Mobile Phone Hacking: a "Deadly Serpent" in the Modern Era of Technology


What is Mobile Phone hacking?

According to Wikipedia

 "Phone hacking is the practice of intercepting telephone calls or voicemail messages, often by accessing the voicemail messages of a mobile phone without the consent of the phone's owner. The term came to prominence during the News International phone hacking scandal, in which it was alleged (and in some cases proved in court) that the British tabloid newspaper the News of the World had been involved in the interception of voicemail messages of the British Royal Family, other public figures and cases related to murders."


Statistics:

There are roughly 10 billion GSM subscribers worldwide. It is estimated that worldwide mobile phone fraud will reach $40 billion within a few years. US law enforcement agents have found that 80% of drug dealers arrested in the US have used cloned mobile phones. Ironically, Pablo Escobar, the top Colombian drug dealer, was tracked down by monitoring his mobile phone activity.

Two aspects relevant to a Forensic Analyst:

  1. Has the phone been used for a criminal act?
  2. Can the phone be used to secure a conviction?


Low-tech Fraud and associated issues:

  • Call forwarding to premium rate numbers
  • Bogus registration details
  • Roaming fraud
  • Terminal theft
  • Multiple forwarding, conference calls


Countermeasures for Low-Tech Frauds:

Low-tech frauds are the class of frauds that rely on illegitimate actions such as forged signatures or fake IDs to gain access to a service or to the desired object. A few examples of low-tech fraud are listed below:

  1. Cheque fraud, one of the largest categories of incidents in the past year
  2. A high volume of lower-value frauds, in contrast with previous years
  3. Use of disappearing ink
  4. Social engineering


A fraud management system is implemented which looks for:

  1. Multiple calls on the same subscription at the same time.
  2. A marked disparity in the revenue being paid to other parties.
  3. A marked disparity in call durations, ranging from very short to very long calls.
  4. Alterations in a customer's usage patterns, perhaps signalling that the device is no longer in use by its authentic user and could have been stolen or abused.
  5. Usage patterns of a customer watched closely during a probationary period. This may provide valuable information, leads or observations that assist further investigation.
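To make these indicators concrete, here is an added example (not from the original article and not any vendor's product) that runs three of the checks above over a handful of constructed call detail records: overlapping calls on one IMSI, extreme call durations, and a jump in a subscriber's daily call count compared with a baseline. The CSV layout, IMSI values, cell IDs and thresholds are all this example's own assumptions.

```python
"""Toy fraud-management checks over call detail records (CDRs).

Added example, not from the original article. Field layout, IMSIs, cell
ids and thresholds are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class CDR:
    imsi: str
    start: datetime
    duration_s: int
    cell: str        # serving cell id
    callee: str


def parse_cdr(line: str) -> CDR:
    """Parse 'imsi,start,duration_s,cell,callee' (a constructed CSV layout)."""
    imsi, start, dur, cell, callee = line.strip().split(",")
    return CDR(imsi, datetime.fromisoformat(start), int(dur), cell, callee)


def overlapping_calls(records):
    """Pairs of CDRs on the same IMSI whose time windows overlap.

    One subscription cannot originate two circuit-switched calls at once,
    so an overlap (often from two different cells) is the classic sign of
    a cloned SIM.
    """
    by_imsi = defaultdict(list)
    for r in records:
        by_imsi[r.imsi].append(r)
    hits = []
    for calls in by_imsi.values():
        calls.sort(key=lambda c: c.start)
        for i, first in enumerate(calls):
            end_first = first.start + timedelta(seconds=first.duration_s)
            for later in calls[i + 1:]:
                if later.start < end_first:
                    hits.append((first, later))
                else:
                    break          # sorted by start, so nothing later overlaps
    return hits


def extreme_durations(records, short_s=5, long_s=3600):
    """Calls that are suspiciously short (probing) or suspiciously long."""
    return [r for r in records if r.duration_s <= short_s or r.duration_s >= long_s]


def usage_shift(records, baseline_days, factor=3.0):
    """Flag IMSIs whose daily call count jumps by `factor` over their baseline.

    The baseline is the mean daily count over the first `baseline_days`
    active days; a later day at or above factor * baseline is reported.
    """
    per_day = defaultdict(lambda: defaultdict(int))
    for r in records:
        per_day[r.imsi][r.start.date()] += 1
    flagged = {}
    for imsi, days in per_day.items():
        ordered = sorted(days)
        base = ordered[:baseline_days]
        base_mean = mean([days[d] for d in base])
        for d in ordered[baseline_days:]:
            if days[d] >= factor * base_mean:
                flagged[imsi] = (d, days[d], base_mean)
    return flagged


# Constructed CDRs: one subscriber behaves normally for two days, then on
# day three shows an overlapping call from another cell, a 2-second probe,
# a 90-minute call and a tripled call count.
SAMPLE_CDRS = """\
310150123456789,2024-03-01T09:00:00,120,cell-A,+15551230001
310150123456789,2024-03-01T17:30:00,300,cell-A,+15551230002
310150123456789,2024-03-02T09:10:00,90,cell-A,+15551230001
310150123456789,2024-03-02T12:00:00,200,cell-A,+15551230003
310150123456789,2024-03-03T10:00:00,600,cell-A,+15551230001
310150123456789,2024-03-03T10:05:00,400,cell-Z,+15551230009
310150123456789,2024-03-03T10:20:00,2,cell-Z,+15551230009
310150123456789,2024-03-03T11:00:00,5400,cell-Z,+15559000001
310150123456789,2024-03-03T13:00:00,100,cell-Z,+15559000002
310150123456789,2024-03-03T14:00:00,100,cell-Z,+15559000003
310150987654321,2024-03-01T08:00:00,60,cell-B,+15551230004
310150987654321,2024-03-03T08:00:00,60,cell-B,+15551230004
""".splitlines()


def run_checks(lines=SAMPLE_CDRS) -> dict:
    records = [parse_cdr(line) for line in lines]
    return {
        "overlaps": overlapping_calls(records),
        "extreme": extreme_durations(records),
        "usage_shift": usage_shift(records, baseline_days=2),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(name, hits)
```

The overlap check is the one most directly tied to cloning: a real handset and its clone are usually in different cells, so the two CDRs carry different cell ids, which the check preserves in its output for the analyst. On a production feed the same three functions would run per billing cycle with thresholds tuned per tariff plan rather than the fixed values used here.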


Issues in GSM Security:

  1. GSM security is limited to access security: communications and signalling traffic in the fixed network are not protected, and active attacks in which some network elements (e.g. the BTS, Base Transceiver Station) are compromised are not addressed.
  2. A GSM network may be compromised if it connects to an already compromised network.
  3. Lawful interception is given thought only after much contemplation and discussion.
  4. In most cases the terminal identity may not be trustworthy.
  5. Upgrading the cryptographic mechanisms remains an intricate process.
  6. User visibility remains a major concern (e.g. the user does not know whether the connection is encrypted or not).


GSM Cloning, simple but deadly:

Cloning is when the subscriber information is copied from one mobile device to another in order to obtain free calls or to support terrorist activities. The cloned device is an exact replica of the original device it was copied from, but the bill is generated only for the legitimate user. The attacker enjoys the free calls.


GSM Networks and Associated Attacks:

  1. Eavesdropping. This is the capacity of the intruder to listen in on the signalling and data connections associated with other users. The requisite equipment is a modified MS (mobile station).
  2. User impersonation: This is when the intruder sends signalling and/or user data to the network, in an attempt to make the network believe that they were sent by an authentic user. The required equipment is again a modified MS.
  3. Network impersonation: Here the intruder sends signalling and/or user data to the target user, in an attempt to trick the victim into believing that the communication has been sent by a genuine network. The required equipment is a modified BTS.
  4. Man-in-the-middle. This is when the intruder stands between the target user and a genuine network and has the capacity to listen in on, modify, delete, reorder, replay and spoof signalling and user data messages exchanged between the two parties. The required equipment is a modified BTS in combination with a modified MS.
  5. Compromising authentication data in the network. The attacker uses compromised authentication data. This data may have been obtained by compromising the end points/nodes of the system or by sniffing the signals travelling in the network.


De-Registration:

  1. This attack requires a modified MS and takes advantage of the network's inability to authenticate the messages it receives over the radio interface.
  2. The intruder spoofs a de-registration request (IMSI detach) to the network.
  3. The network de-registers the user from the visited location area and instructs the HLR to do the same. The user is subsequently unreachable for mobile terminated services.
  4. 3G: Integrity protection of critical signalling messages protects against this attack. More specifically, data authentication and replay inhibition of the de-registration request allow the serving network to verify that the de-registration request is legitimate.


Location update spoofing:

  1. An attack that requires a modified MS and exploits the weakness that the network cannot authenticate the messages it receives over the radio interface.
  2. The intruder spoofs a location update request in a different location area from the one in which the target user is actually roaming.
  3. The network registers the user in the new location area, and the target user will be paged only in that new area.
  4. The user is subsequently unreachable for mobile terminated services.
  5. 3G: Integrity protection of critical signalling messages protects against this attack. More specifically, data authentication and replay inhibition of the location update request allows the serving network to verify that the location update request is legitimate.


Identity Caching: The Passive Way

  1. A passive attack requiring a modified MS and taking advantage of the loophole that a network may sometimes request the user to send his identity in clear text.
  2. 3G: The identity confidentiality mechanism neutralizes this attack. The use of temporary identities allocated by the serving network makes passive listening-in unproductive, since the attacker must now wait for a new registration or a mismatch in the serving network database before being in a position to capture the user's permanent identity in plaintext.
  3. The inefficiency of this attack, given the likely rewards to the attacker, makes this scenario unlikely.


Identity Caching: The Active Way

  1. This is an active attack that requires a modified BTS and exploits the network's inability to refrain from requesting the MS to send its permanent user identity in clear text.
  2. In this situation, the intruder lures the target user to camp on its false BTS and then requests the target user to send his/her PUI (permanent user identity) in cleartext, possibly by compelling him to undertake a new registration procedure or by asserting a temporary identity mismatch due to a database failure.
  3. 3G: The identity confidentiality mechanism offsets this attack by using an encryption key which is common to a group of users. This enables the users to protect their identity in the event of a new registration request or a temporary database failure in the serving network.


Suppressing Encryption:

  1. This attack requires a modified BTS and takes advantage of the MS's inability to authenticate messages received over the radio interface.
  2. Once again, the target user is lured into camping on the false BTS. When the intruder or the target user initiates a service, the intruder disables encryption by spoofing the cipher mode command.
  3. The intruder then maintains the call for as long as he needs, or for as long as it may be necessary to keep his network hidden.
  4. 3G: A cipher mode command bound to the connection, with message authentication and replay inhibition, allows the mobile to verify that encryption has not been suppressed by an attacker.
  5. A second variant needs a modified BTS/MS and exploits the network's inability to authenticate messages received over the radio interface.
  6. Once again the target user is lured into camping on the false BTS/MS. This time, during call set-up, the false BTS/MS quietly modifies the ciphering capabilities (classmark) of the MS and makes it appear as if a genuine incompatibility existed between the network and the mobile station.
  7. The network may then agree to establish an un-ciphered connection. This paves the way for the intruder to cut in and impersonate the network to the target user.
  8. 3G: A mobile station classmark with message authentication and replay inhibition allows the network to verify that encryption has not been suppressed by an attacker.


Hijacking Outgoing Calls:

  1. This attack requires a modified BTS/MS. While the target user unknowingly camps on the false base station, the intruder pages the user for an incoming call.
  2. The user accepts the call and initiates a call set-up procedure, which allows the intruder to intervene between the serving network and the user. He modifies the signalling elements so that the serving network is tricked into believing that the target user wants to set up a mobile originated call. The network does not enable encryption. After authentication the intruder cuts the connection with the target user and uses the connection with the network to make fraudulent calls on the target user's subscription.
  3. 3G: Integrity protection of critical signalling messages protects against this attack. More specifically, data authentication and replay inhibition of the connection set-up request allow the serving network to verify that the request is legitimate.
  4. In addition, periodic integrity protected messages during a connection help protect against hijacking of un-enciphered connections after the initial connection establishment.


Hijacking Outgoing calls with Encryption enabled:

  1. This attack requires a modified BTS/MS. In addition to the previous attack, this time the intruder also tries to suppress encryption by amending the message in which the MS informs the network of its ciphering capabilities.
  2. 3G: Integrity protection of critical signalling messages protects against this attack. More specifically, data authentication and replay inhibition of the MS classmark and the connection set-up request help prevent suppression of encryption and allow the serving network to verify that the request is legitimate.


Hijacking Incoming calls:

  1. This attack requires a modified BTS/MS. As the target user camps on the false base station, an associate of the intruder simultaneously makes a call to the target user's number.
  2. The intruder acts as a relay point between the network and the target user until authentication and call set-up have been completed. The network does not enable encryption.
  3. After authentication and call set-up the intruder releases the target user and uses the connection to answer the call made by his associate. The target user now has to pay for the roaming leg.
  4. 3G: Integrity protection of critical signalling messages protects against this attack. More specifically, data authentication and replay inhibition of the connection accept message allow the serving network to verify that the request is legitimate.
  5. In addition, periodic integrity protected messages during a connection help protect against hijacking of un-enciphered connections after the initial connection establishment.


Hijacking Incoming calls with Encryption enabled:

  1. This attack requires a modified BTS/MS. In addition to the previous attack this time the intruder has to suppress encryption.
  2. 3G: Integrity protection of critical signaling messages protects against this attack. More specifically, data authentication and replay inhibition of the MS station class mark and the connection accept message helps prevent suppression of encryption and allows the serving network to verify that the connection accept is legitimate.
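The 3G countermeasure cited for every attack above (de-registration, location update spoofing, suppressing encryption and the four call hijacking variants) is the same mechanism each time: a message authentication code over each critical signalling message plus replay inhibition. The following added example, which is not part of the original article and is not 3GPP code, models that mechanism in Python. It uses HMAC-SHA256 truncated to 32 bits in place of the UMTS f9 integrity algorithm and assumes the integrity key IK has already been agreed, so the per-direction counter COUNT-I and the network-chosen nonce FRESH are the only state. It then shows a genuine IMSI detach being accepted while a forged detach, a replayed detach and a classmark modified in transit are all rejected.

```python
"""Model of integrity-protected signalling with replay inhibition.

Added example, not part of the original article or of 3GPP specifications.
Assumptions: the integrity key IK is pre-shared (in UMTS it comes from AKA),
HMAC-SHA256 truncated to 32 bits stands in for the f9 algorithm, and the
message set is reduced to the few signalling messages discussed above.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class SignedMsg:
    count: int        # COUNT-I: per-direction message sequence number
    direction: int    # 0 = uplink (MS -> network), 1 = downlink (network -> MS)
    payload: bytes    # the signalling message itself
    mac: bytes        # MAC-I computed by the sender


def compute_mac(ik: bytes, fresh: bytes, count: int, direction: int, payload: bytes) -> bytes:
    """MAC over (COUNT-I, FRESH, DIRECTION, MESSAGE), the inputs f9 binds."""
    data = count.to_bytes(4, "big") + fresh + bytes([direction]) + payload
    return hmac.new(ik, data, hashlib.sha256).digest()[:4]   # 32-bit MAC-I as in UMTS


class Endpoint:
    """One side of the radio connection (the MS or the serving network)."""

    def __init__(self, ik: bytes, fresh: bytes, direction: int):
        self.ik = ik
        self.fresh = fresh            # nonce chosen by the network per connection
        self.direction = direction    # direction of the messages this side sends
        self.send_count = 0
        self.last_recv_count = -1     # highest COUNT-I accepted so far

    def send(self, payload: bytes) -> SignedMsg:
        mac = compute_mac(self.ik, self.fresh, self.send_count, self.direction, payload)
        msg = SignedMsg(self.send_count, self.direction, payload, mac)
        self.send_count += 1
        return msg

    def receive(self, msg: SignedMsg) -> str:
        """Accept only a valid MAC, the peer's direction and a fresh counter."""
        expected = compute_mac(self.ik, self.fresh, msg.count, msg.direction, msg.payload)
        if not hmac.compare_digest(expected, msg.mac):
            return "rejected: bad MAC-I"          # forged or modified in transit
        if msg.direction == self.direction:
            return "rejected: wrong direction"    # our own message reflected back
        if msg.count <= self.last_recv_count:
            return "rejected: replay"             # captured earlier and resent
        self.last_recv_count = msg.count
        return "accepted"


# Constructed key material for the demonstration only; a real IK and FRESH
# are established per connection and are never fixed values like these.
IK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
FRESH = bytes.fromhex("a1b2c3d4")


def run_scenarios() -> dict:
    """Run the article's GSM attacks against the protected channel."""
    ms = Endpoint(IK, FRESH, direction=0)
    network = Endpoint(IK, FRESH, direction=1)
    results = {}

    # Genuine IMSI detach from the real MS: accepted.
    detach = ms.send(b"IMSI DETACH")
    results["genuine_detach"] = network.receive(detach)

    # De-registration attack: a modified MS without IK forges a detach.
    forged = SignedMsg(count=7, direction=0, payload=b"IMSI DETACH", mac=bytes(4))
    results["forged_detach"] = network.receive(forged)

    # Replay inhibition: the captured genuine detach is sent again.
    results["replayed_detach"] = network.receive(detach)

    # Suppressing encryption: a false BTS rewrites the classmark in transit
    # to claim the MS supports no ciphering, keeping the sender's MAC.
    classmark = ms.send(b"CLASSMARK ciphering=A5/1,A5/3")
    tampered = SignedMsg(classmark.count, classmark.direction,
                         b"CLASSMARK ciphering=none", classmark.mac)
    results["tampered_classmark"] = network.receive(tampered)

    # The untouched classmark still gets through (its COUNT-I moved forward).
    results["genuine_classmark"] = network.receive(classmark)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} {verdict}")
```

Two design points carry the security argument. The counter and FRESH are part of the MAC input, so a captured message can be replayed neither on a later connection (different FRESH) nor later in the same connection (stale COUNT-I), and the MAC is compared with hmac.compare_digest so verification time does not leak anything about the expected value. In real UMTS the network starts integrity protection with the security mode command before the classmark and cipher mode decisions are acted upon, which is exactly what removes the un-enciphered fallback that the Suppressing Encryption attacks depend on.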


Related Info:

Wikipedia