May 28th, 2004, 10:49 AM
With the amazing advent of the cell phone in the past decade, I thought it'd be interesting to have some information on how they actually communicate, some different cellular technologies and a few vulnerabilities in cell phone systems. NOTE: This tutorial is not a comprehensive guide on the subject by any means, and for reasons of brevity I've condensed the subject matter; search Google if you want more.
The revolutionary concept that made cell phones so popular was their size. In any electronic circuit the size of the components depends on the power supply: the more power, the larger the components, and vice versa. The other problem early cell phones faced, of course, was that there simply wasn't enough bandwidth to go round for a large number of users. Enter frequency reuse: the service area of a cellular network is divided into a number of 'cells', each covered by its own tower (base station). Because phones and towers transmit at very low power, a frequency used in one cell has faded out by the time it reaches a cell a couple of cells away, so the same frequency can be reused there (adjacent cells are given different frequencies to avoid interference). All towers are linked to a central MTSO (Mobile Telephone Switching Office), which is what actually sets up your calls.
How calls are actually made:
Before we get into this, there's the not so little matter of authentication, so that your provider actually knows you're a legitimate user. When someone turns on their phone, it listens for a SID (System Identification Code) on a control channel. (The bandwidth allotted to a provider is generally divided into two parts: control channels and voice channels. Control channels are frequencies used to register and authenticate a phone and to carry call-setup details such as which channel to tune to. A voice channel is a frequency pair, one frequency per direction, assigned to you temporarily for the duration of a call.) The phone compares the SID it hears with the SID programmed into it (in the analog and TDMA systems described below the SID lives in the phone's own memory; a GSM phone keeps its subscriber identity on the SIM card instead). If they match, you're on your home system; if they don't, you're roaming on another operator's system. The phone then transmits a registration request so that the home system (provider) knows which cell you're currently in. If it can't hear any control channel, the phone shows 'network unavailable' or 'no service'. If you decide to make a call, the MTSO assigns you a free frequency pair in your cell and sets up the call for you. If someone calls you, the MTSO routes the call to the tower of the cell you last registered in, and hence you get the call. The tower you're in also monitors your phone's signal strength. As you move toward the edge of your cell, your signal at the serving tower weakens while the tower in the adjacent cell you're approaching sees it grow stronger. At some point the MTSO tells your phone to switch from its frequency pair in the original cell to a pair in the new one. This is a handoff (or handover); note that it is not 'roaming', which is the SID-mismatch case above, where you're being served by a system other than your home one. Like the TCP handshake your browser performs with a site, all of this takes at most a second or two, and you don't notice it.
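A toy model of the registration, channel-assignment and handoff steps above, as an added example that is not part of the original post and is not any carrier's real signalling: the SID values, frequency pairs, dBm readings and the 6 dB handoff margin are assumptions chosen for the illustration. It shows the two things the paragraph glosses over: that a SID mismatch means 'roaming' rather than a handoff, and that a handoff releases the old cell's voice pair for reuse and can be refused when the new cell has no free pair.

```python
"""Toy model of analog-era registration, voice-channel assignment and handoff.

Added illustration only: not the original post's code and not a real
MTSO/phone protocol. SIDs, frequency pairs, signal readings (dBm) and the
6 dB handoff margin are assumed values chosen for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HANDOFF_MARGIN_DB = 6.0   # neighbour must beat the serving cell by this much (assumed)


@dataclass
class Cell:
    name: str
    sid: int                                   # SID broadcast on this cell's control channel
    free_pairs: List[Tuple[float, float]]      # unused (forward, reverse) MHz voice pairs
    rssi: Dict[str, float] = field(default_factory=dict)   # MIN -> measured signal, dBm


@dataclass
class Phone:
    min: str            # Mobile Identification Number
    esn: str            # Electronic Serial Number
    home_sid: int       # SID programmed into the phone
    serving: Optional[Cell] = None
    voice_pair: Optional[Tuple[float, float]] = None
    log: List[str] = field(default_factory=list)


class MTSO:
    """Switching office: owns the cells, registers phones, assigns pairs, orders handoffs."""

    def __init__(self, cells: List[Cell]):
        self.cells = {c.name: c for c in cells}

    def register(self, phone: Phone, cell_name: str) -> str:
        """Phone hears the SID on the control channel and compares it with its own."""
        cell = self.cells[cell_name]
        status = "home" if cell.sid == phone.home_sid else "roaming"
        phone.serving = cell
        phone.log.append(f"REG {phone.min}/{phone.esn} cell={cell.name} sid={cell.sid} {status}")
        return status

    def setup_call(self, phone: Phone) -> Optional[Tuple[float, float]]:
        """Assign a free voice pair in the serving cell, or refuse if none is left."""
        cell = phone.serving
        if cell is None or not cell.free_pairs:
            phone.log.append("CALL REFUSED: no voice channel available")
            return None
        phone.voice_pair = cell.free_pairs.pop(0)
        phone.log.append(f"ASSIGN {phone.voice_pair} cell={cell.name}")
        return phone.voice_pair

    def check_handoff(self, phone: Phone) -> Optional[str]:
        """Hand off to the strongest neighbour if it beats the serving cell by the margin."""
        cur = phone.serving
        if cur is None or phone.voice_pair is None:
            return None
        cur_db = cur.rssi.get(phone.min, -999.0)
        best = max(self.cells.values(), key=lambda c: c.rssi.get(phone.min, -999.0))
        if best is cur or best.rssi.get(phone.min, -999.0) - cur_db < HANDOFF_MARGIN_DB:
            return None
        if not best.free_pairs:
            phone.log.append(f"HANDOFF BLOCKED: {best.name} has no free pair")
            return None
        cur.free_pairs.append(phone.voice_pair)      # release the old pair for reuse
        phone.voice_pair = best.free_pairs.pop(0)    # retune to the new cell's pair
        phone.serving = best
        phone.log.append(f"HANDOFF -> {best.name} on {phone.voice_pair}")
        return best.name


def demo() -> Tuple[Phone, Phone]:
    """One home phone making a call and being handed off to cell B; one visitor roaming."""
    a = Cell("A", sid=101, free_pairs=[(870.03, 825.03), (870.06, 825.06)])
    b = Cell("B", sid=101, free_pairs=[(870.09, 825.09)])
    c = Cell("C", sid=202, free_pairs=[(870.12, 825.12)])   # another operator's system
    mtso = MTSO([a, b, c])
    phone = Phone(min="2125551234", esn="82A1F3C7", home_sid=101)
    mtso.register(phone, "A")          # 'home': SID 101 matches
    mtso.setup_call(phone)             # gets A's first free pair
    a.rssi[phone.min], b.rssi[phone.min] = -95.0, -80.0   # user driving toward B
    mtso.check_handoff(phone)          # call moves to B, A's pair is freed
    visitor = Phone(min="3105550000", esn="1D44B0E9", home_sid=202)
    mtso.register(visitor, "A")        # 'roaming': hears SID 101, home SID is 202
    return phone, visitor


if __name__ == "__main__":
    home, visitor = demo()
    print("\n".join(home.log + visitor.log))
```

Running it prints the registration, assignment and handoff lines for the home phone followed by the visitor's 'roaming' registration; the blocked-handoff branch fires if you empty cell B's free_pairs list before the signal readings are set.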
Some cellular technologies:
FDMA (Frequency Division Multiple Access): the original analog system (AMPS in North America), in which each call occupied its own frequency pair for the whole call and the voice went over the air as plain analog FM. It has been superseded because analog voice could be listened to with an ordinary scanner, the phones required more power, and giving every call its own frequency wastes spectrum.
TDMA (Time Division Multiple Access): this technology is still widely used around the world at the moment. Basically, your voice is encoded, digitised and then put into a time slot on a particular frequency. In the North American version each 30 kHz carrier is divided into six time slots (three full-rate calls), allowing far more simultaneous calls on the same spectrum than FDMA. IS-54 and IS-136 are the standards for North American digital cellular (D-AMPS). They use an algorithm called CAVE (Cellular Authentication, Voice Privacy and Encryption) for authentication and CMEA (Cellular Message Encryption Algorithm) for encrypting control messages such as the digits you dial.
(CAVE and CMEA are documented in the TIA's Common Cryptographic Algorithms and Interface Specification for Common Cryptographic Algorithms.
David Wagner, Bruce Schneier and John Kelsey published Cryptanalysis of the Cellular Message Encryption Algorithm (1997), which documents deep flaws in CMEA: it can be broken with a few dozen known plaintexts and modest computation, so the dialled digits it is meant to protect should not be considered secret. http://www.schneier.com/paper-cmea.pdf)
CDMA (Code Division Multiple Access): again a digital system. Your voice is encoded and digitised, and the bits are spread across the whole band using a code unique to that call, with every phone in the cell transmitting on the same frequencies at once. The receiving end applies the same code to pull its own signal out and treats everyone else's transmissions as background noise. CDMA has better voice quality than the other systems; the only downfall is that it's pretty expensive.
GSM (Global System for Mobile communication): a variation of the TDMA approach. It digitises and compresses your voice and sends it down a channel in a fixed time slot; each 200 kHz carrier is divided into eight slots, so one carrier can carry up to eight calls. GSM keeps the subscriber's identity on a removable SIM card rather than in the handset itself, and it is probably the most popular system in the world at the moment.
GPRS (General Packet Radio Service): a newer, non-voice, packet-switched data service layered on top of GSM. It incorporates several new features, chief among them speed and an 'always on' connection. GPRS can also be used to access the Internet, throwing open a whole new world of information, which naturally comes with its own security concerns: the phone is now an IP host and inherits the same threats as any other machine on the Internet.
Bluetooth: Bluetooth is a short-range wireless radio system originally developed by Ericsson. It lets devices communicate with each other over a range of about 10 metres (for the common class 2 devices) without any wires. One of the main uses of Bluetooth is to provide a hands-free link between a cellular phone and a headset.
Some security problems in the system:
Tumbling: this method took advantage of a weakness in the authentication procedure for roamers. The ESN (Electronic Serial Number, burned into the phone at manufacture) and the MIN (Mobile Identification Number, i.e. your phone number) are both changed after every call. Validating a roaming phone's ESN/MIN pair against its home carrier used to take long enough that the first call from an unknown pair was let through; by using a different made-up ESN/MIN pair for every call, each call looks like a new roamer's first call and is never charged to anyone. However, with faster databases and validation agreements between different operators, tumbling incidents are now very rare.
Cloning: here the ESN and the MIN of an actual subscriber are captured off the air (on the analog control channel they are transmitted in the clear) and programmed into another phone. The provider is fooled into thinking the call is being made by the professed subscriber, who gets the bill. Doing this involved replacing the phone's EPROM (Erasable Programmable ROM) with a chip that let you change the ESN/MIN pair every time you turned the phone on. Again, this method is dying out because newer phones are far harder to reprogram.
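The carrier-side checks that made tumbling and cloning rare, as an added example that is not the original post's code and not any real switch's software: a pre-call lookup that refuses ESN/MIN pairs the subscriber database does not know (which defeats tumbling, where the pair is made up) and a 'velocity check', the classic clone detector, which flags the same MIN registering in two cells too far apart for the time elapsed (a clone and its victim cannot both be where they claim). The subscriber table, cell-site coordinates, log lines and the 500 km/h threshold are constructed for the example.

```python
"""Carrier-side detection of tumbling and cloning over a registration log.

Added example: not the original post's code and not a real MTSO. The
subscriber table, cell-site coordinates, log lines and speed threshold
below are constructed for illustration.
"""
import math
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed subscriber database: MIN -> ESN of the phone issued for it.
SUBSCRIBERS: Dict[str, str] = {
    "2125551234": "82A1F3C7",
    "2125559876": "1D44B0E9",
}

# Constructed cell-site locations (latitude, longitude in degrees).
SITES: Dict[str, Tuple[float, float]] = {
    "NYC-01": (40.71, -74.01),
    "NYC-07": (40.75, -73.98),
    "LAX-03": (33.94, -118.41),
}

MAX_SPEED_KMH = 500.0   # assumed: faster than any car or train between two registrations

# Constructed MTSO registration log. Line 3 is a clone (the same MIN/ESN shows up
# in Los Angeles one minute after New York); line 4 is a wrong ESN for a real
# MIN; line 5 is a MIN the carrier never issued (tumbling behaviour).
LOG = """\
2004-05-28T10:00:00 REG min=2125551234 esn=82A1F3C7 site=NYC-01
2004-05-28T10:05:00 REG min=2125551234 esn=82A1F3C7 site=NYC-07
2004-05-28T10:06:00 REG min=2125551234 esn=82A1F3C7 site=LAX-03
2004-05-28T10:07:00 REG min=2125559876 esn=FFFF0001 site=NYC-01
2004-05-28T10:08:00 REG min=3105550000 esn=0000ABCD site=NYC-07
"""


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'TIMESTAMP REG k=v k=v ...' into a dict, with the timestamp under 'ts'."""
    ts, _kind, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def haversine_km(p: Tuple[float, float], q: Tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, p)
    lat2, lon2 = map(math.radians, q)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def precall_validation(min_: str, esn: str) -> str:
    """Reject pairs the database does not know before the call is connected."""
    expected = SUBSCRIBERS.get(min_)
    if expected is None:
        return "unknown-min"          # never issued: a tumbler's random pair
    if expected != esn:
        return "esn-mismatch"         # real MIN with the wrong phone: clone or tumbler
    return "ok"


def velocity_check(last: Dict[str, Tuple[datetime, str]], rec: Dict[str, str]) -> str:
    """Flag a MIN that turns up too far away too soon after its previous registration."""
    now = datetime.fromisoformat(rec["ts"])
    prev = last.get(rec["min"])
    last[rec["min"]] = (now, rec["site"])
    if prev is None:
        return "ok"
    prev_ts, prev_site = prev
    dist = haversine_km(SITES[prev_site], SITES[rec["site"]])
    hours = (now - prev_ts).total_seconds() / 3600.0
    if dist > 0 and (hours <= 0 or dist / hours > MAX_SPEED_KMH):
        return "impossible-travel"    # the real phone and a clone cannot both be here
    return "ok"


def analyse(log_text: str) -> List[Tuple[int, str]]:
    """Run both checks over every log line; return (line number, verdict) pairs."""
    last: Dict[str, Tuple[datetime, str]] = {}
    verdicts: List[Tuple[int, str]] = []
    for n, line in enumerate(log_text.strip().splitlines(), start=1):
        rec = parse_line(line)
        verdict = precall_validation(rec["min"], rec["esn"])
        if verdict == "ok":
            verdict = velocity_check(last, rec)
        verdicts.append((n, verdict))
    return verdicts


if __name__ == "__main__":
    for n, v in analyse(LOG):
        print(f"line {n}: {v}")
```

Lines 1 and 2 pass (about 5 km in five minutes), line 3 is flagged as impossible travel, and lines 4 and 5 never reach the velocity check because the pair fails validation first. A real deployment would also have to tolerate legitimate fast movers (airline passengers re-registering after landing), which is why the threshold is generous.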
Bluejacking: Bluejacking involves sending anonymous messages to other Bluetooth-enabled phones within about 10 metres of you, typically by pushing a contact card whose name field holds the message, so no pairing is needed. It isn't exactly a malicious problem, but it's rather fun to see the expression on someone's face when he gets a message out of nowhere.
BlueSnarfing: this is yet another Bluetooth vulnerability. It allows an attacker to pull information such as the phone book and calendar off your phone over Bluetooth, without pairing, by abusing flaws in the OBEX implementation of certain handset models. Since most phones just have an option saying Bluetooth ON/OFF rather than specific configuration options, anyone with an affected model and Bluetooth enabled is at risk; the practical defences are to keep Bluetooth off when you aren't using it and, where the phone allows it, to make it non-discoverable.
I haven't been able to explain everything in detail as I've tried to keep this as small as possible. If anyone'd like a better explanation, please post or search on Google.