Mobile Phone Communication
•Advanced Mobile Phone System (AMPS)
•Nordic Mobile Telephone (NMT)
•Total Access Communication System (TACS)
Analog Authentication
•MIN/ESN Protocol
•MIN: Mobile Identification Number, 10 digits
•ESN: Electronic Serial Number, 32 bits
•Clear transmission
•Attack
•Simple police frequency scanner
•Prone to eavesdropping
•Cloning

Cellular Phone Cloning
• The “cloning” of a cellular telephone occurs when the account number of a victim telephone user is stolen and reprogrammed into another cellular telephone.
• Each cellular phone has a unique pair of identifying numbers: the electronic serial number (“ESN”) and the mobile identification number (“MIN”).
• The ESN/MIN pair can be cloned in a number of ways without the knowledge of the carrier or subscriber through the use of electronic scanning devices.
Cellular Phone Cloning Cont.
• After the ESN/MIN pair is captured, the cloner reprograms or alters the microchip of any wireless phone to create a clone of the wireless phone from which the ESN/MIN pair was stolen.
• The entire programming process takes 10-15 minutes per phone.
• After this process is completed, both phones (the legitimate and the clone) are billed to the original, legitimate account.
• Counter Measures
•Duplicate Detection
•Velocity trap
•Usage profiling
•Pin code
Eavesdropping
• Eavesdropping means to overhear, record, amplify or transmit any part of the private discourse of others without the permission of all persons engaged in the discourse.
• Cellular phone ESN readers or police scanners can be used for eavesdropping on cell phone conversations.

GSM Authentication
•Encryption algorithms:
•A3 - Authentication algorithm
•A5 - Encryption and Decryption
•A8 - Key generator
•Currently the COMP128 algorithm is used as the A3/A8 implementation in most GSM networks.
[Figure: GSM authentication across the mobile radio interface and the fixed network. Elements shown: Ki (128) and RAND (128) on both sides, Challenge R, Key, Response SRES, A8, A5 at both ends, encrypted data.]

GSM (cont.)
•A5: inputs Kc (64 bit) and Frame Number (22 bit); output: 114-bit keystream
•A8: inputs Ki (128) and RAND (128); 128-bit output, and Kc 54 bit

GSM (cont.)
•A5 consists of three LFSRs of length 19, 22, and 23, which are clocked based on the middle bits of the registers
•The outputs of the three LFSRs are XORed
• Attacks on A5
•Brute-Force - time complexity 2^64
•Divide and conquer attack - reduces the complexity to 2^45 (approximately)

Cell Phone Tracking
• Every cellular telephone is a physical locating device!
• This is generally true even when the user is not in a call. The phone need merely be switched on.
• Location tracking is inherent in the way cellular telephones work. The network needs to know where you are in order to do its
• There is no known way to avoid revealing your location when you use a cell phone.
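As an added worked example (not code from the slides), a Python model of the A5 generator described on the GSM slides above: three LFSRs of 19, 22 and 23 bits, clocked by a majority vote of their middle bits, with the three output bits XORed into the 228-bit per-frame keystream. The feedback tap positions, the exact clocking-bit positions and the LSB-first loading order of Kc and the frame number are assumptions taken from the usual A5/1 description, not from the slides.

```python
# Added example (not from the slides): the A5/1 keystream generator as the GSM
# slides describe it: three LFSRs of 19, 22 and 23 bits, irregularly clocked on
# their middle bits, the three output bits XORed.  Tap positions, clock bits and
# the key/frame bit-loading order are assumed from the usual A5/1 description.

# (mask, feedback taps, clocking bit) for the 19-, 22- and 23-bit registers
REGS = [((1 << 19) - 1, 0x072000, 1 << 8),
        ((1 << 22) - 1, 0x300000, 1 << 10),
        ((1 << 23) - 1, 0x700080, 1 << 10)]


def _step(reg: int, mask: int, taps: int) -> int:
    """Shift the LFSR left one bit; the new bit 0 is the XOR (parity) of the tapped bits."""
    return ((reg << 1) & mask) | (bin(reg & taps).count("1") & 1)


class A51:
    """Per-frame keystream generator: Kc (64 bit) + frame number (22 bit) in, 228 bits out."""

    def __init__(self, kc: bytes, frame: int) -> None:
        if len(kc) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("Kc must be 8 bytes and the frame number 22 bits")
        self.r = [0, 0, 0]
        # Key setup: all registers are clocked regularly while each Kc bit, then each
        # frame-number bit, is XORed into bit 0 (LSB-first order assumed).
        for i in range(64):
            self._clock_all((kc[i // 8] >> (i % 8)) & 1)
        for i in range(22):
            self._clock_all((frame >> i) & 1)
        for _ in range(100):            # mix with majority clocking, output discarded
            self._clock_majority()

    def _clock_all(self, in_bit: int) -> None:
        self.r = [_step(v, m, t) ^ in_bit for v, (m, t, _) in zip(self.r, REGS)]

    def _clock_majority(self) -> None:
        """Irregular clocking: a register advances only if its middle bit agrees with the majority."""
        bits = [int(bool(v & c)) for v, (_, _, c) in zip(self.r, REGS)]
        maj = int(sum(bits) >= 2)
        self.r = [_step(v, m, t) if b == maj else v
                  for v, b, (m, t, _) in zip(self.r, bits, REGS)]

    def keystream(self, nbits: int = 228) -> list[int]:
        """228 bits per frame: 114 for one direction, 114 for the other."""
        out = []
        for _ in range(nbits):
            self._clock_majority()
            # Output bit = XOR of the three registers' most significant bits.
            out.append((self.r[0] >> 18) ^ (self.r[1] >> 21) ^ (self.r[2] >> 22))
        return out
```

An all-zero Kc with frame number 0 leaves every register at zero, so the keystream is all zeros; that degenerate case is a quick sanity check of the register arithmetic before comparing against a reference implementation.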
3GPP (3rd Generation Partnership Project)
• In the last few years, GSM took a lot of flak for their approach to crypto algorithm design, which relied on keeping the algorithms secret.
• 3GPP has chosen a superior approach to their
• They are making open to the public all of their drafts, standards and recommendations, and rely on their algorithms withstanding the scrutiny of any interested researchers.