
Cellular Telephone Security



  1. Cellular Telephone Security
     Tuesday, November 27, 2001
     Matthew Manger, Marjorie Quant, Matthew Wiedemer

  2. Outline
     • Encryption
     • Cellular Process
     • Transmission Methods
     • Manufacturer Vulnerabilities
     • Hacking

  3. Cellular Phone Encryption
     • Hardware and software in the cellular phone
     • Swapping or modifying the EPROM
       • Physically change the EPROM
       • Decompile/compile the software on the EPROM
     • Modifying and bypassing the ESN/MIN
       • Usually located on the EPROM
     • http://www.totse.com/en/phreak/cellular_phones/csecret.html

  4. ESN
     [Diagram: ESN/MIN validation flow: "Are ESN/MIN valid?" -> "Yes: valid ESN/MIN"]
     • The process
       • Power on: the handset transmits its ESN/MIN on the "reverse" channel; the cellular site verifies the MIN; the site transmits positive validation on the "forward" channel; the line is open
     • Vulnerabilities
       • Cloning or altering the ESN transmission process
       • Well-published hardware attacks on this vulnerability and less well-published software techniques
       • Attention is generally focused on the hardware attacks: fairly inexpensive and not too difficult to pull off

  5. Cloning a Phone
     • Alter the ESN/MIN codes on the EPROM
     • Alter the software on the EPROM
       • Have code jump to a different address
     • Programmable by a handset
       • Use the cell phone to scan and capture ESNs to be stored in the EPROM
     • Decompile/compile the code on an EPROM
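The validation step in slide 4 and the cloning technique in slide 5 together make one defender-side point: a cloned handset presents a valid ESN/MIN pair, so the per-registration check at the cell site cannot tell it from the legitimate subscriber. The following added example (not part of the presentation) shows that site-side lookup passing for both, and then a carrier-side velocity check over constructed registration records that flags a pair when it registers at two sites farther apart than a handset could travel in the elapsed time. The subscriber table, site coordinates, records, speed threshold and all function names are constructed assumptions for illustration.

```python
"""Added example: ESN/MIN validation and a velocity check for cloned pairs.

Everything below (subscriber table, site coordinates, registration records,
speed threshold) is constructed sample data, not from the presentation.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Constructed subscriber table: the "valid ESN/MIN" lookup the cell site performs.
SUBSCRIBERS = {
    ("A1B2C3D4", "2125550100"),
    ("E5F6A7B8", "2125550199"),
}

# Constructed cell-site coordinates (latitude, longitude in degrees).
SITES = {
    "site-nyc-1": (40.7128, -74.0060),
    "site-nyc-2": (40.7306, -73.9352),
    "site-lax-1": (34.0522, -118.2437),
}

# Constructed ceiling on how fast a handset can plausibly move between sites.
MAX_SPEED_KMH = 300.0


@dataclass(frozen=True)
class Registration:
    esn: str
    min_: str
    site: str
    ts: float  # seconds on a constructed clock


@dataclass(frozen=True)
class CloneAlert:
    esn: str
    min_: str
    earlier: Registration
    later: Registration
    speed_kmh: float


def validate_pair(esn: str, min_: str) -> bool:
    """The per-registration check from slide 4: is this ESN/MIN pair on file?
    A clone that copied a real pair passes this check by construction."""
    return (esn, min_) in SUBSCRIBERS


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def velocity_check(records, max_speed_kmh=MAX_SPEED_KMH):
    """Flag ESN/MIN pairs whose consecutive registrations imply impossible travel.

    Registrations are grouped per pair and sorted by time; each consecutive
    pair of registrations at different sites yields an implied speed, and any
    speed above the threshold produces a CloneAlert."""
    by_pair = {}
    for r in records:
        by_pair.setdefault((r.esn, r.min_), []).append(r)
    alerts = []
    for (esn, min_), regs in by_pair.items():
        regs.sort(key=lambda r: r.ts)
        for prev, cur in zip(regs, regs[1:]):
            if prev.site == cur.site:
                continue  # same site: no travel implied
            dist = haversine_km(SITES[prev.site], SITES[cur.site])
            dt_h = (cur.ts - prev.ts) / 3600.0
            speed = float("inf") if dt_h <= 0 else dist / dt_h
            if speed > max_speed_kmh:
                alerts.append(CloneAlert(esn, min_, prev, cur, speed))
    return alerts


# Constructed registration records: one subscriber whose pair has been cloned
# and registers in Los Angeles ten minutes after New York, and a second
# subscriber that simply moves between two nearby New York sites.
SAMPLE_RECORDS = [
    Registration("A1B2C3D4", "2125550100", "site-nyc-1", 1000.0),
    Registration("A1B2C3D4", "2125550100", "site-lax-1", 1600.0),
    Registration("E5F6A7B8", "2125550199", "site-nyc-1", 1000.0),
    Registration("E5F6A7B8", "2125550199", "site-nyc-2", 1600.0),
]


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(f"{r.site}: {r.esn}/{r.min_} valid={validate_pair(r.esn, r.min_)}")
    for a in velocity_check(SAMPLE_RECORDS):
        print(f"possible clone {a.esn}/{a.min_}: {a.earlier.site} -> {a.later.site} "
              f"implies {a.speed_kmh:,.0f} km/h")
```

Every record above passes `validate_pair`, which is exactly why the per-registration check in slide 4 gives no signal; only correlating registrations over time and space (here, a velocity check) separates the genuine subscriber moving a few kilometres from the cloned pair appearing across the country minutes later. A real carrier system would also have to handle the legitimate false positives this produces (airline travel, clock skew between sites) before acting on an alert.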

  6. Cellular Phone Transmission Methods
     • Digital
       • Time Division Multiple Access (TDMA)
       • Code Division Multiple Access (CDMA)
     • Analog
       • Frequency Division Multiple Access (FDMA)
     • Global System for Mobile Communications (GSM)
       • Established in 1982 to standardize European mobile communication systems (http://www.iec.org)
       • Time Division Multiple Access (TDMA)

  7. CDMA - Authentication, Secrecy & Identification
     • Process
     • Source: CDMA Cellular Mobile Communications: Network and Security, Man Young Rhee, Prentice-Hall PTR, Upper Saddle River, NJ, 1998

  8. Vulnerabilities
     • Manufacturers researched
       • Nokia
       • Motorola
       • Ericsson
       • Panasonic
     • Causes of vulnerabilities
       • Design/implementation flaws
       • Manufacturer (Nokia, Motorola)
       • Human impatience and ignorance

  9. Vulnerabilities cont…
     • Number Assignment Module (NAM) programming
       • Primary phone identifiers
         • ESN – Electronic Serial Number (hardware)
         • MIN – Mobile Identification Number (software)
       • Other identifiers
         • SCM – Station Class Mark (software)
         • SIDH – System Identification for Home System (software)
     • Design exploits (wiretapping)
       • Pin output
       • Serial cable tutorials

  10. Phone Identifiers
     • Easy step
       • Access the programming menu
         • http://www.hackcanada.com/ice3/cellular/index.html
         • gsm_underground@yahoogroups.com
       • Change MIN (phone number)
       • Change SIDH (city identifier)
       • Call service provider
       • http://www.totse.com/en/phreak/cellular_phones/cellpmod.html

  11. Phone Identifiers cont…
     • Harder step
       • Obtain the ESN of the phone you want to clone
         • Look under the battery
         • Access the programming menu
       • Identify the EPROM chip in your cell phone
       • Flash the EPROM chip with the new information

  12. Hacking Techniques
     • Systems perspective
       • Many different points of attack
     • What is your goal?
       • Illegal free cell phone use for you and your friends
       • Denial of service
       • Listen in

  13. System Vulnerabilities
     • People
       • Insiders – ask your buddy to "hook you up"
     • Computer networks
       • Hack into provider database
       • HDML/WML servers, etc.
     • Wireless networks
       • Base stations, MTSO, local office
     • Physical security
       • Check out hotels, office buildings, base stations, etc.
     • Cell phone handsets
       • Biggest threat…

  14. Handset Hacking
     • Most convenient, easy, widespread
     • Basic reconnaissance
       • FCC ID check for manuals, diagrams, etc.
       • Gather technical info from service provider, retailer, phone manufacturer: brochures, web sites, etc.
       • Hacker web search (http://mobile.box.sk/, http://www.hackcanada.com/, etc.)
     • A little more in depth
       • Open it up – check out chip types, numbers; EPROM!
       • Access "secret" menus – more recon
       • Social engineering (tech support)
       • Start over again with more in-depth searches on Google

  15. More Cell Phone Hacking
     • Hardware modifications
       • Flash EPROM – need EPROM flashing hardware
       • More modern phones can have SmartMedia, flash cards, etc.
       • Change identifiers, phone numbers, modify system software
     • Software modifications
       • Change settings under "secret" menus
     • All are handset-dependent!

  16. Kyocera (Qualcomm) QCP-2035 Example
     • Take out battery – see FCC ID, ESN
     • FCC ID search (http://www.fcc.gov/oet/fccid/) basically unsuccessful
     • Hacker web sites
       • http://www.hackcanada.com/ice3/cellular/ yields "111111" code for secret menu
       • Menu includes many options: "040793" = debug code, "??????" = programming code for SprintPCS, "000000" = programming code for Verizon
     • Programming menu: change phone number, home area, country code, message encoding/size, many other settings not normally available…
     • Known DoS: set your phone # to someone else's in the same area – calls go unanswered
     • More info on http://www.cdma.f2s.com/

  17. Kyocera (Qualcomm) QCP-2035 Example cont.
     • SprintPCS uses Wireless Web
       • Access to HDML, WML pages – have to have some connection to the www…
       • IP address under menu is 208.18.146.75:1905 or 208.18.146.139:1905 – found to be wapproxy1.upl.sprintpcs.com and wapproxy2.upl.sprintpcs.com
       • Potential DoS for Wireless Web, launching point for entry into SprintPCS computer network…
     • Still going…

  18. Conclusion
     Wireless technology is convenient, yet SCARY! This pertains to both wireless communication and computing!!

  19. Questions
