Technical documentation

Using mobile devices in business simplifies, speeds up and optimizes business processes. However, it is necessary to understand that the more complex a device is, the more threats it is exposed to.

Please note that the list of threats given here is not exhaustive, but it describes the main ways in which information leaks. A full description of the threat patterns can be found in the «Mobile Security Reference Architecture» document prepared by the US Federal CIO Council and the US Department of Homeland Security (May 2013).

The descriptive information is simplified and intended only as an introduction to the procedures. More detailed information and technical specifications are available on the Internet.

Basic threat patterns:

  1. LESS – Law Enforcement Support System (SORM in Russian) – a system of technical means for conducting operational-investigative activities.

Pic. 1. LESS

  2. Service provider (mobile network operator).

Pic. 2. Service Provider

  3. Mobile device and software producers/developers (operating system (OS)).

Pic. 3. Operating System (OS)

  4. Traffic interception in a radio channel (intercept complexes: active, semi-active, passive and other interceptors).

Pic. 4. Traffic interception in a radio channel

Pic. 5. Implementation scheme

Methods of protection:

  1. Dynamic identifiers (IMSI+Ki, IMEI).
  2. Forced encryption in the GSM network (A5/1 algorithm).
  3. Security policy at the SIM level (Tottoli GSM).
  4. Voice changing.
  5. Calling party number substitution.
  6. Absence of location data.
  7. Absence of billing data.
  8. Inability to establish the fact of a call between subscribers.
  9. Blocking attacks at the HLR level.
  10. Interception and blocking of SMS of any class, including so-called Silent SMS (Stealth SMS), at the SMSC level.

Principles of countermeasures:

To place a mobile device or a SIM under technical control, it is necessary to know its identifiers. All communication networks around the world are controlled by state regulatory institutions and are technically connected to LESS (Law Enforcement Support System; all information about this system is available on the Internet).

The main identifier of a mobile device is the IMEI (International Mobile Equipment Identity). This parameter is transmitted over the network.

The main identifier of a subscriber is the IMSI (International Mobile Subscriber Identity – the subscriber’s individual number). This parameter is transmitted over the network.

The public parameter is the MSISDN (Mobile Subscriber Integrated Services Digital Network Number) – the number of a mobile subscriber in a digital network with integrated services, used for providing connections in the GSM, UMTS and other standards. This parameter is not transmitted over the network, but it can be mapped to the IMSI.

These parameters are enough to obtain all necessary information and use it for analytical conclusions. Having obtained these identifiers through LESS, intercept complexes or other mechanisms, it is possible to get the following information about a subscriber:

-  By IMEI: all IMSIs of the SIM cards that have been used in a particular device, and consequently all billing data of these SIM cards (location, circle of contacts, SMS, MMS, voice, URLs, logins and passwords, etc.).

-  By IMSI: the IMEIs of the devices in which it was used, the IMSIs of other SIM cards used in these devices, and consequently all the data mentioned above.

Tottoli SIM billing data does not belong to any mobile operator, as the Tottoli SIM is not their property. Also, the Tottoli SIM does not have a publicly accessible MSISDN.

The process of network logon and cell selection

  1. When a mobile device with a regular SIM is switched on, the process of frequency scanning and cell selection starts. The cell with the highest signal level is selected. Tottoli SIM only attaches to the cell whose signal is the second strongest. This provides protection against intercept complexes.
  2. After the synchronization procedure, equipment identification and subscriber authentication in the network start. A regular SIM performs subscriber authentication using the A3 algorithm, which computes the SRES value that completes the authentication procedure. To compute SRES, the A3 algorithm uses the IMSI and Ki parameters. In a regular SIM the IMSI is burned into the SIM and never changes. Tottoli SIM has several profiles with different IMSI+Ki parameters.
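The following is an added example, not Tottoli GSM code, that models the GSM challenge-response described above and shows what a passive observer on the radio path sees for a single-profile SIM versus a multi-profile one. In 3GPP TS 43.020 the A3 input is the network's random challenge RAND together with Ki, and the IMSI is what the AuC uses to look up Ki; the function `a3_stub` below is a labelled stand-in for the operator's real A3 (COMP128 or MILENAGE in practice), and the IMSIs and Ki values are constructed sample data.

```python
"""GSM subscriber authentication (challenge-response) with single- and
multi-profile SIMs.  Added example; not Tottoli GSM code.

Assumption: a3_stub() stands in for the operator's real A3 algorithm,
which this example does not implement; only its interface
(Ki, RAND -> 32-bit SRES) matters here."""
import hashlib
import hmac
import os


def a3_stub(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: derive the 32-bit SRES from Ki and RAND."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class AuthCentre:
    """HLR/AuC side: holds Ki per IMSI, issues RAND, checks SRES."""

    def __init__(self):
        self.ki_by_imsi = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self.ki_by_imsi[imsi] = ki

    def challenge(self) -> bytes:
        return os.urandom(16)          # 128-bit RAND

    def verify(self, imsi: str, rand: bytes, sres: bytes) -> bool:
        ki = self.ki_by_imsi.get(imsi)
        if ki is None:
            return False               # unknown subscriber
        return hmac.compare_digest(a3_stub(ki, rand), sres)


class Sim:
    """SIM side: one or more (IMSI, Ki) profiles; Ki never leaves the card."""

    def __init__(self, profiles):
        self.profiles = list(profiles)
        self.active = 0

    @property
    def imsi(self) -> str:
        return self.profiles[self.active][0]

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        _, ki = self.profiles[self.active]
        return a3_stub(ki, rand)

    def next_profile(self) -> None:
        self.active = (self.active + 1) % len(self.profiles)


def attach(sim: Sim, auc: AuthCentre, air_log: list) -> bool:
    """One network attach.  air_log collects what crosses the radio path:
    the IMSI, RAND and SRES, but never Ki."""
    imsi = sim.imsi
    rand = auc.challenge()
    sres = sim.run_gsm_algorithm(rand)
    air_log.append({"imsi": imsi, "rand": rand.hex(), "sres": sres.hex()})
    return auc.verify(imsi, rand, sres)


def observed_imsis(sim: Sim, auc: AuthCentre, attaches: int) -> list:
    """Attach `attaches` times, switching profile between attaches, and
    return the distinct IMSIs a passive observer would have seen."""
    log = []
    for _ in range(attaches):
        if not attach(sim, auc, log):
            raise RuntimeError("authentication failed for %s" % sim.imsi)
        sim.next_profile()
    return sorted({entry["imsi"] for entry in log})


# Constructed sample data (not real subscribers): test-network IMSIs and Ki values.
AUC = AuthCentre()
PROFILES = [
    ("001010000000001", bytes.fromhex("0f" * 16)),
    ("001010000000002", bytes.fromhex("1e" * 16)),
    ("001010000000003", bytes.fromhex("2d" * 16)),
]
for _imsi, _ki in PROFILES:
    AUC.provision(_imsi, _ki)

REGULAR_SIM = Sim(PROFILES[:1])   # one fixed IMSI, as in a regular SIM
MULTI_SIM = Sim(PROFILES)         # several IMSI+Ki profiles

if __name__ == "__main__":
    print("regular SIM, 6 attaches:", observed_imsis(REGULAR_SIM, AUC, 6))
    print("multi-profile SIM, 6 attaches:", observed_imsis(MULTI_SIM, AUC, 6))
```

The point the model makes is that authentication never exposes Ki, but it does expose the IMSI on every attach, so a fixed IMSI is a stable tracking key while a rotating profile set is not; a SIM presenting a correct IMSI with the wrong Ki is rejected by the AuC.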

Pic. 6

Pic. 7

Encryption in GSM network

The encryption level is determined by the network the subscriber is connected to. The special Tottoli GSM SIM applet notifies the subscriber if the network has reduced the level of encryption.

Call

A subscriber with a regular SIM presses the call button after entering the number. At this stage, the mobile device sends an ALERT signal via the FACCH (Fast Associated Control Channel) to the BSS (Base Station Subsystem). This signal then goes to the MSC (Mobile Switching Center). The MSC sends an Address Complete message to the calling subscriber (the party that originates the call). The calling subscriber hears the dial tone, and the destination party hears the ringing sound.

Knowing the mobile number (MSISDN) of either subscriber A or B, it is possible to get all call details of the subscribers involved and even to intercept the live session.

Call Through – a Tottoli GSM subscriber presses the call button. At this stage, the SIM applet intercepts the call and redirects it to our service number. The dialed number is transferred from the subscriber to our PBX via the signalling channel in encrypted form. In this way all outbound calls are delivered to our network service numbers. The PBX then forwards the call to the end user.

Call Back – a Tottoli GSM subscriber presses the call button. At this stage, the call is dropped. We then send a command to the Tottoli GSM PBX server over an encrypted channel. The Tottoli GSM PBX asks the host operator's VLR via SS7 to allocate the subscriber a temporary number, the MSRN (Mobile Station Roaming Number). As soon as the MSRN is allocated to our SIM, the Tottoli GSM PBX initiates a call to this MSRN. As soon as subscriber A answers, leg A is established and the PBX starts calling subscriber B. As soon as subscriber B answers, leg B is established.

This call logic makes it impossible to obtain call statistics from the host operator's billing. Unknown are: the operator the Tottoli GSM SIM is connected to, the MSISDN of the SIM, and also the IMSI, Ki and IMEI that could be found via the MSISDN. Even if subscriber B is placed under control, it is impossible to tell who the other party was, because the session always consists of two legs with the Tottoli GSM PBX in between. This technology makes it impossible to determine your circle of contacts.

Receiving a call

A call to a regular SIM proceeds according to the standard procedures. After the call initiation procedure and the assignment of a TMSI (Temporary Mobile Subscriber Identity) in the VLR coverage area are complete, traffic termination starts and the session is considered set up. The operator's billing stores information about the device that originated the call, the location of the receiving device during the session, the call duration, etc. A call to a Tottoli GSM SIM is performed as follows: a virtual number (DID) is assigned to the SIM. The DID number receives the call from the network, converts it to the SIP protocol and routes it to the Tottoli GSM PBX. In turn, the Tottoli GSM PBX identifies the subscriber who owns the DID and starts the call procedure described above. Thus, it is impossible to determine the subscriber's location or the relationship between subscribers, as the Tottoli GSM PBX is always in between.

HLR requests

Since public networks use standard requests for providing roaming services, hackers are able to mount attacks over the SS7 network. These attacks look like regular SS7 requests to the HLR of the SIM-issuing operator and aim to obtain information (IMSI, Ki, IMEI, etc.). The HLR is an integral part of our infrastructure, which is why we intercept such attacks and inform our subscriber about them. This is one of the PING features.
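As an added example of the HLR-side screening described above (not Tottoli GSM code, and not a description of their PING feature), the block below runs a small detection policy over constructed log lines of incoming MAP requests. The opcode numbers are the MAP operation codes from 3GPP TS 29.002; the global-title prefixes, partner list, time threshold and log format are assumptions made for the example.

```python
"""Screening incoming MAP requests at the HLR.  Added example, not Tottoli
GSM code.  Opcode numbers are MAP operation codes (3GPP TS 29.002); the
policy, global titles (GT) and log lines are constructed for the example."""
from datetime import datetime, timedelta

MAP_OPS = {2: "updateLocation", 3: "cancelLocation", 22: "sendRoutingInfo",
           45: "sendRoutingInfoForSM", 56: "sendAuthenticationInfo",
           58: "sendIMSI", 70: "provideSubscriberInfo",
           71: "anyTimeInterrogation"}

# Constructed policy: which operations may arrive from where.
HOME_ONLY = {58, 71}        # interrogation ops never expected from outside
PARTNER_ONLY = {2, 56, 70}  # roaming ops, only from contracted partners
HOME_GT_PREFIX = "7999"     # our own GT prefix (assumed)
PARTNER_GT_COUNTRY = {"491": "DE", "336": "FR"}  # partner GT prefix -> country (assumed)
MIN_TRAVEL = timedelta(hours=2)  # two countries closer in time than this is implausible


def origin_country(gt: str):
    """Map the calling GT to HOME, a partner country code, or None."""
    if gt.startswith(HOME_GT_PREFIX):
        return "HOME"
    for prefix, cc in PARTNER_GT_COUNTRY.items():
        if gt.startswith(prefix):
            return cc
    return None


def parse_line(line: str) -> dict:
    """Constructed log format: '<ISO time> cgGT=<gt> op=<opcode> imsi=...'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rec["op"] = int(rec["op"])
    return rec


def screen(lines) -> list:
    """Return (timestamp, operation name, [verdicts]) per line.
    An empty verdict list means the request passed the policy."""
    last_location = {}  # imsi -> (country, time) of last accepted updateLocation
    results = []
    for line in lines:
        r = parse_line(line)
        country = origin_country(r["cgGT"])
        verdicts = []
        if r["op"] in HOME_ONLY and country != "HOME":
            verdicts.append("interrogation_from_outside_home_network")
        if r["op"] in PARTNER_ONLY and country is None:
            verdicts.append("roaming_op_from_unknown_origin")
        if r["op"] == 2 and country not in (None, "HOME"):
            prev = last_location.get(r["imsi"])
            if prev and prev[0] != country and r["ts"] - prev[1] < MIN_TRAVEL:
                verdicts.append("implausible_location_change")
            if not verdicts:
                last_location[r["imsi"]] = (country, r["ts"])
        results.append((r["ts"].isoformat(), MAP_OPS.get(r["op"], "op%d" % r["op"]), verdicts))
    return results


# Constructed sample log (no real GTs, IMSIs or MSISDNs).
SAMPLE_LOG = [
    "2024-05-01T08:00:00Z cgGT=4917012345678 op=2 imsi=001010000000001",   # DE VLR registers
    "2024-05-01T08:00:05Z cgGT=4917012345678 op=56 imsi=001010000000001",  # DE fetches auth vectors
    "2024-05-01T08:30:00Z cgGT=3361099887766 op=2 imsi=001010000000001",   # FR 30 min later
    "2024-05-01T09:00:00Z cgGT=8613900000001 op=71 msisdn=447700900123",   # ATI from unknown GT
    "2024-05-01T09:00:02Z cgGT=8613900000001 op=70 imsi=001010000000001",  # PSI from unknown GT
    "2024-05-01T09:05:00Z cgGT=7999000000001 op=71 msisdn=447700900123",   # ATI from our own node
    "2024-05-01T09:10:00Z cgGT=3361099887766 op=45 msisdn=447700900123",   # SRI-SM from FR SMSC
]

if __name__ == "__main__":
    for ts, op, verdicts in screen(SAMPLE_LOG):
        print(ts, op.ljust(24), "OK" if not verdicts else ", ".join(verdicts))
```

Three checks are enough to separate the sample lines: an interrogation operation arriving from outside the home network, a roaming operation from a global title that is not a contracted partner, and a location update that would require the subscriber to change country faster than is plausible. A real deployment would add rate limits per origin and cross-check the VLR number inside the message against the SCCP calling address.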

Phonetic control

Since operators are actively developing mechanisms for identifying subscribers by their phonetic characteristics (voice print), Tottoli GSM allows the subscriber’s acoustic characteristics to be distorted for both inbound and outbound calls. This mechanism is especially useful when a call from Tottoli GSM has to be made to a regular SIM card.

Stealth SMS

To control phone functions or pre-installed applications, hackers use class 0 SMS that do not reveal themselves and leave no trace on the phone. Such SMS are also called Silent SMS or Stealth SMS. All such requests are directed to the HLR of the issuing operator. In our case the HLR is part of our infrastructure, so we detect all requests of that kind, block them and notify our subscribers about such attempts. This function is included in the PING mechanism.
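The block below is an added example, not Tottoli GSM code, of the SMSC-level triage that item 10 of the protection list and the paragraph above describe: it parses the header of an SMS-DELIVER TPDU and flags the messages a subscriber would never see. In 3GPP terms the "silent" message is Short Message Type 0 (TP-PID 0x40, which the handset acknowledges and discards), while class 0 in TP-DCS is the "flash" message shown without being stored; (U)SIM data download (TP-PID 0x7F) carries over-the-air commands to the SIM. The example flags all three. The sending number, timestamps and payloads are constructed, and the block-and-notify action is the example's own policy.

```python
"""Triage of SMS-DELIVER TPDUs at the SMSC: detect Type 0 ("silent") SMS,
class 0 ("flash") SMS and (U)SIM data-download (OTA) messages.
Added example, not Tottoli GSM code.  TP-PID and TP-DCS semantics follow
3GPP TS 23.040 / TS 23.038; the TPDUs below are constructed samples."""

# TP-PID values worth flagging (3GPP TS 23.040)
PID_SILENT = 0x40        # Short Message Type 0: handset acknowledges, shows nothing
PID_ME_DOWNLOAD = 0x7D   # ME data download
PID_SIM_DOWNLOAD = 0x7F  # (U)SIM data download (OTA commands to the SIM)


def decode_semi_octets(raw: bytes, ndigits: int) -> str:
    """BCD digits, low nibble first; the trailing 0xF filler is dropped."""
    digits = []
    for octet in raw:
        digits.append("%x" % (octet & 0x0F))
        digits.append("%x" % (octet >> 4))
    return "".join(digits[:ndigits])


def message_class(dcs: int):
    """Return the message class (0-3) carried in TP-DCS, or None."""
    group = dcs >> 4
    if group <= 0x3 and dcs & 0x10:   # general data coding, class bit set
        return dcs & 0x03
    if group == 0xF:                  # "data coding / message class" group
        return dcs & 0x03
    return None


def parse_sms_deliver(hex_tpdu: str) -> dict:
    """Parse the header of a mobile-terminated SMS-DELIVER TPDU."""
    b = bytes.fromhex(hex_tpdu.replace(" ", ""))
    if b[0] & 0x03 != 0x00:
        raise ValueError("TP-MTI is not SMS-DELIVER")
    oa_digits = b[1]                       # TP-OA length in digits
    toa = b[2]                             # type of address
    oa_octets = (oa_digits + 1) // 2
    oa = decode_semi_octets(b[3:3 + oa_octets], oa_digits)
    if (toa >> 4) & 0x07 == 1:             # type of number: international
        oa = "+" + oa
    pos = 3 + oa_octets
    pid, dcs = b[pos], b[pos + 1]
    scts = b[pos + 2:pos + 9]              # service centre time stamp, 7 octets
    udl = b[pos + 9]
    return {"originator": oa, "pid": pid, "dcs": dcs, "scts": scts.hex(),
            "udl": udl, "user_data": b[pos + 10:]}


def triage(hex_tpdu: str) -> dict:
    """Classify one TPDU: parsed header plus flags and the action to take."""
    msg = parse_sms_deliver(hex_tpdu)
    flags = []
    if msg["pid"] == PID_SILENT:
        flags.append("silent")
    if msg["pid"] in (PID_ME_DOWNLOAD, PID_SIM_DOWNLOAD):
        flags.append("ota")
    if message_class(msg["dcs"]) == 0:
        flags.append("flash")
    msg["flags"] = flags
    msg["action"] = "block_and_notify" if flags else "deliver"
    return msg


# Constructed TPDUs from +12345678901 (not a real number).  Layout:
# MTI/MMS | OA len | TOA | OA digits | PID | DCS | SCTS (7) | UDL | UD
NORMAL_TPDU = "04 0B 91 2143658709F1 00 00 42010121000000 05 E8329BFD06"  # "hello", 7-bit
SILENT_TPDU = "04 0B 91 2143658709F1 40 00 42010121000000 00"             # Type 0, empty
FLASH_TPDU = "04 0B 91 2143658709F1 00 10 42010121000000 05 E8329BFD06"   # class 0
OTA_TPDU = "04 0B 91 2143658709F1 7F F6 42010121000000 04 DEADBEEF"       # SIM download, placeholder payload

if __name__ == "__main__":
    for name, tpdu in [("normal", NORMAL_TPDU), ("silent", SILENT_TPDU),
                       ("flash", FLASH_TPDU), ("ota", OTA_TPDU)]:
        m = triage(tpdu)
        print(name.ljust(7), m["originator"],
              "pid=0x%02x dcs=0x%02x" % (m["pid"], m["dcs"]), m["flags"], m["action"])
```

Only the header is decoded; the user data is kept as raw bytes because the decision depends on TP-PID and TP-DCS alone. A message with an unexpected PID or class should be logged with its originating address so the subscriber notification can say where the attempt came from.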

SUMMARY

Tottoli GSM SIM cards have no billing at host operators, which prevents attackers from obtaining the information needed for analytical work (circle of contacts (call details), location, real identifiers, voice).

This is possible because all processes are controlled on three levels: the subscriber device (a phone with modified firmware), the identification module (a Tottoli GSM SIM card with special applets) and the network layer (full control over the HLR, MSC and SMSC).


PS

It must be noted that all phones are proprietary devices with a black box inside. Nobody but the manufacturer knows the details of the settings stored there, and sometimes even the manufacturer does not know all the bugs in the firmware. It is also necessary to understand that monitoring tools are constantly being improved. Analytical tools identify single-use handsets by patterns in billing: the timestamps of the first and last calls from the handset, the total number of calls and the average number of unique subscribers in contact. With access to the billing systems of all national operators, one can determine the moment a subscriber got rid of one phone and started calling from another; by adding geolocation data one can identify the subscriber’s place of residence.