1 © NOKIA FILENAMs.PPT/ DATE / NN Mobile Technology Overview Ed Gibbs Technologist ISSA - September 20, 2001 Sacramento, California


Mobile Technology Overview

Ed Gibbs

Technologist

ISSA - September 20, 2001

Sacramento, California


Ed Gibbs Biography

• Prior: Digital Equipment Corporation, Lockheed-Martin, Dow Jones & Company, and a few start-ups that don’t exist anymore!

• Focus on Firewalls, VPN, internetworking, 802.11, Mobile Data including WAP, and carrier infrastructure

• Recently completed a chapter for Eoghan Casey’s new book “Handbook of Computer Crime”, to be published in October/Nov.
  • Collecting digital evidence within a cellular and 802.11 network

• Contact Information:
  • Nokia, 313 Fairchild Drive, Mountain View, CA 94043
  • Mobile: +1 650-868-9091
  • E-mail: [email protected]


Introduction

• Why is understanding cellular networking important?
  • As voice and data merge over cellular networks, you may be tasked with securing both
  • Wireless data handsets are inescapable

• Carrier infrastructures are very complex – to what degree should one become acquainted?
  • Just the basics – that’s what we’ll cover here today
  • As security experts, there’s significant value in obtaining this knowledge to prepare you for the future

• Carriers have enjoyed closed networks; opening them up to the Internet is a major challenge


Types of Cellular Networks


Analog Mobile Phone Service

• What is AMPS:
  • Commercially available in 1970 by Bell Telephone Laboratories
  • Geographic areas are subdivided into smaller areas which are commonly known as “cells”
  • Each cell has its own antenna that is set to operate at distinct transmission frequencies

• Communications occur at a set frequency in each direction

• AMPS is still widely used today

7-cell pattern, each with different frequencies to avoid interference

824 MHz to 894 MHz with 30 kHz of bandwidth separation per assigned channel for Transmit/Receive


Digital Advanced Mobile Phone Service

• D-AMPS is far more complex than AMPS and supports two modes of operation
  • Voice traffic is digital
  • AMPS used for channel setup and signaling
  • IS-54 – Uses Time-Division Multiple Access (TDMA) to divide the radio channels used by AMPS
  • IS-136 (D-AMPS 1900) supports dual-mode, dual-band:
    – Dual-Mode: Analog or Digital
    – 800 MHz cellular frequency used by AMPS
    – 1900 MHz frequency spectrum – Personal Communications Service (PCS)
    – Allows for pages and short message services (SMS) of up to 239 characters


Time Division Multiple Access

• TDMA separates users by assigned time slots, which minimizes interference from other simultaneous transmissions

• Disadvantage: when changing cells (handoff), the assigned time slot in the new cell may already be occupied; however, this is a capacity problem

• Transmission (uplink/downlink or send/receive) is allocated two slots:
  • One used at a defined frequency for uplink
  • Second used at a particular frequency for downlink

• Extends battery lifetime of the handset by transmitting only a portion of the time instead of continuously

• AT&T, Cingular (Eastern/Central US) use TDMA
  • Cingular, formerly Pacific Bell, uses a technology called GSM which is not compatible with TDMA


Code Division Multiple Access

• CDMA (IS-95) offers 6-10x the capacity of TDMA and uses codes to separate users, as opposed to TDMA, which uses assigned time slots

• Uses broadband spread-spectrum, developed in the 1940s for military purposes, with a direct sequence technique in which the spreading sequence is based on a pseudorandom binary sequence

• Also uses the 800 MHz and 1900 MHz frequency bands
  • When using 800 MHz AMPS mode, more AMPS channels are needed to obtain frequency for CDMA (the operator must clear 1.23 MHz / 30 kHz, or 41 channels, to accommodate it)
  • When in 1900 MHz mode, CDMA uses PCS

• Directly supports IP packet data protocols

• Sprint, SBC use CDMA


Global System for Mobile Communications

• GSM was developed in Europe in the 1980s and became an international standard 13 years later

• There are two standards:
  • European: 900 MHz (International Standard)
  • North American – 800 MHz (900 MHz used by Government) and 1900 MHz GSM PCS
  • North American GSM and European GSM are not compatible due to their frequency
  • Tri-mode phones are available that operate at 800 MHz, 900 MHz, and 1900 MHz

• Uses TDMA framework but not compatible
  • Subdivides each radio channel into eight time slots; D-AMPS subdivides into six time slots
  • Over 250 GSM networks are presently operating in 110 countries
  • Data rates: 9.6 Kbps to 14.4 Kbps
  • Carriers: Pacific Bell (now Cingular), VoiceStream, and now AT&T Wireless


GSM

• GSM uses the Subscriber Information Module (SIM card), which comes in two forms – credit-card-sized format and thumb-tip size

• Embedded in the card is a microprocessor, ROM and RAM

• Also contains data such as:
  • The subscriber’s phone number, which is referred to as the MSISDN (Mobile Subscriber ISDN Number)
  • The IMSI (International Mobile Subscriber Identity). The IMSI is globally unique to a particular subscriber
  • The subscriber’s PIN, which is used to prevent unauthorized use of the mobile device
  • Authentication Keys


Carrier Infrastructure


Simple Architecture

[Diagram labels: Mobile Device; Radio Link; Radio Access Network: Base Station; Core Network: Switch, Subscriber Information, Billing Records, Network Operations and Maintenance; To other Networks]


Detailed Architecture

[Diagram labels: Radio Access Network: Mobile Phone, two BSCs with three BTSs each; Core Network: MSC, VLR, HLR, Charging Gateway, SMSc, LIG; OMC; “Connected to all elements in the core network”; “Connected to all BSCs”; To other networks (e.g. PSTN)]


Network Operation Parameters

• The adjunct processor handling operational issues may handle records that drill down deep into the network operation details. These records can cover such items as:

• A subscriber’s phone call attempt

• Whether the attempt was successful

• Whether the call was ended normally or was dropped

• Date and time of the call

• Signal strength of the subscriber’s mobile device as seen by the BTS

• In what cell site was the call set up

• In what cell site sector was the call set up

• Handover information

• What channel was used

• What frequency/time slot/PN number was used


Surveillance & Tracking


Methods of Tracking

• AOA: By knowing the direction from which a wireless signal is received (via the use of special antennas at the cell site), Angle of Arrival techniques calculate the location of a mobile device.

• This technology is deployed at the cell sites of the network operator.

• TDOA: Time Difference of Arrival technology uses the difference in time that it takes for a wireless signal to arrive at multiple cell sites to calculate the location of the mobile device.

• This technology is deployed at the cell sites of the network operator.

• E-OTD: Enhanced Observed Time Difference involves a mobile device receiving the signals from at least three base stations, while a special receiver in the network (at a known position) also receives these signals.

• The mobile device location is calculated by comparing the time differences of arrival of the signals from the base stations at both the mobile device and the special receiver.

• This technology is deployed at cell sites and in the mobile device itself.
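
The TDOA calculation described above, worked through as an added example that is not part of the original slides. The four cell-site positions, the handset position and all function names are constructed for the illustration; the last function shows how a 100 ns clock error at one site moves the computed position.

```python
import math

C = 299_792_458.0  # propagation speed of the radio signal, m/s

# Constructed cell-site coordinates in metres on a flat local grid (assumption).
SITES = [(0.0, 0.0), (5000.0, 0.0), (0.0, 5000.0), (5000.0, 5000.0)]


def arrival_times(pos, sites, t_emit=0.0):
    """Time at which a burst sent from pos at t_emit reaches each site."""
    return [t_emit + math.dist(pos, s) / C for s in sites]


def tdoa_cost(pos, sites, times):
    """Squared mismatch between measured and predicted range differences.

    Every term is a difference against sites[0], so the unknown emission
    time cancels out: only the differences in arrival time matter.
    """
    d0 = math.dist(pos, sites[0])
    cost = 0.0
    for site, t in zip(sites[1:], times[1:]):
        measured = C * (t - times[0])
        predicted = math.dist(pos, site) - d0
        cost += (predicted - measured) ** 2
    return cost


def locate(sites, times, lo=0.0, hi=5000.0, step=500.0, min_step=0.01):
    """Coarse-to-fine grid search for the point that minimises tdoa_cost."""
    def score(p):
        return tdoa_cost(p, sites, times)

    n = round((hi - lo) / step)
    best = min(((lo + i * step, lo + j * step)
                for i in range(n + 1) for j in range(n + 1)), key=score)
    while step > min_step:
        fine = step / 10.0
        bx, by = best
        # Re-search a window of +/- one coarse step around the current best.
        best = min(((bx - step + i * fine, by - step + j * fine)
                    for i in range(21) for j in range(21)), key=score)
        step = fine
    return best


def error_from_timing_skew(true_pos, skew_s, sites=SITES):
    """Location error (m) when one site's clock is off by skew_s seconds."""
    times = arrival_times(true_pos, sites, t_emit=12.5)
    times[1] += skew_s
    return math.dist(locate(sites, times), true_pos)


if __name__ == "__main__":
    handset = (1800.0, 3200.0)  # constructed ground truth
    print(locate(SITES, arrival_times(handset, SITES, t_emit=12.5)))
    print(error_from_timing_skew(handset, 100e-9))  # 100 ns is ~30 m of path
```

The grid search is used here for robustness and readability; it is one way to solve the equations, not a description of any deployed product.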


Methods of Tracking

• Triangulation is a process by which the location of a radio transmitter can be determined by measuring either the radial distance, or the direction of the received signal from two or three different points

• Time delay response can be used in conjunction with triangulation to determine how far away the signal is between multiple points

• When a cell phone is turned on – it’s communicating!
  • Call or standby mode

• Tracking is often difficult if not impossible in some situations

• Signal reflection, distortion, weak signal, etc.


Triangulation & Timed Response

[Diagram: base stations X, Y and Z around a cell phone; labels: Measured Response, Time + Direction]


Lawful Interception

[Diagram labels: GSM & UMTS; MSC/VLR; EIR; HLR; SGSN; GGSN; 3G GPRS backbone; PDN; interfaces Gi, Gs, Gf, Gr, Gn, Gp]


Functional Roles

[Diagram labels: Law Enforcement Authority (LEA); Authorisation Authority (AA); Network Operator; Equipment Manufacturer; User; Host/Terminal; Target User; numbered callouts 1 to 5]


Authorizing interceptions

Authorizing Agency (AA)

• Authorizes session using the web interface at the LIC


Enabling interceptions

Law Enforcement Agency (LEA)

• Starts interception at the LIC


E911 Update

• August 2000: FCC adopted an Order to implement the Wireless Communications and Public Safety Act of 1999 (911 Act), enacted on October 26, 1999.

• Implemented in two phases:
  • First Phase – Reveals cell phone number and the base station the caller is using
  • Second Phase – Pinpoints location accurate within 50-100 meters

• October 1, 2001 deadline will “not be met”
  • All major carriers will file an extension with the FCC
  • Location based service and tracking software not in place

• Only 10% of law enforcement is equipped to handle E911

• Official Web-site
  • http://www.fcc.gov/e911/


Steps to 3rd Generation within the US

• 1997: Basic GSM data at 9.6 kbit/s & Smart messaging
• 2000: Landline-like circuit services (HSCSD) & Interactive messaging (USSD)
• 2001-2002: Internet-like IP packet services for mass market (GPRS), 144 Kbps
• 2002: Enhanced speed and capacity (EDGE)
• 2003-2005: New multimedia services, mass market cost of service (WCDMA), 2 Mbps

[Figure labels: Evolution; Introduction of 3rd generation radio; Development of Radio Technology]


GPRS Architecture

[Diagram labels: VPN (two); Firewall (two)]


WAP


Wireless Application Protocol (WAP)

• De-facto world standard for wireless information and telephony services on digital mobile phones and other wireless terminals

• "Internet in Every Pocket"

• Objectives:
  • General environment for wireless applications
  • Internet or Intranet-like services and content to mobile terminals
  • Network, bearer and manufacturer independent

• WAP Forum
  • Started 1997 by Nokia, Ericsson, Motorola and Unwired Planet
  • Now close to 500 member companies

• WAP 1.1 (June ‘99)
  • The first release for commercial products

• WAP 1.2 (December ’99)


WAP System Architecture

[Diagram: Client (WML, WML-Script, WTAI, etc.) – WSP/WTP – WAP Gateway (WML Encoder, WMLScript Compiler, Protocol Adapters) – HTTP – Web Server (Content: CGI Scripts etc.; WML Decks with WML-Script)]


Common WAP Deployment Scenarios

[Diagram labels: columns Business Model and Technical Architecture; elements: Mobile, Customer, Dial-in Server, WAP Server/Gateway, Content & Applications Server(s); scenarios: Total Corporate Solution; Closed WAP Portal, e.g. Operator / ISP; Typical WAP Enabled 'Web Destination Site'; Open WAP Portal + Content providers and Merchants; key: Enterpr. hosted, xSP hosted]


Wireless Transport Layer Security

• WTLS provides encryption from the mobile handset to the WAP Gateway

• For the WTLS-to-SSL conversion, the WAP gateway must decrypt WTLS and re-encrypt to SSL
  • Vulnerability: clear text at the gateway

• Four classes:
  • Class 0: No Security
  • Class 1: Server Authentication (dh_anon)
    • Available today
  • Class 2: Signed Server Certificate
    • Available today
  • Class 3: Signed Client Certificate
    • Coming Soon


WTLS


Wireless Identity Module (WIM)

• Wireless PKI Capability

• WIM has five implementation possibilities

[Diagram labels: Terminal HW; (terminal SW); Additional chip, "Dual chip"; Integrated reader, i.e. "dual slot"; External reader; WIM inside SIM = SWIM]


WAP Modes

• The four modes for WAP communications are:

Mode             UDP Port   WTLS Security
Connectionless   9200       No
Connection       9201       No
Connectionless   9202       Yes
Connection       9203       Yes


Security in WAP

[Diagram labels: Terminal; Wireless Network; Leased modem pool; WAP Gateway; Internet; Company intranet; Origin Server; FIREWALL (two); security spans: GSM Security, WAP Security, Internet Security]

WAP can secure communication between terminal and WAP gateway.

For communications between gateway and origin server, other means, e.g. SSL, are required.
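
Combining the WAP Modes port table with the WTLS and Security in WAP slides, the following added example (not from the original slides) reports, for each session in a constructed gateway log, the path segments that neither WTLS nor SSL protects. The log format, subscriber labels, host names and segment names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# UDP ports of the four WAP modes from the slide: port -> (mode, WTLS used?)
WAP_MODES = {
    9200: ("connectionless", False),
    9201: ("connection", False),
    9202: ("connectionless", True),
    9203: ("connection", True),
}

# Constructed gateway session log (hypothetical format):
# subscriber label, UDP port used towards the gateway, origin server URL.
SAMPLE_LOG = """\
sub-A 9203 https://bank.example/login
sub-B 9201 https://mail.example/inbox
sub-C 9203 http://intranet.example/hr
sub-D 9200 http://news.example/
sub-E 8080 https://proxy.example/
"""


def unprotected_segments(udp_port, origin_url):
    """List the path segments where neither WTLS nor SSL protects the payload."""
    if udp_port not in WAP_MODES:
        raise ValueError(f"UDP port {udp_port} is not a WAP mode port")
    _mode, wtls = WAP_MODES[udp_port]
    segments = []
    if not wtls:
        segments.append("terminal-gateway")  # no WTLS on this leg
    # The gateway decrypts WTLS and re-encrypts to SSL, so the payload is
    # in clear text on the gateway whichever mode is used.
    segments.append("gateway")
    if urlsplit(origin_url).scheme.lower() != "https":
        segments.append("gateway-origin")    # no SSL towards the origin
    return segments


def audit(log_text):
    """Return ({subscriber: segments}, [lines that could not be assessed])."""
    findings, rejected = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            subscriber, port, url = line.split()
            findings[subscriber] = unprotected_segments(int(port), url)
        except ValueError:
            rejected.append(line)
    return findings, rejected


if __name__ == "__main__":
    findings, rejected = audit(SAMPLE_LOG)
    for subscriber, segments in findings.items():
        print(subscriber, "->", ", ".join(segments))
    print("not assessed:", rejected)
```

Even the best case in the sample (port 9203 with an https origin) still lists the gateway, which is why the gateway's placement and hardening matter to the organization whose data passes through it.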


Future Example

1. Choosing the movie

2. Choosing the payment method

3. Entering the PIN-code

4. Downloading tickets to the chip

5. Confirming the downloading and loyalty points


EMPS: Many ways to use it

In the Cinema: Printing the tickets from terminal with Bluetooth


Corporate Impact


Cellular Phones Outnumber PCs

• Currently there are 350 million mobile phone subscribers. By 2003 there will be more than 1 billion! Of these, around 600m are likely to be using WAP compatible products to access the web, compared to a PC installed base of around 400m

[Chart: Cellular Subscribers (Source: EMC 1999) and PC installed base (Source: Dataquest 1999), 1997 to 2003; vertical axis 0 to 1200]


Mobile Phone will be a new online Channel

• Mobile phones are becoming media phones
• WAP (Wireless Application Protocol) brings a standard way to connect mobile customers to content services

• Now near 300 million mobile phone users, by 2003 there will be more than 1 billion!

Today there are more than 150 million GSM subscribers world wide

[Chart labels: 50 million users; Radio; TV; WWW/Internet; GSM; WAP; 35 Years155]


Is your organization ready?

• Mobile data is here today

• Accessibility
  • Modems
    • Internal
    • External
  • Internet Portal

• Encryption
  • WTLS
  • SSL
  • VPN

• Device

• Applications


Terms

• 2G – Second Generation Phone Service – What we have today!

• 2.5G - GPRS

• 3G – Third Generation – Packet Switched Radio

• BTS – Base Transceiver Station

• BSC – Base Station Controller

• GGSN – GPRS Gateway Server Node

• HLR – Home Location Registry

• LIG – Lawful Interception Gateway

• MSC – Mobile Switching Center

• SMSc – Small Message Service Center

• PSTN – Public Switched Telephone Network

• SGSN – Serving GPRS Support Node

• VLR – Visitor Location Registry


Questions?

Thank you for listening

Thank you for your attention

[email protected]