Invasion Methods

Attacks on the Network Infrastructure

In GSM the transmission path is secured, and by today's standards insufficiently, only on the air interface between the mobile phone and the base station. The rest of the path, over microwave relay and fixed-network circuits, is not protected by encryption of the data. Attackers who gain access to these transmission paths can record conversations with relatively little effort. Base stations that are connected to the GSM network infrastructure via microwave relay in particular pose no great challenge to attackers.


Attacks on the Transmission Path between the Mobile Phone and the Base Station (Classical)

In GSM networks only the mobile device authenticates itself to the network; the system provides no reciprocal authentication of the network towards the mobile phone. This unilateral identification and authorization, incomplete in security terms, results in multiple possibilities for attack. If an attacker simulates a base station with sufficient transmitting power, the mobile terminal will automatically log in to that base station, and the attacker then relays the entire transmission into the GSM network (“man in the middle attack”). The security function of the GSM network (the A5/1 and A5/2 ciphers) is switched off. The contents of the call are open to the attacker.

It should be noted that this scenario is a classical attack method of the 1990s (“IMSI catcher”).
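To make the authentication asymmetry described above concrete, here is an added toy model in Python (not part of the original page and not the real A3/A8 or Milenage algorithms; all names are constructed): in GSM the phone answers any challenge, so a simulated base station that holds no Ki still completes the handshake, whereas a phone that demands a network-authentication token, as UMTS and LTE do, rejects the same simulator.

```python
import hashlib, hmac, os

# Toy model (constructed for illustration; not the real A3/A8 or Milenage
# algorithms): Ki is the secret shared between the SIM and the home network.
KI = os.urandom(16)

def sres(ki, rand):
    """Toy A3: the SIM's 32-bit signed response to a 128-bit challenge."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]

def network_token(ki, rand, sqn):
    """Toy network-authentication token (the role UMTS AUTN/MAC plays):
    only a network that knows Ki can produce it."""
    return hmac.new(ki, b"AUTN" + rand + sqn, hashlib.sha256).digest()[:8]

class Mobile:
    def __init__(self, ki):
        self.ki = ki

    def gsm_auth(self, rand):
        # GSM: the phone answers any challenge and never checks who is asking.
        return sres(self.ki, rand)

    def mutual_auth(self, rand, sqn, token):
        # Mutual authentication: verify the network's proof before answering.
        if not hmac.compare_digest(token, network_token(self.ki, rand, sqn)):
            raise ValueError("network could not prove knowledge of Ki")
        return sres(self.ki, rand)

def simulated_bts_gsm(mobile):
    """Simulated base station without Ki: the phone still completes the GSM
    handshake, so it has no basis to refuse a 'no ciphering' mode afterwards."""
    mobile.gsm_auth(os.urandom(16))  # accepted; the simulator cannot even check it
    return "unencrypted"

def simulated_bts_mutual(mobile):
    """The same simulator against a phone that demands network authentication."""
    rand, sqn = os.urandom(16), bytes(6)
    try:
        mobile.mutual_auth(rand, sqn, os.urandom(8))  # forged token, no Ki
    except ValueError:
        return "rejected"
    return "unencrypted"

def genuine_network_mutual(mobile, ki):
    """A genuine network that holds Ki passes the same check."""
    rand, sqn = os.urandom(16), bytes(6)
    return mobile.mutual_auth(rand, sqn, network_token(ki, rand, sqn)) == sres(ki, rand)
```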

Attacks on the Transmission Path between the Mobile Phone and the Base Station (New Methods)

Modern successors offer a large number of dangerous capability increases and nearly unlimited possibilities for deploying interception devices, in particular through:

This new generation of interception equipment intercepts GSM networks in a “passive” or “semi-active” manner without leaving identifiable traces. Attacks and offences are not spotted, or they are attributed to other causes. Because of this, statistics on information and communication crime are of very limited validity; the number of unreported cases is very high.

Whereas in the past the manufacturers of such sophisticated equipment were generally located in Europe or North America and bound by strict legal obligations (sales generally limited to public authorities with security functions), during the past few years an increasing number of vendors from East Asia (particularly China), Russia, India and Ukraine have appeared on the market.

Attack on the Mobile Phone

Today's mobile phones are true communication all-rounders. They are equipped with a great number of technical communication interfaces (PC, WLAN, Bluetooth) and are used like a normal portable PC both privately and for business purposes.

On the mobile phone market, “smartphones”, i.e. mobile phones with a standardized operating system, have largely prevailed. Android, Apple OS, RIM OS, Windows Mobile and Symbian have set out to conquer the mobile phone world in an unprecedented manner, supported by a broad offering of application software that gives the mobile phone functions similar to those of a PC.

However, the new generation of mobile phones is thereby exposed to a well-known risk of the computer world (the security race): against the explosion of malware, frequently built as a modular system (the computer world knows the phenomenon of up to 250,000 newly discovered malware signatures a day), no appropriate countermeasures are available. Moreover, comparing mobile operating systems with each other and with the PC world reveals considerable differences in quality.

For the time being, mobile operating systems are difficult to patch and generally offer no, or only insufficient, administrator or root accounts to the user or system administrator. Authority over the mobile phone and its applications does not lie with the user but is divided between the manufacturer, the network provider, the operating system vendor and the developers of software applications.

The events discovered in November 2011 concerning the software developer Carrier IQ, which now occupy the United States Senate Judiciary Committee on Privacy, Technology and the Law, cast a bad light on this security aspect.

More than 140 million smartphones sold by a number of leading manufacturers have been equipped with analytics software allowing external access to sensitive proprietary information contained in the phone. This software is deeply integrated into the firmware of the phones and can therefore be detected but not removed. This may partly explain the phenomenon of unspecific data traffic (“ghost traffic”) that cannot be exactly characterised.

The use of smartphones has considerably increased, not to say raised to a higher power, the requirements for product security of secure voice communication. The problem of insecure networks has been joined by the problem of malware targeting the operating system, aggravated by considerable shortcomings and a backlog in the security evaluation of the mobile operating systems themselves. As a rule, mobile voice communication security systems that function as add-ons to commercial hardware and software have to be considered insecure.

Smartphones can be converted into overall secure products during their lifetimes only at considerable cost. Hence the expense of satisfactorily secure communication easily reaches the limits of an economically meaningful solution. In a public security leaflet of March 2011 the U.S. National Security Agency came to the conclusion: “A mobile phone is the enemy’s cheapest agent.”*


*NSA Customer Support, System and Network Analysis Center, Ft. Meade, March 2011, www.nsa.gov