
Thread: Cell phone zombies a possibility? -- Theoretical discussion

  1. #31
    Junior Member
    Join Date
    Feb 2004
    Posts
    17
    Phone security runs on elliptic curves and is so secure, only about 80-100 possibilities have been uncovered and it would take about a network of 3000 computers to break the code as it runs on a mathematical theory with about 1000 billion possibilities.
    Who am I to question your motive?

  2. #32
    Are we speaking of landline or wireless phone?

    It depends on the phone and the implementation and what it travels through and what company it's going through etc etc.

    But you're right about one thing, it is very tough to break. Since most phones these days are digital and switch frequencies VERY fast, you would have to monitor thousands of frequencies at a time, and even then you'd probably get an extremely high rate of unwanted traffic and not come close to getting a single conversation with much intelligible data. UNLESS you can predict the switching algorithm in place, which from what I've heard is extremely difficult to even come close to.

    Ahh, just got my new palm pilot too

    About ActiveSync, I've noticed on my firewall that ActiveSync attempts to contact some server (seems to be an ad-server) on the internet. Quite possibly the data that this server sends could in fact be executed in a manner which is malicious in nature. Quite possibly you could spoof the reply packets' source IP and somehow send malicious code over the wire, however, only if ActiveSync knows how to run the code and if there's no valid code checking involved. And this would probably require a DoS to the ActiveSync server so that ActiveSync doesn't close the connection on ya. But I dunno, that's the only thing I could think of right now..

  3. #33
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    Tronic, we're talking about cell phones (wireless).

    As for:

    Since most phones these days are digital and switch frequencies VERY fast, you would have to monitor thousands of frequencies at a time, and even then you'd probably get an extremely high rate of unwanted traffic and not come close to getting a single conversation with much intelligible data. UNLESS you can predict the switching algorithm in place, which from what I've heard is extremely difficult to even come close to.
    Here's some information on how cell phones actually work...perhaps we can come up with more theories about the possibility of malicious code being transmitted through cell phones. Hopefully cell phone makers are reading this and learning how to make cell phones safer in the future.

    Info Provided by: http://electronics.howstuffworks.com

    In a typical analog cell-phone system in the United States, the cell-phone carrier receives about 800 frequencies to use across the city. The carrier chops up the city into cells. Each cell is typically sized at about 10 square miles (26 square kilometers). Cells are normally thought of as hexagons on a big hexagonal grid.

    Because cell phones and base stations use low-power transmitters, the same frequencies can be reused in non-adjacent cells.

    A single cell in an analog system uses one-seventh of the available duplex voice channels. That is, each cell (of the seven on a hexagonal grid) is using one-seventh of the available channels so it has a unique set of frequencies and there are no collisions:

    A cell-phone carrier typically gets 832 radio frequencies to use in a city.
    Each cell phone uses two frequencies per call -- a duplex channel -- so there are typically 395 voice channels per carrier. (The other 42 frequencies are used for control channels -- more on this on the next page.)
    Therefore, each cell has about 56 voice channels available.
    In other words, in any cell, 56 people can be talking on their cell phone at one time. With digital transmission methods, the number of available channels increases. For example, a TDMA-based digital system can carry three times as many calls as an analog system, so each cell has about 168 channels available.

    Cell phones have low-power transmitters in them. Many cell phones have two signal strengths: 0.6 watts and 3 watts (for comparison, most CB radios transmit at 4 watts). The base station is also transmitting at low power. Low-power transmitters have two advantages:
    The transmissions of a base station and the phones within its cell do not make it very far outside that cell. Therefore, in the figure above, both of the purple cells can reuse the same 56 frequencies. The same frequencies can be reused extensively across the city.
    The power consumption of the cell phone, which is normally battery-operated, is relatively low. Low power means small batteries, and this is what has made handheld cellular phones possible.
    The cellular approach requires a large number of base stations in a city of any size. A typical large city can have hundreds of towers. But because so many people are using cell phones, costs remain low per user. Each carrier in each city also runs one central office called the Mobile Telephone Switching Office (MTSO). This office handles all of the phone connections to the normal land-based phone system, and controls all of the base stations in the region.

    Digital cell phones use the same radio technology as analog phones, but they use it in a different way. Analog systems do not fully utilize the signal between the phone and the cellular network -- analog signals cannot be compressed and manipulated as easily as a true digital signal. This is the reason why many cable companies are switching to digital -- so they can fit more channels within a given bandwidth. It is amazing how much more efficient digital systems can be.
    Digital phones convert your voice into binary information (1s and 0s) and then compress it (see How Analog-Digital Recording Works for details on the conversion process). This compression allows between three and 10 digital cell-phone calls to occupy the space of a single analog call.

    Many digital cellular systems rely on frequency-shift keying (FSK) to send data back and forth over AMPS. FSK uses two frequencies, one for 1s and the other for 0s, alternating rapidly between the two to send digital information between the cell tower and the phone. Clever modulation and encoding schemes are required to convert the analog information to digital, compress it and convert it back again while maintaining an acceptable level of voice quality. All of this means that digital cell phones have to contain a lot of processing power!

    There are three common technologies used by cell-phone networks for transmitting information:
    Frequency division multiple access (FDMA)
    Time division multiple access (TDMA)
    Code division multiple access (CDMA)
    Although these technologies sound very intimidating, you can get a good sense of how they work just by breaking down the title of each one.
    The first word tells you what the access method is. The second word, division, lets you know that it splits calls based on that access method.

    FDMA puts each call on a separate frequency.
    TDMA assigns each call a certain portion of time on a designated frequency.
    CDMA gives a unique code to each call and spreads it over the available frequencies.
    The last part of each name is multiple access. This simply means that more than one user can utilize each cell.


    GSM is the international standard in Europe, Australia and much of Asia and Africa. In covered areas, cell-phone users can buy one phone that will work anywhere where the standard is supported. To connect to the specific service providers in these different countries, GSM users simply switch subscriber identification module (SIM) cards. SIM cards are small removable disks that slip in and out of GSM cell phones. They store all the connection data and identification numbers you need to access a particular wireless service provider.

    Unfortunately, the 1900-MHz GSM phones used in the United States are not compatible with the international system. If you live in the United States and need to have cell-phone access when you're overseas, the easiest thing to do is to buy a GSM 900MHz/1800MHz cell phone for traveling. You can get these phones from Planet Omni, an online electronics firm based in California. They offer a wide selection of Nokia, Motorola and Ericsson GSM phones. They don't sell international SIM cards, however. You can pick up prepaid SIM cards for a wide range of countries at Telestial.com.



    Technically you'd only need a fast frequency scanner to do the work. Generally if a user is not driving...and they stay in one location, they could be affected by malicious code transmitted through the Wi-Fi. (Theoretically)


    An article from Cornell University speaks of Cell Phone security:
    http://www.cit.cornell.edu/cellphone/security.html
    Cell phones are more vulnerable than regular phones due to two dangers: eavesdroppers can listen in on your calls, and thieves can bill their own calls to your account.

    Eavesdropping: Anything you say on an analog cell phone can be easily overheard by someone using a scanner. Digital cell phone transmissions are scrambled for better protection, but eavesdroppers with the right equipment may be able to unscramble them.

    The best protection? Be aware of what you discuss on your cell phone. Remember that it acts as a handheld broadcast station. Don't give out your credit card number or other sensitive or confidential information; don't say anything you wouldn't say on broadcast radio or TV.

    Fraudulent billing: It is possible for thieves to intercept a cell phone signal and clone the phone's ID numbers (its Electronic Serial Number and Mobile Identification Number, or ESN/MIN). The result is the equivalent of a stolen calling card. Some simple countermeasures include:

    Limit "roaming": Review which phones have roaming enabled and limit these as much as practical. Roaming usually defeats the use of Personal Identification Numbers (PINs). Cloners prefer roaming phones for this reason and they target airport parking lots, airport access roads, and rural interstates. Roaming also makes it more difficult for some cellular carriers to use fraud-detection programs to monitor an account and shut it down when fraud is detected.

    Turn the phone off. Cell phones poll the cellular base station with the strongest signal every few seconds. This is how the system knows which base station to route calls through. However, this polling exposes the phone to interception and cloning.

    Review all bills and report every erroneous call to the service provider. There are two types of cloning:
    Outright theft of the phone's ESN/MIN is most common. A bill will reflect hundreds, even thousands of bogus calls.
    The other type of cloning is called tumbling, where a cloned phone uses a different ESN/MIN for each call. A bill might have only one bogus call this month, none next month, but three calls the month after that. The phone has still been cloned and fraud is occurring.

    Prefer hands-off vehicle-mounted phones to handhelds. The boxes used to capture ESN/MIN have a limited range; cloners will follow an individual they know is using a phone. Recent news reports reflect the chances of an accident increase substantially if a driver is operating a vehicle and a cellular phone simultaneously.

    What's most interesting though, is this article from Wired News written in 1998:

    http://www.wired.com/news/technology...,11630,00.html

    A group of California-based computer experts claims to have compromised the cryptographic security behind the world's most popular digital cell-phone system, making it possible to clone any phone using the GSM standard.

    The Smartcard Developer Association says it cracked the algorithm used as the basis for the Global System for Mobile Communications (GSM) -- a digital cellular phone system that is used in about 80 million cell phones, primarily in Europe and Asia. Many US networks are starting to implement GSM standards, too, and this attack was launched against a card issued by Pacific Bell. If the group's claims are true, it could lead to a recall or reissue of the smart cards used in GSM-based phones.



    never settle. "GSM is likely to face fraud problems of the same magnitude as analog systems have had," said Marc Briceno, a member of the SDA who said that analog systems have lost billions of dollars because of cellular phone cloning.

    GSM-based cell phones work with a small card containing an electronic chip called a Subscriber Identity Module card. The SIM card inserts into the back of the cellular phone and contains information that is used to identify subscribers and their account information to the GSM network. The SIM card must be inserted into a GSM Mobile handset to obtain access to the network, and one of the primary benefits of the technology is that cell phones have access to GSM networks worldwide.

    However, to clone a SIM card, a would-be cracker would have to have physical possession of one. Unlike the cloning used in analog systems, the crack does not yet include being able to listen in on people's phone calls or obtain a SIM ID via the airwaves, although the SDA has stated that an "over-the-air attack should not be ruled out."

    The SIM uses encryption to keep the identity of the phone secret, and the encryption algorithm used on most of the GSM network is called COMP128. The SDA was able to obtain the secret ciphers used by the GSM network. After verifying authenticity, the group turned them over to UC Berkeley researchers David Wagner and Ian Goldberg, who were able to crack the COMP128 algorithm within a day. In 1995, Wagner and Goldberg succeeded in another high-profile hack when they compromised the crypto code used in Netscape's Navigator browser, which was supposed to secure credit-card transactions.

    "Within hours they discovered a fatal flaw," said Briceno. "The attack that we have done is based on sending a large number of challenges to the authorization module in the phone. The key can be deduced and recovered in about 10 hours."

    A group of hackers gathered with security and crypto experts Friday evening at a San Francisco hacker club called New Hack City, for a demonstration of the hack, but it never came off. Eric Hughes, a member of the SDA and founder of the Cypherpunks cryptography group, discussed the technical aspects of the hack, but had to give up the planned demonstration after threats of legal action from Pac Bell and other telephone company executives. It is illegal in the United States to possess cellular phone cloning equipment, although legitimate businesses are exempted. The telephone companies dispute SDA's claims to legitimacy.

    Wagner blames the ease of the crack on the secrecy with which the ciphers were kept.

    "There is no way that we would have been able to break the cryptography so quickly if the design had been subjected to public scrutiny," said Wagner.

    The GSM standard was developed and designed by the European Telecommunications Standard Institute, an organization that has about 500 members from 33 countries, representing administrations, network operators, manufacturers, service providers, and users.

    "There's going to be an orgy of finger pointing," said Hughes, referring to all the engineers and other people associated with the design of the GSM network.

    The SDA say that they were able to crack the GSM network algorithm due to weak encryption in the original design. When the system was being designed, several European government agencies were successful in their demands to weaken encryption standards for government surveillance purposes.

    The SDA also claimed that the GSM security cipher that keeps eavesdroppers from listening to a conversation called A5 was also made deliberately weaker. The A5 cipher uses a 64-bit key, but only 54 of the bits are actually in use -- 10 of the bits have been replaced with zeroes. The SDA's Briceno blames government interference.

    "The only party who has an interest in weakening voice privacy is the National Security Agency," he said.

    The SDA said that a proper demo will be taking place soon from somewhere outside the United States. The group has also released the source code for COMP128 and A5 for further testing.

    Phone security runs on elliptic curves and is so secure, only about 80-100 possibilities have been uncovered and it would take about a network of 3000 computers to break the code as it runs on a mathematical theory with about 1000 billion possibilities.
    Omol, how did you come up with those numbers?
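The Wired article above describes the GSM SIM challenge-response (RAND in, SRES out, Kc derived on both sides) and an attack that fed the SIM a very large number of challenges. As an added example, not code from the article or from any GSM implementation, here is that exchange with both sides modelled, using HMAC-SHA256 as a stand-in for COMP128 (the real, broken algorithm is deliberately not reproduced) and an assumed per-SIM authentication counter as the kind of card-side mitigation that limits how many challenges a card will answer. The IMSI and Ki values are constructed.

```python
import hashlib
import hmac
import secrets


def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for the SIM's A3 (SRES) and A8 (Kc) algorithms.

    Real SIMs of the period ran COMP128; HMAC-SHA256 is used here only so
    the exchange runs and is NOT COMP128. Output sizes follow GSM:
    a 32-bit SRES and a 64-bit session key Kc.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    """Subscriber side: holds Ki and answers RAND challenges; Ki never leaves."""

    def __init__(self, ki: bytes, max_auths: int):
        self._ki = ki
        self.auth_count = 0
        # Assumed, illustrative mitigation (not from the article): cap how many
        # challenges the card will answer, since the published attack relied on
        # sending the SIM a very large number of chosen challenges.
        self.max_auths = max_auths

    def run_gsm_algorithm(self, rand: bytes):
        if self.auth_count >= self.max_auths:
            raise PermissionError("SIM refuses further authentications")
        self.auth_count += 1
        return a3_a8(self._ki, rand)


class AuthCentre:
    """Network side: stores each subscriber's Ki and verifies responses."""

    def __init__(self):
        self._keys = {}

    def provision(self, imsi: str, ki: bytes):
        self._keys[imsi] = ki

    @staticmethod
    def challenge() -> bytes:
        return secrets.token_bytes(16)  # 128-bit RAND, as in GSM

    def verify(self, imsi: str, rand: bytes, sres: bytes):
        expected_sres, kc = a3_a8(self._keys[imsi], rand)
        return hmac.compare_digest(expected_sres, sres), kc


def authenticate(auc: AuthCentre, imsi: str, sim: Sim):
    """One GSM-style exchange: the network sends RAND, the SIM returns SRES,
    the network checks it, and both sides now share Kc for A5 ciphering.
    Returns (accepted, kc); kc is None when authentication fails."""
    rand = auc.challenge()                      # network -> handset
    sres, sim_kc = sim.run_gsm_algorithm(rand)  # handset -> network
    ok, net_kc = auc.verify(imsi, rand, sres)
    return ok, (net_kc if ok and net_kc == sim_kc else None)


if __name__ == "__main__":
    ki = bytes(range(16))  # constructed test key, not a real Ki
    auc = AuthCentre()
    auc.provision("001010123456789", ki)
    print(authenticate(auc, "001010123456789", Sim(ki, max_auths=3)))
```

A SIM holding a different Ki fails verification and never learns Kc; once the counter is exhausted the card stops answering, which is the property a challenge-flooding key recovery needs to be absent.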

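The Cornell notes above mention carriers running fraud-detection programs over accounts to catch ESN/MIN cloning. As an added example, not from the article or any carrier's system, here is one such check written against constructed call detail records (CDRs): consecutive calls on the same ESN/MIN that are set up through cell sites too far apart for the time between them are flagged, since a single handset cannot be in Boston and Los Angeles half an hour apart. The `Cdr` record layout, the coordinates and the subscriber identifiers are all constructed for the example.

```python
import math
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Cdr:
    """One constructed call detail record: the phone's ESN/MIN pair and the
    latitude/longitude of the cell site through which the call was set up."""
    esn_min: str
    start: datetime
    cell_lat: float
    cell_lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two cell sites in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def flag_impossible_travel(cdrs, max_kmh=150.0, min_km=1.0):
    """Group CDRs by ESN/MIN and flag consecutive calls whose cell sites are
    too far apart for the elapsed time. Overlapping or simultaneous calls from
    sites more than min_km apart are flagged too (speed treated as infinite).
    Returns (esn_min, earlier_start, later_start, km, km_per_hour) tuples."""
    by_id = {}
    for c in sorted(cdrs, key=lambda c: c.start):
        by_id.setdefault(c.esn_min, []).append(c)
    alerts = []
    for esn_min, calls in by_id.items():
        for prev, cur in zip(calls, calls[1:]):
            km = haversine_km(prev.cell_lat, prev.cell_lon, cur.cell_lat, cur.cell_lon)
            hours = (cur.start - prev.start).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else math.inf
            if km > min_km and speed > max_kmh:
                alerts.append((esn_min, prev.start, cur.start, round(km), speed))
    return alerts


# Constructed sample records; subscriber A moves Boston -> Cambridge in 20
# minutes (plausible), subscriber B appears in Boston and Los Angeles 30
# minutes apart (a clone is the likely explanation).
SAMPLE_CDRS = [
    Cdr("ESN-A1/MIN-617-555-0101", datetime(2004, 6, 18, 9, 0), 42.36, -71.06),
    Cdr("ESN-A1/MIN-617-555-0101", datetime(2004, 6, 18, 9, 20), 42.37, -71.11),
    Cdr("ESN-B2/MIN-617-555-0202", datetime(2004, 6, 18, 9, 0), 42.36, -71.06),
    Cdr("ESN-B2/MIN-617-555-0202", datetime(2004, 6, 18, 9, 30), 34.05, -118.24),
]


def demo():
    """Run the check over the constructed records and return the alerts."""
    return flag_impossible_travel(SAMPLE_CDRS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

This catches outright cloning where the clone and the legitimate phone are used in different places; it does not catch the tumbling variant the article describes, where every bogus call carries a different ESN/MIN and no per-account history exists to compare.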
  4. #34
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Encryption standards on modern systems are very tough to break. I think that is what omol was getting at. You wouldn't need a very fast frequency scanning device if you listened to a single transmitter and recorded all the data. Of course you would have to break the encryption on the systems that utilize it. In this scenario you could listen to an entire cell and record data for all channels. Those frequencies are fixed and assigned by the FCC. Fast frequency hopping is only an issue for systems that spread data packets across multiple frequencies. CDMA does that and there are definitely systems that use that in the US. But again those freqs are hopping among the same site and if you record all fixed channels, then technically you could figure out the hopping algorithm and get it. You could see patterns easily in the hopping; proprietary systems utilize methods to randomize the events. Cell phone companies have laptop tools to monitor the process, and those could be compromised. But all in all the encryption is outstanding. Attacks made against cell sites will not be to compromise data; that would have to come from the source gateway in the near future unless encryption keys in cell phones are compromised. There are multiple layers of security and authentication built in.

    Do not confuse Cell Phone technology with Wi-Fi, they aren't the same beast to me.

    Excellent research Cybr1d

    But no matter how secure the phone is, once it hits the switch it's converted to the same exact technology used to carry any call in the world, and those areas can be intercepted and tapped along with data gateways to the internet so you get your text message from sweety.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  5. #35
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    I think tronic was wondering about wireless land line type phones...correct? Forget about security with those; anyone with a scanner that can hit 900 MHz (or whatever your phone uses) can pick up your conversation. (My baby monitor picks up my neighbor's phone.)
    Who is more trustworthy than all of the gurus or Buddhas?

  6. #36
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    There are frequency hopping versions of those 900 MHz to 5 GHz wireless phones as well. They are expensive and most people wouldn't pay that much for something they wrongfully believe to be secure, that is until recently. Make sure you get a digital spread spectrum one. There are scanners that will figure the hop algorithm when fed random information from number generators, but the baby monitor won't pick up on it. If it does happen across a channel for a split second, it will sound like static. By the time the baby monitor locks the signal it would be gone again. It seems that it's actually getting hard to find a 900 these days at specialty shops outside of Wal-Mart. Most are 2.4 Gig.

  7. #37
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Ya but with some of the older scanners you can pick up the 2.4 band also...I have one somewhere in my basement, but it was my understanding that most 2.4's hopped. Is this correct?

  8. #38
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Most hop because by the time they were licensed the technology was cheaper. Some do not because at the beginning the difference between hoppers and nonhoppers was several hundred dollars. Most people didn't want to pay over 300 bucks for a cordless phone. If it says digital spread spectrum or DSS it's a hopper.

  9. #39
    This Time, Cell Phone Virus Is for Real
    Fri Jun 18, 2:05 PM ET
    Carol Ellison - eWEEK

    It had to happen: A computer virus has spread to cell phone networks. Kaspersky Labs issued an advisory Thursday on a network worm called Cabir that is evidently crawling its way through phones that use the Symbian operating system.
    http://story.news.yahoo.com/news?tmp...8/tc_zd/129901

    Cabir is the first network worm capable of spreading via Bluetooth; it infects mobile phones which run Symbian OS.

    A wide range of phones from a number of manufacturers use this technology. It is clear that Nokia 3650, 7650 and N-Gage phones can all be infected by Cabir. However, any handset running Symbian OS is potentially vulnerable to infection.
    http://www.viruslist.com/eng/viruslist.html?id=1689517

  10. #40
    Junior Member
    Join Date
    Oct 2001
    Posts
    10
    Hi,

    My 2 pence on all of this.

    Regarding breaking encryption algorithms, there are a lot easier ways of eavesdropping on a call. At the end of the day encryption to an entity must end somewhere for the transmitted data to be of any use, hence in our case it is decrypted in the mobile handset.

    On the issue of smart phones, one can implement a MIDP applet to listen to the speaker on the handset when it starts to transmit data; the applet then just collects the data and pushes this out somewhere when the user connects to the net via his handset. Something that springs to mind here is DRM (Digital Rights Management): will this ever work!! when data has to be decrypted and played back somewhere!!

    Regarding different platforms and the difficulty to propagate a virus, I think this is interesting. I think there is a common factor in all OS's provided by vendors and that is a standard way to do a service, and almost all handsets now have support for J2ME, i.e. SMS is supported both on closed and open OS's; newer services that you will see (in the future) like PoC (Push to talk over cellular) is another service that will be supported by all OS's. My point being, potentially a J2ME applet can easily exploit new services on a handset by propagating itself to all subscribers in a particular handset's phonebook. If you take a look at some MIDP API's there is a powerful infrastructure already in place to access sensitive areas of a mobile handset.

    Bluetooth on the other hand is a different kettle of fish. It can be used to transmit AT commands to a phone, meaning anything and everything can be exploited on a mobile handset unless some proprietary implementation prevents it. In fact this can be done over Infra-red but obviously more restrictive due to the frequency range. The Bluetooth protocol itself is fairly good security wise (to my knowledge) as they have just defined a new security pairing scheme and are also working on taking on ciphering options over a Bluetooth link. I think in the future we will be seeing something called PANs (Personal Area Networks) which use Bluetooth to connect to one another; this is where things may get a little complicated as definitions for Master objects and authorisation/authentication within the PAN will become an issue, perhaps the use of TCG (Trusted Computing Group) may come into use here.

    Regards,
