Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Phreaking Cellular - Misc. :: cellu.txt

Cellular phone stuff





=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

                              Cellular Telephones
                      [Written By The High Evolutionary]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

    I assume that most of us know many of the technical aspects of Cellular
Phreaking therefore this file is intended for general information as to how
these unique devices operate.

        --------------------------------------------------------------

    Cellular is likely to be successful because it provides dramatic
improvements over the historic automobile phones.  For years, mobile
radio-telephone service was an extremely limited proposition.  There were only
forty-four radio channels available, and a maximum of about thirty were
assigned to any one area.  That meant if all thirty channels were occupied-one
conversation per channel-and you were the thirty-first mobile phone user who
wished to make a call, you would have to wait thirty minutes or more, even in a
city the size of New York.  As you can imagine, mobile radio-telephone service
like that could not become very popular.  Even with the limited number of
channels, long delays in making calls during busy periods, and often poor
quality transmission, there were big waiting lists for mobile service.  But
with a fully equipped cellular radio-telephone system, it is possible to make
5000 times as many calls simultaneously in the same metropolitan area, opening
up the service to anyone that can pay the hefty prices.

    That is because cellular radio-telephones systems are technically quite
different from traditional mobile telephones.  First, the FCC (Federal
Communications Commission) has allocated far more channels to cellular, 666 in
all.  Second, those 666 channels are broadcast from many different locations.
In the old mobile telephone systems, there was one powerful radio station with
a large antenna that served an entire city.  In the new system, a geographical
area is honeycombed with many cells, hence the name 'Cellular'.  Each cell has
its own low-powered radio transmitter and receiver. As a car with a cellular
telephone or a person carrying a portable moves from one cell to the next, the
call is transferred automatically.  You're unlikely to notice when this
transfer takes place, even though your phone is suddenly switched to a
different radio station and to another channel while you are talking.

    Because the cellular signal is low-powered, it doesn't go very far.  This
permits the same channel you are talking on to be used for calls in other parts
of the same metropolitan area without interference.  This would mean cellular
radio-telephone systems can serve a very large number of customers in an area
because there are more channels than before-and the larger number of channels
are reused.

    Unlike local telephone service, which is provided by a monopoly, there is
competition in cellular.  Two classes of companies are allowed to offer
cellular telephone service in every market.  One cellular system can be owned
by a telephone company, the other by someone else.  The two-company rule was
adopted by the FCC so that AT&T, which developed cellular, could not monopolize
the whole thing.

    Cellular Telephones come in two basic versions, as car phones and portable
phones, with a briefcase hybrid.  Car phones are by far the most common,
because they are much cheaper.  But most believe that, ultimately, portables
will be the most popular.  Washington Post Company president Richard Simmons,
whose company is a partner in several cellular systems, even predicts that by
the early 1990's "There will be phones roughly the size of a calculators that
you carry around in your pocket.  They will cost no more than five hundred
dollars.  They will emancipate people from the necessity of locating a phone to
make calls. The bad news is, you will never be able to get away from the phone,
and we'll call it progress."

    Car telephones include a small transmitter-receiver unit that is usually
mounted in the trunk, an antenna and a control head that includes the handset.
In most cellular systems, the telephone touchpad is located on the handset.
Many domestic and foreign manufacturers make cellular car phones, but so far
only Motorola makes portables, the DYNA T-A-C 8000X and 8000S. Motorola's
portables look like a slightly enlarged, somewhat chunky telephone handset,
with a stubby antenna at one end.

    Portables are less powerful than car units, so they can't be used with some
cellular systems.  The portable's other limitation is battery life.  A portable
can listen for calls for about eight hours, but it can only transmit for only
thirty minutes.  After that time it must be charged for a minimum of an hour.

    The following American cities have cellular telephone service or soon will
get it:

                         New York         Denver
                         Los Angeles      Seattle
                         Chicago          Milwaukee
                         Philadelphia     Tampa
                         Detroit          Cincinnati
                         Boston           Kansas City
                         San Francisco    Buffalo
                         Washington       Phoenix
                         Dallas           San Jose
                         Houston          Indianapolis
                         St. Louis        New Orleans
                         Miami            Portland
                         Pittsburgh       Cleveland
                         San Diego        Atlanta
                         Baltimore        Minneapolis
        --------------------------------------------------------------
%





              THE ELECTRONIC SERIAL NUMBER: A CELLULAR 'SIEVE'?
                  'SPOOFERS' CAN DEFRAUD USERS AND CARRIERS

    by Geoffrey S. Goodfellow, Robert N. Jesse, and Andrew H. Lamothe, Jr.


What's the greatest security problem with cellular phones? Is it privacy of
communications?  No.

Although privacy is a concern, it will pale beside an even greater problem:
spoofing.

'Spoofing' is the process through which an agent (the 'spoofer') pretends to
be somebody he isn't by proffering false identification, usually with intent
to defraud.  This deception, which cannot be protected against using the
current U.S. cellular standards, has the potential to create a serious
problem--unless the industry takes steps to correct some loopholes in the
present cellular standards.

Compared to spoofing, the common security concern of privacy is not so severe.
Most cellular subscribers would, at worst, be irked by having their
conversational privacy violated.  A smaller number of users might actually
suffer business or personal harm if their confidential exchanges were
compromised.  For them, voice encryption equipment is becoming increasingly
available if they are willing to pay the price for it.

Thus, even though technology is available now to prevent an interloper from
overhearing sensitive conversations, cellular systems cannot--at any
cost--prevent pirates from charging calls to any account. This predicament is
not new to the industry.  Even though cellular provides a modern,
sophisticated quality mobile communications service, it is not fundamentally
much safer than older forms of mobile telephony.

History of Spoofing Vulnerability

The earliest form of mobile telephony, unsquelched manual Mobile Telephone
Service (MTS), was vulnerable to interception and eavesdropping.  To place a
call, the user listened for a free channel.  When he found one, he would key
his microphone to ask for service: 'Operator, this is Mobile 1234; may I
please have 555-7890.'  The operator knew to submit a billing ticket for
account number 1234 to pay for the call.  So did anybody else listening to the
channel--hence the potential for spoofing and fraud.

Squelched channel MTS hid the problem only slightly because users ordinarily
didn't overhear channels being used by other parties.  Fraud was still easy
for those who turned off the squelch long enough to overhear account numbers.

Direct-dial mobile telephone services such as Improved Mobile Telephone
Service (IMTS) obscured the problem a bit more because subscriber
identification was made automatically rather than by spoken exchange between
caller and operator.  Each time a user originated a call, the mobile telephone
transmitted its identification number to the serving base station using some
form of Audio Frequency Shift Keying (AFSK), which was not so easy for
eavesdroppers to understand.

Committing fraud under IMTS required modification of the mobile--restrapping
of jumpers in the radio unit, or operating magic keyboard combinations in
later units--to reprogram the unit to transmit an unauthorized identification
number. Some mobile control heads even had convenient thumb wheel switches
installed on them to facilitate easy and frequent ANI (Automatic Number
Identification) changes.

Cellular Evolution

Cellular has evolved considerably from these previous systems.  Signaling
between mobile and base stations uses high-speed digital techniques and
involves many different types of digital messages.  As before, the cellular
phone contains its own Mobile Identification Number (MIN), which is programmed
by the seller or service shop and can be changed when, for example, the phones
sold to a new user.  In addition, the U.S. cellular standard incorporates a
second number, the 'Electronic Serial Number' (ESN), which is intended to
uniquely and permanently identify the mobile unit.

According to the Electronic Industries Association (EIA) Interim Standard
IS-3-B, Cellular System Mobile Station--Land Station Compatibility
Specification (July 1984), 'The serial number is a 32-bit binary number that
uniquely identifies a mobile station to any cellular system.  It must be
factory-set and not readily alterable in the field.  The circuitry that
provides the serial number must be isolated from fraudulent contact and
tampering.  Attempts to change the serial number circuitry should render the
mobile station inoperative.'

The ESN was intended to solve two problems the industry observed with its
older systems.

First, the number of subscribers that older systems could support fell far
short of the demand in some areas, leading groups of users to share a single
mobile number (fraudulently) by setting several phones to send the same
identification.  Carriers lost individual user accountability and their means
of predicting and controlling traffic on their systems.

Second, systems had no way of automatically detecting use of stolen equipment
because thieves could easily change the transmitted identification.

In theory, the required properties of the ESN allow cellular systems to check
to ensure that only the correctly registered unit uses a particular MIN, and
the ESNs of stolen units can be permanently denied service ('hot-listed').
This measure is an improvement over the older systems, but vulnerabilities
remain.

Ease of ESN Tampering

Although the concept of the unalterable ESN is laudable in theory, weaknesses
are apparent in practice.  Many cellular phones are not constructed so that
'attempts to change the serial number circuitry renders the mobile station
inoperative.'  We have personally witnessed the trivial swapping of one ESN
chip for another in a unit that functioned flawlessly after the switch was
made.

Where can ESN chips be obtained to perform such a swap?  We know of one recent
case in the Washington, D.C. area in which an ESN was 'bought' from a local
service shop employee in exchange for one-half gram of cocaine.  Making the
matter simpler, most manufacturers are using industry standard Read-Only
Memory (ROM) chips for their ESNs, which are easily bought and programmed or
copied.

Similarly, in the spirit of research, a west coast cellular carrier copied the
ESN from one manufacturer's unit to another one of the same type and
model--thus creating two units with the exact same identity.

The ESN Bulletin Board

For many phones, ESN chips are easy to obtain, program, and install.  How does
a potential bootlegger know which numbers to use?  Remember that to obtain
service from a system, a cellular unit must transmit a valid MIN (telephone
number) and (usually) the corresponding serial number stored in the cellular
switch's database.

With the right equipment, the ESN/MIN pair can be read right off the air
because the mobile transmits it each time it originates a call.  Service shops
can capture this information using test gear that automatically receives and
decodes the reverse, or mobile-to-base, channels.

Service shops keep ESN/MIN records on file for units they have sold or
serviced, and the carriers also have these data on all of their subscribers.
Unscrupulous employees could compromise the security of their customers'
telephones.

In many ways, we predict that 'trade' in compromised ESN/MIN pairs will
resemble what currently transpires in the long distance telephone business
with AT&T credit card numbers and alternate long-distance carrier (such as
MCI, Sprint and Alltel) account codes.  Code numbers are swapped among
friends, published on computer 'bulletin boards' and trafficked by career
criminal enterprises.

Users whose accounts are being defrauded might--or might not--eventually
notice higher-than-expected bills and be reassigned new numbers when they
complain to the carrier.  Just as in the long distance business, however, this
number 'turnover' (deactivation) won't happen quickly enough to make abuse
unprofitable.  Catching pirates in the act will be even tougher than it is in
the wireline telephone industry because of the inherent mobility of mobile
radio.

Automating Fraud

Computer hobbyists and electronics enthusiasts are clever people.  Why should
a cellular service thief 'burn ROMs' and muck with hardware just to install
new IDs in his radio?  No Herculean technology is required to 'hack' a phone
to allow ESN/MIN programming from a keyboard, much like the IMTS phone thumb
wheel switches described above.

Those not so technically inclined may be able to turn to mail-order
entrepreneurs who will offer modification kits for cellular fraud, much as
some now sell telephone toll fraud equipment and pay-TV decoders.

At least one manufacturer is already offering units with keyboard-programmable
MINs.  While intended only for the convenience of dealers and service shops,
and thus not described in customer documentation, knowledgeable and/or
determined end users will likely learn the incantations required to operate
the feature.  Of course this does not permit ESN modification, but easy MIN
reprogrammability alone creates a tremendous liability in today's roaming
environment.

The Rolls Royce of this iniquitous pastime might be a 'Cellular Cache-Box.' It
would monitor reverse setup channels and snarf ESN/MIN pairs off the air,
keeping a list in memory.  Its owner could place calls as on any other
cellphone.  The Cache-Box would automatically select an ESN/MIN pair from its
catalog, use it once and then discard it, thus distributing its fraud over
many accounts.  Neither customer nor service provider is likely to detect the
abuse, much less catch the perpetrator.

As the history of the computer industry shows, it is not far-fetched to
predict explosive growth in telecommunications and cellular that will bring
equipment prices within reach of many experimenters.  Already we have seen the
appearance of first-generation cellular phones on the used market, and new
units can be purchased for well under $1000 in many markets.

How High The Loss?

Subscribers who incur fraudulent charges on their bills certainly can't b
expected to pay them.  How much will fraud cost the carrier?  If the charge is
for home-system airtime only, the marginal cost to the carrier of providing
that service is not as high as if toll charges are involved.  In the case of
toll charges, the carrier suffers a direct cash loss.  The situation is at its
worst when the spoofer pretends to be a roaming user.  Most inter-carrier
roaming agreements to date make the user's home carrier (real or spoofed)
responsible for charges, who would then be out hard cash for toll and airtime
charges.

We have not attempted to predict the dollar losses this chicanery might
generate because there isn't enough factual information information for anyone
to guess responsibly.  Examination of current estimates of long-distance-toll
fraud should convince the skeptic.

Solutions

The problems we have described are basically of two types.  First, the ESN
circuitry in most current mobiles is not tamper-resistant, much less
tamper-proof.  Second and more importantly, the determined perpetrator has
complete access to all information necessary for spoofing by listening to the
radio emissions from valid mobiles because the identification information
(ESN/MIN) is not encrypted and remains the same with each transmission.

Manufacturers can mitigate the first problem by constructing mobiles that more
realistically conform to the EIA requirements quoted above.  The second
problem is not beyond solution with current technology, either.  Well-known
encryption techniques would allow mobiles to identify themselves to the
serving cellular system without transmitting the same digital bit stream each
time.  Under this arrangement, an interloper receiving one transmission could
not just retransmit the same pattern and have it work a second time.

An ancillary benefit of encryption is that it would reasonably protect
communications intelligence--the digital portion of each transaction that
identifies who is calling whom when.

The drawback to any such solution is that it requires some re-engineering in
the Mobile-Land Station Compatibility Specification, and thus new software or
hardware for both mobiles and base stations.  The complex logistics of
establishing a new standard, implementing it, and retrofitting as much of the
current hardware as possible certainly presents a tough obstacle, complicated
by the need to continue supporting the non-encrypted protocol during a
transition period, possibly forever.

The necessity of solving the problem will, however, become apparent.  While we
presently know of no documented cases of cellular fraud, the vulnerability of
the current standards and experience with similar technologies lead us to
conclude that it is inevitable.  Failure to take decisive steps promptly will
expose the industry to a far more expensive dilemma.  XXX


Geoffrey S. Goodfellow is a member of the senior research staff in the
Computer Science Laboratory at SRI International, 333 Ravenswood Ave., Menlo
Park, CA 94025, 415/859-3098.  He is a specialist in computer security and
networking technology and is an active participant in cellular industry
standardization activities.  He has provided Congressional testimony on
telecommunications security and privacy issues and has co-authored a book on
the computer 'hacking' culture.

Robert N. Jesse (2221 Saint Paul St., Baltimore, MD 21218, 301/243-8133) is an
independent consultant with expertise in security and privacy, computer
operating systems, telecommunications and technology management.  He is an
active participant in cellular standardization efforts.  He was previously a
member of the senior staff at The Johns Hopkins University, after he obtained
his BES/EE from Johns Hopkins.

Andrew H. Lamothe, Jr. is executive vice-president of engineering at Cellular
Radio Corporation, 8619 Westwood Center Dr., Vienna, VA 22180, 703/893-2680.
He has played a leading role internationally in cellular technology
development.  He was with Motorola for 10 years prior to joining American
TeleServices, where he designed and engineered the Baltimore/Washington market
trial system now operated by Cellular One.
   --------


A later note indicates that one carrier may be losing something like $180K per
month....





TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH