With all the uproar over cellular fraud, there seem to be more people
inquiring about the security of digital cellular systems. There are
two digital cellular systems currently being deployed in the US, CDMA
and TDMA. Both are designed to prevent the sort of fraud that plagues
the current AMPS cellular system. This is accomplished by using an
authentication parameter called the Shared Secret Data (SSD) along
with the MIN and ESN. The SSD is stored in the phone and at the
service provider. It's never transmitted in the clear, so people
monitoring digital cellular traffic won't be able to read the SSD off
the air. This should (hopefully) make cell phone cloning impossible.

From what I've read of the digital cellular specifications, both CDMA
and TDMA do authentication in the same way. The point of the authentication
is to check that the SSD in the phone, corresponding to a certain MIN
and ESN, is the same as the SSD stored at the service provider. The
SSD is a 128-bit number and is split into two 64-bit parts, SSD-A and
SSD-B. SSD-A is used for authentication and SSD-B is used for voice

A simple authentication transaction works like this: First, the mobile
unit generates a 32-bit random number called RAND. This number, along
with the MIN, ESN, and SSD-A are used as input to the CAVE authentication
algorithm. The output of CAVE is an 18-bit quantity called AUTH.
Then the mobile sends RAND, MIN, ESN, and AUTH to the base (the
service provider). The base looks up the SSD-A corresponding to that
MIN and ESN and also calculates AUTH. If the AUTH quantities match,
the mobile is authenticated.

There are several other types of authentication messages, but they all
are basically the same as described above. There are also procedures
for the base to update the SSD in the mobile and for the mobile to
authenticate the base. There are even procedures so that dual-mode
phones can do this sort of authentication in analog mode.

Now suppose someone hacked the service provider's computer and snagged
a bunch of corresponding MIN/ESN/SSD data. If the perpetrator could
figure out the details of programming this information into a phone
they could clone it, right? Nope. There is also a quantity called
COUNT sent along during authentication. This 64-bit number is stored
by the mobile and the base. It keeps track of how many times the
mobile has been successfully authenticated. Every time the mobile is
authenticated, the base and mobile increment their COUNT by one. If a
mobile tries to authenticate and COUNT is off by more than one, the
base can reject it. So if a phone is cloned, the COUNT in the cloned
phone and the original phone will become mismatched as the phones are

Now suppose someone managed to get hold of a very fresh MIN, ESN, SSD,
and COUNT, and were capable of programming all of this into a phone.
They may be able to clone a phone for a short time, depending on
whether the original phone is used and whether the service provider is
keeping track of COUNT.

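The challenge-response exchange and the COUNT check described above, as an added simulation (not code from the original post or from any cellular standard). The CAVE algorithm itself is not reproduced here; `cave_stand_in` is an assumed placeholder that keys HMAC-SHA256 with SSD-A and truncates to the 18-bit AUTH width the post gives, so the exchange has the same shape without the real algorithm. The MIN, ESN, SSD and RAND values are constructed, and the COUNT tolerance of one follows the post's description.

```python
import hashlib
import hmac
import secrets

AUTH_BITS = 18       # width of the CAVE output (AUTH) given in the post
COUNT_TOLERANCE = 1  # base rejects when COUNT is off by more than one


def cave_stand_in(rand: int, min_: str, esn: str, ssd_a: bytes) -> int:
    """Placeholder for CAVE (assumption: the real algorithm is not reproduced).
    HMAC-SHA256 keyed with SSD-A over RAND|MIN|ESN, truncated to 18 bits,
    gives a function with the same inputs and output width."""
    msg = rand.to_bytes(4, "big") + min_.encode() + b"|" + esn.encode()
    digest = hmac.new(ssd_a, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big") & ((1 << AUTH_BITS) - 1)


class Mobile:
    """Mobile unit: holds its MIN, ESN, SSD-A and its own copy of COUNT."""

    def __init__(self, min_, esn, ssd_a, count=0, rand_source=None):
        self.min, self.esn, self.ssd_a, self.count = min_, esn, ssd_a, count
        self.rand_source = rand_source or (lambda: secrets.randbits(32))

    def auth_message(self) -> dict:
        rand = self.rand_source()  # 32-bit RAND generated by the mobile
        return {"RAND": rand, "MIN": self.min, "ESN": self.esn,
                "AUTH": cave_stand_in(rand, self.min, self.esn, self.ssd_a),
                "COUNT": self.count}


class Base:
    """Service provider: SSD-A and COUNT stored per (MIN, ESN) pair."""

    def __init__(self):
        self.records = {}

    def provision(self, min_, esn, ssd_a):
        self.records[(min_, esn)] = {"ssd_a": ssd_a, "count": 0}

    def verify(self, msg: dict):
        rec = self.records.get((msg["MIN"], msg["ESN"]))
        if rec is None:
            return False, "unknown MIN/ESN"
        expected = cave_stand_in(msg["RAND"], msg["MIN"], msg["ESN"], rec["ssd_a"])
        if expected != msg["AUTH"]:
            return False, "AUTH mismatch"   # phone's SSD-A differs from ours
        if abs(msg["COUNT"] - rec["count"]) > COUNT_TOLERANCE:
            return False, "COUNT mismatch"  # phone and provider have drifted apart
        rec["count"] += 1                   # success: provider increments COUNT
        return True, "authenticated"


def attempt(mobile: Mobile, base: Base):
    ok, reason = base.verify(mobile.auth_message())
    if ok:
        mobile.count += 1  # success: mobile increments its COUNT too
    return ok, reason


def run_scenarios() -> dict:
    # Constructed sample values; not from any real subscriber.
    min_, esn = "6145550100", "8A1B2C3D"
    ssd = bytes(range(16))  # constructed 128-bit SSD; SSD-A is the first 64 bits
    ssd_a = ssd[:8]

    def fixed_rand():       # deterministic RAND so the run is repeatable
        return 0x1234ABCD

    base = Base()
    base.provision(min_, esn, ssd_a)
    phone = Mobile(min_, esn, ssd_a, rand_source=fixed_rand)
    results = {"legit": attempt(phone, base)}

    # Right MIN/ESN but wrong SSD-A: the base's AUTH will not match.
    wrong_ssd = Mobile(min_, esn, bytes(8), rand_source=fixed_rand)
    results["wrong_ssd"] = attempt(wrong_ssd, base)

    # Correct SSD-A and COUNT, but a snapshot that goes stale while the
    # real phone keeps authenticating: rejected on COUNT.
    stale = Mobile(min_, esn, ssd_a, count=phone.count, rand_source=fixed_rand)
    for _ in range(3):
        attempt(phone, base)
    results["stale_clone"] = attempt(stale, base)

    # A very fresh snapshot (COUNT within tolerance) still passes: this is
    # the short window the post describes.
    fresh = Mobile(min_, esn, ssd_a, count=phone.count, rand_source=fixed_rand)
    results["fresh_clone"] = attempt(fresh, base)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:12s} -> {outcome}")
```

The scenarios map directly onto the post's argument: a copy of MIN/ESN without the matching SSD-A fails on AUTH, a copy whose COUNT has fallen more than one behind fails on COUNT, and only a snapshot taken moments before use gets through, which is why tracking COUNT at the provider matters.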
That's a quick look at how authentication works in digital cellular.
In general, it's going to be a lot harder for people to clone phones.
But the security of these new systems still needs to be explored.