programmed for a restricted use : the handset compares if its own descriptive data corresponds to the data stored on the external component (e.g. data stored in the smart card); Common descriptive data for this family : country code, network code, service code, user s IMSI value. It should be noted that in the case of the Network Family, it is the network that checks the incoming identifier/ security parameter whereas for the Mobile User and Smart Card Families, it is the handset that checks the security parameter and there is no interface with the network. A list of possible methods to secure mobile phone handsets is attached. Annex 1 indicates to which family the anti-theft option corresponds and describes the effectiveness and possible security attacks. A necessary link between the hardware and the software of the handset Based on the analysis of the various methods listed at annex, it seems that for any anti theft solution to be efficient it needs to resist handset cloning attacks, i.e. the complete reload of handset software which allows the duplication of the security mechanism and its associated data. When you have one mobile handset with an anti-theft solution inactivated (e.g. mobile pin code off) and another handset with the anti theft solution activated (mobile pin code on), cloning the first on the second will have as a result that the anti-theft solution of the second handset becomes inactivated To resist cloning attacks there needs to be a robust link between the handset s hardware and the handset s software. Without any relation between the hardware and the software, data and software can be exchanged between handsets. In this case, handsets behave like floppies in which software and data are stored. This link between the hardware and the software must materialise, at one moment in time, as a constant data (functionally equivalent to a serial number) and needs to be stored in a dedicated and 3

secure confident area (OTP, ASIC, crypto processor, ). Once stored and secured, the data can be used as a confidence root to build the entire security controls and integrity measures of the handset. The hardware/software link does not preclude the choice of the anti-theft measure to be put in place it only reinforces the effectiveness of the anti-theft measure used. GSM Europe proposes that this link should be based on a secure IMEI number which is already attributed to most mobile terminals as it was used historically for type approval purposes. It is necessary for manufacturers to ensure as much as possible that IMEI resist tampering. One can add that besides improving the whole range of anti-theft measures, a secure IMEI will be useful for the delivery of new mobile services in the future and will also be a valuable asset for tracking criminals or persons guilty of fraud. A secure IMEI in every handset As of today most handsets placed on the market have an International Mobile Equipment Identifier (IMEI). As of 1 st June, ETSI TS 122.016 is applicable. This technical specification indicates that the IMEI shall not be changed after the Mobile Equipment s final production process. It shall resist tampering, i.e. the manipulation and change, by any means (e.g. physical, electrical and software). This requirement is valid for new GSMEs type approved after 1 st June 2002 the manufacturer is also responsible for ascertaining that each IMEI is unique. In practice, operators find that various types of handsets placed on the market after June 2002 do not have a secure IMEI. In fact, the standard is applied on a voluntary basis and some manufacturers (mostly non EU manufacturers) do not apply the standard. In addition, the ETSI standard does not give details about the technical means that need to be used to secure IMEIs. The level of security therefore varies greatly from one manufacturer to another. Commission decision on the application of article 3.3.d GSME therefore proposes that Article 3.3.d of the RTTE Directive be activated and that a Commission Decision is drafted as follows : Mobile Telecommunications Terminal Equipment shall be so constructed that its use after theft can be prevented. As a part of this, the equipment shall have a publicly available Mobile Equipment Identifier which shall resist tampering. 4

This provision is sufficiently open to allow the development of various anti theft solutions (SIM lock, blacklisting of stolen phones, mobile pin code ) according to the importance of the phenomena in each Member State. It highlights however the importance of a mobile equipment identifier which is not an anti-theft solution as such but a prerequisite for strengthening the various anti theft solutions available. As such, IMEIs should be implemented in the handset device in a way that its modification becomes economically unattractive. Process of detection and correction of IMEI anomalies GSM Europe believes that an additional significant improvement of IMEI security is possible by putting in place - in addition to the Commission Decision - a process engaging operators and manufacturers so as to detect weaknesses in IMEI - once the equipment is placed on the market - and improve the level of security accordingly during the life cycle of the product. 1. Once an operator detects a weakness on a specific mobile equipment model placed on the market, the operator alerts a relevant body (for example the GSM Association); The burden of proof lays with the operator. The anomaly is discussed and validated by this relevant body (for example GSMA TWG). 2. The GSM A formally addresses a notice to the manufacturer which has a week to give details on his planning to correct the anomaly; 3. 1 month after the formal notice, the manufacturer reports to the GSM A on the status of his action and details on the timing when the equipment with secure IMEI will leave the factory; 4. 2 months after the formal notice, equipment placed on the market have to present an IMEI of which the level of security is improved compared to the weakness initially identified; 5. If no correction is applied to eliminate the identified weakness and/or if no formal answer is given by the manufacturer to the GSMA, the GSM Association refers the case to the authorities which are to carry out the surveillance tasks related to the operation of the RTTE Directive. The relevant Member State is then in a position to activate Article 9 of the Directive (e.g. prohibition of placing the mobile equipment in question on the market). It is necessary that this IMEI process is carried out in the context of a broader regulatory framework of the RTTE Directive : the Directive (and subsequent Commission Decision on Article 3.3.d) sets the objective (each ME has an identifier which shall resist tampering) and in case of obvious infringement of this rule from the part of the manufacturer the relevant safeguards of the RTTE Directive can be activated by the Member States. GSME, London, June 2003 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback