Cellular Network Security
Secure Systems Administration
Spring 2011
Ryan Stepanek
A brief history of cellular networks

Cellular networks have been deployed for the last three
decades

1G networks had maxspeeds of about 9.6 kbs [1]

As network technology evolved, two standards emerged:
CDMA and GSM

Modern cellular networks operate in the third and fourth
generation, reaching theoretical speeds up to 100 Mbit/s
Challenges of Cellular Networks






Open Access Wireless – No physical connection
necessary!
Bandwidth Limitations – Everyone has to share the
network.
System Complexity – The larger the implementation of
the system the more difficult it is to maintain security.
Confidentiality – Private data needs to be encrypted.
Integrity – Must minimize data loss; more services being
sent through the network.
Authentication With Other Networks – Companies need
to play nice with each other.
Security Issue for Cellular Networks

Operating systems on mobile devices – Android,
Windows, iPhone

Web services – Potential for abuse through the addition
of new services; DOS.

Location Detection – Keep the location of the user
private!

Spyware; malware – Phones and network may be
vulnerable.
Phone OS by Market Share
Phone OS Market Share – US, UK, China
I-Security

Mobile OS – left open to viruses and malware


History of being slow to patch




Users can jailbreak and run their own code
SMS virus – over two months to patch!
Spreading the virus required only the victims phone number
Spread through memory corruption in iPhone[6]
Potentially detrimental to host network


Dangerously popular – In December 2009 AT&T was forced to
halt iPhone sales in New York[5]
Can you hear me now? Network load became too great for
existing infrastructure
Blackberries

Very good encryption




Relies on security through obscurity
Vulnerable through third party apps


Causes conflicts with governments on the grounds of national
security
i.e. India 2009[7]
i.e. the Webkit browser was used at this year’s Pwn2Own
hacking expo.[8]
Blackberry Enterprise Server(BES)


Commonly used in business and government, compromising
the server could allow access to phone information
Fairly secure if configured correctly(EAL 4+)[10]
Android

Open source



Incredibly threatening to network profit/security
i.e. free WiFi tethering
Rooting




Allows greater control over the phone
Creates a natural conflict between the service provider and
customer
Also increases vulnerability to viruses i.e. custom ROMs will
not receive updates from the service provider
Companies now actively trying to hinder rooting i.e.
Motorola[8]
GSM vs CDMA

GSM






More than 3.8 billion people worldwide
Far more common outside of North America
More than 89 percent of market share[4]
More than more than 212 countries and territories[3]
Interferes with some electronics
CDMA



Transmits data signal modulated with pseudorandom code
Generally allows for larger transmission cells
Allows users to share frequencies
3G – Network Components

Radio Access Network



Towers
Radio Network Controllers
Core Network




Packet Switched Network
Circuit Switched Network
SGSN – Handles Access Control and Route Management
GGSN – Gateway to the Internet
3G – Implementation
Attacks on Cellular Neworks

DOS/DDOS – Probably the most common.




Jamming


iPhones
Services and bandwidth usage seems to be increasing faster
than network infrastrucure
More achievable now through infecting phones
Highly localized, similar in effect to DOS
Eavesdropping


Man in the Middle attacks
Session hijacking
3G - Defensive Measures

Network Access Security



Utilizes secret keys and secret key ciphers to maintain
confidentiality
Uses a temporary International Mobile User Identity to
protect the user’s identity.
Challenge Response System


Used when Authenticating
Occurs when user first connects to network, when the
network receives a service request, when a location update is
sent, on attach/detatch request, etc..[1]
3G-Integrity and Confidentiality

Signaling communications between mobile station and
network



F9 algorithm used to calculate 32-bit MAC-I for data integrity
then compared to a calculated XMAC-I
F8 used to keep data confidential, utilizes a cipher key that
comes from the mobile device; output is then XORed with the
original data stream
Both F8 and F9 rely on KASUMI cipher

Based on feistel structure to create 64bit data blocks and a
128 bit key
F8 – Confidentiality Algorithm
3G-Internet Security

Wireless Application Protocol





Protocol that handles wireless devices connecting to the web
Independent of underlying OS
WAP2 – puts devices into direct communication with servers
Uses layers similar to standard networks
IPv6 and IPv4


3G allows for circuit switched and packet switched network
nodes
4G is packet switched nodes only; completely IPv6 compatible
Cellular Network Security – Factors to Consider

Liability




Quantity and nature of data
Potential harm from data
Lawsuits
Profits



Bandwidth is not free
Capability of devices vs. popularity of devices
Risk for every network expansion
Sources

[1] “Security in Wireless Cellular Networks” Gardezi, Ali.
http://docs.google.com/viewer?a=v&q=cache:mFeuQOB24gwJ:www1.cse.wustl.edu/~jain/cse5
7406/ftp/cellular_security.pdf+cellular+network+security&hl=en&gl=us&pid=bl&srcid=ADGEESg
k1O3TVCFitfU0KCDfZp2FIogPvw0bjkw767GFdWlAOyWm866YcuCt8IEn2uag617WAW0S3
2eIhFbaoMgQiJh_WJi5QYE2RIwkizPeTRzmsFcBNMtESgBQNA9NmF5VgqtrQBe0&sig=AHIEt
bR683Y3fhGxdHQa47sZCueMwq3jsA

[2] “Exploiting Vulnerabilities and Security Mechanisms in Internet Based SMS Capable Cellular
Networks” Azim, Akramul.
http://docs.google.com/viewer?a=v&q=cache:AmTvXrmYVNoJ:citeseerx.ist.psu.edu/viewdoc/d
ownload%3Fdoi%3D10.1.1.121.2158%26rep%3Drep1%26type%3Dpdf+cellular+network+secu
rity&hl=en&gl=us&pid=bl&srcid=ADGEESiJC2Zrk8fOWOH70HSEDwahX_x1pJXZOS2AndHNcBqh0Qm3xcBlkqiVgOW0spQM0aqzoMxYkuT
hzhKiHCKxOa8nc8slQ_qDM1a5OQ_zO0qnBL3Y_9zylwEMLPYr8ORC5mXftkM&sig=AHIEt
bQjQIcq5LnEbumpqWogCCN3u0uXVA
Sources - Countinued

[3] “CDMA vs. GSM – Which One is the BestYou?” http://www.cellutips.com/gsm-vs-cdmawhich-one-is-the-best-for-you/

[4] “GSM: Global System for Mobile Communications”
http://www.3gamericas.org/index.cfm?fuseaction=page&sectionid=242

[5] “AT&T apparently resumes online iPhone sales in New York City”
http://articles.cnn.com/2009-12-28/tech/iphone.sales.nyc_1_iphone-sales-online-sales-at-tservice?_s=PM:TECH

[6] “First iPhone Virus Found Using SMS Testing”
http://ironmill.wordpress.com/2009/07/30/iphone-virus/

[7] “BlackBerry encryption 'too secure': National security vs. consumer privacy”
http://www.zdnet.com/blog/igeneration/blackberry-encryption-too-secure-national-securityvs-consumer-privacy/5732

[8] “BlackBerry security breached at Pwn2Own 2011” http://crackberry.com/blackberrysecurity-breached-pwn2own-2011

[9] “Are the Days of Rooting Android Phones Coming to an End?” http://www.droidlife.com/2011/04/04/are-the-days-of-rooting-android-phones-coming-to-an-end/

[10] “Approvals and Certifications”
http://us.blackberry.com/ataglance/security/certifications.jsp