Wireless Communications Security

Prepared by Alan Vanderploeg
Written from a US perspective but applies to all markets.

Introduction

Wireless communications, which is the use of cordless and cellular phones, has grown dramatically in the past ten years and has become a booming $11 billion market. The capability to communicate with others without being physically connected to a phone line has greatly increased the efficiency of the corporate, government, and private sectors. Unfortunately, this capability has also led to a huge security problem, since the radio signals transmitted and received by these devices can be easily intercepted, compromised, and exploited. These compromises include eavesdropping on conversations and spoofing (or cloning) cellular systems to gain fraudulent access. This high-tech crime wave is costing the cellular industry alone over $300 million a year and has hit all three of the above sectors hard. Telecommunications experts believe this problem will only get worse as cordless and cellular use continues to increase. The cordless and cellular phone industry is just now beginning to design countermeasures into its devices and systems in an effort to combat this growing problem. In the meantime, it is imperative that everyone who uses these devices understand the threat they face, the scope of the problem, and the present and future countermeasures they can implement to protect themselves from wireless security compromise.

This paper explains how cordless and cellular technology works and discusses the communications security threats to these systems, including how this technology is commonly compromised, who is affected, and what is lost. The effectiveness of some of the methods being explored to counter the problem is discussed, and conclusions about this problem and its countermeasures are also offered.

Explanation of Cordless/Cellular Phone Technology

To understand how "phreakers" (a slang name for phone or cellular hackers) attack the vulnerabilities of these systems, one must understand how these systems work. Cordless phones are simply two-way radios that send an unprotected signal between the base unit (which is connected to a phone line) and the handset. Some of the more expensive versions even have a built-in encryption chip to increase conversation privacy. The range of these signals varies depending on the quality of the phone and surrounding interference such as walls or power lines, but most cordless phones are capable of transmitting and receiving signals up to 150 feet.

Cellular phones, like cordless phones, are also two-way radios. The cellular phone, however, is much more sophisticated and has a much greater, and in some cases unlimited, range. This is due to the honeycomb-like layout of cellular communications areas. Figure 1 shows a typical cellular system layout. These "cells," or communications areas, are controlled by a network control station, and each cell has a tower that can send and receive on multiple radio frequencies.

Each tower periodically (usually once a minute) transmits an identifier signal. The cellular phone listens for this signal, adds a Mobile Identification Number (MIN, programmed by the phone seller or service shop) and an Electronic Serial Number (ESN, installed by the factory and theoretically unique to each phone) to the signal, and sends it back to the tower, where it is then relayed to the network control station. This process identifies the cellular phone, the billing account, and the cell location of the phone.

When a user wants to make a call, the network control station allocates an available frequency in that cell to the phone, charges the appropriate account, and allows the user to transmit a call. As the user nears the next cell, the network control station automatically hands off the call to another available frequency in the next cell. This gives the cellular phone user a huge range from which to make or receive calls.

Current Threat

Because cordless and cellular phones transmit
and receive radio signals, they face two main threats: electronic eavesdropping and cellular spoofing. One could argue that a third threat is the physical loss, damage, or theft of the actual device; however, within the scope of this paper, only the threats as they apply to electronic communications security will be discussed.

Electronic eavesdropping is listening to or recording a cordless or cellular call without the permission or knowledge of the calling and/or receiving parties. Eavesdroppers accomplish this by using radio frequency scanners and other receiving equipment to find and listen to the frequencies used by the devices.

Scanning cordless phone conversations is a fairly simple process, since most brands operate on similar frequencies. Even baby monitors and some brands of two-way radios share these frequency ranges. Because of these similar frequency bands, most people have picked up their cordless phone at some time and inadvertently listened to another person's conversation without that person's knowledge.

Cellular phones use frequencies that are very different from cordless phones, but since cellular phone frequencies are all in the same band range, it is very easy to intercept them with electronic scanners.

Electronic eavesdropping is fairly common. According to Phil Karn, a Canadian telecommunications specialist, "...in a three-month study of Metro Toronto, Bell Canada found that 80 percent of all cellular telephone traffic is monitored by third parties."

While the author admits this number cannot be confirmed, similar studies suggest the actual percentage is anywhere between 20 and 50 percent, depending on the caller's location. Regardless of the actual percentage, this is a growing problem. Not only is electronic eavesdropping easy to carry out, it is also readily available, inexpensive, and nearly impossible to detect. Communications magazines and the World Wide Web are full of advertisements and information describing how to eavesdrop on cordless and cellular traffic.

The July 1996 edition of Popular Communications alone has several ads aimed at the "eavesdropping hobbyist" that describe where to purchase scanners, what frequencies to scan, wiring diagrams, parts lists, and instructions on how to modify scanners to receive cordless and cellular frequencies. A good scanner that already receives cellular frequencies can be purchased for under $300. Due to recently enacted legislation, these types of scanners can no longer be produced, but plenty of the pre-ban scanners are still available, and just about any high-quality scanner can be easily modified for under $100.

While communications privacy is a concern, it pales beside the threat of cellular spoofing. Cellular spoofing (also known as cloning) is the process where a person provides false identification [about a cellular account] to the cellular communications provider with the intent to defraud. The earliest form of spoofing appeared several years ago in the mobile telephone industry. Eavesdroppers would scan the airwaves until they identified a mobile phone channel. They would then monitor the transmissions on these frequencies and wait for an account owner to request a call.

The following is an example of how the spoofing would occur. The user would say, "Operator, this is Mobile 1111, may I please have 456-2345." The operator would connect the caller and bill Mobile Account 1111 for the call. Later, the eavesdroppers would call the operator and pretend to be Mobile Account 1111, thus charging the call to that particular account. The spoofing process became much more sophisticated with the implementation of high-speed digital cellular technology.

Phreakers (or spoofers) now attempt to detect the MIN and ESN of cellular phones. They accomplish this by building electronic devices that scan cellular frequencies and detect the identifier signal the phone sends back to the cellular tower. The equipment then strips the MIN and the ESN from the identifier signal. The phreaker takes the MIN and ESN and programs them into another cellular phone. Whenever the phreaker uses the reprogrammed phone, the network control station identifies it as the legitimate phone and bills the stolen account for the call.

Cellular phones (which usually have been stolen) are commonly reprogrammed and sold for $5 or $10 at flea markets and pawn shops. Many of these illegal enterprises "guarantee" the phone for one year. If the cellular service disables the account, the seller will reprogram the phone with a different MIN and ESN, re-enabling the phone.

Since the current trend among business people is to communicate via cellular phone, phreakers like to set up their equipment outside areas where business people congregate. Subways, freeways, traffic jams, downtown parks, and airports are prime spots for phreakers. Their equipment is small, lightweight, portable, and automatic, so all the phreaker is required to do is set up in an innocuous location, turn on the equipment, and wait until the memory of the device is full of numbers.

Scope of the Problem (Who Is Affected and What Is Lost)

Anyone who uses a cordless phone is
susceptible to information compromise. Because electronic eavesdropping is easy to carry out and nearly impossible to detect, no one seems to be able to estimate the yearly losses it causes. However, with the rise of touch-tone call routers, electronic operators, home shopping via credit cards, and 24-hour account assistance (credit card, banking, insurance, etc.), more people are giving out critical personal and financial information (such as credit card and bank account numbers) over the phone.

This development has led to a significant rise in financial fraud and will continue to do so. As an example of this, this author recently borrowed a friend's portable scanner (purchased prior to the legislation discussed previously) and listened to several wireless transmissions. After a few hours of listening, three credit card account numbers, an automobile insurance account number, and several social security numbers were obtained.

The amount of susceptible information is not limited to financial transactions. Private detectives, industrial espionage agents, drug dealers, and the press corps routinely scan wireless transmissions to increase their knowledge. Former President Jimmy Carter learned this lesson well. After completing a peaceful exchange of power in Haiti, he used a cellular phone onboard his airplane to discuss some of the aspects of the agreement. Several of the news services picked up his transmission via scanners and made the information public before he landed in Washington, DC.

Even small businesses may find themselves the target of electronic eavesdropping. A company that serviced machinery discovered it was losing business to a competitor. An investigation revealed that the competitor was intercepting the company's service dispatch orders (communicated to the maintenance personnel via cellular phone). The competitor would then dispatch its own personnel and beat the original maintenance crew to the scene, thus getting several of the jobs.

Cellular spoofing is directly costing the telecommunications industry over $300 million a year. While cellular spoofing is not an actual compromise of information (unlike electronic eavesdropping), it does hinder the information security process by increasing the costs of communicating. Whenever illegal (spoofed) cellular calls are made, the phone company charges the cellular account owner for the call. If the owners do not catch the erroneous calls, they unknowingly pay for them. If the owners do catch the calls, they have to notify the phone company and ask to have the charges removed.

This inconvenient process (along with looking through each month's phone bill) wastes a large amount of the account owners' time. Jonathan Feinsod, a New York businessman, has had his cellular phone spoofed four times, and it took him over a week to clear up fraudulent bills in excess of $20,000. Kenneth Crupup, a Boston telecommunications consultant, has had his cellular phone spoofed twice. When he refused to change his account number for the third time, his cellular provider disabled his ability to "roam", or use the phone outside of his designated local area.

Events such as these waste a significant amount of customers' time and tax the resources of both the customer and the cellular provider. The current design of cellular phones leads to this spoofing. The combination of the MIN and ESN was supposed to prevent spoofing and render stolen cellular phones inoperative, since cellular providers could permanently deny service to stolen phones.
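The paragraphs above leave the detection of spoofed calls to the account owner reading the monthly bill. As an added example that is not part of the paper, the following Python check applies two tests a provider or subscriber could run over the call detail records for one MIN/ESN pair: a single handset cannot hold two calls at once, and it cannot appear in two distant cells within a few minutes. The records, the cell identifiers, the cell coordinates and the 200 km/h threshold are all constructed for this example.

```python
from datetime import datetime
from math import hypot

# Constructed call detail records for one MIN/ESN pair, as a billing system
# might export them. Times, cell ids and cell coordinates (km on a flat grid)
# are invented for this example; nothing here comes from a real carrier.
CELL_KM = {"C01": (0.0, 0.0), "C02": (3.5, 1.0), "C17": (120.0, 45.0)}
CALLS = [
    {"start": "1996-07-08 09:02", "end": "1996-07-08 09:11", "cell": "C01"},
    {"start": "1996-07-08 09:05", "end": "1996-07-08 09:09", "cell": "C17"},  # overlaps the call above
    {"start": "1996-07-08 10:30", "end": "1996-07-08 10:35", "cell": "C02"},
    {"start": "1996-07-08 10:40", "end": "1996-07-08 10:52", "cell": "C17"},  # ~125 km away, 5 minutes later
    {"start": "1996-07-08 13:00", "end": "1996-07-08 13:04", "cell": "C01"},
]
FMT = "%Y-%m-%d %H:%M"


def _parse(call):
    """Turn one record into (start, end, cell) with real datetimes."""
    return (datetime.strptime(call["start"], FMT),
            datetime.strptime(call["end"], FMT),
            call["cell"])


def flag_suspicious(calls, cells=CELL_KM, max_kmh=200.0):
    """Return one finding per call that a single handset could not have made.

    Both checks compare each call with the one that started before it:
      overlap - the call began before the previous one ended;
      travel  - straight-line distance between the two cells, divided by the
                idle gap between the calls, exceeds max_kmh.
    The speed threshold is a constructed value; a real deployment would tune
    it to its own cell geometry and false-positive tolerance.
    """
    ordered = sorted(((i, *_parse(c)) for i, c in enumerate(calls)), key=lambda t: t[1])
    findings = []
    for (_, _, p_end, p_cell), (i, start, _, cell) in zip(ordered, ordered[1:]):
        if start < p_end:
            findings.append({"index": i, "reason": "overlap"})
            continue
        gap_h = (start - p_end).total_seconds() / 3600.0
        (x1, y1), (x2, y2) = cells[p_cell], cells[cell]
        dist_km = hypot(x2 - x1, y2 - y1)
        if gap_h > 0:
            speed = dist_km / gap_h
        else:
            speed = float("inf") if dist_km > 0 else 0.0  # back-to-back calls in different cells
        if speed > max_kmh:
            findings.append({"index": i, "reason": "travel", "kmh": speed})
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious(CALLS):
        print(finding, CALLS[finding["index"]])
```

On the constructed records the second call is flagged as an overlap and the fourth as impossible travel; the remaining calls, including the long-gap move between distant cells, pass. A check like this only tells the owner or provider that the pair has been compromised after a spoofed call has already been billed, which is why the paper treats detection as a poor substitute for the countermeasures discussed later.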
According to Electronic Industries Association (EIA) cellular standards, the ESN must be factory-set, the ESN must not be alterable, and any attempt to alter the ESN should render the phone inoperative. In theory, even if phreakers identified the MIN and ESN, they would not be able to reprogram another phone with those numbers. Unfortunately, this theory is weak in practice. Most cellular phones are not constructed so that an attempt to alter their ESN will render them inoperative. ESN chips can be readily obtained or swapped on the black market or from unscrupulous cellular phone service shops. A recent case in Washington, DC revealed that an ESN was "bought" from a local service shop employee in exchange for one-half gram of cocaine.

Even if one cannot buy an ESN, most cellular manufacturers use industry-standard ROM (Read Only Memory) chips to hold the ESN. These chips can be bought in any electronics store and easily reprogrammed or copied to produce bogus ESNs. The most threatening spoofing device is known as a Cellular Cache-Box. It is a combination of a scanner, computer, and cellular phone. The Cache-Box has the capability not only to steal and memorize MINs and ESNs off the air, but also to automatically reprogram itself to emulate these numbers.

After using a MIN/ESN pair one time, the Cache-Box purges these numbers from its memory and selects a new pair. This capability makes it nearly impossible to detect the fraud or catch the perpetrator. Although this equipment is rare and very expensive, it does exist and will continue to be a threat to cellular users. All of these factors, coupled with the growing number of people who are susceptible to these threats, make wireless communications extremely vulnerable. Everyone who uses wireless technology must be aware of the threat and begin taking steps to protect themselves from compromise.

Countermeasures

Even though the threat is huge, a number of
common-sense and technological countermeasures exist to combat electronic eavesdropping and cellular spoofing. Also, the telecommunications industry is beginning to implement new technologies to help lessen the scope of the problem. The cheapest and easiest countermeasure to fight electronic eavesdropping is to use basic communications security procedures.

Everyone who uses a wireless phone should try to minimize (or avoid) revealing any sensitive information over the airwaves. Any communications that reveal sensitive information, such as credit card numbers, financial accounts, social security numbers, passwords, etc., should be transacted over standard hard-wired phones. While these devices can be bugged, the likelihood of this occurring is small. One may argue that since most telephone calls are transmitted through microwave towers, the transmissions could be easily intercepted. This is not true, because the high volume, high speed, and mix of signals sent through microwave towers make electronic interception at these points nearly impossible.

Good communications security can be very effective, but people tend to forget they are on an unsecured line and accidentally give out sensitive information. Also, this countermeasure may be inconvenient if the user prefers or has to use a cordless or cellular phone to conduct business.

Another countermeasure is a high-speed, frequency-switching network. This system constantly changes transmission frequencies throughout the communication. The theory is that eavesdroppers will be unable to identify, track, and listen to calls because the frequencies are constantly changing. This system, however, still does not prevent the eavesdropper from getting lucky, finding the correct frequency, and intercepting sensitive information. Additionally, these systems usually do not have a large number of frequencies available, and once the range of the frequencies has been identified, eavesdroppers can set their scanners to quickly scan only those frequencies. Regardless of the amount of common sense or knowledge of the threat one possesses, there will still be times when one must reveal sensitive information over a wireless phone.

Digital encryption is a solution for this problem. Digital encryption converts analog vocal sounds into digital signals. The transmitting phone uses a mathematical randomization code to scramble the signals and sends the transmission. The receiving phone is able to recognize the encryption code and descrambles the signals. The descrambled signal is then converted back to analog vocal sounds. Because the system randomizes the encryption code and changes it with each transmission, the code is nearly impossible to crack. The two problems with this countermeasure are its expense and availability. Digitally encrypted cordless and cellular phones are more expensive than non-encrypted phones, and the telecommunications industry has only recently begun producing these devices. Digital cellular networks are slowly replacing analog networks throughout the country and are only available in certain areas. According to Peter Ruber, "A national digital standard might not be reached until 1997." Until then, wireless users will have to take their own security precautions.

While digital encryption seems to be the answer to the eavesdropping threat, there is an additional problem with this technology. The federal government is worried that encryption might hinder national security and federal crime-fighting efforts, since legal wiretaps, which provide a large amount of evidence for federal cases, will be unintelligible.

The Clinton administration, backed by the FBI, has proposed the development and implementation of the Clipper chip as the national (and only) encryption standard. The Clipper chip is a microchip that can scramble electronic transmissions, rendering voices and digital data unintelligible. Although this sounds like an idea no one would dispute, it has caused a considerable amount of controversy among the telecommunications industry, civil libertarians, and the government. The controversy arises from the fact that the Clipper chip, developed by the National Security Agency, has a built-in cipher key that permits federal agents to descramble transmissions and eavesdrop on them.

Proponents of the chip point to the prospect of terrorists, spies, drug dealers, and other criminals using unbreakable scramblers to conduct business without fear of communication detection. Opponents believe the logic behind the necessity of the Clipper chip is flawed. Their main point is that since other types of electronic encryption are available, criminals could easily disable the Clipper chip and insert their own encryption chip, which would be unbreakable. Also, since there is a key to the Clipper chip, there is a chance that the key could either be broken or compromised, thereby eliminating the Clipper chip's usefulness.

Because of these concerns, the government has put a hold on the plan to implement this technology; however, this issue will continue to be controversial as more manufacturers develop and incorporate their own encryption methods in future hardware.

Cellular spoofing is a harder problem to eliminate. Solutions exist, however, that can help reduce the problem. The easiest countermeasure is to keep the phone turned off until the user is ready to make a call. This technique eliminates the periodic transmissions between the network control station and the phone, making it harder to compromise number pairs. However, a phreaker only needs one transmission to steal the number pair, so the user is still vulnerable.

Another low-tech method is to change the MIN routinely. Cellular providers and service shops can issue new MINs, but this is an inconvenient and time-consuming process for both the user and the provider. It is also ineffective, since the user has no way of knowing whether their MIN/ESN pair has been compromised, and the phreaker can continue to use these numbers until the user changes the MIN.

There are more high-tech (and more costly) countermeasures available. Many phones now incorporate a 4-digit PIN that must be entered by the user before a call can be made. This feature hinders phreakers, since their equipment usually identifies only the MIN and ESN. Most cellular phone designs now incorporate this feature.

Unfortunately, it is an easy step to modify the detection device to scan the transmission and intercept the PIN, thereby negating the effectiveness of the countermeasure.

Another high-tech countermeasure is to make the ESN chips harder to modify. Cellular phone manufacturers should redesign the ESN chips and incorporate tamper-resistant circuitry. This step will make reprogramming much harder, eliminating all but the most technically advanced phreakers or phreakers with Cache-Boxes. Until ESN chips are made tamper-proof, phreakers will continue to modify and reprogram cellular phones.

The most effective countermeasure the telecommunications industry can implement is encryption. Encryption will not only help prevent unauthorized eavesdropping and compromise, it will also reduce, and possibly eliminate, cellular spoofing. The encryption design would randomly encrypt the MIN/ESN signal as well as voice communications, allowing cellular phones to identify themselves to the network control station without retransmitting the same digital signal each time. Since the encryption scheme changes with each transmission, it is extremely difficult and time-consuming, and nearly impossible, to break, even with high-speed computers.

Without the MIN or ESN, phreakers will be put out of business. Because the encrypted MIN/ESN signal changes after each transmission, Cache-Boxes, which retransmit the signals they intercept, would be defeated. The drawbacks to this countermeasure are complexity, cost, and time. The entire cellular system, including the phones, transmitting towers, and network control stations, would need a large amount of new software and hardware.

The intricate process of establishing an encryption standard, implementing it, redesigning the current cellular system, and retrofitting the system with the new equipment presents a tough obstacle to overcome. This countermeasure is further complicated by the need to continue supporting both encrypted and non-encrypted systems during the transition. Whether the cellular industry, and ultimately the cellular customer base, are willing to shoulder these costs depends on their willingness to accept the costs and consequences of not implementing encryption countermeasures.

Conclusion

Wireless eavesdropping and cellular spoofing
are a serious and costly problem that will continue to grow in the coming years as the cordless and cellular market increases. Electronic eavesdroppers and cellular phreakers are becoming more sophisticated in their activities, and the availability, low cost, and undetectability of this technology make eavesdropping and spoofing both effortless and profitable.

Anyone who uses these devices is vulnerable to compromise and must understand the scope of the threat they face. While the threat is large, several countermeasures exist to reduce the risk of compromise. Also, the telecommunications industry is taking a hard look at the problem and designing new high-tech countermeasures, such as digital encryption, to further combat the threat. Table 1 lists existing and future countermeasures and rates their merits and overall effectiveness.

As shown in Table 1, encryption is the most effective countermeasure to reduce both eavesdropping and cellular spoofing, and plans should be made to implement this system. The Clipper chip is not a good solution for two reasons: (1) there is nothing to prevent criminals from reprogramming their cordless and cellular phones with their own encryption schemes, thus negating the crime-fighting aspects of the Clipper chip; and (2) since a decryption key exists, there is a good chance that this key will be compromised or that the code will be publicly broken, rendering the entire encryption system useless.

Therefore, a random cryptographic scheme is needed to reduce the chance of, and possibly prevent, communications compromise. The probability and threat of cordless and cellular compromise is high, and the effects of it are costly. We must, as a society, begin taking steps now to increase our communications security; otherwise, we will continue to risk and incur great losses in
both personal and business affairs.

Table 1. Existing and future countermeasures, rated by technology level, cost, and overall effectiveness.

Threat | Countermeasure | Technology Level | Countermeasure Cost | Comments | Overall Effectiveness
Electronic Eavesdropping | Limit sensitive conversations | Low | Low | People tend to accidentally release sensitive info; may not be user-friendly. | Medium
Electronic Eavesdropping | High-Speed Frequency Switching | Medium | Medium | Eavesdroppers may still find the correct frequency and intercept sensitive information. | Medium
Electronic Eavesdropping | Digital Encryption | High | High | Cipher code will prevent information compromise, but may hinder crime-fighting efforts. | High
Spoofing | Keep phone turned off until ready to use | Low | Low | Cellular phone is harder to spoof, but can still be done when the user makes a call. | Low
Spoofing | Change MIN routinely | Low | Low | This can be effective, but user must routinely change MIN. The phone can still be spoofed at any time. | Medium
Spoofing | Incorporate PIN number | Medium | Medium | This makes it harder to spoof phone, but scanning equipment can be easily modified to intercept PIN. | Medium
Spoofing | Design tamper-proof ESN chips | Medium | Medium | This will prevent cellular phones from being reprogrammed, but will not stop technically advanced phreakers or eliminate the use of Cache-Boxes. | Medium to High
Spoofing | Digital Encryption | High | High | Cipher code will reduce and possibly prevent spoofing, including the use of Cache-Boxes. | High
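The Countermeasures section and the "Digital Encryption" rows of Table 1 rest on one property: the handset must identify itself to the network control station without sending the same digital signal each time, so that a Cache-Box replaying what it recorded is refused. The following Python simulation is an added example, not code from the paper or from any carrier; it models the identification exchange described in the technology section (MIN and ESN sent in the clear, the network billing whichever account they name) beside a version in which the tower issues a fresh random challenge and the handset answers with a keyed hash over that challenge, the MIN and the ESN. The keyed hash (HMAC-SHA256) and the per-subscriber secret are assumptions of this example; the paper speaks only of "randomly" encrypting the MIN/ESN signal. All subscriber numbers and keys are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed subscriber records. The MIN/ESN pairs are invented; the
# per-subscriber key is an assumption of this example and would have to be
# provisioned in the handset and at the network control station, never sent
# over the air.
SUBSCRIBER_KEYS = {
    ("3125550142", "82F1C0A7"): b"example-subscriber-key-0001",
    ("3125550199", "5D0E77B3"): b"example-subscriber-key-0002",
}


class StaticIdentityNetwork:
    """The exchange as the paper describes it: the handset answers the tower's
    identifier signal with its MIN and ESN, and the network control station
    bills whichever account those numbers name."""

    def __init__(self, subscribers):
        self.on_file = set(subscribers)

    @staticmethod
    def handset_reply(min_, esn):
        # The same bytes go over the air on every transmission.
        return {"min": min_, "esn": esn}

    def authorize(self, reply):
        return (reply["min"], reply["esn"]) in self.on_file


class ChallengeResponseNetwork:
    """Identity proof that changes every transmission: the tower sends a fresh
    random challenge and the handset returns a keyed hash over challenge, MIN
    and ESN. The numbers alone no longer authorize anything."""

    def __init__(self, subscribers):
        self.keys = dict(subscribers)
        self.outstanding = set()  # challenges issued and not yet consumed

    def tower_challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    @staticmethod
    def _proof(key, nonce, min_, esn):
        msg = nonce + min_.encode() + b"|" + esn.encode()
        return hmac.new(key, msg, hashlib.sha256).digest()

    @classmethod
    def handset_reply(cls, nonce, min_, esn, key):
        return {"min": min_, "esn": esn, "nonce": nonce,
                "proof": cls._proof(key, nonce, min_, esn)}

    def authorize(self, reply):
        nonce = reply["nonce"]
        if nonce not in self.outstanding:
            return False                 # never issued, or already used: a replay
        self.outstanding.discard(nonce)  # each challenge is answered exactly once
        key = self.keys.get((reply["min"], reply["esn"]))
        if key is None:
            return False                 # no such subscriber
        expected = self._proof(key, nonce, reply["min"], reply["esn"])
        return hmac.compare_digest(expected, reply["proof"])  # constant-time compare


def run_scenarios():
    """Run both schemes with the legitimate handset and with a recording of its
    traffic presented again, which is what the paper says a Cache-Box does."""
    min_, esn = "3125550142", "82F1C0A7"
    key = SUBSCRIBER_KEYS[(min_, esn)]

    static = StaticIdentityNetwork(SUBSCRIBER_KEYS)
    recorded = static.handset_reply(min_, esn)
    static_results = {
        "owner": static.authorize(recorded),
        "replayed": static.authorize(dict(recorded)),  # identical bytes, accepted again
    }

    cr = ChallengeResponseNetwork(SUBSCRIBER_KEYS)
    nonce = cr.tower_challenge()
    reply = cr.handset_reply(nonce, min_, esn, key)
    owner = cr.authorize(reply)
    replayed = cr.authorize(dict(reply))         # same recording: nonce already consumed
    fresh = cr.tower_challenge()
    spliced = {**reply, "nonce": fresh}          # old proof attached to a new challenge
    cr_results = {"owner": owner, "replayed": replayed, "spliced": cr.authorize(spliced)}
    return {"static": static_results, "challenge_response": cr_results}


if __name__ == "__main__":
    print(run_scenarios())
```

Under the static scheme the recorded reply is accepted as readily as the original, which is the weakness the whole spoofing discussion turns on. Under the challenge-response scheme the owner's reply is accepted once, the same recording is refused because its challenge has been consumed, and an old proof attached to a new challenge fails the keyed-hash check. This example authenticates the MIN and ESN rather than hiding them; the paper's proposal would also encrypt the pair so it cannot be read off the air, but the property that defeats a Cache-Box is the one shown here: the authorizing value differs on every transmission and the network will not accept a value it has already honoured.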
Copyright © 1996-2003 ITparadise Pty Ltd ACN 102 722 529. All Rights Reserved.