Before attacks on mobile phones can be discussed it is important that the underlying system employed by mobile phone providers is understood.
There are a number of digital networks worldwide that support mobile phones, of which Global System for Mobile Communications (GSM) is the most popular. GSM accounts for around 80 of worldwide networks with over 3 billion users across over 200 countries, and its ubiquity enables ease of roaming between providers for users that are travelling. cdmaOne (2G) and CDMA2000 (3G), often referred to colloquially as CDMA, are two other competing standards to GSM. Confusingly, CDMA is an acronym for code division multiple access, which is a channel access method used by these systems.
Mobile phone networks have also evolved through a number of generations. 1G phones were analogue cellular networks, which were replaced by 2G networks that use digital technology. 2.5G is now the baseline standard and enables data support to be added to 2G services. 3G networks are increasing in number with an associated increase in available bandwidth and support for more enhanced services. GSM uses a technique called TDMA or Time Division Multiple Access to share a single carrier frequency between multiple users, all taking turns to use their allocated slice of the channel. This time slicing happens fast enough so that users aren't aware of sharing the channel with others.
Aside from voice traffic, cell phones have evolved to enable data transfer as an additional service. New protocols have been developed in support of this including General Packet Radio Service (GPRS), which is a packet switching protocol used across GSM networks for data transmission. Enhanced Data rates for GSM Evolution (EDGE) is a development of GPRS that provides even greater data transmission rates.
Mobile phone networks typically consist of a number of elements:
- Mobile phone handset which acts as a transceiver.
- Removable subscriber identity module, or SIM card. Combined with a mobile phone this is referred to as the mobile station.
- The International Mobile Subscriber Identity (IMSI) is a unique number stored inside the SIM and sent to the network by the phone. To reduce the opportunities to compromise a mobile phone via the air interface a Temporary Mobile Subscriber Identity (TMSI) number is assigned by the network once the original IMSI has been processed.
- The International Mobile Equipment Identity (IMEI) is a unique number used to identify a particular handset to a network, a feature that is used to "bar" stolen phones from accessing a particular network.
- Base Transceiver Station (BTS), which receives and transmits the phone signal. Importantly, it is also responsible for encrypting and decrypting call traffic with the base station controller.
- Base Station Controller (BSC) coordinates a number of base transceiver stations and manages the allocation of call channels and the important task of handing off calls between BTSs. Combined with a BTS this is referred to as the Base Station Subsystem (BSS).
- Mobile Switching Centre (MSC) is part of the network switching subsystem (NSS) and manages the routing of calls, setting up end-to-end connections, hand over requirements and account monitoring. The NSS is also responsible for managing the Home Location Register, Visitor Location Register (which are databases containing the details of authorised users of the GSM network) and the Authentication Centre that authenticates each SIM card trying to connect to the network.
Understanding GSM encryption
The design of cell phone systems originates from before direct attacks were considered. The move from an analogue to a digital system was believed to add sufficient security and network providers had historically been more concerned with tracking call fraud rather than dealing with eavesdroppers.
Early analogue cell phones were basically simple radio systems that had no in-built security features and were subsequently open for anyone to listen into with simple radio equipment. As technology advanced users quite rightly demanded better security, and in 1987 a stream cipher called A5/1 was developed for that purpose. A5/2 was developed in 1989 as a weakened version of the cipher for export to less trusted regions of the world.
The algorithm behind A5/1 was originally kept secret, an approach that modern cryptographers quite rightly deride as foolishness. It is only by opening up algorithms to analysis and in-depth review that the security community can gain confidence in the robustness of these tools. Security by obscurity, in the case of cryptographic algorithms, is a flawed approach. Suffice to say that by 1994 the algorithm had been more or less worked out and by 1999 it had been successfully reverse engineered.
Academic hacks against A5/1 have in the past relied upon knowing some plain text—perhaps a couple of seconds of a conversation—to get to the encryption key. In reality this won't happen, as conversations would be encrypted from the start so, unless there was a flaw in the system that provided such a snapshot, this academic hack is not possible. Other hacks have relied on significant computing power, costing around $100,000, but even with such processing power the system could only decrypt around 1 SMS text message a day.
A5/1 itself is vulnerable to generic pre-computation attacks in the form of a code book attack. For ciphers with small keys, code books allow decryption to take place—facilitated by the fact that a code book provides a mapping from a known plain text output to a cipher text. An A5/1 code book is 128 Petabytes and will take about 100,000 years to compute on a desktop PC. More sophisticated attacks have been shown (Karsten Nohl, Aug 2009) using rainbow tables (look up tables of plain text hashes) of about 3TB with decryption times in a matter of minutes.
A5/3 is a stronger encryption algorithm designed for use in 3G systems. This is not always implemented by service providers and a vulnerability for this was demonstrated in early 2010. In this case it took 2 hours to conduct a related key attack on A5/3 data but, as this attack relies on a large volume of plain text to be successful, it remains an academic attack at the moment.
The next article will look at specific cell phone attacks.