Tuesday 31 August 2010
EDGE evolution to REDHOT
Tuesday 3 August 2010
Double whammy for GSM Security
How does the GSM snooping work?
Chris Paget was able to patch together an IMSI (International Mobile Subscriber Identity) catcher device for about $1500. The IMSI catcher can be configured to impersonate a tower from a specific carrier. To GSM-based cell phones in the immediate area, the spoofed cell tower appears to be the strongest signal, so the devices connect to it, enabling the fake tower to intercept outbound calls from the cell phone.
What happens to the calls?
Calls are intercepted, but can be routed to the intended recipient so the attacker can listen in on, and/or record the conversation. To the real carrier, the cell phone appears to no longer be connected to the network, so inbound calls go directly to voicemail. Paget did clarify, though, that it's possible for an attacker to impersonate the intercepted device to the wireless network, enabling inbound calls to be intercepted as well.
But, aren't my calls encrypted?
Generally speaking, yes. However, the hacked IMSI catcher can simply turn the encryption off. According to Paget, the GSM standard specifies that users should be warned when encryption is disabled, but that is not the case for most cell phones. Paget explained "Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers."
What wireless provider networks are affected?
Good news for Sprint and Verizon customers: those networks use CDMA technology rather than GSM, so cell phones on the Sprint or Verizon networks would not connect to a spoofed GSM tower. However, AT&T and T-Mobile, as well as most major carriers outside of the United States, rely on GSM.
Does 3G protect me from this hack?
This IMSI catcher hack will not work on 3G, but Paget explained that the 3G network could be knocked offline with a noise generator and an amplifier, equipment that Paget acquired for less than $1000. With the 3G network out of the way, most cell phones will revert to 2G to find a viable signal to connect to.
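The "users should be warned when encryption is disabled" rule above is the GSM ciphering indicator. As an added illustration (not code from the original post), here is a handset-side check of that rule run over a constructed session in which a rogue cell orders ciphering off; the Cipher Mode Setting bit layout and the EF_AD indicator bit are my reading of the 3GPP specs and are labelled as assumptions in the code.

```python
from typing import Dict, List

# Added example, not from the original post: a handset-side check of the
# "ciphering indicator" rule the GSM spec requires, run over a constructed
# sequence of Ciphering Mode Commands. Assumptions: the 4-bit Cipher Mode
# Setting layout (SC in bit 1, algorithm identifier in bits 4..2) is my
# reading of 3GPP TS 44.018 10.5.2.9, and the indicator enable bit is b1 of
# byte 3 of EF_AD on the (U)SIM, my reading of 3GPP TS 31.102.

ALGORITHMS = {0: "A5/1", 1: "A5/2", 2: "A5/3", 3: "A5/4",
              4: "A5/5", 5: "A5/6", 6: "A5/7"}


def decode_cipher_mode_setting(ie: int) -> Dict[str, object]:
    """Decode the 4-bit Cipher Mode Setting IE of a Ciphering Mode Command."""
    start_ciphering = bool(ie & 0x1)      # SC: 0 = no ciphering, 1 = start ciphering
    algo_id = (ie >> 1) & 0x7             # algorithm identifier (only meaningful when SC=1)
    if not start_ciphering:
        return {"ciphering": False, "algorithm": "A5/0 (none)"}
    return {"ciphering": True, "algorithm": ALGORITHMS.get(algo_id, "reserved")}


def ciphering_indicator_enabled(ef_ad: bytes) -> bool:
    """True when the SIM's administrative data enables the ciphering indicator
    (assumed: byte 3, bit b1 of EF_AD). A phone that ignores the indicator
    behaves exactly as if this bit were clear."""
    return len(ef_ad) >= 3 and bool(ef_ad[2] & 0x01)


def evaluate_session(ef_ad: bytes, commands: List[int]) -> List[Dict[str, object]]:
    """Apply the rule: warn the user for every command that leaves the link
    unciphered while the SIM has the indicator enabled."""
    indicator = ciphering_indicator_enabled(ef_ad)
    events = []
    for ie in commands:
        setting = decode_cipher_mode_setting(ie)
        events.append({**setting, "warn_user": indicator and not setting["ciphering"]})
    return events


# Constructed data: EF_AD with the indicator enabled (and a variant with it
# off), then a session in which the genuine network starts A5/1 and a rogue
# cell later orders no ciphering at all.
EF_AD_INDICATOR_ON = bytes([0x00, 0x00, 0x01, 0x02])
EF_AD_INDICATOR_OFF = bytes([0x00, 0x00, 0x00, 0x02])
SESSION = [0x01,  # SC=1, algorithm 000 -> A5/1
           0x00]  # SC=0 -> ciphering turned off

if __name__ == "__main__":
    for ev in evaluate_session(EF_AD_INDICATOR_ON, SESSION):
        print(ev)
```

With the indicator off (the behaviour the article attributes to most handsets) the second command produces no warning, which is exactly the gap the IMSI catcher relies on.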
A researcher released software at the Black Hat conference on Thursday designed to let people test whether their calls on mobile phones can be eavesdropped on.
The public availability of the software, dubbed Airprobe, means that anyone with the right hardware can snoop on other people's calls unless the target telecom provider has deployed a patch that was standardized about two years ago by the GSMA, the trade association representing GSM (Global System for Mobile Communications) providers, including AT&T and T-Mobile in the U.S.
Most telecom providers have not patched their systems, said cryptography expert Karsten Nohl.
"This talk will be a reminder to this industry to please implement these security measures because now customers can test whether they've patched the system or not," he told CNET in an interview shortly before his presentation. "Now you can listen in on a stranger's phone calls with very little effort."
An earlier incarnation of Airprobe was incomplete so Nohl and others worked to make it usable, he said.
Airprobe offers the ability to record and decode GSM calls. When combined with a set of cryptographic tools called Kraken, which were released last week, "even encrypted calls and text messages can be decoded," he said.
To test phones for interception capability you need: the Airprobe software and a computer; a programmable radio for the computer, which costs about $1,000; access to cryptographic rainbow tables that provide the codes for cracking GSM crypto (another Nohl project); and the Kraken tool for cracking the A5/1 crypto used in GSM, Nohl said.
More information about the tool and the privacy issues is on the Security Research Labs Web site.
Monday 1 March 2010
GSM-UMTS Network migration towards LTE
A reported 130 operators around the world have written LTE into their technology roadmaps. In December 2009, TeliaSonera launched the world’s first LTE networks in Norway and Sweden and an estimated 17 operators are expected to follow in its footsteps in 2010.
Thursday 11 February 2010
UICC and USIM in 3GPP Release 8 and Release 9
In the good old days of GSM, the SIM was a physical card with the GSM "application" on it (GSM 11.11).
In the brave new world of 3G+, the UICC is the physical card with basic logical functionality (based on 3GPP TS 31.101) and the USIM is a 3G application on the UICC (3GPP TS 31.102). The UICC can contain multiple applications, such as the SIM (for GSM), USIM and ISIM (for IMS). There is an interesting Telenor presentation on the present and future of the UICC which may be worth a read. See references below.
The UICC was originally known as the "UMTS IC card". The incorporation of the ETSI UMTS activities into the more global perspective of 3GPP required a change of this name, so it became the "Universal Integrated Circuit Card". Similarly, USIM (UMTS Subscriber Identity Module) became the Universal Subscriber Identity Module.
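The multi-application model above is visible on the card itself: the UICC's EF_DIR file lists one application template per hosted application. As an added example (not code from the original post or any of the referenced papers), the parser below decodes constructed EF_DIR records into the SIM/USIM/ISIM applications they describe; the record layout and the 3GPP RID and application codes are my reading of the ETSI specs and are labelled as assumptions in the code.

```python
from typing import Dict, List, Optional

# Added example, not from the original post: list the applications a UICC hosts
# by parsing EF_DIR records. The record layout (a '61' application template
# wrapping a '4F' AID and an optional '50' label, FF-padded) is my reading of
# ETSI TS 102 221; the 3GPP RID A000000087 with application codes 1002 (USIM)
# and 1004 (ISIM) is my reading of ETSI TS 101 220. All records are constructed.

RID_3GPP = bytes.fromhex("A000000087")
APP_CODES = {b"\x10\x02": "USIM", b"\x10\x04": "ISIM"}

def parse_tlvs(data: bytes) -> List[tuple]:
    """Split a simple TLV string (one-byte tag, one-byte length) into (tag, value)."""
    out, i = [], 0
    while i < len(data):
        tag = data[i]
        if tag == 0xFF:                     # padding marks the end of the record
            break
        if i + 1 >= len(data):
            raise ValueError("tag without length")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        out.append((tag, value))
        i += 2 + length
    return out

def classify_aid(aid: bytes) -> str:
    """Map an AID to USIM/ISIM by its RID and application code."""
    if aid[:5] == RID_3GPP:
        return APP_CODES.get(aid[5:7], "3GPP (other)")
    return "non-3GPP"

def parse_ef_dir_record(record: bytes) -> Optional[Dict[str, str]]:
    """Decode one record; None for an unused (all-FF) record."""
    tlvs = parse_tlvs(record)
    if not tlvs:
        return None
    tag, template = tlvs[0]
    if tag != 0x61:
        raise ValueError(f"expected application template 0x61, got {tag:#x}")
    fields = dict(parse_tlvs(template))
    if 0x4F not in fields:
        raise ValueError("application template without AID")
    aid = fields[0x4F]
    label = fields.get(0x50, b"").decode("ascii", "replace")
    return {"aid": aid.hex().upper(), "label": label, "kind": classify_aid(aid)}

def list_applications(records: List[bytes]) -> List[Dict[str, str]]:
    return [app for app in map(parse_ef_dir_record, records) if app is not None]

def make_record(aid: bytes, label: bytes, size: int = 30) -> bytes:
    """Build a constructed EF_DIR record in the layout described above."""
    body = bytes([0x4F, len(aid)]) + aid + bytes([0x50, len(label)]) + label
    rec = bytes([0x61, len(body)]) + body
    return rec + b"\xFF" * (size - len(rec))

SAMPLE_EF_DIR = [  # constructed: a USIM, an ISIM, and one unused record
    make_record(bytes.fromhex("A0000000871002FFFFFFFF8907090000"), b"USIM"),
    make_record(bytes.fromhex("A0000000871004FFFFFFFF8907090000"), b"ISIM"),
    b"\xFF" * 30,
]
```

Calling `list_applications(SAMPLE_EF_DIR)` yields the USIM and ISIM entries and skips the padding record.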
The following is from the 3G Americas Whitepaper on Mobile Broadband:
UICC (3GPP TS 31.101) remains the trusted operator anchor in the user domain for LTE/SAE, leading to evolved applications and security on the UICC. With the completion of Rel-8 features, the UICC now plays significant roles within the network.
Some of the Rel-8 achievements from standards (ETSI, 3GPP) are in the following areas:
USIM (TS 31.102)
With Rel-8, all USIM features have been updated to support LTE and new features to better support non-3GPP access systems, mobility management, and emergency situations have been adopted.
The USIM is mandatory for the authentication and secure access to EPC even for non-3GPP access systems. 3GPP has approved some important features in the USIM to enable efficient network selection mechanisms. With the addition of CDMA2000 and HRPD access technologies into the PLMN, the USIM PLMN lists now enable roaming selection among CDMA, UMTS, and LTE access systems.
Taking advantage of its high security, USIM now stores mobility management parameters for SAE/LTE. Critical information like location information or EPS security context is to be stored in USIM rather than the device.
USIM in LTE networks is not just a matter of digital security but also physical safety. The USIM now stores the ICE (In Case of Emergency) user information, which is now standardized. This feature allows first responders (police, firefighters, and emergency medical staff) to retrieve medical information such as blood type, allergies, and emergency contacts, even if the subscriber lies unconscious.
3GPP has also approved the storage of the eCall parameters in USIM. When activated, the eCall system establishes a voice connection with the emergency services and sends critical data including time, location, and vehicle identification, to speed up response times by emergency services. ECalls can be generated manually by vehicle occupants or automatically by in-vehicle sensors.
TOOLKIT FEATURES IMPROVEMENT (TS 31.111)
New toolkit features have been added in Rel-8 for the support of NFC, M2M, OMA-DS, DM and to enhance coverage information.
The contactless interface has now been completely integrated with the UICC to enable NFC use cases where UICC applications proactively trigger contactless interfaces.
Toolkit features have been updated for terminals with limited capabilities (e.g. datacard or M2M wireless modules). These features will be notably beneficial in the M2M market where terminals often lack a screen or a keyboard.
UICC applications will now be able to trigger OMA-DM and DS sessions to enable easier device support and data synchronization operations, as well as interact in DVB networks.
Toolkit features have been enriched to help operators in their network deployments, particularly with LTE. A toolkit event has been added to inform a UICC application of a network rejection, such as a registration attempt failure. This feature will provide important information to operators about network coverage. Additionally, a UICC proactive command now allows the reporting of the signal strength measurement from an LTE base station.
CONTACT MANAGER
Rel-8 defined a multimedia phone book (3GPP TS 31.220) for the USIM based on OMA-DS and its corresponding JavaCard API (3GPP TS 31.221).
REMOTE MANAGEMENT EVOLUTION (TS 31.115 AND TS 31.116)
With IP sessions becoming prominent, an additional capability to multiplex the remote application and file management over a single CAT_TP link in a BIP session has been completed. Remote sessions to update the UICC now benefit from additional flexibility and security with the latest addition of the AES algorithm rather than a simple DES algorithm.
CONFIDENTIAL APPLICATION MANAGEMENT IN UICC FOR THIRD PARTIES
The security model in the UICC has been improved to allow the hosting of confidential (e.g. third party) applications. This enhancement was necessary to support new business models arising in the marketplace, with third party MVNOs, M-Payment and Mobile TV applications. These new features notably enable UICC memory rental, remote secure management of this memory and its content by the third party vendor, and support new business models supported by the Trusted Service Manager concept.
SECURE CHANNEL BETWEEN THE UICC AND TERMINAL
A secure channel solution has been specified that enables a trusted and secure communication between the UICC and the terminal. The secure channel is also available between two applications residing respectively on the UICC and on the terminal. The secure channel is applicable to both ISO and USB interfaces.
RELEASE 9 ENHANCEMENTS: UICC: ENABLING M2M AND FEMTOCELLS
The role of femtocell USIM is increasing in provisioning information for Home eNodeB, the 3GPP name for femtocell. USIMs inside handsets provide a simple and automatic access to femtocells based on operator and user-controlled Closed Subscriber Group list.
Work is ongoing in 3GPP for the discovery of surrounding femtocells using toolkit commands. Contrary to macro base stations deployed by network operators, a femtocell location is out of the control of the operator since a subscriber can purchase a Home eNodeB and plug it anywhere at any time. A solution based on the USIM toolkit feature will allow the operator to identify the femtocells serving a given subscriber. Operators will be able to adapt their services based on the femtocells available.
The upcoming releases will develop and capitalize on the IP layer for UICC remote application management (RAM) over HTTP or HTTPS. The network can also send a push message to UICC to initiate a communication using TCP protocol.
Additional guidance is also expected from the future releases with regards to the M2M dedicated form factor for the UICC that is currently under discussion to accommodate environments with temperature or mechanical constraints surpassing those currently specified by the 3GPP standard.
Some work is also expected to complete the picture of a full IP UICC integrated in IP-enabled terminal with the migration of services over EEM/USB and the capability for the UICC to register on multicast based services (such as mobile TV).
Further Reading:
- Business perspective and Mobile service offer through Future SIM - Telenor (http://www.ux.uis.no/atc08/workshop/Larsen.pdf)
- The role of the UICC in Long Term Evolution all IP networks - Gemalto (http://www.gemalto.com/telecom/download/lte_gemalto_whitepaper.pdf)
- Technical White Paper: Smart Card in IMS - 3G Americas (http://www.3gamericas.org/documents/GEM_WP_IMS.pdf)
- 3GPP TS 31.101: UICC-terminal interface; Physical and logical characteristics (http://www.3gpp.org/ftp/Specs/archive/31_series/31.101/)
- 3GPP TS 31.102: Universal Subscriber Identity Module (USIM) application (http://www.3gpp.org/ftp/Specs/archive/31_series/31.102/)
- 3GPP TS 31.111: Universal Subscriber Identity Module (USIM) Application Toolkit (USAT) (http://www.3gpp.org/ftp/Specs/archive/31_series/31.111/)
- 3GPP TS 31.115: Secured packet structure for (Universal) Subscriber Identity Module (U)SIM Toolkit applications (http://www.3gpp.org/ftp/Specs/archive/31_series/31.115/)
- 3GPP TS 31.116: Remote APDU Structure for (U)SIM Toolkit applications (http://www.3gpp.org/ftp/Specs/archive/31_series/31.116/)
- 3GPP TS 31.220: Characteristics of the Contact Manager for 3GPP UICC applications (http://www.3gpp.org/ftp/Specs/archive/31_series/31.220/)
- 3GPP TS 31.221: Contact Manager Application Programming Interface (API); Contact Manager API for Java Card™ (http://www.3gpp.org/ftp/Specs/archive/31_series/31.221/)
Thursday 17 September 2009
Wireless Subscribers Forecast 2014
Source: Informa Telecoms & Media, WCIS+, June 2009
Thursday 27 August 2009
Security of Mobiles and Networks to be tested soon
In comments made to the German edition of the Financial Times, the hacking group claims that governments, and criminals, are already using the technique which can break the encryption used to protect 2G GSM calls in near-real time using existing systems. The group says a public exposure of the technique will take place in the next month or two and allow anyone equipped with a laptop and an antenna to listen in to GSM phone calls.
Wednesday 8 July 2009
Wireless Cellular Security
There are lots of interesting Questions and Answers. One interesting one is:
Does number portability mean that data within an AuC is compromised?
Not really. Number portability does not mean sensitive data from the old AuC are transferred to the new AuC. The new operator will issue a new USIM which will have a new IMSI. Number portability only means that the MSISDN is kept the same for others to call the mobile. The translation between MSISDN and IMSI is done at a national level register. Such a translation will identify the Home PLMN and the HLR that needs to be contacted for an incoming call.
That’s the theory and that’s how it should be done. It will be interesting to know how operators in India do this.
You can read all the Q&As here.
I wrote a tutorial on UMTS security many years back. It's available here.
Thursday 5 February 2009
GSM: Architecture, Protocols and Services
There is a new book on GSM in the market. It makes me wonder: since we are all focusing on 3.6G, 3.75G, 3.9G, 4G, etc., what would be the point of a GSM book?
The following is from the preface of the book:
The GSM family (GSM, GPRS, EDGE) has become one of the most successful technical innovations in history. As of June 2008, more than 2.9 billion subscribers were using GSM, corresponding to a market share of more than 81%, and its story continues, even now, despite the introduction and development of next-generation systems such as IMT-2000 or UMTS (3G) and even systems beyond 3G, dubbed IMT-Advanced.
At the same time, wireless local area networks have substantially expanded the wireless market, sometimes drawing market share from GPRS and 3G (e.g. in public WiFi hotspots), sometimes coexisting (e.g. in UMTS home routers used as a replacement for fixed wire connections). However, these are used typically for low mobility applications. Mobile communication with all of its features and stability has become increasingly important: cellular and GSM technology, plus, of course, lately 3G, GSM's sister technology, so to say.
Another impressive trend has emerged since our last edition: the permanent evolution in the handheld market, producing fancy mobile phones with cameras, large memory, MP3 players, Email clients and even satellite navigation. These features enable numerous nonvoice or multimedia applications, from which, of course, only a subset is or will be successful on the market.
In this third edition, we concentrate again on the architecture, protocols and operation of the GSM network and outline and explain the innovations introduced in recent years. The main novelties in this book are the presentation of capacity enhancement methods such as sectorization, the application of adaptive antennas for Spatial Filtering for Interference Reduction (SFIR) and Space Division Multiple Access (SDMA), a detailed introduction to HSCSD and EDGE for higher data rates, and an update of the available GSM services, specifically introducing the Multimedia Messaging Service (MMS).
I think that GSM is going to be the fallback option for most of the new technologies due to its worldwide deployment, so now is the time for us to brush up on our GSM concepts.
Friday 22 June 2007
2.5 Billion GSM Subscribers Worldwide
Today, 3G Americas reports that the number of GSM mobile wireless subscribers worldwide has reached 2.5 billion, a stunning 400% increase in GSM subscribers from only six years ago, according to the estimates of Informa's World Cellular Information Service. Every day, there are more than one million new additions to the GSM family of technology users receiving service from one of 700 commercial GSM networks across 218 countries and territories around the world.
“It’s unprecedented for almost any global industry to achieve the growth and success demonstrated by the GSM family of technologies, with an estimated 2.5 billion global customers today,” stated Chris Pearson, President of 3G Americas. “This level of wireless technology growth exceeds that of almost all other lifestyle-changing innovations.”
Looking back, it was almost one hundred years ago when the first so-called "mobile" phone call was made by Lars Ericsson in 1910— although not wireless, as Ericsson attached wires to a telephone pole terminal to make his call while on the road. 2007 marks the 60th anniversary of AT&T and Bell Laboratories' 1947 invention of the cellular phone. Today, it is estimated that more than 37% of the world's 6.6 billion people (US Census Bureau) use GSM technology.
GSM subscribers, including nearly 130 million UMTS/HSDPA subscriptions, currently comprise nearly 85% of the global mobile wireless market. GSM became the dominant Latin American mobile wireless technology in less than a decade since its launch in the region in 1998, acquiring 2 million subscribers by the year 2000, and 200 million by end of year 2006. The GSM family now serves 331 million customers in all the Americas as of 1Q 2007, and is available in every single country. This market leadership is due to the numerous technical and economic benefits of the GSM family of technologies for both operators and their customers.
GSM technologies, including GPRS, EDGE and UMTS/HSPA, offer overwhelming advantages in terms of global scope, scale, international roaming and service that are still unmatched by other mobile wireless technologies. As of May 2007, there are 169 UMTS operators in service across 71 countries, and 117 of those operators in 59 countries have deployed an enhanced version of UMTS called HSDPA. Additionally, nearly all UMTS/HSDPA devices manufactured today include the EDGE technology as the compatible fallback technology, allowing for global roaming and delivery of high-speed wireless data services.
HSPA (HSDPA/HSUPA) technology is poised to be the leading mobile broadband technology for the rest of the decade, outpacing alternative mobile broadband technologies by leveraging on the current installed base of the GSM family of technologies and providing the most efficient solution. It is expected that almost all GSM/EDGE operators will someday migrate to HSPA technology.
Pearson continued, “While other technologies are grabbing attention, HSPA is being rolled out around the world, separating future promise from that which is available today. Building upon the enormous foundation of customers and commercial deployment of GSM, and the broad research and development by vendors, HSPA will continue in its mobile broadband leadership position for years to come.”
For white papers, statistics and more information on the GSM family of technologies, visit http://www.3gamericas.org/.
About 3G Americas: Unifying the Americas through Wireless Technology
The mission of 3G Americas is to promote and facilitate the seamless deployment throughout the Americas of GSM and its evolution to 3G and beyond. The organization fully supports the Third Generation (3G) technology migration strategy to EDGE and UMTS/HSPA adopted by many operators in the Americas. The GSM family of technologies accounts for 85% of wireless mobile customers worldwide. 3G Americas is headquartered in Bellevue, WA with an office for Latin America and the Caribbean in Dallas, TX. For more information, visit our website at http://www.3gamericas.org/.
About Informa Telecoms & Media
Informa Telecoms & Media provides business intelligence and strategic services to the global telecoms and media markets. All of our products and services - from news, trend analysis and forecasting to industry data, face-to-face events and training - are driven by our deep understanding of the markets we serve and by our goal to help our clients make better business decisions. http://www.informatm.com/