GSM Europe
The European interest group of the GSM Association
http://www.gsmeurope.org

GSME proposals regarding mobile theft and IMEI security

The question of mobile theft and ways of combating it has recently started to receive increased attention in some EU Member States. Various means have already been put in place in the past to secure mobile handsets, including means to prevent the use of the handset after theft. However, with the increase of the phenomenon, the attraction of new mobile terminals with colour screens and other new features, and the impact it has on security in general, some governments have decided to reinforce - or are in the process of reinforcing - the measures taken so far. It should be noted that there are EU countries where mobile theft does not show the same statistical figures and the issue is therefore not being addressed by public authorities. In any case mobile theft has a global dimension, because the trade in stolen phones crosses national borders.

Discussions on mobile theft were held in the meetings of the TCAM Committee in 2002, and GSM Europe wrote to Commissioner Liikanen in December 2002 highlighting the need for the IMEI number to be regulated through the application of Article 3.3.d of the RTTE Directive. A draft decision was tabled by DG Enterprise at the TCAM Committee in March 2003. In order to discuss the matter again in more depth at the next TCAM in June, DG Enterprise will organise a hearing in early June on ways to combat theft and is interested in hearing the views of private sector representatives on the matter.

GSM Europe welcomes the opportunity to examine in more detail ways of combating mobile theft. It is of the opinion that the International Mobile Equipment Identifier (IMEI) is a key element in the discussions: an IMEI that resists tampering can appreciably increase the efficiency of the various technical solutions that exist to combat mobile theft, without precluding any solution as such.
This paper therefore does not discuss the pros and cons of each technical solution but rather concentrates on the IMEI as a tool for making existing anti-theft solutions more efficient. It is up to governments, in close co-operation with manufacturers and operators, to decide which anti-theft solution is the best response to tackle mobile theft where appropriate. As long as these solutions are not satisfactory, any regulatory intervention in this respect should be prevented.
Various possibilities of securing mobile handsets

Options for securing mobile handsets are numerous, but it is possible to classify them into three families, one per external interface of the handset:

[Figure: a handset and its three external interfaces - the network interface (GSM, 3G, Bluetooth, IR, USB, ...), the user interface (keypad) and the SIM card interface.]

1. Network Family
- The interface is between a network/server (GSM, 3G, Bluetooth, IR) and the handset.
- The handset sends an identification number to the network/server.
- The network/server is in a position to restrict access to some mobile services (GSM, 3G) according to the identification value.
- Common identification for this family: the identification number of the terminal (IMEI).
- There is only an identification of the handset, not an authentication of the user.

2. Mobile User Family
- The interface is between the user and the handset.
- The user authenticates himself to the handset.
- The user proves he has the right to use the handset, since he is the only one knowing the authentication value.
- Common authentication values for this family: Personal Identification Number (PIN), password, secret key + ciphering component, biometrics (e.g. fingerprint).
- The handset can restrict access to its services according to the authentication value.

3. Smart Card Family
- The interface is between the SIM card - or any other external component - and the handset.
- The handset is programmed for restricted use: it checks whether its own descriptive data corresponds to the data stored on the external component (e.g. data stored in the smart card).
- Common descriptive data for this family: country code, network code, service code, user's IMSI value.

It should be noted that in the case of the Network Family it is the network that checks the incoming identifier/security parameter, whereas for the Mobile User and Smart Card Families it is the handset that checks the security parameter and there is no interface with the network.

A list of possible methods to secure mobile phone handsets is attached. Annex 1 indicates to which family each anti-theft option corresponds and describes its effectiveness and possible security attacks.

A necessary link between the hardware and the software of the handset

Based on the analysis of the various methods listed in the annex, it seems that for any anti-theft solution to be efficient it needs to resist handset cloning attacks, i.e. the complete reload of handset software, which allows the duplication of the security mechanism and its associated data. When you have one mobile handset with an anti-theft solution inactivated (e.g. mobile PIN code off) and another handset with the anti-theft solution activated (mobile PIN code on), cloning the first onto the second will have as a result that the anti-theft solution of the second handset becomes inactivated. To resist cloning attacks there needs to be a robust link between the handset's hardware and the handset's software.
Without any relation between the hardware and the software, data and software can be exchanged between handsets. In this case handsets behave like floppy disks on which software and data are stored. This link between the hardware and the software must materialise, at one moment in time, as a constant data item (functionally equivalent to a serial number) and needs to be stored in a dedicated, secure and trusted area (OTP, ASIC, crypto processor, ...). Once stored and secured, this data can be used as a root of confidence (a root of trust) on which to build the entire set of security controls and integrity measures of the handset. The hardware/software link does not preclude the choice of the anti-theft measure to be put in place; it only reinforces the effectiveness of the anti-theft measure used.

GSM Europe proposes that this link should be based on a secure IMEI number, which is already attributed to most mobile terminals as it was used historically for type approval purposes. It is necessary for manufacturers to ensure as far as possible that the IMEI resists tampering. Besides improving the whole range of anti-theft measures, a secure IMEI will be useful for the delivery of new mobile services in the future and will also be a valuable asset for tracking criminals or persons guilty of fraud.

A secure IMEI in every handset

As of today most handsets placed on the market have an International Mobile Equipment Identifier (IMEI). As of 1st June 2002, ETSI TS 122.016 is applicable. This technical specification indicates that the IMEI shall not be changed after the Mobile Equipment's final production process. It shall resist tampering, i.e. manipulation and change by any means (e.g. physical, electrical and software). This requirement is valid for new GSM MEs (Mobile Equipment) type approved after 1st June 2002; the manufacturer is also responsible for ascertaining that each IMEI is unique.

In practice, operators find that various types of handsets placed on the market after June 2002 do not have a secure IMEI. In fact, the standard is applied on a voluntary basis and some manufacturers (mostly non-EU manufacturers) do not apply it. In addition, the ETSI standard does not give details about the technical means that need to be used to secure IMEIs. The level of security therefore varies greatly from one manufacturer to another.
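The three families described above, and the cloning attack and hardware/software link discussed under "A necessary link between the hardware and the software of the handset", can be made concrete in a small model. The Python below is an added illustration prepared for this edition of the paper; it is not GSME's code nor that of any manufacturer. It assumes a handset whose reloadable software image is a plain dictionary, whose secure hardware area is modelled as a field that the reload routine never writes, and which seals its anti-theft settings with an HMAC keyed by a per-device secret held in that area (one way of realising the paper's "constant data" used as a root of confidence). The IMEIs, IMSIs and the blacklist are constructed sample values.

```python
"""Toy model of the three anti-theft families and of a hardware/software link
that resists cloning.  Constructed illustration, not GSME code: the reloadable
software image is a dict, the secure hardware area is a field the reload routine
never writes, and settings are sealed with HMAC-SHA256 under a per-device secret."""
import copy
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# 1. Network family: the network checks the identifier the handset sends.
# Constructed sample IMEIs; the set stands in for an operator's blacklist (EIR).
STOLEN_IMEIS = {"001010000000016"}


def network_admits(imei: str, blacklist: set = STOLEN_IMEIS) -> bool:
    """Identification of the handset only; no user is authenticated here."""
    return imei not in blacklist


# 2. Mobile user family: the handset checks a value only the user knows.
def pin_digest(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored value does not reveal the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def user_authenticates(stored: bytes, salt: bytes, entered: str) -> bool:
    """Constant-time comparison of the entered PIN's digest with the stored one."""
    return hmac.compare_digest(stored, pin_digest(entered, salt))


# 3. Smart card family: the handset compares its own descriptive data (the
# networks it is locked to) with data read from the SIM (the IMSI's MCC+MNC).
def sim_allowed(locked_networks: set, imsi: str) -> bool:
    """SIM lock: accept the SIM only if its IMSI starts with an allowed MCC+MNC."""
    return any(imsi.startswith(code) for code in locked_networks)


# The hardware/software link.  root_secret lives in the secure area (OTP,
# crypto processor, ...); software is the image a reload can overwrite.
@dataclass
class Handset:
    imei: str
    root_secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    software: dict = field(default_factory=dict)


LOCKED = {"pin_lock": True}  # fail-safe state when the image cannot be trusted


def _seal(handset: Handset, settings: dict) -> str:
    """MAC over the canonical settings, keyed by this device's root secret."""
    msg = json.dumps(settings, sort_keys=True).encode()
    return hmac.new(handset.root_secret, msg, hashlib.sha256).hexdigest()


def install_settings(handset: Handset, settings: dict) -> None:
    """Write anti-theft settings into the image, sealed for this device only."""
    handset.software = {"settings": settings, "seal": _seal(handset, settings)}


def clone_software(src: Handset, dst: Handset) -> None:
    """Complete reload of dst's software from src; the secure area is untouched."""
    dst.software = copy.deepcopy(src.software)


def effective_settings(handset: Handset, bound: bool) -> dict:
    """Settings the handset enforces.  Unbound: trust the image as stored.
    Bound: enforce the image only if its seal verifies under this device's root,
    otherwise fall back to the locked state."""
    settings = handset.software.get("settings", LOCKED)
    if not bound:
        return settings
    if hmac.compare_digest(_seal(handset, settings), handset.software.get("seal", "")):
        return settings
    return LOCKED


def cloning_outcome(bound: bool) -> bool:
    """Clone an unlocked handset A onto a locked handset B; return whether B's
    PIN lock is still enforced afterwards."""
    a = Handset(imei="001010000000024")
    b = Handset(imei="001010000000032")
    install_settings(a, {"pin_lock": False})
    install_settings(b, {"pin_lock": True})
    clone_software(a, b)
    return effective_settings(b, bound)["pin_lock"]


if __name__ == "__main__":
    print("no hw/sw link, B still locked after clone:", cloning_outcome(bound=False))
    print("with hw/sw link, B still locked after clone:", cloning_outcome(bound=True))
```

With bound=False the cloned image switches the locked handset's PIN lock off, which is the floppy-disk behaviour described above; with bound=True the seal made under handset A's root does not verify under handset B's root, so B falls back to its locked state. The fail-safe choice (treat an unverifiable image as locked) is the design point: a software reload alone changes nothing unless the secure area is also defeated, which is exactly why the paper asks for the identifier to live there.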
Commission decision on the application of Article 3.3.d

GSME therefore proposes that Article 3.3.d of the RTTE Directive be activated and that a Commission Decision be drafted as follows:

"Mobile Telecommunications Terminal Equipment shall be so constructed that its use after theft can be prevented. As a part of this, the equipment shall have a publicly available Mobile Equipment Identifier which shall resist tampering."
This provision is sufficiently open to allow the development of various anti-theft solutions (SIM lock, blacklisting of stolen phones, mobile PIN code, ...) according to the importance of the phenomenon in each Member State. It highlights however the importance of a mobile equipment identifier, which is not an anti-theft solution as such but a prerequisite for strengthening the various anti-theft solutions available. As such, IMEIs should be implemented in the handset device in a way that makes their modification economically unattractive.

Process of detection and correction of IMEI anomalies

GSM Europe believes that an additional significant improvement of IMEI security is possible by putting in place - in addition to the Commission Decision - a process engaging operators and manufacturers so as to detect weaknesses in the IMEI once the equipment is placed on the market, and to improve the level of security accordingly during the life cycle of the product.

1. Once an operator detects a weakness in a specific mobile equipment model placed on the market, the operator alerts a relevant body (for example the GSM Association). The burden of proof lies with the operator. The anomaly is discussed and validated by this relevant body (for example the GSMA TWG).
2. The GSMA formally addresses a notice to the manufacturer, which has a week to give details of its plan to correct the anomaly.
3. One month after the formal notice, the manufacturer reports to the GSMA on the status of its action and gives details of when equipment with a secure IMEI will leave the factory.
4. Two months after the formal notice, equipment placed on the market has to present an IMEI whose level of security is improved compared with the weakness initially identified.
5. If no correction is applied to eliminate the identified weakness and/or if no formal answer is given by the manufacturer to the GSMA, the GSM Association refers the case to the authorities which carry out the surveillance tasks related to the operation of the RTTE Directive. The relevant Member State is then in a position to activate Article 9 of the Directive (e.g. prohibition of placing the mobile equipment in question on the market).

It is necessary that this IMEI process be carried out in the context of the broader regulatory framework of the RTTE Directive: the Directive (and the subsequent Commission Decision on Article 3.3.d) sets the objective (each ME has an identifier which shall resist tampering), and in case of obvious infringement of this rule on the part of the manufacturer the relevant safeguards of the RTTE Directive can be activated by the Member States.

GSME, London, June 2003