ABSTRACT

It is common knowledge that mobile handsets are insecure.

New developments intended to make handsets secure face many challenges and difficulties. This project analyses the GSM security mechanism based on the IMSI/IMEI combination. The handset security problems are clarified by examining the security provided by 2G and 3G. Technical and non-technical solutions are identified from the approaches of network operators, handset manufacturers and the GSM Association, and national and international efforts are discussed. On the basis of the lessons from 2G and 3G security, possible developments in 4G are suggested. Finally, a few recommendations are made for further research on this topic.


1.0 INTRODUCTION

Mobile phones are used by hundreds of millions of people every day, and this trend is increasing day by day. Compared with the land line, mobile phones are more vulnerable because of their wireless link, and mobile handsets are very attractive to thieves because of their light weight and high cost. Wireless communication is inherently less secure than wired communication. The three types of wireless communication [1] are WAN (Wide Area Network, e.g. GSM, GPRS), LAN (Local Area Network, e.g. Wi-Fi) and PAN (Personal Area Network, e.g. Bluetooth). The WAN and LAN are more vulnerable because they cover a large geographic area, whereas the PAN covers only a small one. Six generic security problems [1] are associated with wireless communication:
• Physical access to networks/devices is not required
• It facilitates anonymous attacks
• Device authentication: risk of a stolen device
• Confidentiality
• Integrity
• Availability

In wireless communication electromagnetic waves propagate through the air, so it is easy to access the data; in wired communication the physical link (coaxial cable, optical fibre) makes it difficult to access the information. As wireless communication is inherently insecure, it also makes anonymous attacks easier. Every device needs to authenticate itself to the network in order to get service. One problem in wireless communication is that it is the device rather than the user that is authenticated, which makes it easy to use a stolen device: a stolen mobile phone can be used by a thief because only device authentication is required, not user authentication. All the other usual risks to communication, confidentiality, integrity and availability, also apply to wireless. In wireless WANs (GSM, GPRS) security has always been a problem: in the first generation analogue phones, for example, people could easily listen to others' conversations by eavesdropping on the radio path. Another common security related problem [2] was to reprogram the identities of mobile phones so that the cost of calls made with them appeared on other customers' bills. The second generation GSM system was designed with the problems of eavesdropping and cloning in mind, and provides the features of authentication, confidentiality and anonymity [2]. Authentication identifies the subscriber and, by recognising the genuine user, makes fraudulent calls practically impossible. Encryption of the radio link protects both voice and data against eavesdropping. Anonymity (the quality or state of being unknown or unacknowledged) is used to keep the IMSI (International Mobile Subscriber Identity) secret. Initially three protocols were introduced to provide security in GSM: the GSM authentication protocol, the GSM confidentiality protocol and the GSM location privacy protocol. [3] Later many flaws were found in these protocols. The flaws in GSM security have been improved to some extent with the arrival of GSM 1800, HSCSD, GPRS, EDGE and UMTS, but more improvement is still needed. Two common security problems in handsets are: (1) insufficient linkage between the SIM and the mobile terminal (IMEI and IMSI); (2) reprogramming of the IMEI (International Mobile Equipment Identity) and non-unique IMEIs. Many protocols have been proposed by the standards bodies to cope with the security situation of wireless LANs; for example, the 802.11 standards for wireless communication used the WEP (Wired Equivalent Privacy) protocol in order to bring security equivalent to that of a wire. The primary goal of WEP is to maintain the confidentiality of the subscriber by protecting against eavesdropping. WEP worked to some extent, but later many flaws were found in it. Two drawbacks of WEP are: (1) it can easily be cracked with software obtained from the internet; (2) all users of a WEP network must use the same encryption key. WEP has been replaced by WPA (Wi-Fi Protected Access), which provides stronger security.

This project begins with the GSM architecture, which is built on three main subsystems: the Mobile Station, the Base Station Subsystem and the Network Subsystem. The Mobile Station and Network Subsystem are discussed in some detail, as this project demands, with a short description of the Base Station Subsystem. The IMEI (International Mobile Equipment Identity) and IMSI (International Mobile Subscriber Identity) are described under the Mobile Station for clear understanding. The GSM security features are discussed, with their flaws, at the end of chapter 3. In the fourth chapter the problems with handset security are clarified together with the possible technical and non-technical solutions; the efforts of network operators, handset manufacturers and the GSM Association to make handsets secure are included, and national laws and international (UNO) approaches are discussed with an investigation of the public perception of mobile handset security. Finally chapter 5 summarises the work and chapter 6 concludes the write-up with recommendations for further research.


2.1 AIM
To produce recommendations for unsecured mobile handsets.

2.2 OBJECTIVES
• To understand what the IMSI and IMEI are.
• To critically analyse 2G and 3G security.
• To clarify the problems associated with mobile handset security.
• To identify possible security solutions, technical and non-technical.
• To discuss network operator approaches. How do they work? As an example the UK mobile networks are studied.
• To highlight national and international level approaches: laws regarding security; drawbacks of partial implementation; what happens if fully implemented; UN approaches.
• To investigate the public perception of mobile security. A survey has been carried out.
• To evaluate new developments in 4G: advantages and disadvantages.

3.0 TECHNICAL BACKGROUND

3.1 Global System for Mobile Communication
Before GSM there was no global mobile system. Most European countries used their own first-generation cellular systems, which were incompatible with the systems of other countries in both operation and equipment. In order to solve this fragmentation problem, the task of specifying a common mobile communication system for Europe in the 900 MHz band was taken up in the mid 1980s by the GSM (Groupe Spécial Mobile) committee, a working group of CEPT (the European Conference of Postal and Telecommunications Administrations). [4] GSM was introduced as a second generation cellular system. It was first introduced to the European market in 1991, and in 1992 its name was changed to Global System for Mobile Communication. The number of GSM subscribers has increased dramatically during the last fifteen years; according to the GSM Association, GSM subscribers exceeded 2 billion by the end of 2005 (GSM Association press release, 18 September 2005, London).

3.2 GSM Architecture
GSM has three major subsystems, as shown in Figure 3.2 (copied directly from REF [5]): [5]
(1) Mobile Station
(2) Network Subsystem
(3) Base Station Subsystem

Figure 3.2

3.2.1 Mobile Station
It consists of two parts:
(1) Subscriber Identity Module (SIM)
(2) Mobile Equipment
The mobile equipment does not work without a SIM, except for emergency calls.

3.2.2 Subscriber Identity Module (SIM)
The SIM is a smart card which contains both programs and data. Its main function is not only to store subscriber data but also to authenticate the user and to establish the validity of the MS to the network. A SIM can be used in different GSM phones, which makes upgrading easy. The SIM card is shown in Figure 3.3 below.

Figure 3.3 SIM card

Five types of data are stored in the SIM [6] (see REF [6] table 2.1 for full details):
(1) Administrative data
(2) Security related data
(3) Subscriber data
(4) Roaming data
(5) PLMN (Public Land Mobile Network) data
The Personal Identification Number (PIN), the keys Ki and Kc, the algorithms A3 and A8, the TMSI (Temporary Mobile Subscriber Identity) and the network identifier are all stored in the SIM.

3.2.3 International Mobile Subscriber Identity (IMSI)
The IMSI is a unique number allocated to every subscriber of a GSM or UMTS network and used for identification. It is stored in the SIM and is sent by the mobile to the network; it identifies the subscriber's security related data (the key Ki) held in the HLR (Home Location Register), from which the VLR (Visitor Location Register) obtains the data it needs. The IMSI consists of three parts: the MCC (Mobile Country Code), the MNC (Mobile Network Code) and the MSIN (Mobile Subscriber Identification Number), which identifies the subscriber within the network. The MSIN is not the subscriber's telephone number; the dialled number is the separate MSISDN. The IMSI structure is shown in Figure 3.4 below with the MCC, MNC and MSIN fields. An example of an IMSI used by Orange Mobile UK is as follows:
IMSI: 234337966968338
MCC: 234
MNC: 33
MSIN: 7966968338

Figure 3.4

3.2.4 Temporary Mobile Subscriber Identity (TMSI)
The TMSI is a randomly generated number given to the mobile when it is switched on. It is used instead of the IMSI as a temporary subscriber identity in order to prevent the IMSI being obtained by eavesdropping (listening secretly to the private conversations of others) on the radio interface, and so makes the mobile difficult to trace. The TMSI is local to a particular area, so every time the mobile moves to a new geographic area the TMSI changes. The network can also change the TMSI at any time [7] to prevent the subscriber being identified. The Visitor Location Register (VLR) performs the assignment, administration and update of the TMSI. The TMSI consists of four octets; its exact encoding is chosen by agreement between the network operator and the equipment to suit local needs. It can take any value except FF FF FF FF hex [6], which is reserved for the case where the SIM does not contain a valid TMSI. When the data held for the mobile become invalid for any reason, the IMSI must be sent to the network instead of the TMSI. [11] Assignment and use of the TMSI is only possible with active ciphering.
The main uses of the TMSI are as follows [8]:
(1) The TMSI is assigned after the IMSI has been transmitted for authentication, i.e. when the mobile phone is switched on for the first time.
(2) Every time a location update (new MSC) occurs, the network assigns a new TMSI.
(3) The TMSI is used by the MS to report to the network and during call initialisation.
(4) The network uses the TMSI to communicate with the MS, except when the mobile has just been switched on.
(5) On MS switch-off the TMSI is stored on the SIM card to be reused next time.
An important use of the TMSI is paging [6], i.e. one-to-one communication between the mobile and the base station.

Two methods are used for TMSI allocation. In the first, TMSIs are allocated by each visitor location register (VLR) in the network, and a single TMSI is utilised to identify the mobile station in all MSCs associated with the allocating VLR. In an alternative embodiment, each MSC transmits a Validity Area Parameter (VAP). Consider a scenario: a network consists of two neighbouring MSCs and a mobile station which is currently operating in the first MSC. The first TMSI is allocated to the mobile station by the first MSC and is used to identify the mobile station while it operates within the first MSC service area. The second TMSI is assigned by the second MSC and is used to identify the mobile station while it operates in the second MSC service area. Each MSC transmits its VAP, called the first VAP and second VAP for the first and second MSC respectively. The mobile station invalidates the first TMSI when it receives the second VAP and registers itself in the second MSC using its MIN (Mobile Identification Number). [look website]

3.2.5 Mobile Equipment
The Mobile Equipment is the terminal into which a GSM SIM is inserted in order to work as a Mobile Station. The Mobile Equipment is identified by the IMEI (International Mobile Equipment Identity).

3.2.6 International Mobile Equipment Identity (IMEI)
The IMEI is a unique number used to identify each piece of Mobile Equipment (mobile phone) in GSM and UMTS. It identifies the mobile equipment rather than the subscriber (the SIM). The IMEI is usually found beneath the battery of the phone and can also be displayed by dialling *#06# (star hash 0 6 hash) into the phone. The IMEI is one of the important numbers used for mobile handset security: it is used by the network operator for passive theft protection. The IMEI is stored in the EIR (Equipment Identity Register, described later under the Network Subsystem) and is used to identify a stolen device by looking it up in the EIR. Three categories of IMEI are stored in the EIR: white for a valid GSM Mobile Station, grey for a GSM Mobile Station to be tracked and black for a barred Mobile Station. Whenever a phone is stolen the subscriber complains to the Network Operator, which bans that IMEI (marks it black). No service is possible once an IMEI is blacklisted. It is not, however, always necessary for the Network Operator to query the IMEI.
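The two identifiers introduced in sections 3.2.3 and 3.2.6 can be handled in code, as an added example (not from the original report): the IMSI is split into MCC, MNC and MSIN, and the IMEI is split into its 8-digit TAC, 6-digit serial number and Luhn check digit, which is recomputed and verified (the IMEI format paragraph that follows gives the layout). Two assumptions are labelled in the code: the MNC length is a parameter, since the UK example uses 2 digits while some countries use 3, and the sample IMEI is a widely published illustrative number, not a real handset; the IMSI example is the one from the report.

```python
"""Parsing and validation of the GSM identifiers IMSI and IMEI.

Added example; not code from the original report. The MNC length and the
sample identifiers are assumptions stated in the comments below."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Imsi:
    mcc: str   # Mobile Country Code, 3 digits
    mnc: str   # Mobile Network Code, 2 or 3 digits
    msin: str  # Mobile Subscriber Identification Number (not the phone number)


def parse_imsi(imsi: str, mnc_len: int = 2) -> Imsi:
    """Split an IMSI (up to 15 digits) into MCC, MNC and MSIN.

    Assumption: the MNC length cannot be inferred from the digits alone. It is
    2 in the UK example (234 33 ...) and 3 in, for instance, North America, so
    the caller supplies it.
    """
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("an IMSI is 6 to 15 decimal digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    return Imsi(mcc=imsi[:3], mnc=imsi[3:3 + mnc_len], msin=imsi[3 + mnc_len:])


def luhn_check_digit(body14: str) -> int:
    """Luhn check digit over the 14 digits TAC+SNR.

    Walking the 14 digits from the right, every second digit starting with the
    rightmost is doubled (digit sums of products kept), and the check digit is
    the value that brings the total to a multiple of 10.
    """
    if not (body14.isdigit() and len(body14) == 14):
        raise ValueError("expected TAC+SNR, 14 digits")
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:          # rightmost of the 14 is the first doubled digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


@dataclass(frozen=True)
class Imei:
    tac: str  # Type Allocation Code: model and origin, 8 digits
    snr: str  # serial number defined by the manufacturer, 6 digits
    cd: int   # Luhn check digit


def parse_imei(imei: str) -> Imei:
    """Parse a 15-digit IMEI and verify its check digit."""
    if not (imei.isdigit() and len(imei) == 15):
        raise ValueError("an IMEI is 15 decimal digits")
    body, cd = imei[:14], int(imei[14])
    if luhn_check_digit(body) != cd:
        raise ValueError("IMEI check digit mismatch")
    return Imei(tac=body[:8], snr=body[8:14], cd=cd)


def is_valid_imei(imei: str) -> bool:
    try:
        parse_imei(imei)
        return True
    except ValueError:
        return False


def imei_as_transmitted(imei: str) -> str:
    """The form the mobile sends to the network: the check digit is replaced by the spare 0."""
    p = parse_imei(imei)
    return p.tac + p.snr + "0"


if __name__ == "__main__":
    print(parse_imsi("234337966968338"))          # the report's Orange UK example
    sample = "490154203237518"                    # assumed: illustrative IMEI, not a real handset
    print(parse_imei(sample), imei_as_transmitted(sample))
```

The transmitted form matters when building EIR lookups: the number the network sees ends in 0, so an EIR that stores 15-digit IMEIs with the real check digit must compare on the first 14 digits.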

IMEI format
The IMEI is a 15-digit number which encodes the model, origin and serial number of the device. Before 2002 the TAC was 6 digits long and was followed by a 2-digit FAC (Final Assembly Code), a manufacturer-specific code indicating the site at which the device was assembled. The format of such an IMEI was AABBBB-CC-DDDDDD-E [9]:
AA      Country (reporting body) code
BBBB    Remainder of the Type Approval Code
CC      Final Assembly Code (manufacturer code)
DDDDDD  Serial number
E       Check digit (spare)
The IMEI manufacturer (FAC) codes include [9]:
01  AEG
02  AEG
07  Motorola
10  Nokia
20  Nokia
40  Motorola
41  Siemens
44  Siemens
51  Sony, Siemens, Ericsson
The FAC of all phones was set to 00 from 1 January 2003, and the FAC ceased to exist from 1 April 2004, when the Type Approval Code was increased to 8 digits and became known as the Type Allocation Code (TAC). In the current format the first 8 digits, the TAC, identify the model and origin; the next 6 digits, defined by the manufacturer, are the device serial number; and the last digit is a Luhn check digit. The check digit is never transmitted over the air: the mobile sends it as a spare digit set to 0.

3.2.7 Network Subsystem

The Network Subsystem provides the switching and communication between mobiles and the PSTN (Public Switched Telephone Network). It is roughly similar to an ordinary telephone exchange, but not exactly, as it works for mobile telephones. [6] There are four main parts in the Network Subsystem:
(1) Mobile Switching Centre (MSC)
(2) Home Location Register (HLR) / Authentication Centre (AuC)
(3) Visitor Location Register (VLR)
(4) Equipment Identity Register (EIR)

3.2.8 Mobile Switching Centre (MSC)
The basic switching in the NSS is carried out in the Mobile Switching Centre, which is just an ordinary ISDN (Integrated Services Digital Network) exchange with the added features required for handling mobile communication applications. The MSC controls several base station systems through the A interface, which follows a signalling protocol used in the telephone network. [10] The MSC provides services such as circuit switching, mobility management (finding the subscriber's location), roaming and all other GSM services. The MSC has different names in different contexts, e.g. Gateway MSC, Visited MSC, Target MSC and Anchor MSC. The Gateway MSC is the MSC which interfaces with other networks; any MSC can be a Gateway MSC, and it is up to the network operator which MSCs are equipped as gateways. A call has to enter the PLMN via a Gateway MSC, which queries the HLR and then forwards the call to the MSC where the called party is currently located; the Gateway MSC therefore performs some additional tasks during call establishment.

3.2.9 Home Location Register / Authentication Centre
The home location register is the main database of all locally resident subscribers. It contains user information such as address, account status and preferences. The HLR stores details of every SIM card issued by the network operator, including the IMSI. Other important information stored in the HLR is the subscriber's telephone number, the specific GSM services requested by the subscriber, the subscriber's current location (the serving VLR) and call divert information. Every PLMN is usually connected with one HLR. The HLR is an important part of GSM: it manages the data of hundreds of thousands of users, so it is important that the response from the HLR is quick enough to connect each call in a reasonable time.

As the HLR is the central database and contains sensitive data, it is necessary to prevent the loss of subscriber data. The Authentication Centre (AuC) is implemented together with the HLR as an essential part of keeping the data safe.

Authentication Centre
Access to telecommunication services by cloning a valid identifier is a common problem in many mobile networks. A mobile phone needs to authenticate its SIM card to the GSM network when it attempts to connect to it; the process used to prevent unauthorised access is called authentication. If authentication fails, no service is possible. The AuC is not directly engaged in authentication; instead it generates authentication triplets which the MSC uses during the authentication procedure. [6] The major function of the AuC is therefore to provide the authentication triplets, that is, the random number (RAND), the signed response (SRES) and the ciphering key Kc:
RAND: a 128-bit random number generated by the HLR/AuC.
SRES: a 32-bit signed response produced by both the mobile and the network. It is calculated from Ki, RAND and the algorithm A3.
Kc: a 64-bit ciphering key used as the session key for over-the-air encryption. It is calculated from Ki, RAND and the algorithm A8.
Ki: the secret subscriber key stored in the SIM but unknown to the user. Ki is also stored in the HLR/AuC and is known to the network operator.
The GSM authentication procedure is discussed later under GSM security.

3.2.10 Visitor Location Register
The Visitor Location Register, as its name suggests, contains temporary information about all subscribers currently residing in its particular area. The VLR is a database which provides dynamic subscriber data management, while the HLR provides static data management; dynamic data management is only done by the VLR, even when the subscriber resides in the home area. Compared with the HLR, a VLR covers a limited geographic area; the VLR was introduced to reduce the load on the HLR. [6] Consider the example of a roaming subscriber. As the subscriber moves from one location to another, data are passed from the VLR of the location the subscriber is leaving (the old VLR) to the VLR of the location being entered (the new VLR): in this scenario the old VLR hands the related data over to the new VLR.

3.2.11 Equipment Identity Register

The EIR is the database which stores three types of mobiles. When a mobile phone requests a service from the network, its IMEI may be checked by looking it up in the EIR. Basically it contains three types of IMEI: black, white and grey. [6] IMEIs stored as black are banned from obtaining any service from the network, while IMEIs stored as white are approved handsets. The black mobile phones are those which have been stolen or are barred for some technical reason; these phones are not allowed to obtain services from the network. Grey mobile phones are those which are non-conforming but may be allowed to use the network. White contains all the approved types of mobile station. An EIR stores the information of only one network, whereas the CEIR (Central Equipment Identity Register) stores the information of all networks within a country. [12]

3.2.12 Central Equipment Identity Register
The CEIR is a unique computer located at the GSM Association headquarters in Dublin, Ireland. [12] It is the global central database which holds the IMEI information of all mobile phones: it contains information on the IMEI ranges of millions of handsets that have been approved for use on GSM networks. The CEIR is linked with all the registered EIRs (which store the information of the different networks) in a country. Whenever a mobile phone is stolen from any network, that network passes the data to the CEIR as a black IMEI. The CEIR stores all the black IMEIs in one big black list, and every EIR downloads this big black list for its own use. The CEIR shares the information with all the registered EIRs over a secure internet connection on a daily basis. [12]

3.2.13 Base Station Subsystem
All radio related functions are performed in the Base Station Subsystem (BSS). It consists of two main parts:
(1) Base Station Controller (BSC)
(2) Base Transceiver Station (BTS)
• BSC. It provides the link between the MSC and the BTS. It is a high capacity switch which provides all control functions such as handover, cell configuration data and control of Radio Frequency (RF) power levels in the Base Transceiver Stations. A single MSC serves many BSCs.

• BTS. It provides the radio interface for the Mobile Equipment (ME). The BTS needs radio equipment (transceivers and antennas) to serve all the cells in the network. A group of BTSs is controlled by a BSC.

3.3 GSM SECURITY
GSM is a public radio network, and hence it is necessary to build in security features which protect the network against fraudulent access and ensure subscriber privacy. [13] Due to the tremendous growth of mobile phones in the international market, GSM security has become more important for international communication. The security functions in GSM include [13, 14]:
(1) Authentication, to prevent access by unregistered users.
(2) Encryption, to prevent unauthorised listening.
(3) Anonymity, to prevent subscriber location disclosure.

GSM Security Features
The security mechanisms of GSM are implemented in three different system elements [13]: the Subscriber Identity Module (SIM), the GSM handset or MS, and the GSM network. All three (SIM, GSM handset and GSM network) are required to provide the security and authentication. The SIM contains the IMSI, the individual subscriber authentication key Ki, the ciphering key generating algorithm A8, the authentication algorithm A3 and the PIN (Personal Identification Number). The mobile station contains the ciphering algorithm A5. The algorithms A3, A5 and A8 are also stored in the GSM network, where the security information is further divided among the AuC, HLR and VLR. Figure 3.5 shows the distribution of the security features among the three system elements.

Figure 3.5 GSM security features

3.3.1 Authentication
Two methods are used for authentication. In the first method a PIN (Personal Identification Number) is used to identify the subscriber. The PIN, usually 4 digits long, is stored in the SIM; whenever a subscriber wants to make a call he enters the PIN, which is checked by the SIM. The second method is more sophisticated. It is based on a challenge-response protocol and is started from the fixed network. [14] Every GSM subscriber is assigned a unique secret key Ki, which is also known to the network operator and stored in the HLR/AuC. In order to authenticate the user, a 128-bit random number RAND is sent to the MS. The mobile station computes the 32-bit signed response SRES using the secret key Ki, RAND and the authentication algorithm A3, and sends SRES to the network. On receiving SRES from the subscriber the network computes SRES again (in practice the AuC has already supplied RAND and the expected SRES as part of the triplet), and the two values are compared: if they are identical, authentication is granted; otherwise the connection is terminated and an authentication failure message is sent to the MS. The authentication procedure is shown in Figure 3.6. The signed response is calculated in the SIM, without any transmission on the radio interface, so confidential subscriber information such as the IMSI or the individual subscriber authentication key Ki is never released from the SIM during the authentication process; this provides enhanced security. [14]

Figure 3.6 Authentication procedure
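The challenge-response exchange above, together with the AuC triplets of section 3.2.9, as an added simulation that is not code from the original report. A3 and A8 are modelled with truncated HMAC-SHA256 (an assumption: the real algorithms, COMP128 and its successors, are operator specific and not reproduced here); the parameter sizes are the GSM ones (Ki and RAND 128 bits, SRES 32 bits, Kc 64 bits), and the 10 low bits of Kc are zeroed because the COMP128v1 implementation did so, which is the origin of the 54-bit effective key length mentioned in chapter 4. Ki stays on the card and in the AuC; only RAND and SRES cross the air interface, and Kc is derived on both sides without ever being transmitted.

```python
"""GSM challenge-response authentication: AuC triplet, SIM response, MSC comparison.

Added example, not code from the original report. A3/A8 are HMAC stand-ins
(assumption); IMSI and Ki values in the demo are constructed."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

KI_BYTES, RAND_BYTES, SRES_BYTES, KC_BYTES = 16, 16, 4, 8


def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """A3 stand-in: 32-bit signed response (HMAC-SHA256 truncated; not the real A3)."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:SRES_BYTES]


def a8_kc(ki: bytes, rand: bytes, zeroed_low_bits: int = 10) -> bytes:
    """A8 stand-in: 64-bit Kc with the low 10 bits forced to zero, as COMP128v1 did."""
    raw = hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:KC_BYTES]
    kc = int.from_bytes(raw, "big") & ~((1 << zeroed_low_bits) - 1)
    return kc.to_bytes(KC_BYTES, "big")


@dataclass(frozen=True)
class Triplet:
    rand: bytes
    sres: bytes
    kc: bytes


class AuC:
    """Holds Ki per IMSI and hands out triplets; Ki itself never leaves the AuC."""

    def __init__(self) -> None:
        self._ki: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        if len(ki) != KI_BYTES:
            raise ValueError("Ki is 128 bits")
        self._ki[imsi] = ki

    def triplet(self, imsi: str, rand: Optional[bytes] = None) -> Triplet:
        rand = rand if rand is not None else secrets.token_bytes(RAND_BYTES)
        ki = self._ki[imsi]
        return Triplet(rand, a3_sres(ki, rand), a8_kc(ki, rand))


class Sim:
    """The SIM: answers RAND with SRES and keeps Kc on the card."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki
        self.kc: Optional[bytes] = None

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        """The RUN GSM ALGORITHM command: SRES goes out, Ki and Kc stay on the card."""
        self.kc = a8_kc(self._ki, rand)
        return a3_sres(self._ki, rand)


def msc_authenticate(auc: AuC, sim: Sim, rand: Optional[bytes] = None) -> Tuple[bool, Optional[bytes]]:
    """The MSC/VLR side: fetch a triplet, challenge the MS, compare SRES in constant time."""
    t = auc.triplet(sim.imsi, rand)          # from the AuC: RAND, expected SRES, Kc
    sres_ms = sim.run_gsm_algorithm(t.rand)  # RAND over the air, SRES back
    if hmac.compare_digest(sres_ms, t.sres):
        return True, t.kc                    # both ends now hold Kc; it was never transmitted
    return False, None


if __name__ == "__main__":
    auc = AuC()
    imsi, ki = "234337966968338", bytes(range(16))   # constructed Ki; IMSI from the report
    auc.provision(imsi, ki)
    print("genuine SIM:", msc_authenticate(auc, Sim(imsi, ki))[0])
    print("SIM with wrong Ki:", msc_authenticate(auc, Sim(imsi, bytes(16)))[0])
```

Note what the comparison does not cover: nothing in the exchange proves to the SIM that the RAND came from its home network, which is the gap the false base station attack in section 3.4 exploits.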

3.3.3 Encryption
Encryption (also known as ciphering) was introduced in order to prevent unauthorised listening between the MS (Mobile Station) and BS (Base Station). [13] After successful authentication, the 64-bit ciphering key Kc is calculated from Ki, RAND (the same RAND used in authentication) and the ciphering key generation algorithm A8 (Figure 3.7). Kc is used to encrypt and decrypt the data between the MS and BS. Ciphering is achieved by an exclusive-or (XOR) between the 114 data bits of a normal burst and a pseudo-random sequence generated by A5 from Kc and the frame number. To reproduce the original 114 data bits, deciphering is achieved by the same operation (XORing again with the same A5 output). [14] Encryption applies only to the air interface; therefore tapping of the call is possible on the terrestrial part of the connection. The ciphering key may be changed at regular intervals as required by network design and security considerations; changing the ciphering key raises the security level and makes the system more resistant to eavesdropping. [6] Two modes of transmission are used between the mobile and base station for all data transmission: (1) protected mode (encrypted) and (2) clear text mode. It is necessary to protect the actual user identity even in the clear text mode; this is achieved by using an identity alias, the TMSI, in place of the International Mobile Subscriber Identity (IMSI).

Figure 3.7 Ciphering key generation
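The burst ciphering described above, as an added example that is not code from the original report: an implementation of the A5/1 keystream generator (three LFSRs with majority clocking, keyed from Kc and the 22-bit frame count, 228 bits per frame of which 114 cipher each direction) and the XOR of a 114-bit normal burst with it. The register lengths, taps and clocking bits are those of the published description of A5/1 after it was reverse engineered in 1999; the Kc, frame number and payload bits are constructed sample values. The example also shows why Kc alone is not the whole story: the same Kc yields a different keystream for every frame.

```python
"""A5/1 keystream generation and GSM burst ciphering.

Added example; not code from the original report. Sample Kc, frame number
and payload are constructed values."""

from typing import List, Tuple

# A5/1 register parameters: sizes, feedback taps, majority clocking bits, output bits.
R1_MASK, R2_MASK, R3_MASK = (1 << 19) - 1, (1 << 22) - 1, (1 << 23) - 1
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080  # bits 18,17,16,13 / 21,20 / 22,21,20,7
R1_CLK, R2_CLK, R3_CLK = 1 << 8, 1 << 10, 1 << 10
R1_OUT, R2_OUT, R3_OUT = 1 << 18, 1 << 21, 1 << 22


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _step(reg: int, mask: int, taps: int) -> int:
    """Shift one LFSR left by one bit, feeding back the parity of its tap bits."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    """A5/1 keystream generator for one TDMA frame."""

    def __init__(self, kc: bytes, frame: int) -> None:
        if len(kc) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("Kc is 64 bits and the frame count is 22 bits")
        self.r1 = self.r2 = self.r3 = 0
        # Key setup: the 64 Kc bits (LSB of each byte first), then the 22 frame bits,
        # are XORed into bit 0 of all three registers, all registers clocked each time.
        for i in range(64):
            self._clock_all()
            self._xor_in((kc[i >> 3] >> (i & 7)) & 1)
        for i in range(22):
            self._clock_all()
            self._xor_in((frame >> i) & 1)
        for _ in range(100):  # 100 mixing clocks under the majority rule, output discarded
            self._clock()

    def _xor_in(self, bit: int) -> None:
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self) -> None:
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def _clock(self) -> None:
        """Majority clocking: a register advances only if its clocking bit agrees with the majority."""
        c1, c2, c3 = bool(self.r1 & R1_CLK), bool(self.r2 & R2_CLK), bool(self.r3 & R3_CLK)
        maj = (c1 + c2 + c3) >= 2
        if c1 == maj:
            self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if c2 == maj:
            self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if c3 == maj:
            self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def keystream(self, nbits: int) -> List[int]:
        out = []
        for _ in range(nbits):
            self._clock()
            out.append(_parity(self.r1 & R1_OUT) ^ _parity(self.r2 & R2_OUT) ^ _parity(self.r3 & R3_OUT))
        return out


def frame_keystreams(kc: bytes, frame: int) -> Tuple[List[int], List[int]]:
    """228 bits per frame: the first 114 cipher the downlink burst, the next 114 the uplink burst."""
    ks = A51(kc, frame).keystream(228)
    return ks[:114], ks[114:]


def cipher_burst(bits: List[int], keystream: List[int]) -> List[int]:
    """XOR the 114 payload bits of a normal burst with the keystream; applying it twice restores the data."""
    if len(bits) != 114 or len(keystream) != 114:
        raise ValueError("a normal burst carries 114 data bits")
    return [b ^ k for b, k in zip(bits, keystream)]


if __name__ == "__main__":
    kc = bytes.fromhex("1223456789abcdef")  # constructed sample Kc
    frame = 0x134                           # constructed sample frame count
    dl, ul = frame_keystreams(kc, frame)
    burst = [(i * 7 + 3) % 2 for i in range(114)]  # constructed payload bits
    enc = cipher_burst(burst, dl)
    print("downlink keystream:", "".join(map(str, dl[:32])), "...")
    print("roundtrip ok:", cipher_burst(enc, dl) == burst)
```

The frame count is public (it is broadcast), so an eavesdropper who recovers Kc, as the attacks on A5/1 and A5/2 in section 3.4 do, can regenerate the keystream for every frame of the call; and because the terrestrial leg carries the bursts in clear, the same XOR is all that separates the radio leg from it.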

Figure 3.8 Ciphering mode mechanism

3.3.4 Anonymity
The word "anonymity" means of unknown or undeclared origin. The anonymity feature was designed to protect against someone who knows the user's IMSI using this information to track the location of the user, or to identify calls made to or from the user, by eavesdropping on the radio path. [23] In order to protect the IMSI a randomly generated TMSI (Temporary Mobile Subscriber Identity) is used. The TMSI changes for two reasons:
1. Every time the subscriber moves to a new geographic area, as the TMSI is particular to a specific area.
2. The network changes it to prevent the subscriber being identified.

3.4 Flaws in GSM Security
Many flaws have been found in the second generation GSM system; some important ones are as follows [3]:
(1) SIM/MS interface tapping
(2) Attacks on the algorithm A3/8
(3) Flaws in the A5/1 and A5/2 algorithms
(4) Attacks on the SIM card
(5) False base station

SIM/MS Interface Tapping

Due to the insufficient linkage between the SIM and the MS, it is possible to use the SIM with any MS. The SIM can be connected to a terminal emulator instead of a genuine terminal, and in this way the messages between the SIM and the MS can be tapped on the SIM/MS interface. [3]

Attacks on the Algorithm A3/8: Authentication and radio link privacy are provided in the GSM network by the GSM security algorithms. GSM provides different algorithms such as A3, A5 and A8; when A3 and A8 are implemented together the implementation is known as A3/A8. It is implemented in the SIM and in the GSM authentication centre and is used to authenticate the customer and to generate the key for encrypting voice and data. [15] Many GSM operators used COMP128, an implementation of A3/8, for over-the-air privacy of data and voice, and more than 250 million users worldwide depended on it (new versions of A3/8, COMP128-2 and COMP128-3, were introduced later; see chapter 4). The key Ki used by this algorithm was recovered by Goldberg and Wagner in 1998 by collecting 160,000 RAND-SRES pairs. [3] A simple way of doing this is to connect a stolen SIM card to a PC emulator which sends 160,000 chosen RANDs to the SIM card and collects the SRES responses. This method takes almost ten hours because of the slow implementation of the algorithm on the SIM card.

Flaws in the A5/1 and A5/2 algorithms: The algorithm A5 is used in GSM to protect the communication between the MS (Mobile Station) and BS (Base Station). A5 is a stream cipher which comes in two flavours, A5/1 and A5/2. A5/1 is the original cipher, designed in 1987; A5/2 was developed in 1989 with breakability in mind and was used in some non-EU GSM networks. According to [16] the effective key length of A5/2 is only 40 bits. Both algorithms were breakable even in the late 1990s, and it is very easy to break them today. Attacks on these algorithms were initially made by Biryukov and Shamir [17] and later further improved by Wagner [18]. In these attacks Kc is recovered for decryption purposes.

Attacks on the SIM card: The Subscriber Identity Module (SIM) stores very sensitive information, and any attack on the SIM affects the IMSI and Ki, so it is very important to make it secure. The SIM is implemented on a smart card, and vulnerabilities of smart cards directly affect the security of the SIM. [3] Many attacks have been made on SIM cards; some important ones are as follows.

Optical Fault Induction:

These attacks were revealed by Anderson [19] following Skorobogatov's research. The operation of a smart card processor can be disrupted using an ordinary electronic camera flash gun: illuminating a target transistor causes it to conduct, inducing a transient fault. In this method the secret information, the IMSI and Ki, was found by reverse engineering the memory address map. These attacks are possible nowadays and do not even need laser equipment; to carry them out the attacker needs physical access to the phone.

Partitioning attacks: These attacks are also known as SIM cloning. All GSM phones use secret cryptographic keys for security and privacy; the cryptographic algorithm COMP128, or one of its derivatives, is used by GSM phones for user identification and communication security. In these attacks the hacker finds the secret keys of your phone and, using them, makes phone calls and transactions on your behalf. The IBM Research team was the first to illustrate a new class of side-channel attacks, called partitioning attacks, which extract secret key information from SIM cards by monitoring side channels such as power consumption and electromagnetic (EM) emanations. [20] The IBM Research team discovered a way to quickly extract the COMP128 keys from SIM cards using side channels in spite of existing protections: the attack can obtain the key information within minutes. This new method extracts the information from the SIM within one minute, while the methods used before required up to eight hours. [20] Over-the-air SIM cloning is not possible by this method, but it cannot be completely ruled out. All cryptographic algorithms use table lookups as an integral part of their operation to retrieve values stored at particular locations in memory. IBM Research introduced a new technique to protect SIM cards from side-channel attacks, in which the single table lookup is replaced by a sequence of table lookups at random locations. This replacement is achieved by using a small, randomly generated ancillary table. This technique stops the information leaking to the side channels. [20]

Remote attacks: A few lines of code and one SMS message can terminate thousands of subscriber SIM cards at the same time. [21] In this method the attacker attacks the SIM cards remotely. Riscure (an independent smart card security evaluation company based in the Netherlands) demonstrated how an attacker can remotely control and terminate the SIM cards of subscribers by sending a specific data-download SMS to the card. Most SIM cards used in the world are Java cards; mobile telecom companies use the Java technology on the card to offer extra functionality (e.g. electronic wallet, games etc.) to their subscribers via so-called applets. An applet is nothing more than a small program on the SIM card consisting of up to 2000 lines. [21] The attack implemented by Riscure is based on five lines of trojan code in an otherwise valid Java applet, which causes the SIM card to terminate on reading the incoming message. Once terminated, the SIM becomes useless and the subscriber is forced to contact the nearest GSM office to swap the SIM card. An alternative attack consists of eavesdropping on sensitive data, in which the SIM card is hacked when the subscriber is asked to enter the PIN. See REF [21] for details.

False Base Station: GSM security provides only one-way authentication between the MS/ME and the BS (Base Station). Every time the user obtains services from a base station the MS authenticates itself to it, but the base station does not authenticate itself to the MS/ME. Due to this unilateral authentication, attacks can be made on the GSM system with a false base station. [3] The method is based on the fact that ciphering of the call does not start automatically; rather, ciphering starts when the BS instructs the ME to start encryption. In the beginning it was assumed to be impossible to make this type of attack because of the high cost of a GSM base station; nowadays the cost of GSM equipment has decreased and these attacks have become very easy to carry out. The false base station, which acts as a BS towards the target MS and as an MS towards the genuine BS (the wired access network, PLMN), is shown in the figure below with all the necessary steps it follows to make a false BS attack. The call between the target MS and the false BS is unencrypted, so the data can be heard, but the call between the false BS and the genuine BS is encrypted: when the false BS connects to the genuine BS (PLMN) it finds that the PLMN expects encryption, and the PLMN notices nothing because the call between the false BS and the PLMN is an encrypted, genuine call. To the caller it therefore seems to be a genuine call. One effect of this attack is that the call is made on the false BS's subscription and not that of the MS; [3] the attack can be detected once someone gets the itemised bill.

Figure: GSM False Base Station [3]

4.0 Technical Approach
The 2nd generation GSM mobile phones have all the security related problems described above. Many new technologies (GSM1800, HSCSD, GPRS, EDGE) were introduced to solve all these problems. Every new technology contributed to some extent, but the 3rd generation technology UMTS has really improved on these security flaws. Some of the important issues that have had an impact on the design of UMTS security are as follows. [21] [22] [23]
1. The currently used GSM cipher algorithms (used to provide confidentiality) are not published with the bulk of the GSM standards; the GSM Association controls the distribution of the algorithms. This restriction was applied by regulatory control, which was relaxed later. Due to this reason the GSM cipher algorithms were not available for peer review. Later this decision was changed due to criticism from academic bodies. In 1990 3GPP adopted a more open approach, publishing the cipher algorithms with the other UMTS standards.
2. The strength of a cipher algorithm depends on the length of the cipher key. GSM used a full length 64 bit cipher key algorithm, although 10 bits were set to zero, which reduces the effective key length to 54. UMTS required a new algorithm with 128 bits for better security.
3. Development of new security features to protect against active attacks (false base station attacks) on the radio path.
4. New implementation of A3/A8 (COMP128-2 & COMP128-3) to stop SIM cloning.
The arrival of GPRS/UMTS brings the following security features in mobile security. [3]
New A3/A8 implementation: The new implementations of the algorithms A3/A8, known as COMP128-2 & COMP128-3 (originally derived from COMP128), have done much to stop SIM cloning. COMP128-2 still has the same 10 bit weakening of the cipher key Kc (54-bit); however, COMP128-3 has stopped SIM cloning by using the 64-bit Kc. It also makes Ki extraction over the air difficult.
A5/3 ciphering: The flaws in A5/1 and A5/2 were improved on with the arrival of A5/3, which is based on the Kasumi core (the core encryption algorithm for UMTS).
GEA3 ciphering: Similarly to A5/3, the new algorithm called GEA3 was added to the GPRS system. GEA3 is also based on Kasumi.
GPRS/UMTS ciphering before FEC: In order to minimize errors, ciphering is used before the FEC (Forward Error Correction). In GPRS and UMTS, ciphering occurs at RLC/MAC10, while FEC is performed at the physical layer.
Network authentication to phone: UMTS uses two way authentication between the mobile phone and the network. The procedure which the mobile phone uses to authenticate itself to the network is the same as in GSM. The network in UMTS sends an Authentication Token (AUTN) along with the RAND. The authentication token consists of a sequence number (SQN) encrypted using the RAND and the root key (K). [3] The MAC code in UMTS works the same as the GSM SRES but in the opposite direction. In order to authenticate, both MACs are compared; if they differ, an authentication reject message is sent to the network and the connection is over.

10 RLC: Radio Link Control; MAC: Medium Access Control

4.2 Mobile Handset Security Problems
After wide consultation [23] [26] [29] the most important problems concerning mobile handsets have been identified as follows*:
(1) Insufficient linkage between handset software and hardware (handset cloning).
(2) Insufficient linkage between SIM and mobile terminal (IMSI and IMEI).
(3) Reprogramming of IMEI (International Mobile Equipment Identity) and non unique IMEI.
(4) Authentication of IMEI at the serving network.
(5) Allocation of TMSI by sending the IMSI in clear text.
* They are not listed in order of importance.

4.3 Technical & Non Technical Solutions
A mobile handset has three external interfaces which must be considered in order to provide security: [24]
(1) Network Interface
(2) SIM Card Interface
(3) User Interface
Network Interface: This is the interface between the network (GSM, 3G, Bluetooth) and the handset. The handset sends its identification number (IMEI) to the network, which allows or restricts services by looking in the EIR (Equipment Identity Register). This interface only identifies the handset, not the user. In common practice the IMEI is not secure, and reprogramming of the IMEI is another serious problem nowadays. [24]
SIM Card Interface: The interface between the SIM card and the handset is called the SIM card interface. As described in the background, a subscriber is recognized by the IMSI and the mobile terminal is recognized by the IMEI. The data stored on the handset and on the SIM card are compared for authentication purposes. Usually the handsets are programmed for restricted use, yet it is common practice to use one network's SIM with another network's mobile handset. Due to the insufficient linkage between SIM and mobile terminal, use of stolen handsets is very common all around the world. On the basis of a linkage between IMSI and IMEI strong security can be provided. The common descriptive data for this family are: country code, network code, service code, user's IMSI value. [24]
User Interface: The interface between the user (subscriber) and the handset is the user interface. The user authenticates to the handset by entering a PIN (Personal Identification Number).
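The one-way GSM authentication exploited by the false base station above and the UMTS AUTN check described under "Network authentication to phone", as an added Python model that is not part of the report: A3/A8 and the UMTS f1/f2/f5 functions are replaced by an HMAC-SHA256 stand-in and the keys are constructed sample values (both assumptions of this example), so it shows the protocol logic rather than the real ciphers.

```python
"""Added example, not from the report: a toy model of GSM one-way authentication
beside UMTS two-way authentication with AUTN.  A3/A8 and the UMTS f1/f2/f5
functions are stand-ins built from HMAC-SHA256 (an assumption of this example):
output lengths follow the text, the real algorithms are not reproduced.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _prf(key: bytes, label: bytes, data: bytes, n: int) -> bytes:
    """Keyed stand-in for A3/A8/f1/f2/f5: first n bytes of HMAC-SHA256."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]


def gsm_sres(ki: bytes, rand: bytes) -> bytes:
    """A3 stand-in: 32-bit signed response."""
    return _prf(ki, b"A3", rand, 4)


def gsm_kc(ki: bytes, rand: bytes, comp128_v3: bool = False) -> bytes:
    """A8 stand-in: 64-bit Kc.  COMP128-2 style output keeps the 10 low bits
    at zero (54-bit effective key); COMP128-3 style uses all 64 bits."""
    kc = int.from_bytes(_prf(ki, b"A8", rand, 8), "big")
    if not comp128_v3:
        kc &= ~((1 << 10) - 1)
    return kc.to_bytes(8, "big")


def umts_challenge(k: bytes, sqn: int, amf: bytes = b"\x80\x00") -> tuple[bytes, bytes, bytes]:
    """Network side: RAND, AUTN = (SQN xor AK) || AMF || MAC, and XRES."""
    rand = secrets.token_bytes(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = _prf(k, b"f1", sqn_b + rand + amf, 8)
    ak = _prf(k, b"f5", rand, 6)
    autn = bytes(a ^ b for a, b in zip(sqn_b, ak)) + amf + mac
    return rand, autn, _prf(k, b"f2", rand, 8)


@dataclass
class Phone:
    ki: bytes
    sqn_max: int = -1   # highest UMTS sequence number accepted so far

    def gsm_respond(self, rand: bytes) -> bytes:
        """GSM: the phone answers any RAND; nothing tells it who sent it."""
        return gsm_sres(self.ki, rand)

    def umts_respond(self, rand: bytes, autn: bytes) -> bytes | None:
        """UMTS: check the network's MAC and the SQN before answering."""
        ak = _prf(self.ki, b"f5", rand, 6)
        sqn_b = bytes(a ^ b for a, b in zip(autn[:6], ak))
        amf, mac = autn[6:8], autn[8:16]
        expected = _prf(self.ki, b"f1", sqn_b + rand + amf, 8)
        if not hmac.compare_digest(mac, expected):
            return None                       # authentication reject
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_max:
            return None                       # replayed AUTN: synchronisation failure
        self.sqn_max = sqn
        return _prf(self.ki, b"f2", rand, 8)  # RES


def gsm_access(phone: Phone, bs_ki: bytes | None, order_cipher: bool) -> dict[str, bool]:
    """One GSM access.  A station that does not hold Ki (bs_ki=None) still
    gets an SRES back and can simply never order ciphering: the false base
    station case from the text, invisible to the phone."""
    rand = secrets.token_bytes(16)
    sres = phone.gsm_respond(rand)
    verified = bs_ki is not None and sres == gsm_sres(bs_ki, rand)
    return {"phone_authenticated": verified,
            "network_authenticated": False,    # GSM never does this
            "traffic_encrypted": order_cipher}


def umts_access(phone: Phone, bs_k: bytes, sqn: int) -> dict[str, bool]:
    """One UMTS access: a station without K cannot produce a valid AUTN."""
    rand, autn, xres = umts_challenge(bs_k, sqn)
    res = phone.umts_respond(rand, autn)
    return {"network_authenticated": res is not None,
            "phone_authenticated": res is not None and hmac.compare_digest(res, xres)}


# Constructed keys for a demonstration run (not real SIM material).
K_GENUINE = bytes.fromhex("00112233445566778899aabbccddeeff")
K_FALSE_BS = bytes.fromhex("ffeeddccbbaa99887766554433221100")

if __name__ == "__main__":
    phone = Phone(K_GENUINE)
    print("GSM, false BS :", gsm_access(phone, None, order_cipher=False))
    print("UMTS, false BS:", umts_access(phone, K_FALSE_BS, sqn=1))
    print("UMTS, genuine :", umts_access(phone, K_GENUINE, sqn=1))
```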

Other common authentication values for this interface are a password, secret key + ciphering component and biometrics (fingerprint). Usually a PIN code is used to make an anti theft system in mobile phones.

4.3.1 Linkage between Software & Hardware
All handset security functions need a strong link between software and hardware: the stronger the linkage between software and hardware, the more secure the handset. Handset cloning is a very common and serious problem which arises because of the weak link between handset software and hardware. In cloning, a complete reload of the software allows a duplicate handset to be made. The second phone (cloned phone) is an exact copy of the first one (genuine phone); model and brand do not need to be the same for cloning. Identity and phone number are both copied into the other handset. When the original phone rings, the duplicate rings as well. In short, a cloned phone works the same as the original handset, and any call made by it will cost the original user. [25]
There is much debate about the legality of cloning. In one sense it is totally illegal, but in another it may be legal. If someone clones another's phone and uses it for himself, it's called fraud: by stealing somebody else's mobile number (MIN) and Electronic Serial Number (ESN), a person can "clone" a cellular phone and then make calls which are charged unlawfully to another. [25] This is clearly illegal. If someone needs an extension he can use a cloned phone. Is this illegal? No, definitely not. This is the same as a subscriber having one landline number and using many extensions. If everything works fine and people use cloning only as an extension, there would be no problem to notice. This problem arose due to the use of cloning for fraudulent purposes. In the media a lot of propaganda is going on by the network operators about cloning, without knowing about it. Every network operator wants the subscriber to get a new phone and pay twice; on the other hand subscribers don't want to get two lines with two different numbers. Although a law exists to stop tampering for fraudulent purposes, in this situation cloning of a handset can't be totally considered illegal. The law has since been updated. Interestingly enough, some cellular companies are now starting (11-4-1998) to offer cloning as part of their service packages.
In order to stop cloning a strong linkage between hardware and software is necessary. If one mobile phone handset has an anti theft solution inactivated (e.g. mobile PIN code off) and another handset has the anti theft solution activated (mobile PIN code on), cloning the first onto the second will have the result that the anti theft solution of the second handset becomes inactivated. It will affect the innocent user. However, it cannot be fair to completely stop cloning by making a strong linkage between handset hardware and software. GSM Europe [24] proposes that the linkage between hardware and software should be based on the secure IMEI number, which is already attributed to most mobile terminals as it was used historically for type approval purposes.

4.3.2 Linkage between SIM Card and Mobile Terminal
A mobile handset has two essential parts: the mobile terminal and the SIM card. The most important feature of GSM is the use of the SIM card, which stores all the identification and security related data needed to make or receive calls. Without the SIM card the mobile terminal can't provide any service except emergency calls. Every GSM subscriber (SIM) is recognized by a 15 digit unique number called the IMSI (International Mobile Subscriber Identity)11; each subscriber uses the IMSI for identification. Similarly the mobile terminal is recognized by a 15 digit unique number called the IMEI (International Mobile Equipment Identity)12. Many of the first generation analogue phones were susceptible to abuse. Due to eavesdropping, people could easily listen to others' conversations and reprogram the identities of mobile phones such that the cost of calls made appeared on another customer's bill. [23] Problems like cloning and eavesdropping were common in the first generation phones. The second generation GSM system is based on the linkage between software and hardware. Similarly the IMEI used to identify the mobile terminal started work with the arrival of 2G handsets, although it proved an unsecure identity later. In the past there was no linkage between the SIM and the mobile terminal: ideally a GSM SIM can be used with any GSM handset in order to provide all the services. Many problems arose due to this fact. It made the mobile phone very insecure and the use of stolen devices very easy: a stolen mobile phone can easily be used by inserting a new SIM.

11 Described in the technical background.
12 Described in the technical background.

Due to this fact, making the handset secure has become important. 3G handsets were introduced with extra built in security; this introduced integrity in the IMEI. New handsets are being introduced with extra facilities. The security feature based on the linkage between IMSI and IMEI is useful, and a strong relationship between IMSI and IMEI can build better security. For example, the 3 Mobile network in the UK has built a strong linkage between SIM and mobile terminal: a 3 Mobile network SIM can only be used with the specific handsets. Very few network operators in the world have introduced this security feature. It makes the handsets less attractive for thieves. On the other hand people want to use any network's SIM with any handset. According to a "Handset Security Survey" which was carried out during this project, more than 85 percent of people want to keep the handset free to use with any available SIM, while more than 60 percent of people believe that the SIM card and mobile terminal do not have sufficient linkage. People want a secure handset, but free to use with any SIM. Network operators are not ready to implement this type of security feature which subscribers do not like. Mobile phone users are increasing day by day globally, and the mobile phone trade is getting better globally. In developing countries people are not able to buy new handsets; old mobile phones are imported from the developed countries at reasonable prices. If the handset is restricted to some specific SIM, international mobile phone trade will definitely be affected. This fact is true as it is.

4.3.3 Reprogramming of IMEI or Non Unique IMEI
In many countries the IMEI is used to stop mobile phone theft. This is the main purpose of the IMEI. Secondary purposes [24] include special network handling of specific mobile equipment types (e.g. for compensation of mobile network interworking issues), the tracing and prevention of malicious call use, assistance in fraud investigation and configuration management of the customer equipment base. A secure IMEI is necessary in every handset; in short, IMEI security is equally important for the mobile manufacturer and the network operator. All types of IMEI numbers (grey, white, black) are stored in the EIR (Equipment Identity Register) and the CEIR (Central Equipment Identity Register). Every EIR manages the IMEIs usually belonging to one network, while the CEIR manages all the IMEIs of the different networks. When a mobile phone is stolen, the owner contacts the operator, which bans the IMEI in its own EIR and sends the information to the CEIR, which blacklists the stolen handset in all operators' switches. This makes the mobile phone unusable. Due to this, mobile phone theft became a useless business.
At present it is common knowledge that the IMEI is unsecured. The IMEI is supposed to be a unique number which cannot be changed easily, but this is not true due to the following reasons: [7][30]
• "New IMEIs can be programmed into stolen handsets and 10 percent of IMEIs are not unique", according to a BT-Cellnet spokesman.
• The IMEI is sent in clear (open identity).
• No proof of origin or type approval is possible.
• Facilities do not exist to de-bar numbers listed in error.
• The IMEI can be changed at a very cheap price all around the world.
• The IMEI function in GSM has failed till now.
Two requirements to make the IMEI secure are as follows: [30]
(1) "It shall not be possible to change the IMEI after the ME's final production process. It shall resist tampering by any means (e.g. physical, electrical or software)."
(2) The security policy for the Software Version Number (SVN) is such that it cannot be readily changed by the user, but can be updated with changes to the software. The security of the SVN shall be separate from that of the IMEI.
Practically it seems nearly impossible to make the IMEI totally unchangeable. IMEI security depends on software security: the IMEI of a handset is reprogrammed by using some specific software, and this software is easily available on the internet. Reprogramming of the IMEI is called unlocking. A stolen handset can be used after unlocking with any network's SIM all around the world; due to unlocking, mobile phones have become very attractive for thieves. This problem was created due to the two reasons given above (non unique IMEI and no way to debar numbers listed in error). According to the "Handset Security Survey" more than 50% of people believe that the recently used IMEI blacklist method is worthy, but on the other hand more than 70% of people do not keep the IMEI number in a safe place.
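An added example, not from the report, of the IMEI and EIR/CEIR mechanics discussed in sections 4.3.2 and 4.3.3: the Luhn check digit that real IMEIs carry, a bar propagated from one operator's EIR through the CEIR to all others, the 3 Mobile style SIM-to-terminal lock, and the innocent-user collateral of a non-unique IMEI. Register contents, PLMN codes, IMEIs and IMSIs are constructed sample values, and the IMSI parser assumes a 2-digit MNC.

```python
"""Added example, not from the report: IMEI check-digit validation, EIR/CEIR
barring and a SIM-to-terminal linkage check, modelling the mechanisms the text
describes.  Register contents, IMEIs and IMSIs are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum

class Colour(Enum):
    WHITE = "white"   # approved equipment
    GREY = "grey"     # allowed but tracked
    BLACK = "black"   # barred (reported stolen)

class Decision(Enum):
    ALLOW = "allow"
    BARRED = "barred"          # IMEI black-listed in the serving EIR
    SIM_LOCKED = "sim_locked"  # terminal accepts only its home network's SIMs
    BAD_IMEI = "bad_imei"      # malformed or check digit wrong

def imei_check_digit(body14: str) -> int:
    """Luhn check digit over the 14-digit TAC+serial body (the real IMEI rule)."""
    total = 0
    for i, ch in enumerate(body14):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the left
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10

def validate_imei(imei: str) -> bool:
    """15 digits ending in the Luhn check digit: catches sloppy reprogramming
    and typos, not a cloned IMEI that is valid in itself."""
    return (len(imei) == 15 and imei.isdigit()
            and imei_check_digit(imei[:14]) == int(imei[14]))

def imsi_plmn(imsi: str, mnc_len: int = 2) -> str:
    """MCC+MNC of a 15-digit IMSI; a 2-digit MNC is assumed in this example."""
    if len(imsi) != 15 or not imsi.isdigit():
        raise ValueError("IMSI must be 15 digits")
    return imsi[:3 + mnc_len]

@dataclass
class EIR:
    """One operator's Equipment Identity Register."""
    plmn: str
    entries: dict[str, Colour] = field(default_factory=dict)

    def colour(self, imei: str) -> Colour:
        return self.entries.get(imei, Colour.GREY)   # unknown IMEI: tracked, not barred

@dataclass
class CEIR:
    """Central register: a bar raised by one operator reaches every EIR."""
    operators: dict[str, EIR]

    def bar(self, imei: str) -> None:
        for eir in self.operators.values():
            eir.entries[imei] = Colour.BLACK

def attach(serving: EIR, imei: str, imsi: str, locked_to: str | None = None) -> Decision:
    """Decide whether a (terminal, SIM) pair gets service on the serving network.
    locked_to models the SIM-ME linkage the text attributes to 3 Mobile: the
    terminal only works with SIMs whose MCC+MNC equals that value."""
    if not validate_imei(imei):
        return Decision.BAD_IMEI
    if locked_to is not None and imsi_plmn(imsi) != locked_to:
        return Decision.SIM_LOCKED
    if serving.colour(imei) is Colour.BLACK:
        return Decision.BARRED
    return Decision.ALLOW

def collateral_if_barred(handsets: list[tuple[str, str]], imei: str, victim: str) -> list[str]:
    """IMSIs of other subscribers whose handset carries the same IMEI: the
    innocent users a bar also hits when IMEIs are not unique."""
    return [s for i, s in handsets if i == imei and s != victim]

# Constructed sample data: two PLMN codes, one genuine IMEI and one IMEI that
# (wrongly) appears in two handsets.  Both IMEIs carry valid check digits.
PLMN_A, PLMN_B = "23415", "23420"
IMEI_GOOD, IMEI_DUP = "490154203237518", "356938035643809"
HANDSETS = [(IMEI_GOOD, "234150000000001"), (IMEI_DUP, "234150000000002"),
            (IMEI_DUP, "234200000000003")]

def scenario() -> dict[str, object]:
    """Theft report, CEIR propagation, SIM lock and a tampered IMEI in one run."""
    eir_a, eir_b = EIR(PLMN_A), EIR(PLMN_B)
    ceir = CEIR({PLMN_A: eir_a, PLMN_B: eir_b})
    thief_sim = "234200000000009"                       # new SIM on network B
    before = attach(eir_b, IMEI_GOOD, thief_sim)        # not yet reported: service
    ceir.bar(IMEI_GOOD)                                 # owner reports theft to network A
    after = attach(eir_b, IMEI_GOOD, thief_sim)         # bar now visible on network B
    locked = attach(eir_b, IMEI_DUP, "234150000000002", locked_to=PLMN_B)
    tampered = attach(eir_b, "490154203237510", thief_sim)   # reprogrammed, digit wrong
    hit = collateral_if_barred(HANDSETS, IMEI_DUP, victim="234150000000002")
    return {"before": before, "after": after, "locked": locked,
            "tampered": tampered, "collateral": hit}
```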

4.3.4 Suggestions
Some suggestions to make the IMEI secure are as follows: [26] []
• Each mobile equipment must be identified by a unique IMEI. There should not be any way to duplicate the IMEI.
• The IMEI must not be changed outside its manufacturer's premises; if necessary, it must be done by the authorised bodies.
• The IMEI should be electronically signed by the manufacturer. A standard body verifies the signature.
• A secret IMEI (only known to the manufacturer) should be used to identify the mobile terminal. This secret IMEI must be stored in non volatile memory in such a way that it is hard to remove and replace.
• Modification of the IMEI should be impossible without the secret part.
• The IMEI requires physical protection against removal and replacement.
• In case any part which contains the IMEI needs repair, it must be replaced by a new one. If it is essential to change its content, it must be done by an authorised individual.
It is not possible to completely stop the reprogramming of the IMEI; this is a problem where any technical or non technical method can't work. To make the reprogramming of the IMEI less attractive financially, in some countries reprogramming of the IMEI is illegal. For example, in the United Kingdom under the Mobile Telephones (Re-programming) Act, changing the IMEI of a phone, or possessing equipment that can change it, is considered an offence under some circumstances. [7] This legislation enables the police to tackle those fuelling the trade in stolen mobile phones, with penalties of up to five years in prison for those reprogramming the IMEI number on mobile phones. As discussed before, the international trade of used mobile phones is increasing day by day.

4.3.5 Authentication of IMEI at Serving Network
In certain cases the serving network may request the IMEI to be sent for authentication. It is expected that the mobile terminal sends the genuine IMEI every time. Standard bodies impose requirements on the mobile terminal to ensure the integrity of the IMEI and stop any re-programming or tampering. It has been discussed that 10% of IMEIs are not unique and re-programming is possible in mobile phones. Any system which blacklists stolen mobile phones depends totally on the mobile terminal. Neither GSM nor UMTS provides a method for authenticating the mobile equipment identity. [23] This is due to the complexity of designing a robust system.

4.3.6 Allocation of TMSI by Sending the IMSI in Clear Text
Every GSM or UMTS subscriber is recognized by a 15 digit number called the IMSI (International Mobile Subscriber Identity). This number is stored in the SIM. In order to avoid the subscriber being identified by eavesdropping on the radio interface, a TMSI (Temporary Mobile Subscriber Identity) is used instead of the IMSI. The TMSI changes after some time due to the following two reasons:
(1) A new TMSI is allocated every time the subscriber moves to a new area.
(2) The data in the mobile becomes invalid for some reason.
Sometimes it is necessary to send the IMSI instead of the TMSI:
(1) The first time, to identify the subscriber.
(2) When the subscriber can't be identified.
The IMSI is sent in clear text for the two reasons given above. Due to eavesdropping on the radio path the subscriber can be identified.

4.4 Network Operator Approaches
All security problems are important for the network operators as well as the handset manufacturers; specially, the need for a secure IMEI is necessary for both. During this project the UK mobile networks (Orange, O2, T-Mobile, Vodafone, Virgin Mobile, 3 Mobile and BT Cellnet) have been studied. In the UK the mobile phone database (CEIR) can prevent the use of a stolen mobile phone on any UK mobile network by barring the IMEI numbers. Any stolen mobile phone can be banned just like a stolen credit card. This makes the phone useless for thieves. This facility is provided both for pay as you go and contract phones. Every mobile network has dedicated contact numbers for its customers to bar stolen handsets, e.g.
Orange
• Contract 07973100150
• Pre-pay 08700776655
Vodafone
• Contract 07836191191
• Pre-pay 08700776655
Unfortunately not all of the UK mobile network operators are ready to cooperate. Vodafone and BT Cellnet have not completely agreed to use the IMEI blacklist method. O2, Virgin, Orange and 3 Mobile networks are ready to offer the service.
3G Mobile Network: The most advanced security features are provided by the 3G mobile network in the UK. A 3G mobile network SIM can only be used with 3G dedicated handsets; even if a handset is unlocked it can't work with the 3G SIM. If all mobile networks followed 3G, it would make unlocking (re-programming) useless.

4.5 National Level Approaches
The rate of mobile phone theft is increasing all over the world, and the use of mobile phones for crimes is a serious problem. In the UK mobile phones are involved in 28% of robberies. Many actions have been taken by the Home Office to make handsets secure. The Mobile Telephones (Re-programming) Act 2002 came into force on October 4, 2002 and makes offences of: [27]
• Changing, without the authorisation of the manufacturer, the unique identifying characteristic of a mobile phone (the IMEI number), and
• Possessing, supplying or offering to supply the necessary equipment with the intent to use it for re-programming mobile phones.
The offences carry maximum penalties of five years imprisonment or unlimited fines, or both. The Home Office has spent years persuading the network operators to install equipment for barring stolen handsets. Two UK mobile network operators (BT Cellnet & Vodafone) have failed to meet the new measures. Minister John Denham said [b]: "A start has been made, but more needs to be done before Britain's mobile phone system can lead the world in security." A Home Office spokesman has said [b]: "they are saying it is not worth because the next generation of phones are coming along in a couple of years and customers are not demanding". Both network operators are worried about the reprogramming of the IMEI: not all IMEIs are unique, and reprogramming is possible in stolen handsets. The opinions of BT Cellnet and Vodafone about IMEI security are as follows:
BT Cellnet: A BT Cellnet spokeswoman said [b]: "IMEI barring does not solve the problem and is a red herring. Duplicate numbers are coming out of the factories now and you can have two or three handsets with the same number. You might be blocking several other people who have done nothing wrong," she said. "We are a network, not a handset manufacturer. Handset manufacturers will have to be asked questions as well. We are working with the Home Office on all aspects of security for current and future networks," she said.
Vodafone: Vodafone has not adopted the technology because it is "unreliable", a spokesman said, and it would lead to innocent phone users being disconnected. Vodafone is ready to cooperate with the government. A Vodafone spokesman had told the government that if it was sent all the stolen IMEI numbers it could search records and hand over the names and addresses of users matching the numbers. He said: "We thought it would perhaps lead police to someone with spurious reason for holding the phone and would be a step in the right direction to breaking up these crime rings. But the government declined the offer for whatever reason."
Face Recognition: Vodafone KK13 introduced a face recognition method [] to secure the handset by recognizing the user. By pre-registering the customer's face and a secret question and answer, the camera will automatically activate when the handset is opened and authenticate the customer in less than a second. A sub-camera is used to recognize the customer by sensing the position of their eyes, eyebrows, mouth and other facial features.14 This method is not worthy because:
1. Re-programming: by changing the SIM the mobile phone is useable with all other networks.
2. It can now be disabled.

13 It is a leading mobile operator in Japan and is a subsidiary of Vodafone.
14 REF [] for details.

Some network operators are ready to cooperate. The Home Office has made many efforts for securing handsets. Thousands of leaflets have been distributed to make the public aware of mobile phone thieves. You have seen the many sign boards on high streets, at tube/train stations and in all other public places to keep mobile phones safe.
Advice from the Home Office: Additional advice from the Home Office to coincide with the launch of the database is to:
* Register your phone with your network operator. This will make barring easier.
* Record your IMEI number and your phone number and keep these in a safe place separate from your phone. Your IMEI number can be accessed by keying *#06# into most phones or by looking behind the battery of your phone.
* Report the number of your stolen phone to your network operator as quickly as you can.
* Remain alert. Your phone is a valuable item. When you are out be aware of your surroundings and don't use your phone in crowded areas or where you might feel unsafe.
Opinion of the Orange and Virgin Mobile network operators about these problems:

4.6 Layman Approaches
Mobile handset security is a common, serious public problem. A Handset Security Survey has been carried out during this project; the handset survey with accurate results is given in the appendix. The graph shows the positive results received during the survey. It was found that males are mostly the targets of mobile phone theft. Most people want to use any SIM with any network; people are not happy with the SIM-mobile terminal linkage. More than 50% of people think that the recently used IMEI blacklist method is worthy, but on the other hand only 22% keep the IMEI safe by writing it down. In answering the question about the most important change to make the phone less attractive for thieves, people said "make it simple and less attractive."

Fig Mobile Handset Security Survey (Positive Answer % against question numbers 1 to 11; series: Male, Female, Children)

4.7 International Approaches
The need for a secure handset is important everywhere; however, the rate of mobile phone theft is not the same all around the world. The number of mobile phone users has dramatically increased in the last ten years. Growth in mobile phone connections world-wide is running at an unprecedented 40 million new connections per month, with China and India leading the way. [27] The international trade of new and used mobile phones is getting better. A stolen mobile phone can easily be used in any country (except those registered with the GSM IMEI DB) after unlocking. No law exists, nor has any effort been made by international bodies until now. A central database, the CEIR, exists to keep the records of all IMEI numbers, but this has not been possible until now. The United Nations needs to introduce laws to make handsets secure internationally.

4.8 Handset Manufacturer Approaches
Mobile handset security is equally important for the manufacturer as well. All the suggestions made to secure the IMEI need the manufacturer's co-operation. The manufacturer can play an important role in this effort.

4.9 GSM Association Approaches
Founded in 1987, the GSM Association (GSMA) is a global trade association representing more than 690 GSM mobile phone operators across 214 territories and countries of the world. In addition, more than 180 manufacturers and suppliers support the Association's initiatives as associate members. [32] The GSM Association is working in close relation with the handset manufacturers to bring extra security to handsets. The GSM Association (GSMA) and leading manufacturers including Alcatel, Motorola, NEC, Nokia, Panasonic, Sagem, Siemens and Sony Ericsson announced agreement on measures to drastically reduce the theft of mobile phones in the world. [31] The GSM Association and the handset manufacturers have made many efforts to enhance the integrity of the IMEI; as a result the effectiveness of the EIR has greatly increased. Rob Conway, CEO of the GSM Association, said: "The commitment by manufacturers, together with the continued extension of the GSMA's handset database, are critical elements in tackling the problem of handset theft, but they are only part of the overall solution." "We would like to see a more comprehensive approach that includes additional government-led action, such as we have seen in the UK." [31]

4.10 New Developments in 4G
The recently used 3G mobile phones have many security flaws. Some necessary new developments in 4G should be as follows:
• To make sure of the integrity of the IMEI by making it unique.
• To make IMEI authentication possible at the network.
• To introduce an electronic signature in such a way that a third party can confirm it.
• To always send the IMSI encrypted when it is necessary.
• To develop face recognition function handsets by using cameras.

5.0 SUMMARY
All the sources are working to make the handset secure, but a lack of co-operation has been found. Although technically it needs many improvements, without co-operation between handset manufacturers, network operators, the GSM Association, mobile phone subscribers and law enforcement agencies it seems impossible to solve. The UNO is a unique body which represents the ……. countries; any effort made by it will be very helpful.

6.0 Conclusions
This report clarified the handset security weaknesses built on the IMSI and IMEI. During the report the GSM security architecture was critically anatomised. It was found that the security provided by 2G and 3G has many flaws, and that almost all problems are linked with IMEI security. With the increasing trade of mobile phones these problems became clearer. Integrity and reprogramming of the IMEI are two problems without solving which the handset cannot be secure. It is true that it is not possible to completely exclude the reprogramming of the IMEI. The insufficient linkage between SIM and mobile terminal cannot be removed, as it was found that people want to use any SIM with any available handset. Authentication of the IMEI at the serving network is difficult as it needs a complex and robust system.

6.1 Recommendations
Several areas of further research were identified, to include mainly:
 Further research on the IMEI to make sure of its integrity.
 Further research on the serving network so that it provides IMEI authentication.

ppt Accessed: July 2006. 2006. Accessed: June 2006 [3] Dr.uwaterloo. Inc 2005. Horn. Artech House Publishers Boston London. Prentice Hall. 41 .shtml .Rappaport. [12] GSM security algorithm available from http://www. 2006.cs. Overview of Global System for Mobile Communication available from https://styx.il/~sans/students_lectures/GSM%20Security. [8] Max Stapanov. Accessed: August 2006.pentest. available from www.net. Accessed: July 2006. 0278-6648/95/$4. Gunnar Heine.org/wiki/IMSI. [6] GSM Network: Protocols. Pen Test Ltd 2003.huji.shtml Accessed: August. UET Peshawar Pakistan. Architecture. Theodore S.html#3. McGraw-Hill Companies. Terminology and implementation. 1998 [7] International Mobile Subscriber Identity. Accessed: August. [11] Sumit Kasera.uk/documents/wless-salford. Boman.Neimi. GSM Security from http://www. 2006. UMTS security. Wikepedia. available from http://en.1.gsm-security.net/faq/imeiinternational-mobile-equipment-identity-gsm. [10] Yi-Bin Lin. [9] GSM-Security. GSM Security Overview available from www.Howard and V. [2] K. Muhammad Amir.00 0 1995 IEEE.REFRENCES [1] Wireless Security problems.gsmworld. Accessed: June 2006 [4] Wireless Communication Principle and Practice 2/e. Nishit Narang . IEEE Computer Society. G. P. Reaching out with GSM. 2002 [5] John Scourias.ac. Electronics & communication Engineering Journal October 2002.ca/~jscouria/GSM/gsmreport.co. Muhammad Siddique.com/using/algorithms/index. the free encyclopaedia. Accessed: September.pdf. No Wire Attached. S. Protocol and procedures.3G Mobile Networks.wikipedia.

Preliminary draft.ics. F and WALKER. ANDERSON. December 1999.G Smith.sasase.keio.Howard and V.1978. in FSE 2000. Taiwan [16] Florian Schmidt. R.nsf/pages/news.com available from http://66. BIRYUKOV . Real time cryptanalysis to A5/1 on a PC. Proc COMPSEC 98 (Elsevier. Oakland May 2000. D.pdf Accessed: June 2006 [17] A. A.BIRYUKOV.gsmeuope. LNCS NO.org Accessed: September 2006 [25] Cloning cellular telephone. P. [24] GSME proposal regarding mobile theft and IMEI security. Universeity of Cambridge. Springer Verlag. [15]Chii-Hwa Lee. Accessed: October 2006. F (Ed) : GSM and UMTS: The creation of global mobile communication (John Willey & Sons.20020507_simcard.Enhance privacy and authentication for global system for mobile communications. A. G. Real time cryptanalysis of the alleged A5/1 on a PC. [21] PIPER.40. [14] http://www.html Accessed: October. 1998) [22] WALKER. 2002 available from http://domino. Security and Privacy in wireless communication available from http://www. Niemi.html. 2006. Boman. 2000. Dunlop and D.ibm. [19] S.[13] J.SHAMIR.SKOTOBOGATOV . WAGNER.watson. Wei-Pang Yang. M in-Shiang Hwang.com/blackcrawl/cell/gsm/gsm-secur/gsm-secur. . Technical notes Hakerscatalouge.Y May 7. M. and WRICHT. “ UMTS SECURITY” Electronics & Communication Engineering Journal .100/Services/TECH_Notes/one.html 42 . Stanley Thrones(Publisers) Ltd UK 1998. The European interest group of the GSM Association available from www. 2002) [23] K. National Chiao Thug Uni. October 2002. [18] A. YORKTOWN HEIGHTS. Berlin. Hsinchu. [20] IBM Develop Technology to Protect GSM Cell Phone ID Cards from Hackers.. N.78. GSM Europe. M: Cryptographic solutions for voice and telephony and GSM. Telecommunications Engineering 3rd edition.jp/jugyo/2005/wireless_privacy1.hackcanada. in IEEE Sympsium on Security and Privacy.SHAMIR.ac. T “Security aspect in HILLEBRAND. Optical fault Induction Attacks.com/comm/pr. Horn .

[26] IMEI Security. ETSI STC SMG10 #2/99, Sophia Antipolis, France, 3-6 August 1999. 3GPP. Available from http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_06_9910/docs/AP99101_IMEI_CR_SMG10.doc. Accessed: August 2006.
[27] Street Crime. Available from http://www.crimereduction.gov.uk/stolengoods/stolengoods5.shtml. Accessed: October 2006.
[28] Miya Knights. The China Connection. IET Communications Engineer, October/November 2006.
[29] 3G Security Principles. Available from http://srg.cs.uiuc.edu/MobilSec/posted_docs/3G_Security_Overview.ppt. Accessed: October 2006.
[30] Terminal Identity Security. 3GPP TSG SA WG3, Antwerpen, 2000. Available from http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_10/Docs/PDF/S3-000071.pdf. Accessed: July 2006.
[31] Industry Takes Lead to Halt Mobile Phone Theft: Mobile Phone Barring Database Launched. 3GSM World Congress, Cannes, France, 24th February 2004. Available from http://www.gsmworld.com/news/press_2004/press04_13.shtml. Accessed: October 2006.
[32] GSM Association. Available from http://www.gsmworld.com/about/index.shtml. Accessed: October 2006.
[33] Vodafone KK Introduces Face Recognition Security Features. Available from http://www.vodafone.jp/english/release/2006/20060228_3e.htm. Accessed: June 2006.

BIBLIOGRAPHY

1. J. Dunlop and D. G. Smith. Telecommunications Engineering, 3rd edition. Stanley Thornes (Publishers) Ltd, UK, 1998.
2. Timo Halonen. GSM, GPRS & EDGE Performance, 2nd edition. John Wiley & Sons Ltd, West Sussex, England, 2003.

ACRONYMS

AuC    Authentication Centre
AUTN   Authentication Token
AKA    Authentication and Key Agreement
BTS    Base Transceiver Station
BSC    Base Station Controller
BSS    Base Station System
CEPT   European Conference of Postal and Telecommunications Administrations
CSPDN  Circuit Switched Public Data Network
CKSN   Cipher Key Sequence Number
CEIR   Central Equipment Identity Register
EIR    Equipment Identity Register
EDGE   Enhanced Data rates for GSM Evolution
ESN    Electronic Serial Number
FEC    Forward Error Correction
GSM    Global System for Mobile Communications
GPRS   General Packet Radio Service
HLR    Home Location Register
HNI    Home Network Identity
HSCSD  High Speed Circuit Switched Data
ISDN   Integrated Services Digital Network
IMSI   International Mobile Subscriber Identity
IMEI   International Mobile Equipment Identity
LAI    Location Area Identity
LAN    Local Area Network
MCC    Mobile Country Code
MNC    Mobile Network Code
MSIN   Mobile Subscriber Identification Number
ME     Mobile Equipment
MS     Mobile Station
MSC    Mobile Switching Centre
MAC    Medium Access Control
MSRN   Mobile Subscriber Roaming Number
MIN    Mobile Identification Number
NSS    Network Subsystem
OSS    Operation & Support System
PAN    Personal Area Network
PIN    Personal Identification Number
PSTN   Public Switched Telephone Network
PSPDN  Packet Switched Public Data Network
RLC    Radio Link Control
RAND   Random Number (128 bit)
SIM    Subscriber Identity Module
SRES   Signed Response
SN     Serving Network
TMSI   Temporary Mobile Subscriber Identity
USIM   Universal Subscriber Identity Module
UMTS   Universal Mobile Telecommunications System
VLR    Visitor Location Register
WAN    Wide Area Network
WEP    Wired Equivalent Privacy
3GPP   3rd Generation Partnership Project

Appendix A: Mobile Handset Security Survey

Mobile phones are perhaps the most attractive devices for thieves nowadays because of their light weight and high price. In the UK, mobile phones are involved in 28 percent of robberies according to a Home Office report. This survey is being carried out by a student of London South Bank University as part of his MSc project on Mobile Handset Security. The purpose of the survey is to assess which people are most targeted by mobile phone theft and what a layman thinks about handset security. Please try to answer all the questions; an extra page can be used to answer any question.

Note: questions (a) and (b) are optional.

(a) What is your name?
(b) What are your age, sex and ethnicity?
(1) Have you, a member of your family or a friend had your/their mobile phone stolen?
(2) Would you prefer to keep the handset free to use with any available SIM?

(3) Do you consider that using a mobile phone outside the home/office is safe?
(4) What do you think the chances are of getting back a stolen or lost mobile phone?
(5) Do you think that the recently introduced IMEI¹⁵ blacklist method for stolen mobile phones is worthwhile?
(6) Do you always write down the IMEI number and keep it safe when you get a new handset?
(7) Do you register the handset with the network operator when you buy a new phone?
(8) Is it difficult and expensive to unlock a stolen mobile phone?
(9) Do you think that the network operators, handset manufacturers¹⁶ and the law enforcement agencies of your country have sufficient linkage to make mobile phones secure?
(10) Is the SIM¹⁷ (Subscriber Identity Module) secure at present?

¹⁵ IMEI stands for International Mobile Equipment Identity. It is a 15-digit number currently used to bar stolen mobile phones. It is printed beneath the phone battery and can also be displayed by dialling *#06#.
¹⁶ Well-known handset manufacturers are Sony Ericsson, Nokia, Motorola, Samsung and LG.
¹⁷ The SIM is a smart card used in every GSM mobile phone; it contains programming and subscriber information.

(11) Do you think that today's mobile phones have sufficient linkage between the handset (terminal) and the SIM (Subscriber Identity Module)?
(12) What do you think is the most important change that should be made to mobile phones to make them less attractive to thieves?

Results

[Results table: responses to questions 1 to 11 as percentages of Male, Female and Children respondents; the cell values are illegible in this copy.]

Appendix B: More than 328 mobile phones are stolen in the UK every day. GSM World news press release, http://www.gsmworld.com/news/press_2004/press04_13.shtml
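As an added worked example, not part of the original survey or project, the footnote's description of the IMEI as a 15-digit number used to bar stolen handsets, and the identity fields listed under the acronyms (MCC, MNC, MSIN, EIR/CEIR), can be made concrete in Python: the code validates the IMEI's Luhn check digit, splits the IMEI into Type Allocation Code and serial number, splits an IMSI into MCC/MNC/MSIN, and simulates an EIR black/grey/white list lookup. The assumptions are that the IMEI layout is 8-digit TAC + 6-digit SNR + 1 Luhn check digit and that the handset sends the check digit as a spare 0 over the air (both per 3GPP TS 23.003), that the MNC length (2 or 3 digits, country dependent) is supplied by the caller, and that the identities and the blacklist are constructed for the example.

```python
"""IMEI / IMSI structure and an EIR-style barring check (added example).

Assumptions: IMEI = 8-digit TAC + 6-digit SNR + 1 Luhn check digit (3GPP TS 23.003);
over the air the check digit is replaced by a spare 0, so an EIR matches on the
first 14 digits. IMSI = 3-digit MCC + 2/3-digit MNC + MSIN. All identities and the
lists below are constructed for this example.
"""
from collections.abc import Iterable
from dataclasses import dataclass


def luhn_check_digit(body: str) -> int:
    """Luhn check digit of a digit string; for an IMEI, body is TAC+SNR (14 digits)."""
    if not body.isdigit():
        raise ValueError("digits only")
    total = 0
    # Walk from the right; every other digit, starting with the rightmost, is doubled.
    for pos, ch in enumerate(reversed(body)):
        d = int(ch)
        if pos % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def imei_is_valid(imei: str) -> bool:
    """True if imei is 15 digits whose last digit is the Luhn check of the first 14."""
    return len(imei) == 15 and imei.isdigit() and luhn_check_digit(imei[:14]) == int(imei[14])


@dataclass(frozen=True)
class Imei:
    tac: str  # Type Allocation Code: identifies the handset model (8 digits)
    snr: str  # serial number within that TAC (6 digits)
    cd: int   # Luhn check digit (used for manual entry, not sent over the air)


def parse_imei(imei: str) -> Imei:
    """Split a valid 15-digit IMEI into its fields; rejects a wrong check digit."""
    if not imei_is_valid(imei):
        raise ValueError(f"invalid IMEI: {imei}")
    return Imei(tac=imei[:8], snr=imei[8:14], cd=int(imei[14]))


def parse_imsi(imsi: str, mnc_len: int = 2) -> tuple[str, str, str]:
    """Split an IMSI into (MCC, MNC, MSIN). The MNC is 2 or 3 digits depending on the
    country, so the caller passes mnc_len; MCC+MNC together form the HNI."""
    if not imsi.isdigit() or not 6 < len(imsi) <= 15 or mnc_len not in (2, 3):
        raise ValueError(f"invalid IMSI: {imsi}")
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


class Eir:
    """Minimal Equipment Identity Register: a black list of barred handsets and a grey
    list of handsets to be tracked; anything else is treated as white (allowed)."""

    def __init__(self, black: Iterable[str] = (), grey: Iterable[str] = ()):
        # Key on the 14-digit body so a zeroed or mistyped check digit cannot dodge
        # the list (the MS transmits the 15th digit as 0 anyway).
        self._black = {i[:14] for i in black}
        self._grey = {i[:14] for i in grey}

    def status(self, imei: str) -> str:
        if len(imei) not in (14, 15) or not imei.isdigit():
            raise ValueError(f"malformed IMEI: {imei}")
        body = imei[:14]
        if body in self._black:
            return "black"
        if body in self._grey:
            return "grey"
        return "white"


if __name__ == "__main__":
    # Constructed sample: one barred handset; the second query is the same handset
    # as it would identify itself over the air, with the check digit sent as 0.
    eir = Eir(black={"352099001761481"})
    for imei in ("490154203237518", "352099001761481", "352099001761480"):
        cd = "check digit ok" if imei_is_valid(imei) else "check digit not verified"
        print(imei, cd, eir.status(imei))
    print(parse_imei("490154203237518"))
    print(parse_imsi("310150123456789", mnc_len=3))
```

The barred handset is caught whether the IMEI is quoted with its printed check digit or in the zero-terminated over-the-air form, which is the property an operator's blacklist needs; the Luhn check only protects against a customer mistyping the number when registering it.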
