Cell Phone Security Linden Tibbets Coen 150 5/15/2004 Introduction The cellular phone has quickly become a necessity in the modern lives of every American. An easier way to communicate with another person simply doesn’t exist. Much credit has been given to the invention of the World Wide Web and the connections via email and content it has provided the world. Yet, the mobile phone has had just as much impact on everyday lives. Never before has someone been able to connect with someone halfway around the world while stuck in traffic or sitting on the beach. The introduction of the mobile phone caused the speed of business to grow in leaps and bounds and expanded the realm of communications just as the written word, telegraph, and original landline telephone did before it. Cellular phones allow a mother to get in contact with her child at anytime or rescue a stranded driver with a flat tire. More recently phones have become mobile Internet connections and personal organizers carrying large amounts of data rivaled only by desktop computers. Users can check email and weather reports as well as purchase tickets to a movie. The list of uses for a cell phone is endless. Along with these amazing possibilities come annoying side effects. The most obvious being the alarming ring in the middle of class or business meeting, and the fact that sometimes people just don’t want to be bothered. However it is the less obvious problems that really threaten cell phone users worldwide. Conversations are no longer humming along cables fifty feet high, they are all around, running trough the air unseen. Just waiting for a person with the right equipment and know how to pluck the data out of the air. Not only conversations are at risk, as cell phones become more like laptops all kinds of personal information will be floating around the airwaves. The possibility of someone masquerading as the owner of your cell phone and charging your account with expensive overseas calls is quite real as well. The containment of all these threats falls under one category, cellular phone security. In a wireless world personal data security is of the utmost importance. Before any new features are allowed to roll out, the cellular providers must convince their customers that the sharing over the radio waves of sensitive data is secure. How exactly can cellular service providers, and cell phone designers guarantee the security of their devices and services? What kind of security compromises have happened in the history of the cell phone and are users at risk now? A Brief History In order to understand how cellular phone security works there must be a working knowledge in the history and the operation of the cell phone. The concept of the cell phone began in 1947 when researchers realized they could improve the traffic of primitive car phones substantially by reusing frequencies in smaller service areas or ‘cells.’ The Federal Communications Commission (FCC) controls anything to do with broadcasting a signal, such as television, radio, and wireless communications. “In 1947, AT&T proposed that the FCC allocate a large number of radio-spectrum frequencies so that widespread mobile Figure 1: An old DynaTAC telephone service would become feasible and AT&T would have a incentive to research the new technology. We can partially blame the FCC for the gap between the initial concept of cellular service and its availability to the public” (Mary Bellis). The FCC decided to limit the number of frequencies available and only 23 phone conversations could be held at any one time in a given cell. In 1967 the FCC expanded the available frequencies and by April of 1973 Dr. Martin Cooper of Motorola made the first portable cell phone call to his rival Joel Engel, head of research at Bell Labs. Dr. Cooper is considered the inventor of the first modern portable handset. In 1979 the first commercial cellular telephone system began operation in Tokyo. It didn’t take long for the world to acknowledge the incredible uses for a portable communications system such as the cell phone. By 1983 the first cell phone network was made available in Chicago by Ameritech. Most phones were big and bulky with minimum features such as the DynaTAC phone in Figure 1. Despite being invented in 1946 “it took cellular phone service 37 years to become commercially available in the United States. Consumer demand quickly outstripped the 1982 system standards. By 1987, cellular telephone subscribers exceeded one million and the airways were crowded” (Bellis). Today, cell phones are almost as common as regular telephones and the technology and features they offer are far more advanced. How Does It All Work? Cell phones now offer a wide array of options and features. There are hundreds of different models each with unique specifications, and therefore potential security hazards. Figure 2: Different types of cellular phones. Depending on which model a user chooses they can: Store contact information Make task or to-do lists Keep track of appointments and set reminders Use the built-in calculator for simple math Send or receive e-mail Get information (news, entertainment, stock quotes) from the Internet Browse regular Internet sites Play simple games Integrate other devices such as PDAs, MP3 players, and GPS receivers Use credit cards to buy products and services Download ring tones, games, and other programs for the specific phone To understand how these different features are possible and how they can be threatened with security breaches one must understand the basic workings of the modern cell phone and how they have changed since the introduction in America in 1983. The inner workings of a modern cell phone are not much different from a computer (See Figure 3). There is a processor, RAM, input keys, screen, transmitter and receiver. The easiest way to understand cell phones is to relate it to a much more complicated radio. The earliest versions of car phones were nothing more than a two-way radio able to send and receive conversations. Yet this simplicity relied on a single radio tower per city and only 25 available channels. Also, this meant that the phone in your car needed to be quite powerful and able to transmit a signal over forty miles and very few people were able to use the system at any one Figure 3: Inside a phone time since the number of channels or frequencies was so limited. The cellular approach changed all of this by dividing the coverage into smaller cells usually ten square miles in area, each with its own small tower. Since the towers used low power transmitters the frequencies were reused in each individual cell. A typical cell phone service provider gets 832 different frequencies to use in each city. Any given cell uses approximately one seventh of these frequencies to avoid collision of signals between adjacent cells. A cell phone uses two frequencies per call since it is a two-way device, one for outgoing and one for incoming traffic. This approach is called a duplex channel (See figure 4). Figure 4: Duplex Channel Thus a provider has about 395 channels, the other 42 are control channels, and each cell has 56 channels. When the whole process later becomes digital the number of channels will increase three or four times as much. The cells allow for very low power transmitters in the phone as well as the tower making the small battery powered phone a possibility. Each cell phone has a specific code associated with it. Marshall Brian and Jeff Tyson from Howstuffworks.com explain how this works in detail: When you first power up the phone, it listens for an SID on the control channel. The control channel is a special frequency that the phone and base station use to talk to one another about things like call set-up and channel changing. If the phone cannot find any control channels to listen to, it knows it is out of range and displays a "no service" message. When it receives the SID, the phone compares it to the SID programmed into the phone. If the SIDs match, the phone knows that the cell it is communicating with is part of its home system. Along with the SID, the phone also transmits a registration request, and the MTSO keeps track of your phone's location in a database -- this way, the MTSO knows which cell you are in when it wants to ring your phone. The MTSO gets the call, and it tries to find you. It looks in its database to see which cell you are in. The MTSO picks a frequency pair that your phone will use in that cell to take the call. The MTSO communicates with your phone over the control channel to tell it which frequencies to use, and once your phone and the tower switch on those frequencies, the call is connected. You are talking by two-way radio to a friend! As you move toward the edge of your cell, your cell's base station notes that your signal strength is diminishing. Meanwhile, the base station in the cell you are moving toward (which is listening and measuring signal strength on all frequencies, not just its own one-seventh) sees your phone's signal strength increasing. The two base stations coordinate with each other through the MTSO, and at some point, your phone gets a signal on a control channel telling it to change frequencies. This hand off switches your phone to the new cell. Some Helpful Definitions: Electronic Serial Number (ESN) - a unique 32-bit number programmed into the phone when it is manufactured Mobile Identification Number (MIN) - a 10-digit number derived from your phone's number System Identification Code (SID) - a unique 5-digit number that is assigned to each carrier by the FCC While the ESN is considered a permanent part of the phone, both the MIN and SID codes are programmed into the phone when you purchase a service plan and have the phone activated. The early cell phones were purely analog devices. Each cell could only handle a maximum of 56 calls at any one time. These calls were easy to pick up and listen in on. As the phones advanced into the digital age and conversations were converted into 1’s and 0’s the calls were spread out over the available frequencies and encrypted. Three distinct methods were used to accomplish this, FDMA, TDMA, and CDMA. Frequency division multiple access (FDMA) is very much like a simple analog phone in which the calls are split up on different frequencies. FDMA is not as secure since it is a single stream on a single frequency. Time division multiple access (TDMA) splits the calls up into separate time slots and allocates a set amount of time on each frequency. TDMA introduces data encryption as well as a changing frequency to further disrupt any eavesdropping. TDMA is the basis of the Global System for Mobile Communication (GSM) that is the standard for much of the world excluding the United States. Finally Code division multiple access (CDMA) is entirely different then TDMA in that is uses a unique code in each phone that then is encrypted and spread across a wide range of frequencies at one time. The data is sent in small packets over multiple frequencies further scrambling the information. To understand the differences between FDMA, TDMA, and CDMA refer to Figure 5. Figure 5: FDMA, TDMA, and CDMA What Makes Cellular Insecure? The cell phone is unique in that it is compact and mobile making it easily stolen or lost. Most phones have a key lock feature that requires a password to unlock the phone before each use, yet most users cannot afford such a cumbersome process. This makes cell phones an easy target for stealing personal information. Moving beyond the physical realm there are also many problems with how cell phone transmit data. In the beginning the cellular phones operated on analog technology. This made it quite simple for calls to be intercepted and overheard. It required a two hundred dollar scanner and a simple understanding of the technology and an eavesdropper could easily listen in to all the conversations in a given area. Needless to say this was unacceptable and was quickly overcome with the introduction of the various DMA methods of digitizing the call. However despite encryption techniques very similar to those found on modern computer networks these calls can and will be intercepted, it is just going to take a lot more technical knowledge to break the ciphers. A cellular network is much the same as most wireless LANs in “the broadcast nature of wireless communication links makes them unique in their vulnerability to security attacks and their susceptibility to unintentional damage. Additionally, in wireless networks, mobile nodes continuously enter and leave the network and change locations with the resulting mobility impacting the degree of survivability, security and communications reliability. Such unique features of wireless access networks result in limited applicability of standard survivability and security techniques developed for wired networks” (Kabara, Krishnamurthy, Tipper). One of the main features of wireless networks is that they lack the inherent physical secure that cables provide a normal wired LAN. The data is simply floating along for anyone to grab. The availability of the data along with the fact that transfer rates are much slower than wired networks and error rates are higher due to the mobility of the user make authentication and security much more difficult. Furthermore “mobile nodes are limited in computational and battery power, all of which combine to constrain information security and availability mechanisms” (Kabara, Krishnamurthy, Tipper). In other words there are extreme limitations on the amount of security that can be placed on cellular networks in comparison to regular networks. The encryption and authentication scheme cannot be too complex due to the low battery power, CPU power, slow transfer rates, and high error rates that cell phones encounter. The number of bits that an encryption scheme can handle in a cellular network must be low and the number of ‘handshakes’ or checks the authentication method is allowed is also limited. Despite these problems the cellular network remains much more secure than most wireless networks due to the fast pace changes and the scrambling of the data over multiple frequencies that TDMA and CDMA provide. However there are still breaches and other unforeseen problems that have occurred. Attacks, Interference and Other Cell Phone Problems The threat of someone being able to steal your data out of the air or listen in on your digital cellular phone is quite small. It takes very sophisticated equipment and knowledge to do so. Only the government and other well-funded organizations would even be able to tape a digital cellular call, and then only for matters of national security. The costs would far outweigh the profits of stealing individual information, even a credit card number, over cellular networks. Yet there remain problems with the everyday usage of a cell phone. The main problem faced by both customers and service providers is called ‘cloning’. In the days of the analog phone this technique was quite simple. A malicious scanner would figure out an individual’s ESN, MIN, and SID (basically the numbers that make a users phone unique: refer to section on how cell phones work). The anonymous scanner would then program other phones with the exact same identification numbers and all subsequent calls would be then be billed to the user’s account. This problem cost cellular providers an estimated $500 million dollars a year. Now that cell phones are digital the threat has lessened, but there are still problems with the algorithms used to encrypt the ID numbers inside the phone. According to a recent “Wired News” story: “A group of California-based computer experts claims to have compromised the cryptographic security behind the world’s most popular digital cell-phone system, making it possible to clone any phone using GSM standard” (Annaliza Savage). UC Berkeley researchers claim to have deduced and recovered the key in about 10 hours by sending an attack that executes a large number of challenges to the authorization module in the phone. The article goes on to talk about how the A5 cipher that keeps conversations private was made intentional weaker by replacing 10 bits of the 64-bit key with zeros. The National Security Agency was blamed in forcing the standard in order to monitor cell phone traffic. With the added feature of SMS text messaging that can link text messages from all types of phones as well as the Internet a new denial of service attack has surfaced. The attack uses a Internet connection to send thousands of text messages to single phone number thus jamming all response from the phone and using up the predetermined number of texts a phone is allowed under the user’s billing plan. A limit must be set on the number of texts a minute to avoid such attacks. Another security concern for cellular phone users is the ability of cell phone providers to pinpoint a user’s exact location within one hundred feet when the phone is turned on. The phone constantly sends data to check that it is operating in the correct cell and as a side effect of this check the company is able to monitor a user’s current position. For those who don’t like the notion of being watched this can be quite disturbing. In the future there is a lot of possibility for invasive ‘area advertising’ on a cell phone. Think how easy it would be to track a user’s location and constantly send ads for the stores that the user is passing by. The signal the cell phone transmits is another area of concern since it has been proven that cellular signals can disrupt sensitive equipment. A single phone can do little damage but a whole airplane full of people on the phone could cause a change in the readings of certain equipment. That is the reasoning behind turning the cell phone off while in a plane. Similar problems have been reported at gas stations with the card payment equipment being disrupted by a large amount of cell phone traffic. It is unclear whether or not this is a direct cause of gas station customers on cell phones or problem with the payment equipment itself. An alarming device is starting to be used for a number of different applications. The cell phone jammer disrupts signal within a certain are to all phones, rendering them useless. When President Bush visited London shortly after the train bombing in Spain that was called in on a cell phone, security experts were considering using a jammer to protect the President. “A cellular "security bubble" in London could have protected Bush from a very real threat: terrorists who use cell phones to detonate bombs from miles away, or even another country” (David S. Bennahum). Such a device works by sending out a signal on all available cell phone frequencies rendering all local phones out of service. Many restaurants and movie theaters are considering using jammers to keep their dining rooms and cinemas quiet. Conclusion In a world where cellular phones are in the hands of elementary school children and used as a mobile connection to the Internet transferring personal information as well as private conversations security is a real concern. Just like secure computer networks cell phones must make use of current data encryption schemes, authentication methods and physical security. In order for the cell phone to become a more useful tool in everyday lives it must first secure its current features and gain the trust of the millions of users who still watch what they say over the phone. Bibliography Bennahum, David S. Hope You Like Jamming Too. MSN Slate. 14 May 2004. http://slate.msn.com/id/2092059/ Brian, Marshall, Jeff Tyson. How Cell Phones Work. How Stuff Works. 14 May S004. http://electronics.howstuffworks.com/cell-phone.htm Brown, Phillip D. Re: Tracking by Cellular Phone. The Risk Digest. 14 May 2004. http://catless.ncl.ac.uk/Risks/13.45.html#subj6 Kabara, Joseph, Prashant Krishnamurthy, David Tipper. Information Assurance in Wireless Networks. CERT. www.cert.org/research/isw/isw2001/ papers/Kabara-31-08.pdf Savage, Annaliza. Cell-Phone Security Far From Airtight. Wired News. 14 May 2004. http://www.wired.com/news/technology/0,1282,11630,00.html Figures provided by: www.howstuffworks.com www.msn.com www.nokia.com