Digital Cellular and Fraud Prevention

Digital Cellular and Fraud Prevention

Post by Jason Hillya » Fri, 16 Dec 1994 10:05:29



With all the uproar over cellular fraud, there seem to be more people
inquiring about the security of digital cellular systems.  There are
two digital cellular systems currently being deployed in the US, CDMA
and TDMA.  Both are designed to prevent the sort of fraud that plagues
the current AMPS cellular system.  This is accomplished by using an
authentication parameter called the Shared Secret Data (SSD) along
with the MIN and ESN.  The SSD is stored in the phone and at the
service provider.  It's never transmitted in the clear, so people
monitoring digital cellular traffic won't be able to read the SSD off
the air.  This should (hopefully) make cell phone cloning impossible.

From what I've read of the digital cellular specifications, both CDMA
and TDMA do authentication in the same way.  The point of the authentication
is to check that the SSD in the phone, corresponding to a certain MIN
and ESN, is the same as the SSD stored at the service provider.  The
SSD is a 128 bit number and is split into two 64-bit parts, SSD-A and
SSD-B.  SSD-A is used for authentication and SSD-B is used for voice
encryption.

A simple authentication transaction works like this: First, the mobile
unit generates a 32-bit random number called RAND.  This number, along
with the MIN, ESN, and SSD-A are used as input to the CAVE authentication
algorithm.  The output of CAVE is an 18 bit quantity called AUTH.
Then the mobile sends RAND, MIN, ESN, and AUTH to the base (the
service provider).  The base looks up the SSD-A corresponding to that
MIN and ESN and also calculates AUTH.  If the AUTH quantities match,
the mobile is authenticated.

There are several other types of authentication messages, but they all
are basically the same as described above.  There are also procedures
for the base to update the SSD in the mobile and for the mobile to
authenticate the base.  There are even procedures so that dual-mode
phones can do this sort of authentication in analog mode.

Now suppose someone hacked the service provider's computer and snagged
a bunch of corresponding MIN/ESN/SSD data.  If the perpetrator could
figure out the details of programming this information into a phone
they could clone it, right?  Nope.  There is also a quantity called
COUNT sent along during authentication.  This 64 bit number is stored
by the mobile and the base.  It keeps track of how many times the
mobile has been successfully authenticated.  Every time the mobile is
authenticated, the base and mobile increment their COUNT by one.  If a
mobile tries to authenticate and COUNT is off by more than one, the
base can reject it.  So if a phone is cloned, the COUNT in the cloned
phone and the original phone will become mismatched as the phones are
used.

Now suppose someone managed to get hold of a very fresh MIN, ESN, SSD,
and COUNT, and were capable of programming all of this into a phone.
They may be able to clone a phone for a short time, depending on
whether the original phone is used and whether the service provider is
keeping track of COUNT.

That's a quick look at how authentication works in digital cellular.
In general, it's going to be a lot harder for people to clone phones.
But the security of these new systems still needs to be explored.

Jason


Digital Cellular and Fraud Prevention

Post by Dave Levens » Tue, 20 Dec 1994 23:24:45



> Now suppose someone managed to get hold of a very fresh MIN, ESN, SSD,
> and COUNT, and were capable of programming all of this into a phone.
> They may be able to clone a phone for a short time, depending on
> whether the original phone is used and whether the service provider is
> keeping track of COUNT.

How does this work for roamer service?  Does the current COUNT value
for every subscriber have to be known by every service provider in the
country all the time?  If I place two calls from Newark Airport, New
Jersey, then turn my pocket cellular set off, board an airliner, and
two hours later step off the plane in Chicago and place two more
calls, and then ...  how does the Chicago system know the correct
value for my COUNT and how does it communicate its own updates to that
value back to the home system?


Westmark, Inc.          UUCP: uunet!westmark!dave
Stirling, NJ, USA       Voice: 908 647 0900  Fax: 908 647 6857


Digital Cellular and Fraud Prevention

Post by Jason Hillya » Thu, 22 Dec 1994 06:48:54



> How does this work for roamer service?  Does the current COUNT value
> for every subscriber have to be known by every service provider in the
> country all the time?  If I place two calls from Newark Airport, New
> Jersey, then turn my pocket cellular set off, board an airliner, and
> two hours later step off the plane in Chicago and place two more
> calls, and then ...  how does the Chicago system know the correct
> value for my COUNT and how does it communicate its own updates to that
> value back to the home system?

This is an important issue.  It really depends on how the cellular
companies implement their authentication networks.  I'm not aware of
what their plans are.  Maybe someone in the cellular industry can
enlighten us.

However, the COUNT quantity shouldn't be a problem.  The COUNT in the
mobile isn't updated until the base sends it a message telling it to
do so.  Then the mobile sends a message back confirming that it has
updated COUNT.

In your scenario, let's assume you're roaming in Chicago.  If the
Chicago system can't retrieve and update the COUNT from your home
system, it will not tell the mobile to update its COUNT.

Jason


Digital Cellular and Fraud Prevention

Post by p.. » Thu, 22 Dec 1994 08:22:38




>> Now suppose someone managed to get hold of a very fresh MIN, ESN, SSD,
>> and COUNT, and were capable of programming all of this into a phone.
>> They may be able to clone a phone for a short time, depending on
>> whether the original phone is used and whether the service provider is
>> keeping track of COUNT.
> How does this work for roamer service?  Does the current COUNT value
> for every subscriber have to be known by every service provider in the
> country all the time?  If I place two calls from Newark Airport, New
> Jersey, then turn my pocket cellular set off, board an airliner, and
> two hours later step off the plane in Chicago and place two more
> calls, and then ...  how does the Chicago system know the correct
> value for my COUNT and how does it communicate its own updates to that
> value back to the home system?

Yes, if the roaming service provider is using COUNT then it must
obtain the current value from the subscriber's Home Location Register
via an IS-41 message (IS-41 is the EIA/TIA standard that describes how
cellular switches interconnect).  I am not familiar with any active
implementations of IS-54 (TDMA) or IS-95 (CDMA) that are using both
authentication and IS-41-B-based intersystem roaming (frankly, I'm not
sure there are any today, but as soon as I go out on the limb and make
that statement ...), so I can't speak to how it all works in the field.

And yes, this type of signalling requires high speed (SS7) connections
between systems.  That has been one of the impediments to widespread
deployment of IS-41 -- the cost and effort involved in setting up the
hardware and making it all work together.  So if you really want to
speed up the process, make it worth your cellular carrier's while to
upgrade its network; keep the fraud and hacking up! ;)

Phil Brown     New Technology Engineer

(404) 391-8390
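The exchange described in the three posts above, put together as a small simulation: Jason's RAND/MIN/ESN/AUTH challenge-response with the COUNT check, his follow-up that the mobile only increments COUNT when the base orders it and then confirms, and Phil's point that a serving system must obtain the subscriber's COUNT from the home system before it can use it. This is an added example written for this page, not code from any of the posters or from the IS-54/IS-95/IS-41 specifications. CAVE is not given in the thread, so a truncated SHA-256 stands in for it (an assumption, not the real algorithm); the IS-41 query to the Home Location Register is reduced to a `home_reachable` flag; and the MIN, ESN and SSD-A values are constructed.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AUTH_BITS = 18          # AUTH is an 18-bit quantity in the thread
COUNT_TOLERANCE = 1     # base rejects if COUNT is off by more than one


def auth_signature(rand: int, min_: int, esn: int, ssd_a: int) -> int:
    """Stand-in for CAVE (assumption: the thread does not give the algorithm).
    RAND (32 bit), MIN, ESN and SSD-A (64 bit) are mixed and 18 bits are kept."""
    material = (rand.to_bytes(4, "big") + min_.to_bytes(5, "big")
                + esn.to_bytes(4, "big") + ssd_a.to_bytes(8, "big"))
    digest = hashlib.sha256(material).digest()
    return int.from_bytes(digest[:3], "big") & ((1 << AUTH_BITS) - 1)


@dataclass
class Mobile:
    min_: int
    esn: int
    ssd_a: int          # stays in the phone; only AUTH, derived from it, goes over the air
    count: int = 0

    def auth_request(self, rand: Optional[int] = None) -> Dict[str, int]:
        """Over-the-air message: RAND, MIN, ESN, AUTH and COUNT. SSD-A is never sent."""
        if rand is None:
            rand = secrets.randbits(32)
        auth = auth_signature(rand, self.min_, self.esn, self.ssd_a)
        return {"RAND": rand, "MIN": self.min_, "ESN": self.esn,
                "AUTH": auth, "COUNT": self.count}

    def update_count(self) -> int:
        """Runs only when the base orders it; the returned value is the confirmation."""
        self.count += 1
        return self.count


@dataclass
class HomeSystem:
    """Home Location Register: (MIN, ESN) -> SSD-A and the last confirmed COUNT."""
    subscribers: Dict[Tuple[int, int], Dict[str, int]]

    def check(self, req: Dict[str, int]) -> Tuple[bool, str]:
        rec = self.subscribers.get((req["MIN"], req["ESN"]))
        if rec is None:
            return False, "unknown MIN/ESN"
        expected = auth_signature(req["RAND"], req["MIN"], req["ESN"], rec["ssd_a"])
        if expected != req["AUTH"]:
            return False, "AUTH mismatch"          # wrong or missing SSD-A
        if abs(req["COUNT"] - rec["count"]) > COUNT_TOLERANCE:
            return False, "COUNT mismatch"         # clone and original have drifted apart
        return True, "ok"

    def record_count(self, req: Dict[str, int], confirmed: int) -> None:
        self.subscribers[(req["MIN"], req["ESN"])]["count"] = confirmed


def serve_call(home: HomeSystem, mobile: Mobile, home_reachable: bool = True,
               rand: Optional[int] = None) -> str:
    """One call attempt at a serving system. The IS-41 link to the home system is
    abstracted to `home_reachable`; without it, no COUNT update is ordered."""
    req = mobile.auth_request(rand)
    if not home_reachable:
        return "home unreachable: COUNT left unchanged"
    ok, why = home.check(req)
    if not ok:
        return f"rejected: {why}"
    confirmed = mobile.update_count()      # base orders the update, mobile confirms
    home.record_count(req, confirmed)
    return f"accepted, COUNT now {confirmed}"


def clone_scenario() -> List[str]:
    """Constructed subscriber data; returns the outcome of each call attempt."""
    min_, esn, ssd_a = 2015550100, 0xDEADBEEF, 0x0123456789ABCDEF
    home = HomeSystem({(min_, esn): {"ssd_a": ssd_a, "count": 0}})
    original = Mobile(min_, esn, ssd_a)
    clone = Mobile(min_, esn, ssd_a)                  # full snapshot taken at COUNT 0
    imposter = Mobile(min_, esn, 0xFFFFFFFFFFFFFFFF)  # MIN/ESN only, SSD-A guessed
    log = [serve_call(home, original, rand=r) for r in (1, 2, 3)]  # COUNT 1, 2, 3
    log.append(serve_call(home, imposter, rand=4))    # AUTH mismatch
    log.append(serve_call(home, clone, rand=5))       # COUNT 0 vs 3: mismatch
    log.append(serve_call(home, original, home_reachable=False, rand=6))
    log.append(serve_call(home, original, rand=7))    # back in contact: COUNT 4
    return log


if __name__ == "__main__":
    for line in clone_scenario():
        print(line)
```

The scenario shows why the clone in Jason's second-to-last paragraph only works "for a short time": the snapshot is valid when taken, but once the original phone has been authenticated a couple of times the two COUNT values are more than one apart and the home system refuses the copy. The roaming case follows Jason's follow-up rather than Phil's: when the serving system cannot reach the home system it simply does not order an update, so neither side's COUNT moves and they still agree when contact is restored.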


Digital Cellular and Encryption / Fraud Prevention

The cellular company I work for believes that eventually digital will
replace analog but has committed to analog service until 2003.  They
believe this because digital will allow more capacity, lower power
consumption (more talk time), eventually better audio, and a full
range of new features (like Caller ID).  They are also looking at the
new PCS market and the possibility of having dual-mode phones (i.e.
GSM/TDMA) or having both markets with one standard capability.

They are presently offering free phones for high-usage customers.  For
now it makes sense to offload to digital and free up more space for
the predominantly analog market.

Hope this helps,

Mike
