GSM Mobile Security


Published on

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

GSM Mobile Security

  1. 1. GSM Mobile Security Prepared by: Leen F. Arikat
  2. 2. Introduction <ul><li>With GSM, systems for mobile communication reached a global scale. In the western world, it seems everyone has their own mobile phone, and GSM has taken more and more of the market. </li></ul><ul><li>GSM allows users to roam seamlessly between networks, and separate the user identity from the phone equipment. In addition the GSM system provides the functional basis for the 3rd generation mobile system, UMTS. </li></ul>
  3. 3. Some GSM Facts <ul><li>Nearly 1 billion subscribers worldwide </li></ul><ul><li>Estimated that worldwide mobile phone fraud will reach $40 billion dollars </li></ul><ul><li>US Law enforcement agents have found that 80% of drug dealers arrested in US using cloned mobile phones. </li></ul><ul><li>Ironically, Pablo Escobar the top Columbian drug dealer was tracked down by monitoring his mobile phone activity. </li></ul><ul><li>Two aspects relevant to a Forensic Analyst </li></ul><ul><ul><li>Has the phone been used for a criminal act? </li></ul></ul><ul><ul><li>Can the phone be used to secure a conviction? </li></ul></ul>
  4. 4. Some GSM Facts <ul><li>The European Telecommunication Standards Institute (ETSI) regulates the GSM standard (all 4000 pages of it!). </li></ul><ul><li>Any equipment used on a GSM network has to have approval by the ETSI. </li></ul><ul><li>All MS’s are independent from any network. </li></ul>
  5. 5. What are the components of a GSM network? <ul><li>Subscriber Equipment </li></ul><ul><li>The Mobile Station (MS) is the user equipment in GSM. It is what the user can see of the GSM system. </li></ul><ul><li>The station consists of two entities: </li></ul><ul><li>The Mobile Equipment (the phone itself) </li></ul><ul><li>The Subscriber Identity Module (SIM) </li></ul>
  6. 6. Components of a GSM network (cont..) <ul><li>The Switching System (SS) </li></ul><ul><li>Home Location Register (HLR) - A database which stores data about GSM subscribers, including the Individual Subscriber Authentication Key (Ki) for each Subscriber Identity Module (SIM). </li></ul><ul><li>Mobile Services Switching Center (MSC) - The network element which performs the telephony switching functions of the GSM network. </li></ul><ul><li>Visitor Location Register (VLR) - A database which stores temporary information about roaming GSM subscribers. </li></ul><ul><li>Authentication Center (AUC) - A database which contains the International Mobile Subscriber Identity (IMSI) the Subscriber Authentication key (Ki), and the defined algorithms for encryption. </li></ul><ul><li>Equipment Identity Register (EIR) - A database which contains information about the identity of mobile equipment in order to prevent calls from stolen, unauthorized, or defective mobile stations. </li></ul>
  7. 7. Components of a GSM network (cont..) <ul><li>The Base Station System (BSS) </li></ul><ul><li>Base Station Controller (BSC) - The network element which provides all the control functions and physical links between the MSC and BTS. The BSC provides functions such as handover, cell configuration data, and control of radio frequency (RF) power levels in Base Transceiver Stations. </li></ul><ul><li>Base Transceiver Station (BTS) - The network element which handles the radio interface to the mobile station. The BTS is the radio equipment (transceivers and antennas) needed to service each cell in the network. </li></ul>
  8. 8. Components of a GSM network (cont..) <ul><li>The Operation and Support System (OSS) </li></ul><ul><li>Message Center (MXE) - A network element which provides Short Message Service (SMS), voice mail, fax mail, email, and paging. </li></ul><ul><li>Gateway Mobile Services Switching Center (GMSC) - A network element used to interconnect two GSM networks. </li></ul>
  9. 9. <ul><li>The Subscriber </li></ul>
  10. 10. How to Identify a Subscriber <ul><li>Every mobile subscriber is issued with a smart card called a Subscriber Identity Module (SIM) </li></ul><ul><li>As physical evidence the SIM provides details printed on the surface of; </li></ul><ul><ul><li>Name of the Network Provider </li></ul></ul><ul><ul><li>Unique ID Number </li></ul></ul>
  11. 11. Electronic Access to the SIM <ul><li>Every SIM can be protected by a Personal Identification Number (PIN) </li></ul><ul><ul><li>Set at point of manufacture </li></ul></ul><ul><ul><li>Can be changed by the Subscriber </li></ul></ul><ul><ul><li>Four digit code </li></ul></ul><ul><ul><li>Usually 3 attempts before phone is blocked </li></ul></ul><ul><li>Bypassing the PIN requires the Pin Unblocking Key (PUK) </li></ul><ul><ul><li>8 digit code </li></ul></ul><ul><ul><li>Set by manufacturer </li></ul></ul><ul><ul><li>Maximum 10 attempts before phone i s p ermanently blocked </li></ul></ul>
  12. 12. What Can Be Extracted From A SIM? <ul><li>As SIM is a smart card it has </li></ul><ul><ul><li>A processor </li></ul></ul><ul><ul><li>Non-volatile memory </li></ul></ul><ul><li>Processor is used for providing access to the data and security </li></ul><ul><li>To access the data we need; </li></ul><ul><ul><li>Standard smart card reader </li></ul></ul><ul><ul><li>SIM access Software </li></ul></ul><ul><li>Data stored in binary files </li></ul>
  13. 13. What Can Be Extracted From A SIM? <ul><li>Ideally an Analyst would download an image of the contents and compute a hash value of the contents as a means of validating originality of content </li></ul><ul><li>At present files are downloaded traditionally </li></ul><ul><ul><li>Software </li></ul></ul><ul><ul><ul><li>Sim Manager Pro </li></ul></ul></ul><ul><ul><ul><li>ChipIt </li></ul></ul></ul><ul><ul><ul><li>SimScan </li></ul></ul></ul><ul><ul><li>Cards4Labs only available to Law Enforcement Agencies </li></ul></ul><ul><ul><ul><li>Produces a text report of content rather than downloading. </li></ul></ul></ul><ul><li>29 files stored on a SIM </li></ul>
  14. 14. Location Information File <ul><li>The bytes 5-9 of the LOCI contain the network Location Area Identifier (LAI) code </li></ul><ul><li>Network Operator specific </li></ul><ul><li>This data is retained when the MS is powered down </li></ul><ul><li>Updated as MS moves from one location to another </li></ul><ul><li>Analyst can determine which location the MS was present in when last used. </li></ul><ul><li>Location Areas can contain many cells. </li></ul><ul><li>LOCI DOES NOT DETAIL WHICH CELL! </li></ul><ul><li>Cell data not stored on SIM. </li></ul>11 bytes Location Information LOCI Size Purpose File
  15. 15. Serial Number <ul><li>Integrated Circuit Card Identifier </li></ul><ul><li>Corresponds to the number printed on the surface of the SIM </li></ul><ul><li>Identifies the SIM </li></ul>10 bytes Serial Number ICCID Size Purpose File
  16. 16. Subscriber Identifier <ul><li>International Mobile Subscriber Identity </li></ul><ul><li>As stored in the HLR/VLR’s on the networks </li></ul><ul><li>Unique ID for every subscription on the Operator’s network </li></ul>9 bytes Subscriber ID IMSI Size Purpose File
  17. 17. Phone Number <ul><li>Mobile Station International ISDN number </li></ul>variable Phone Number MSISDN Size Purpose File
  18. 18. Text Message Data (SMS) <ul><li>Short Message Service is a popular communication method </li></ul><ul><li>Most SIM’s have 12 slots for storing messages </li></ul><ul><ul><li>Modern MS’s allow storage on the device as well </li></ul></ul>variable Status of the message SMSS variable Message parameters SMSP n * 176 bytes The text messages SMS Size Purpose File
  19. 19. Text Message Data (SMS) - Status <ul><li>When user deletes a message only the status flag is changed </li></ul><ul><ul><li>Therefore, providing the message has not been overwritten any message in a slot can be recovered and translated using software </li></ul></ul>Mobile originated message, not sent 00000111 Mobile originated message, sent 00000101 Mobile terminated message, unread 00000011 Mobile terminated message, read 00000001 Unused 00000000 Interpretation Value
  20. 20. Threats to SIM Data <ul><li>Knowledgeable criminals will be aware of the properties of the SIM and thus manipulate them. </li></ul><ul><li>Greater threat is that of cloning SIM data for illicit use </li></ul><ul><ul><li>Two key pieces of data </li></ul></ul><ul><ul><ul><li>IMSI </li></ul></ul></ul><ul><ul><ul><li>The data encryption key (Ki) </li></ul></ul></ul><ul><ul><li>IMSI can be obtained; </li></ul></ul><ul><ul><ul><li>Directly from the SIM using a scanning software </li></ul></ul></ul><ul><ul><ul><li>Eaves-dropping on the networks for unencrypted transmission of the IMSI </li></ul></ul></ul><ul><ul><li>Ki cannot normally be obtained directly as it is derived from an encryption algorithm stored on the SIM </li></ul></ul><ul><ul><ul><li>However, if the encryption algorithm is weak then it is possible to feed numbers </li></ul></ul></ul>
  21. 21. Threats to SIM Data <ul><li>Obtaining blank SIMs </li></ul><ul><ul><li>These cards can be ordered from the same source where network providers get their cards. </li></ul></ul><ul><ul><li>The card must then be programmed with a special tool for programming of fresh cards. Such a tool is distributed together with the Sim-Scan package. </li></ul></ul><ul><ul><li>An attacker could also get hold of a generic smart card and smart card programmer, and then program the card to act as a SIM. </li></ul></ul>
  22. 22. <ul><li>The Equipment </li></ul>
  23. 23. Generic Properties <ul><li>All MS’s have GSM standards on how they access and communicate with the network and SIM card </li></ul><ul><li>Every MS has a unique ID called the International Mobile Equipment Identity (IMEI) </li></ul><ul><li>Everything else is manufacturer dependent </li></ul><ul><ul><li>File system </li></ul></ul><ul><ul><li>Features </li></ul></ul><ul><ul><li>Interface </li></ul></ul><ul><ul><li>Etc. </li></ul></ul><ul><li>Have to request the SIM PIN if activated </li></ul><ul><li>May have optional MS PIN </li></ul>
  24. 24. MS Data <ul><li>Very much dependent on the model, may include; </li></ul><ul><ul><li>IMEI </li></ul></ul><ul><ul><li>Short Dial Numbers </li></ul></ul><ul><ul><li>Text/Multimedia Messages </li></ul></ul><ul><ul><li>Settings (languge, date/time, tone/volume etc) </li></ul></ul><ul><ul><li>Stored Audio Recordings </li></ul></ul><ul><ul><li>Stored images/multimedia </li></ul></ul><ul><ul><li>Stored Computer Files </li></ul></ul><ul><ul><li>Logged incoming calls and dialled numbers </li></ul></ul><ul><ul><li>Stored Executable Progams (eg J2ME) </li></ul></ul><ul><ul><li>Stored Calendar Events </li></ul></ul><ul><ul><li>GPRS, WAP and Internet settings </li></ul></ul>
  25. 25. Threats to MS Data <ul><li>Tools such as Flashers and Data Suites can be used to directly manipulate MS data </li></ul><ul><li>Common threat is removing the Service Provider Lock (SP-Lock) limiting the MS to a single networked. </li></ul><ul><li>Changing the IMEI on stolen phones </li></ul><ul><ul><ul><li>Networks blacklist stolen IMEI’s in the EIR. </li></ul></ul></ul><ul><ul><ul><li>Can also be used to avoid tracing an MS. </li></ul></ul></ul><ul><ul><li>Detecting changes to the IMEI </li></ul></ul><ul><ul><ul><li>Compare the electronic IMEI with that printed on the inside of the device </li></ul></ul></ul>
  26. 26. <ul><li>The Network </li></ul>
  27. 27. Network Operator Data <ul><li>The Network Operators can provide detailed data on calls made/received, message traffic, data transferred and connection location/timing </li></ul><ul><li>The HLR can provide; </li></ul><ul><ul><li>Customer name and address </li></ul></ul><ul><ul><li>Billing name and address (if other than customer) </li></ul></ul><ul><ul><li>User name and address (if other than customer) </li></ul></ul><ul><ul><li>Billing account details </li></ul></ul><ul><ul><li>Telephone Number (MSISDN) </li></ul></ul><ul><ul><li>IMSI </li></ul></ul><ul><ul><li>SIM serial number (as printed on the SIM-card) </li></ul></ul><ul><ul><li>PIN/PUK for the SIM </li></ul></ul><ul><ul><li>Subscriber Services allowed </li></ul></ul>
  28. 28. The Call Data Records (CDR’s) <ul><li>Produced in the originating MSC transferred to the OMC </li></ul><ul><ul><li>Every call </li></ul></ul><ul><ul><li>Every message </li></ul></ul><ul><li>Each CDR contains; </li></ul><ul><ul><li>Originating MSISDN </li></ul></ul><ul><ul><li>Terminating MSISDN </li></ul></ul><ul><ul><li>Originating and terminating IMEI </li></ul></ul><ul><ul><li>Duration of call </li></ul></ul><ul><ul><li>Type of Service </li></ul></ul><ul><ul><li>Initial serving Base Station (BTS) (not subsequent BTSs after handover) </li></ul></ul>
  29. 29. Threats to Network Operator <ul><li>GSM not immune to interception </li></ul><ul><li>It is possible for the network to order the MS to switch on and off encryption at times of high loading </li></ul><ul><ul><li>This signal can be spoofed using a man-in-the-middle attack </li></ul></ul>
  30. 30. GSM Security Operation <ul><li>GSM networks utilize encryption for three purposes: </li></ul><ul><li>Authentication </li></ul><ul><li>Encryption </li></ul><ul><li>Key generation </li></ul>
  31. 31. GSM Security Operation (Cont..) <ul><li>GSM provides authentication of users and encryption of the traffic across the air interface. </li></ul><ul><li>This is accomplished by giving the user and network a shared secret, called Ki. This 128-bit number is stored on the SIM-card, and is not directly accessible to the user. </li></ul><ul><li>Each time the mobile connects to the network, the network authenticates the user by sending a random number (challenge) to the mobile. </li></ul><ul><li>The SIM then uses an authentication algorithm to compute an authentication token SRES using the random number and Ki. </li></ul>
  32. 32. GSM Security Operation (Cont..) <ul><li>The mobile sends the SRES back to the network which compares the value with an independently computed SRES. </li></ul><ul><li>At the same time, an encryption key Kc is computed. This key is used for encryption of subsequent traffic across the air interface. </li></ul><ul><li>Thus, even if an attacker listening to the air traffic could crack the encryption key Kc, the attack would be of little value, since this key changes each time the authentication procedure is performed </li></ul>
  33. 33. Forensics Tools <ul><li>SIMIS </li></ul><ul><li>SIM card Interrogation System is the world's leading forensic tool for examining SIM cards forensically.  </li></ul><ul><li>Used throughout the world since 1997, SIMIS has become an integral tool for law enforcement and digital investigators. </li></ul><ul><li>The SIMIS desktop software has been evaluated by the DoD, and is complimented by a mobile handheld device for data collection in the field </li></ul>
  34. 34. Forensics Tools <ul><li>Cell Seizure: </li></ul><ul><li>Paraben Cell Seizure is a piece of software that serves the main purpose of collection and examining data pulled from various types of cell phones . </li></ul>
  35. 35. Cell Seizure Tool <ul><li>The main goal of Cell Seizure is to organize and report various types of files. </li></ul><ul><li>Cell Seizure is able to generate comprehensive HTML reports of acquired data. </li></ul><ul><li>The software is able to retrieve deleted files and check for file integrity . </li></ul>
  36. 36. Advantages of Cell Seizure <ul><li>It is designed not to change the data stored on the SIM card or cell phone . In other words, all of the data can be examined while keeping the process undetected. </li></ul><ul><li>In fact, even some forensic software warns of possible data loss. Cell Seizure does not allow data to be changed on the phone . </li></ul>
  37. 37. Disadvantages of Cell Seizure <ul><li>It does not support all models of cell phones. However, this application can acquire information from most models made by the following companies: Nokia , LG , Samsung , Siemens , Motorola , Sony-Ericcson , and can also acquire GSM SIM Cards . </li></ul><ul><li>Another disadvantage would be that the format of acquired data can sometimes be confusing. The data is not organized nice and neat and given to the user in a way that they can easily understand what they are seeing. </li></ul>
  38. 38. Cell Seizure Features <ul><li>Supports GSM , TDMA , and CDMA cell phones </li></ul><ul><li>Acquires text messages, address books, call logs, etc. </li></ul><ul><li>Acquires complete GSM SIM card </li></ul><ul><li>Recovers deleted data and full flash downloads </li></ul><ul><li>Supports multiple languages </li></ul><ul><li>Contains comprehensive HTML reporting and other reporting formats </li></ul><ul><li>Provides advanced searching including text & hex values </li></ul><ul><li>Contains viewers for proprietary media file formats </li></ul><ul><li>Allows viewing of multiple workspaces at one time </li></ul>
  39. 39. Conclusion <ul><li>The sources of evidence </li></ul><ul><ul><li>The subscriber </li></ul></ul><ul><ul><li>The mobile station </li></ul></ul><ul><ul><li>The network </li></ul></ul><ul><li>Since GSM is the worlds largest system for mobile communication today and also lay the foundation for the future UMTS, it is important to recognize the need to study the methods and tools for forensic analysis of the GSM system. </li></ul>