Cell Phone Security
Linden Tibbets
Coen 150
5/15/2004
Introduction
The cellular phone has quickly become a necessity in the modern lives of every
American. An easier way to communicate with another person simply doesn’t exist.
Much credit has been given to the invention of the World Wide Web and the connections
via email and content it has provided the world. Yet, the mobile phone has had just as
much impact on everyday lives. Never before has someone been able to connect with
someone halfway around the world while stuck in traffic or sitting on the beach. The
introduction of the mobile phone caused the speed of business to grow in leaps and
bounds and expanded the realm of communications just as the written word, telegraph,
and original landline telephone did before it. Cellular phones allow a mother to get in
contact with her child at anytime or rescue a stranded driver with a flat tire. More
recently phones have become mobile Internet connections and personal organizers
carrying large amounts of data rivaled only by desktop computers. Users can check
email and weather reports as well as purchase tickets to a movie. The list of uses for a
cell phone is endless. Along with these amazing possibilities come annoying side effects.
The most obvious being the alarming ring in the middle of class or business meeting, and
the fact that sometimes people just don’t want to be bothered. However it is the less
obvious problems that really threaten cell phone users worldwide. Conversations are no
longer humming along cables fifty feet high, they are all around, running trough the air
unseen. Just waiting for a person with the right equipment and know how to pluck the
data out of the air. Not only conversations are at risk, as cell phones become more like
laptops all kinds of personal information will be floating around the airwaves. The
possibility of someone masquerading as the owner of your cell phone and charging your
account with expensive overseas calls is quite real as well. The containment of all these
threats falls under one category, cellular phone security. In a wireless world personal
data security is of the utmost importance. Before any new features are allowed to roll
out, the cellular providers must convince their customers that the sharing over the radio
waves of sensitive data is secure. How exactly can cellular service providers, and cell
phone designers guarantee the security of their devices and services? What kind of
security compromises have happened in the history of the cell phone and are users at risk
now?
A Brief History
In order to understand how cellular phone security
works there must be a working knowledge in the history
and the operation of the cell phone. The concept of the cell
phone began in 1947 when researchers realized they could
improve the traffic of primitive car phones substantially by
reusing frequencies in smaller service areas or ‘cells.’ The
Federal Communications Commission (FCC) controls
anything to do with broadcasting a signal, such as
television, radio, and wireless communications. “In 1947,
AT&T proposed that the FCC allocate a large number of
radio-spectrum frequencies so that widespread mobile
Figure 1: An old
DynaTAC
telephone service would become feasible and AT&T would
have a incentive to research the new technology. We can partially blame the FCC for the
gap between the initial concept of cellular service and its availability to the public” (Mary
Bellis). The FCC decided to limit the number of frequencies available and only 23 phone
conversations could be held at any one time in a given cell. In 1967 the FCC expanded
the available frequencies and by April of 1973 Dr. Martin Cooper of Motorola made the
first portable cell phone call to his rival Joel Engel, head of research at Bell Labs. Dr.
Cooper is considered the inventor of the first modern portable handset. In 1979 the first
commercial cellular telephone system began operation in Tokyo. It didn’t take long for
the world to acknowledge the incredible uses for a portable communications system such
as the cell phone. By 1983 the first cell phone network was made available in Chicago
by Ameritech. Most phones were big and bulky with minimum features such as the
DynaTAC phone in Figure 1. Despite being invented in 1946 “it took cellular phone
service 37 years to become commercially available in the United States. Consumer
demand quickly outstripped the 1982 system standards. By 1987, cellular telephone
subscribers exceeded one million and the airways were crowded” (Bellis). Today, cell
phones are almost as common as regular telephones and the technology and features they
offer are far more advanced.
How Does It All Work?
Cell phones now offer a wide array of options and features. There are hundreds
of different models each with unique specifications, and therefore potential security
hazards.
Figure 2: Different types of cellular phones.
Depending on which model a user chooses they can:











Store contact information
Make task or to-do lists
Keep track of appointments and set reminders
Use the built-in calculator for simple math
Send or receive e-mail
Get information (news, entertainment, stock quotes) from the Internet
Browse regular Internet sites
Play simple games
Integrate other devices such as PDAs, MP3 players, and GPS receivers
Use credit cards to buy products and services
Download ring tones, games, and other programs for the specific phone
To understand how these different features are possible and how they can be threatened
with security breaches one must understand the basic workings of the modern cell phone
and how they have changed since the introduction in America in
1983. The inner workings of a modern cell phone are not much
different from a computer (See Figure 3). There is a processor,
RAM, input keys, screen, transmitter and receiver. The easiest way
to understand cell phones is to relate it to a much more complicated
radio. The earliest versions of car phones were nothing more than a
two-way radio able to send and receive conversations. Yet this
simplicity relied on a single radio tower per city and only 25
available channels. Also, this meant that the phone in your car
needed to be quite powerful and able to transmit a signal over forty
miles and very few people were able to use the system at any one
Figure 3: Inside a
phone
time since the number of channels or frequencies was so limited. The cellular approach
changed all of this by dividing the coverage into smaller cells usually ten square miles in
area, each with its own small tower. Since the towers used low power transmitters the
frequencies were reused in each individual cell. A typical cell phone service provider
gets 832 different frequencies to use in each city. Any given cell uses approximately one
seventh of these frequencies to avoid collision of signals between adjacent cells. A cell
phone uses two frequencies per call since it is a two-way device, one for outgoing and
one for incoming traffic. This approach is called a duplex channel (See figure 4).
Figure 4: Duplex Channel
Thus a provider has about 395 channels, the other 42 are control channels, and each
cell has 56 channels. When the whole process later becomes digital the number of
channels will increase three or four times as much. The cells allow for very low power
transmitters in the phone as well as the tower making the small battery powered phone a
possibility. Each cell phone has a specific code associated with it. Marshall Brian and
Jeff Tyson from Howstuffworks.com explain how this works in detail:


When you first power up the phone, it listens for an SID on the control channel.
The control channel is a special frequency that the phone and base station use to
talk to one another about things like call set-up and channel changing. If the
phone cannot find any control channels to listen to, it knows it is out of range and
displays a "no service" message.
When it receives the SID, the phone compares it to the SID programmed into the
phone. If the SIDs match, the phone knows that the cell it is communicating with
is part of its home system.





Along with the SID, the phone also transmits a registration request, and the
MTSO keeps track of your phone's location in a database -- this way, the MTSO
knows which cell you are in when it wants to ring your phone.
The MTSO gets the call, and it tries to find you. It looks in its database to see
which cell you are in.
The MTSO picks a frequency pair that your phone will use in that cell to take the
call.
The MTSO communicates with your phone over the control channel to tell it
which frequencies to use, and once your phone and the tower switch on those
frequencies, the call is connected. You are talking by two-way radio to a friend!
As you move toward the edge of your cell, your cell's base station notes that your
signal strength is diminishing. Meanwhile, the base station in the cell you are
moving toward (which is listening and measuring signal strength on all
frequencies, not just its own one-seventh) sees your phone's signal strength
increasing. The two base stations coordinate with each other through the MTSO,
and at some point, your phone gets a signal on a control channel telling it to
change frequencies. This hand off switches your phone to the new cell.
Some Helpful Definitions:



Electronic Serial Number (ESN) - a unique 32-bit number programmed into the
phone when it is manufactured
Mobile Identification Number (MIN) - a 10-digit number derived from your
phone's number
System Identification Code (SID) - a unique 5-digit number that is assigned to
each carrier by the FCC
While the ESN is considered a permanent part of the phone, both the MIN and SID codes
are programmed into the phone when you purchase a service plan and have the phone
activated.
The early cell phones were purely analog devices. Each cell could only handle a
maximum of 56 calls at any one time. These calls were easy to pick up and listen in on.
As the phones advanced into the digital age and conversations were converted into 1’s
and 0’s the calls were spread out over the available frequencies and encrypted. Three
distinct methods were used to accomplish this, FDMA, TDMA, and CDMA. Frequency
division multiple access (FDMA) is very much like a simple analog phone in which the
calls are split up on different frequencies. FDMA is not as secure since it is a single
stream on a single frequency. Time division multiple access (TDMA) splits the calls up
into separate time slots and allocates a set amount of time on each frequency. TDMA
introduces data encryption as well as a changing frequency to further disrupt any
eavesdropping. TDMA is the basis of the Global System for Mobile Communication
(GSM) that is the standard for much of the world excluding the United States. Finally
Code division multiple access (CDMA) is entirely different then TDMA in that is uses a
unique code in each phone that then is encrypted and spread across a wide range of
frequencies at one time. The data is sent in small packets over multiple frequencies
further scrambling the information. To understand the differences between FDMA,
TDMA, and CDMA refer to Figure 5.
Figure 5: FDMA, TDMA, and CDMA
What Makes Cellular Insecure?
The cell phone is unique in that it is compact and mobile making it easily stolen
or lost. Most phones have a key lock feature that requires a password to unlock the phone
before each use, yet most users cannot afford such a cumbersome process. This makes
cell phones an easy target for stealing personal information.
Moving beyond the physical realm there are also many problems with how cell
phone transmit data. In the beginning the cellular phones operated on analog technology.
This made it quite simple for calls to be intercepted and overheard. It required a two
hundred dollar scanner and a simple understanding of the technology and an
eavesdropper could easily listen in to all the conversations in a given area. Needless to
say this was unacceptable and was quickly overcome with the introduction of the various
DMA methods of digitizing the call. However despite encryption techniques very similar
to those found on modern computer networks these calls can and will be intercepted, it is
just going to take a lot more technical knowledge to break the ciphers. A cellular
network is much the same as most wireless LANs in “the broadcast nature of wireless
communication links makes them unique in their vulnerability to security attacks and
their susceptibility to unintentional damage. Additionally, in wireless networks, mobile
nodes continuously enter and leave the network and change locations with the resulting
mobility impacting the degree of survivability, security and communications reliability.
Such unique features of wireless access networks result in limited applicability of
standard survivability and security techniques developed for wired networks” (Kabara,
Krishnamurthy, Tipper). One of the main features of wireless networks is that they lack
the inherent physical secure that cables provide a normal wired LAN. The data is simply
floating along for anyone to grab. The availability of the data along with the fact that
transfer rates are much slower than wired networks and error rates are higher due to the
mobility of the user make authentication and security much more difficult. Furthermore
“mobile nodes are limited in computational and battery power, all of which combine to
constrain information security and availability mechanisms” (Kabara, Krishnamurthy,
Tipper). In other words there are extreme limitations on the amount of security that can
be placed on cellular networks in comparison to regular networks. The encryption and
authentication scheme cannot be too complex due to the low battery power, CPU power,
slow transfer rates, and high error rates that cell phones encounter. The number of bits
that an encryption scheme can handle in a cellular network must be low and the number
of ‘handshakes’ or checks the authentication method is allowed is also limited. Despite
these problems the cellular network remains much more secure than most wireless
networks due to the fast pace changes and the scrambling of the data over multiple
frequencies that TDMA and CDMA provide. However there are still breaches and other
unforeseen problems that have occurred.
Attacks, Interference and Other Cell Phone Problems
The threat of someone being able to steal your data out of the air or listen in on
your digital cellular phone is quite small. It takes very sophisticated equipment and
knowledge to do so. Only the government and other well-funded organizations would
even be able to tape a digital cellular call, and then only for matters of national security.
The costs would far outweigh the profits of stealing individual information, even a credit
card number, over cellular networks. Yet there remain problems with the everyday usage
of a cell phone. The main problem faced by both customers and service providers is
called ‘cloning’. In the days of the analog phone this technique was quite simple. A
malicious scanner would figure out an individual’s ESN, MIN, and SID (basically the
numbers that make a users phone unique: refer to section on how cell phones work). The
anonymous scanner would then program other phones with the exact same identification
numbers and all subsequent calls would be then be billed to the user’s account. This
problem cost cellular providers an estimated $500 million dollars a year. Now that cell
phones are digital the threat has lessened, but there are still problems with the algorithms
used to encrypt the ID numbers inside the phone. According to a recent “Wired News”
story: “A group of California-based computer experts claims to have compromised the
cryptographic security behind the world’s most popular digital cell-phone system,
making it possible to clone any phone using GSM standard” (Annaliza Savage). UC
Berkeley researchers claim to have deduced and recovered the key in about 10 hours by
sending an attack that executes a large number of challenges to the authorization module
in the phone. The article goes on to talk about how the A5 cipher that keeps
conversations private was made intentional weaker by replacing 10 bits of the 64-bit key
with zeros. The National Security Agency was blamed in forcing the standard in order to
monitor cell phone traffic.
With the added feature of SMS text messaging that can link text messages from
all types of phones as well as the Internet a new denial of service attack has surfaced.
The attack uses a Internet connection to send thousands of text messages to single phone
number thus jamming all response from the phone and using up the predetermined
number of texts a phone is allowed under the user’s billing plan. A limit must be set on
the number of texts a minute to avoid such attacks.
Another security concern for cellular phone users is the ability of cell phone
providers to pinpoint a user’s exact location within one hundred feet when the phone is
turned on. The phone constantly sends data to check that it is operating in the correct cell
and as a side effect of this check the company is able to monitor a user’s current position.
For those who don’t like the notion of being watched this can be quite disturbing. In the
future there is a lot of possibility for invasive ‘area advertising’ on a cell phone. Think
how easy it would be to track a user’s location and constantly send ads for the stores that
the user is passing by.
The signal the cell phone transmits is another area of concern since it has been
proven that cellular signals can disrupt sensitive equipment. A single phone can do little
damage but a whole airplane full of people on the phone could cause a change in the
readings of certain equipment. That is the reasoning behind turning the cell phone off
while in a plane. Similar problems have been reported at gas stations with the card
payment equipment being disrupted by a large amount of cell phone traffic. It is unclear
whether or not this is a direct cause of gas station customers on cell phones or problem
with the payment equipment itself.
An alarming device is starting to be used for a number of different applications.
The cell phone jammer disrupts signal within a certain are to all phones, rendering them
useless. When President Bush visited London shortly after the train bombing in Spain
that was called in on a cell phone, security experts were
considering using a jammer to protect the President. “A cellular
"security bubble" in London could have protected Bush from a
very real threat: terrorists who use cell phones to detonate bombs
from miles away, or even another country” (David S. Bennahum). Such a device works
by sending out a signal on all available cell phone frequencies rendering all local phones
out of service. Many restaurants and movie theaters are considering using jammers to
keep their dining rooms and cinemas quiet.
Conclusion
In a world where cellular phones are in the hands of elementary school children
and used as a mobile connection to the Internet transferring personal information as well
as private conversations security is a real concern. Just like secure computer networks
cell phones must make use of current data encryption schemes, authentication methods
and physical security. In order for the cell phone to become a more useful tool in
everyday lives it must first secure its current features and gain the trust of the millions of
users who still watch what they say over the phone.
Bibliography
Bennahum, David S. Hope You Like Jamming Too. MSN Slate. 14 May 2004.
http://slate.msn.com/id/2092059/
Brian, Marshall, Jeff Tyson. How Cell Phones Work. How Stuff Works. 14 May S004.
http://electronics.howstuffworks.com/cell-phone.htm
Brown, Phillip D. Re: Tracking by Cellular Phone. The Risk Digest. 14 May 2004.
http://catless.ncl.ac.uk/Risks/13.45.html#subj6
Kabara, Joseph, Prashant Krishnamurthy, David Tipper. Information Assurance in
Wireless Networks. CERT.
www.cert.org/research/isw/isw2001/ papers/Kabara-31-08.pdf
Savage, Annaliza. Cell-Phone Security Far From Airtight. Wired News. 14 May 2004.
http://www.wired.com/news/technology/0,1282,11630,00.html
Figures provided by:
www.howstuffworks.com
www.msn.com
www.nokia.com