THE ELECTRONIC SERIAL NUMBER: A CELLULAR 'SIEVE'? 'SPOOFERS' CAN DEFRAUD USERS AND CARRIERS by Geoffrey S. Goodfellow, Robert N. Jesse, and Andrew H. Lamothe, Jr. What's the greatest security problem with cellular phones? Is it privacy of communications? No. Although privacy is a concern, it will pale beside an even greater problem: spoofing. 'Spoofing' is the process through which an agent (the 'spoofer') pretends to be somebody he isn't by proffering false identification, usually with intent to defraud. This deception, which cannot be protected against using the current U.S. cellular standards, has the potential to create a serious problem--unless the industry takes steps to correct some loopholes in the present cellular standards. Compared to spoofing, the common security concern of privacy is not so severe. Most cellular subscribers would, at worst, be irked by having their conversational privacy violated. A smaller number of users might actually suffer business or personal harm if their confidential exchanges were compromised. For them, voice encryption equipment is becoming increasingly available if they are willing to pay the price for it. Thus, even though technology is available now to prevent an interloper from overhearing sensitive conversations, cellular systems cannot--at any cost--prevent pirates from charging calls to any account. This predicament is not new to the industry. Even though cellular provides a modern, sophisticated quality mobile communications service, it is not fundamentally much safer than older forms of mobile telephony. History of Spoofing Vulnerability The earliest form of mobile telephony, unsquelched manual Mobile Telephone Service (MTS), was vulnerable to interception and eavesdropping. To place a call, the user listened for a free channel. When he found one, he would key his microphone to ask for service: 'Operator, this is Mobile 1234; may I please have 555-7890.' The operator knew to submit a billing ticket for account number 1234 to pay for the call. So did anybody else listening to the channel--hence the potential for spoofing and fraud. Squelched channel MTS hid the problem only slightly because users ordinarily didn't overhear channels being used by other parties. Fraud was still easy for those who turned off the squelch long enough to overhear account numbers. Direct-dial mobile telephone services such as Improved Mobile Telephone Service (IMTS) obscured the problem a bit more because subscriber identification was made automatically rather than by spoken exchange between caller and operator. Each time a user originated a call, the mobile telephone transmitted its identification number to the serving base station using some form of Audio Frequency Shift Keying (AFSK), which was not so easy for eavesdroppers to understand. Committing fraud under IMTS required modification of the mobile--restrapping of jumpers in the radio unit, or operating magic keyboard combinations in later units--to reprogram the unit to transmit an unauthorized identification number. Some mobile control heads even had convenient thumb wheel switches installed on them to facilitate easy and frequent ANI (Automatic Number Identification) changes. Cellular Evolution Cellular has evolved considerably from these previous systems. Signaling between mobile and base stations uses high-speed digital techniques and involves many different types of digital messages. As before, the cellular phone contains its own Mobile Identification Number (MIN), which is programmed by the seller or service shop and can be changed when, for example, the phones sold to a new user. In addition, the U.S. cellular standard incorporates a second number, the 'Electronic Serial Number' (ESN), which is intended to uniquely and permanently identify the mobile unit. According to the Electronic Industries Association (EIA) Interim Standard IS-3-B, Cellular System Mobile Station--Land Station Compatibility Specification (July 1984), 'The serial number is a 32-bit binary number that uniquely identifies a mobile station to any cellular system. It must be factory-set and not readily alterable in the field. The circuitry that provides the serial number must be isolated from fraudulent contact and tampering. Attempts to change the serial number circuitry should render the mobile station inoperative.' The ESN was intended to solve two problems the industry observed with its older systems. First, the number of subscribers that older systems could support fell far short of the demand in some areas, leading groups of users to share a single mobile number (fraudulently) by setting several phones to send the same identification. Carriers lost individual user accountability and their means of predicting and controlling traffic on their systems. Second, systems had no way of automatically detecting use of stolen equipment because thieves could easily change the transmitted identification. In theory, the required properties of the ESN allow cellular systems to check to ensure that only the correctly registered unit uses a particular MIN, and the ESNs of stolen units can be permanently denied service ('hot-listed'). This measure is an improvement over the older systems, but vulnerabilities remain. Ease of ESN Tampering Although the concept of the unalterable ESN is laudable in theory, weaknesses are apparent in practice. Many cellular phones are not constructed so that 'attempts to change the serial number circuitry renders the mobile station inoperative.' We have personally witnessed the trivial swapping of one ESN chip for another in a unit that functioned flawlessly after the switch was made. Where can ESN chips be obtained to perform such a swap? We know of one recent case in the Washington, D.C. area in which an ESN was 'bought' from a local service shop employee in exchange for one-half gram of cocaine. Making the matter simpler, most manufacturers are using industry standard Read-Only Memory (ROM) chips for their ESNs, which are easily bought and programmed or copied. Similarly, in the spirit of research, a west coast cellular carrier copied the ESN from one manufacturer's unit to another one of the same type and model--thus creating two units with the exact same identity. The ESN Bulletin Board For many phones, ESN chips are easy to obtain, program, and install. How does a potential bootlegger know which numbers to use? Remember that to obtain service from a system, a cellular unit must transmit a valid MIN (telephone number) and (usually) the corresponding serial number stored in the cellular switch's database. With the right equipment, the ESN/MIN pair can be read right off the air because the mobile transmits it each time it originates a call. Service shops can capture this information using test gear that automatically receives and decodes the reverse, or mobile-to-base, channels. Service shops keep ESN/MIN records on file for units they have sold or serviced, and the carriers also have these data on all of their subscribers. Unscrupulous employees could compromise the security of their customers' telephones. In many ways, we predict that 'trade' in compromised ESN/MIN pairs will resemble what currently transpires in the long distance telephone business with AT&T credit card numbers and alternate long-distance carrier (such as MCI, Sprint and Alltel) account codes. Code numbers are swapped among friends, published on computer 'bulletin boards' and trafficked by career criminal enterprises. Users whose accounts are being defrauded might--or might not--eventually notice higher-than-expected bills and be reassigned new numbers when they complain to the carrier. Just as in the long distance business, however, this number 'turnover' (deactivation) won't happen quickly enough to make abuse unprofitable. Catching pirates in the act will be even tougher than it is in the wireline telephone industry because of the inherent mobility of mobile radio. Automating Fraud Computer hobbyists and electronics enthusiasts are clever people. Why should a cellular service thief 'burn ROMs' and muck with hardware just to install new IDs in his radio? No Herculean technology is required to 'hack' a phone to allow ESN/MIN programming from a keyboard, much like the IMTS phone thumb wheel switches described above. Those not so technically inclined may be able to turn to mail-order entrepreneurs who will offer modification kits for cellular fraud, much as some now sell telephone toll fraud equipment and pay-TV decoders. At least one manufacturer is already offering units with keyboard-programmable MINs. While intended only for the convenience of dealers and service shops, and thus not described in customer documentation, knowledgeable and/or determined end users will likely learn the incantations required to operate the feature. Of course this does not permit ESN modification, but easy MIN reprogrammability alone creates a tremendous liability in today's roaming environment. The Rolls Royce of this iniquitous pastime might be a 'Cellular Cache-Box.' It would monitor reverse setup channels and snarf ESN/MIN pairs off the air, keeping a list in memory. Its owner could place calls as on any other cellphone. The Cache-Box would automatically select an ESN/MIN pair from its catalog, use it once and then discard it, thus distributing its fraud over many accounts. Neither customer nor service provider is likely to detect the abuse, much less catch the perpetrator. As the history of the computer industry shows, it is not far-fetched to predict explosive growth in telecommunications and cellular that will bring equipment prices within reach of many experimenters. Already we have seen the appearance of first-generation cellular phones on the used market, and new units can be purchased for well under $1000 in many markets. How High The Loss? Subscribers who incur fraudulent charges on their bills certainly can't be expected to pay them. How much will fraud cost the carrier? If the charge is for home-system airtime only, the marginal cost to the carrier of providing that service is not as high as if toll charges are involved. In the case of toll charges, the carrier suffers a direct cash loss. The situation is at its worst when the spoofer pretends to be a roaming user. Most inter-carrier roaming agreements to date make the user's home carrier (real or spoofed) responsible for charges, who would then be out hard cash for toll and airtime charges. We have not attempted to predict the dollar losses this chicanery might generate because there isn't enough factual information information for anyone to guess responsibly. Examination of current estimates of long-distance-toll fraud should convince the skeptic. Solutions The problems we have described are basically of two types. First, the ESN circuitry in most current mobiles is not tamper-resistant, much less tamper-proof. Second and more importantly, the determined perpetrator has complete access to all information necessary for spoofing by listening to the radio emissions from valid mobiles because the identification information (ESN/MIN) is not encrypted and remains the same with each transmission. Manufacturers can mitigate the first problem by constructing mobiles that more realistically conform to the EIA requirements quoted above. The second problem is not beyond solution with current technology, either. Well-known encryption techniques would allow mobiles to identify themselves to the serving cellular system without transmitting the same digital bit stream each time. Under this arrangement, an interloper receiving one transmission could not just retransmit the same pattern and have it work a second time. An ancillary benefit of encryption is that it would reasonably protect communications intelligence--the digital portion of each transaction that identifies who is calling whom when. The drawback to any such solution is that it requires some re-engineering in the Mobile-Land Station Compatibility Specification, and thus new software or hardware for both mobiles and base stations. The complex logistics of establishing a new standard, implementing it, and retrofitting as much of the current hardware as possible certainly presents a tough obstacle, complicated by the need to continue supporting the non-encrypted protocol during a transition period, possibly forever. The necessity of solving the problem will, however, become apparent. While we presently know of no documented cases of cellular fraud, the vulnerability of the current standards and experience with similar technologies lead us to conclude that it is inevitable. Failure to take decisive steps promptly will expose the industry to a far more expensive dilemma. XXX Geoffrey S. Goodfellow is a member of the senior research staff in the Computer Science Laboratory at SRI International, 333 Ravenswood Ave., Menlo Park, CA 94025, 415/859-3098. He is a specialist in computer security and networking technology and is an active participant in cellular industry standardization activities. He has provided Congressional testimony on telecommunications security and privacy issues and has co-authored a book on the computer 'hacking' culture. Robert N. Jesse (2221 Saint Paul St., Baltimore, MD 21218, 301/243-8133) is an independent consultant with expertise in security and privacy, computer operating systems, telecommunications and technology management. He is an active participant in cellular standardization efforts. He was previously a member of the senior staff at The Johns Hopkins University, after he obtained his BES/EE from Johns Hopkins. Andrew H. Lamothe, Jr. is executive vice-president of engineering at Cellular Radio Corporation, 8619 Westwood Center Dr., Vienna, VA 22180, 703/893-2680. He has played a leading role internationally in cellular technology development. He was with Motorola for 10 years prior to joining American TeleServices, where he designed and engineered the Baltimore/Washington market trial system now operated by Cellular One. -------- A later note indicates that one carrier may be losing something like $180K per month....