Download
cellular telephone security n.
Skip this Video
Loading SlideShow in 5 Seconds..
Cellular Telephone Security PowerPoint Presentation
Download Presentation
Cellular Telephone Security

Cellular Telephone Security

188 Views Download Presentation
Download Presentation

Cellular Telephone Security

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Cellular Telephone Security Tuesday, November 27, 2001 Matthew Manger Marjorie Quant Matthew Wiedemer

  2. Outline • Encryption • Cellular Process • Transmission Methods • Manufacturer Vulnerabilities • Hacking = 

  3. Cellular Phone Encryption • Hardware and Software in the cellular phone • Swapping or modifying EPROM • Physically change the EPROM • Decompile/compile software of EPROM • Modifying and bypassing ESN/MIN • Usually located on the EPROM • http://www.totse.com/en/phreak/cellular_phones/csecret.html

  4. ESN Are ESN/MIN VALID?? ESN Yes - VALID Valid ESN/MIN The Process • Power on - transmits ESN/MIN on the “reverse” channel - cellular site verifies MIN - site transmits via the “forward” channel of positive validation - line is open • Vulnerabilities • Cloning or altering the ESN transmission process • Well published hardware attacks to this vulnerability and less well published software techniques • Attention is generally focused on the hardware attacks - fairly inexpensive and not too difficult to pull off

  5. Cloning a Phone • Alter the ESN/MIN codes on the EPROM • Alter software of EPROM • Have code jump to a different address • Programmable by a handset • Use the cell phone to scan and capture ESNs to be stored in the EPROM • De-compile/compile the code on an EPROM

  6. Cellular Phone Transmission Methods • Digital • Time Division Multiple Access (TDMA) • Code Division Multiple Access (CDMA) • Analog • Frequency Division Multiple Access (FDMA) • Global System for Mobilization (GSM) • Established in 1982 to standardize European mobile communication systems http://www.iec.org – Time Division Multiple Access (TDMA)

  7. CDMA - Authentication, Secrecy & Identification • Process • CDMA , Cellular Mobile Communications, Network and Security CDMA Cellular Mobile Communications: Network and Security, Man Young Rhee, Prentice-Hall PTR, Upper Saddle River, NJ, 1998

  8. Vulnerabilities • Manufactures researched • Nokia • Motorola • Causes of vulnerabilities • Design/Implantation flaws • Manufacturer (Nokia, Motorola) • Human impatience and ignorance • Ericsson • Panasonic

  9. Vulnerabilities cont… • Number Assignment Module (NAM) programming • Primary phone identifiers • ESN – Electronic Serial Number (Hardware) • MIN – Mobile Identification Number (Software) • Other identifiers • SCM – Station Class Mark (Software) • SIDH – System Identification for Home System (Software) • Design exploits (wiretapping) • Pin output • Serial cable tutorials

  10. Phone Identifiers • Easy Step • Access the programming menu • http://www.hackcanada.com/ice3/cellular/index.html • gsm_underground@yahoogroups.com • Change MIN (phone number) • Change SIDH (city identifier) • Call service provider • http://www.totse.com/en/phreak/cellular_phones/cellpmod.html

  11. Phone Identifiers cont… • Harder Step • Obtain the ESN number of the phone you want to clone • Look under the battery • Access the programming menu • Identify EPROM chip in your cell phone • Flash EPROM chip with new information

  12. Hacking Techniques • Systems perspective • Many different points of attack • What is your goal? • Illegal free cell phone use for you and your friends • Denial of service • Listen in

  13. System Vulnerabilities • People • Insiders – ask your buddy to “hook you up” • Computer networks • Hack into provider database • HDML/WML servers, etc. • Wireless networks • Base stations, MTSO, local office • Physical security • Check out hotels, office buildings, base stations, etc. • Cell phone handsets • Biggest threat…

  14. Handset Hacking • Most convenient, easy, widespread • Basic reconnaissance • FCC ID check for manuals, diagrams, etc. • Gather technical info from service provider, retailer, phone manufacturer: brochures, web sites, etc. • Hacker web search (http://mobile.box.sk/ , http://www.hackcanada.com/ , etc.) • A little more in depth • Open it up – check out chip types, numbers; EPROM! • Access “secret” menus – more recon • Social engineering (tech support) • Start over again with more in-depth searches on Google

  15. More Cell Phone Hacking • Hardware modifications • Flash EPROM – need EPROM flashing hardware • More modern phones can have SmartMedia, flash cards, etc. • Change identifiers, phone numbers, modify system software • Software modifications • Change settings under “secret” menus • All are handset-dependent!

  16. Kyocera (Qualcomm)QCP-2035 Example • Take out battery – see FCC ID, ESN • FCC ID search (http://www.fcc.gov/oet/fccid/) basically unsuccessful • Hacker web sites • http://www.hackcanada.com/ice3/cellular/ yields “111111” code for secret menu • Menu includes many options: “040793”=debug code, “??????”=programming code for SprintPCS “000000”=programming code for Verison • Programming menu: change phone number, home area, country code, message encoding/size, many other settings not normally available… • Known DoS: set your phone # to someone else in same area – calls go unanswered • More info on http://www.cdma.f2s.com/

  17. Kyocera (Qualcomm)QCP-2035 Example Cont. • SprintPCS uses Wireless Web • Access to HDML, WDM pages – have to have some connection to www… • IP address under menu is 208.18.146.75:1905 or 208.18.146.139:1905 – found to be wapproxy1.upl.sprintpcs.com and wapproxy2.upl.sprintpcs.com • Potential DoS for Wireless Web, launching point for entry into SprintPCS computer network… • Still going…

  18. Conclusion Wireless Technology is convenient, yet SCARY! This pertains to both wireless communication and computing!!

  19. Questions