
Wireless Security Perspectives

Crypto-Answer Man Question 4:

Can a mobile phone be made to operate on any other identity and how?
What are the tools needed for it?


Cellular Networking Perspectives is proud to be able to link you to the anonymous Crypto Answer Man. He will attempt to answer questions of general interest related to wireless security. Due to personal security requirements (and a few unpaid bills) he cannot reveal his identity. Questions that are accepted by our man will be posted here, along with the answers. Particularly interesting questions and answers will be published in Wireless Security Perspectives.

Question Number 4 comes from: 'israr' at email israr78@yahoo.com.

The Crypto-Answer Man Responds…

Hmmm ... Interesting. Why the interest, my friend?! Very curious; perhaps you want it 'for educational purposes,' no? Well, in any event, let me begin by saying that a mobile telephone identifies itself by transmitting a pair of numbers stored in the telephone (this is shown in more detail in Wireless Security Perspectives, August 1999 issue). These numbers, the ESN (Electronic Serial Number) and MIN (Mobile Identification Number), are used to identify the mobile, to allow for proper routing of calls and for proper billing of the subscriber.

The MIN, assigned by the mobile telephone operator, can typically be changed using simple commands through the user interface or the data interface of the telephone, just as the other NAM (Number Assignment Module) parameters can. The ESN, on the other hand, is a 32-bit pattern that is 'burned' (stored, programmed, etc.) into the telephone. It is a unique number assigned to the mobile telephone and is typically designed in so that it can never be changed; per FCC guidelines, it is stored obscurely (you know, 'security through obscurity') in the handset to prevent tampering. However, because the ESN is usually stored in a memory device (e.g., EPROM, EEPROM, flash memory, etc.), it can in practice be changed, in ways that depend on the telephone manufacturer. Building a truly tamper-proof device is difficult!

Crypto-Answer-Man Notable Note 1: It is illegal in the US and in some other countries to change the ESN of a mobile telephone once it is programmed by the manufacturer.

The 'cloning' fraud problem, caused by interlopers masquerading as legitimate customers, typically for anonymity reasons, began in the US around 1992. Many operators of the North American mobile telephone system learned of and began to implement the Telecommunications Industry Association's (TIA) cryptographic authentication scheme. The major US operators began their implementation in the 1995 timeframe, after they realized that the cloning fraud problem was not going to magically go away and that the authentication scheme was the best fraud-prevention scheme available. The other schemes, such as PIN validation and clone-detection-and-shutdown systems, were easily defeated or were insufficient. The TIA authentication scheme is a simple 'challenge-response' system, although not perfect, that is used to validate the identity of the telephone. It does this by verifying cryptographically that the telephone is the one claimed. Essentially, the telephone demonstrates to the network that it holds a secret shared with the network, which a clone that merely copied the ESN and MIN does not possess.
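To make the point of the paragraph above concrete, here is an added, runnable illustration of why a challenge-response check defeats a clone that has copied only the ESN/MIN pair. It is not the TIA scheme and not code from Cellular Networking Perspectives: the real system uses the CAVE algorithm with A-key/SSD material, whereas this toy uses an HMAC-SHA256 over the challenge as a stand-in, and the ESN, MIN and secret values are constructed for the demonstration.

```python
"""Toy model of identity-only acceptance versus challenge-response authentication.

Added illustration (not the TIA/CAVE scheme). HMAC-SHA256 stands in for the
handset's authentication computation; all subscriber values are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample subscriber record (not real identifiers).
LEGIT_ESN = 0x8A12F3C4                  # 32-bit ESN, constructed value
LEGIT_MIN = "6135550142"                # 10-digit MIN, constructed value
LEGIT_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed shared secret

RESPONSE_LEN = 4  # bytes of the truncated response sent over the air


def compute_response(secret: bytes, esn: int, min_: str, rand: bytes) -> bytes:
    """Stand-in for the handset-side authentication function (hypothetical, not CAVE).

    The response binds the claimed identity (ESN, MIN) and the fresh challenge
    to the shared secret, so it can only be produced by a party holding the secret.
    """
    msg = esn.to_bytes(4, "big") + min_.encode("ascii") + rand
    return hmac.new(secret, msg, hashlib.sha256).digest()[:RESPONSE_LEN]


class Network:
    """The operator side: subscriber database plus challenge issuance and verification."""

    def __init__(self) -> None:
        # (ESN, MIN) -> shared secret known only to the network and the genuine handset
        self.subscribers: Dict[Tuple[int, str], bytes] = {(LEGIT_ESN, LEGIT_MIN): LEGIT_SECRET}

    def identity_only_check(self, esn: int, min_: str) -> bool:
        """Pre-authentication behaviour: accept anyone presenting a known ESN/MIN pair."""
        return (esn, min_) in self.subscribers

    def challenge(self) -> bytes:
        # A fresh random challenge per attempt; a response captured earlier is useless later.
        return secrets.token_bytes(4)

    def verify(self, esn: int, min_: str, rand: bytes, response: bytes) -> bool:
        secret = self.subscribers.get((esn, min_))
        if secret is None:
            return False  # unknown identity
        expected = compute_response(secret, esn, min_, rand)
        return hmac.compare_digest(expected, response)


class Handset:
    """A telephone presenting an ESN/MIN pair; a clone has the pair but no secret."""

    def __init__(self, esn: int, min_: str, secret: Optional[bytes]) -> None:
        self.esn, self.min_, self.secret = esn, min_, secret

    def respond(self, rand: bytes) -> bytes:
        if self.secret is None:
            # Without the shared secret the clone can only guess the response.
            return secrets.token_bytes(RESPONSE_LEN)
        return compute_response(self.secret, self.esn, self.min_, rand)


def authenticate(network: Network, handset: Handset) -> bool:
    """One challenge-response exchange between the network and a handset."""
    rand = network.challenge()
    return network.verify(handset.esn, handset.min_, rand, handset.respond(rand))


def replay_is_rejected(network: Network, handset: Handset) -> bool:
    """A response captured against one challenge does not validate against the next."""
    old_rand = network.challenge()
    captured = handset.respond(old_rand)
    new_rand = network.challenge()
    return not network.verify(handset.esn, handset.min_, new_rand, captured)


if __name__ == "__main__":
    net = Network()
    legit = Handset(LEGIT_ESN, LEGIT_MIN, LEGIT_SECRET)
    clone = Handset(LEGIT_ESN, LEGIT_MIN, None)  # copied identifiers, no secret
    print("identity-only check accepts clone:", net.identity_only_check(clone.esn, clone.min_))
    print("authentication accepts genuine handset:", authenticate(net, legit))
    print("authentication accepts clone:", authenticate(net, clone))
    print("replayed response rejected:", replay_is_rejected(net, legit))
```

The identity-only check models the situation the column describes before 1995: a handset that transmits a copied ESN/MIN pair is indistinguishable from the subscriber. Once the network demands a response computed from a per-attempt challenge and the shared secret, the same clone fails, and a response recorded from the genuine handset cannot be replayed against a new challenge.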

Crypto-Answer-Man Notable Note 2: In 1995, the losses due to the cellular telephone fraud problem amounted to over $600 Million in the US according to the CTIA. Because of authentication, those losses have been reduced dramatically.

The basic steps of the authentication process for the North American cellular system are described in the August 1999 issue of Wireless Security Perspectives and in the December 1995 and January 1996 issues of Cellular Networking Perspectives.

Crypto-Answer-Man Notable Note 3: Not all operators in the US (and certainly not those in other countries) have implemented this strong security tool for fraud prevention. Because of the high integrity of the crypto-answer man and his desire not to perpetuate the fraud problem, he will not divulge specific means to modify ESNs or means by which authentication can be defeated. ;-)

Crypto-Answer-Man Notable Note 4: To probe further on fraud control and authentication, obtain the TIA air-interface and interoperability standards (e.g., IS-41C, IS-54B, IS-91A, IS-95A, IS-136A, etc.), contact the CTIA, or seek the following United States patents:

Alternatively, you may hire the Cellular Networking Perspectives Ltd. consultants. ;-)


© – Copyright Mon, May 14, 2007: Cellular Networking Perspectives Ltd.