The present invention relates to cellular device security apparatus and methods and, more particularly, but not exclusively to a security system for protection of data and access thereto, including read and write access to configuration data, in a cellular telephony device.
A security vulnerability exists in cellular devices. In even the most secure of current devices it is currently possible to read sensitive information from a cellular device (source) and write it into a new cellular device (destination) thus making the destination device identical to the source device with regards to the cellular network. This enables the destination device to make calls, which are then billed to the source device. Such sensitive information may include device information such as the network identity of the device. It may also include personal information such as the user's personal telephone book.
Exploiting the same vulnerability it is also possible to copy sensitive information from a source device to a destination device, thus enabling an end-user device upgrade without the knowledge of the cellular provider. Likewise it is possible to steal a device in one country and sell it in another country after a new operating system has been written into the stolen device.
A cellular device contains the following unique information items that allow any particular device to be identified uniquely:
1. ESN: Electronic Serial Number. A unique number supplied by the manufacturer of the cellular device.
2. NUM: The cellular device's phone number. supplied by the cellular provider.
3. A-KEY: Authentication key. Generated, by Synacom Technologies Inc. of San Jose, Calif., USA, for each cellular device and cellular provider separately, supplied by the manufacturer and used for authenticating the identity of a cellular device by the cellular provider.
4. SSD: An identifier created by the cellular network in combination with additional information from the cellular provider's database and used to identify the cellular device when a call is being made.
These four information items are rightly regarded as being extremely sensitive. They are generally located in the cellular device along with the operating system located on the chipset.
DM (Data Mode)
The DM is a mode in which the device allows any access to the device to change settings and/or accepts commands, via its serial interface, which can be used to read and write information. Setting the device to DM enables reading and writing of data via COM, USB, IR, RF, Bluetooth and any other available interface on the cellular device. There exists a data mode entry command for causing the device to enter data mode, and a code, for example a keypad code, which is required in order to enter DM. The DM code and/or command, is typically unique for each manufacturer.
Cloning a Cellular Device:
Using data mode it is possible to clone a cellular device. The devices may be cloned using one of the following three procedures:                Reading the A-KEY, SSD, ESN and NUM information fields from a source device and writing them into a destination device.        Reading the A-KEY, ESN and NUM information fields from a source device and writing them into a destination device, and then requesting a “SSD update” operation from the cellular provider to receive a valid SSD field.        Reading the SSD, ESN and NUM information fields from a source device and writing them into a destination device.        
The A-KEY, SSD, ESN and NUM information fields are all readable from the cellular devices in one way or another.
A single cellular device can be cloned to multiple destination devices, all of which will consequently generate calls billed to the original device.
There are several techniques to read the A-KEY, SSD and the ESN information fields and to write them on a new device. One possibility comprises using a serial RS-232 or USB cable to connect the source cellular device to a personal computer and via a program to read and write these fields from the device's operating system.
The cellular devices may be divided into two basic types, devices without protection, in which the information is readable via the operating system, and devices with password protection. The password is a sixteen (16) hexadecimal digit string (which amounts to eight binary octets). Cracking this password is presumably very difficult. When the password is known, the ESN, A-KEY, SSD and NUM fields are accessible and can be read or written. The password is currently manufacturer specific, and therefore if broken once, all devices made by the same manufacturer become vulnerable.
The above-described methods for reading and writing information fields from the devices likewise enable reading and writing the device's operating system. Some devices have a protection password but it is still possible to read the operating system without knowing the protection password, and thus it is possible to obtain the password.
Hacking a Cellular Device:
Cellular devices may be categorized into two general kinds:
1. Devices without passwords: In devices where the data read and data write functions are not protected by a password, the operating system contains two separate read and write command sets: one set for upgrading the operating system and one set for reading and writing from the operating system's memory. These commands can be used directly by a hacker to read the information if the device is the source device, or to write the information if the device is the destination device.
2. Devices with passwords: A protection password is encoded into the device's operating system and thus can be obtained from the binary operating system file obtainable on the internet, by theft from the cellular providers or by reading the data from the device.
It is possible to alter the password or to use additional constantly based, countermeasures to protect the cellular device. The term “constantly based” refers typically to passwords which are different for different manufacturers, different device models, different cellular providers, different operating systems and versions etc. However a single password applies to numerous individual devices.
It is noted that the passwords themselves, as well as any additional countermeasures, can be decoded from the operating system's binary file, and the binary file has to be distributed to all the cellular providers who use cellular telephones from the given manufacturer. The passwords are thus as secure as the weakest provider.
Another method is to obtain the mobile telephone management or PST program which is used to program the cellular devices. PST is a generic term for programs produced by the manufacturers that are given to the network operators to maintain the cellular device base. The PST program may then be analyzed, thus obtaining the passwords.
Such an analysis is possible due to the fact that the PST program is a standalone program.
The DIRECTORY field of the mobile telephone, which is a location in which sensitive information is stored, is accessible for reading and writing via the operating system or keypad codes. Therefore a device's identification in the data network can be obtained and altered to identify itself as a different device.
In addition, the operating system can be replaced without a hacker being required to have any knowledge of the protection password. Such a replacement can be used to remove any new safeguards inserted into the new version of the operating system, thus leaving the device vulnerable with an old version of the operating system.
The replacement of the operating system can also be used to change the language of the operating system when a cellular device is stolen in one country and sold in another country.
As mentioned above, typically, cellular devices have at least two sets of read and write instructions: One set is for upgrading the operating system and one set is for communicating with information fields within the operating system.
A further point that is mentioned is that when sending an SMS message, the sender's phone number is a data field which may be filled manually by the user and thus a sender can appear to be someone else in the eyes of the receiver.
Cloning software is available from the following exemplary sources:
The UniCDMA cloning program is available from cdmasoftware@ukr.net;
The NVtool cloning program is available from certain forums;
The GTRAN CDMA 1× DATA CARD (800M)_PRL-Ver 3.1 program is available from certain forums;
The DM cloning program, by Qualcom, is also available from certain forums.
There is thus a widely recognized need for, and it would be highly advantageous to have, a cellular device security system in which access to the data mode is devoid of the above limitations.