
Security Principles Related to Handset Theft

Change control – This document is under the shared revision control of GSMA, representing the operator community, and EICTA, representing the manufacturer community.

EICTA CCIG Doc Ref: Eicta Doc: 04cc100
GSMA Doc Ref: Security Principles Related to Handset Theft 3.0.0

Glossary of Terms

A shared EIR (SEIR) is effectively a piece of common EIR equipment run by or on behalf of a group of operators, most probably as a national grouping.

The Central EIR (CEIR), hosted by GSMA, maintains information on the eligibility for access to networks by Mobile Equipment Types. The CEIR interconnects with Equipment Identity Registers (EIR) throughout the world so that a common set of data is maintained and available to participating operators.

Other commonly used terms are defined in the ETSI standard GSM 01.04 version 8.0.0 Release 1999, which is available to download at:

http://www.3gpp.org/ftp/Specs/html-info/0104.htm

1. Introduction

The IMEI was originally introduced, as a unique terminal identity, for type approval reasons, in order that non-type approved terminals could be prevented from connecting to GSM networks. Nowadays, the IMEI is used to identify mobile station equipment on mobile networks in order to be able to take measures against the use of stolen equipment or equipment whose use cannot be tolerated under Article 7 of the R&TTE directive (within Europe), or an appropriate regulatory requirement in other markets. Additionally, the IMEI can be used to allow infrastructure to load appropriate patches and adaptations to avoid interworking issues.

All reasonable efforts should be made to protect the integrity of the IMEI value, and write access to the value should only be available through a mechanism determined by the manufacturer. Despite the need for GSM terminals to have unique identities, in practice IMEIs have been tampered with. The GSM specifications (e.g. ETSI/3GPP spec 122.016) were changed in Nov 1999 to provide that:

“The IMEI is incorporated in an MS module which is contained within the MS equipment. The IMEI shall not be changed after the ME’s final production process. It shall resist tampering, i.e. manipulation and change, by any means (e.g. physical, electrical and software).

NOTE: This requirement is valid for new GSM MEs type approved after 1st June 2002. However, this requirement is applicable to all UEs of UMTS from start of production.


Evidence provided by GSM operators indicates that, while most handset manufacturers have made progress to protect the IMEI, improvement is required by the manufacturing community as a whole.


Handset theft has emerged as a serious and growing cause for concern in the cellular industry and the GSM Association’s Board has indicated its commitment to tackle the issue head on. The GSM Association is undertaking a concerted drive to extend the use of Equipment Identity Registers (CEIR & EIR) across the global GSM operator community to ensure stolen handsets can be barred from networks by using the handsets’ IMEI numbers.

While the EIR was originally specified as a tool to bar network access to certain handsets, its effectiveness is largely dependent on a secure implementation of the IMEI. Therefore, it should be realised that the use of CEIR/SEIR/EIRs does not represent the finite solution to handset theft and CEIR/SEIR/EIR deployment should be complemented by the efforts of the handset manufacturing community to ensure that all handsets delivered to market incorporate appropriate security features. The enhancement of IMEI integrity should be designed to ensure that EIRs/CEIRs/SEIRs work more effectively.

1.2 Improved IMEI Integrity Principles

Although GSM TS 122.016 clearly mandates that IMEIs should not be changeable after June 2002, the specification does not indicate any details on implementation characteristics. In order not to stifle innovation, the GSM Association and EICTA do not propose to mandate a standardised way to achieve IMEI integrity, but it is desirable to set out handset security principles to provide guidance to handset manufacturers and to provide operators with a set of high level criteria against which handset security can be assessed.

1.3 Improved Regional Theft Guard Principles

Having studied the handset theft issue, EICTA-CCIG and the GSM Association believe that the aim of greatly reducing handset theft would be achieved more effectively if an additional mechanism were added to the solution. We believe this is necessary to counter the export of stolen handsets outside of the EU.

If we assume that, in the future, many networks are connected to the CEIR and that IMEI integrity is improved so that IMEIs are proportionally resistant to change, there will still be a market in stolen handsets. The CEIR and secure IMEI only address the use of stolen handsets within those markets connected to the CEIR. Despite the best efforts of the GSM Association, it is not anticipated that all networks around the world will connect to the CEIR.

Since handsets are commodity items there is an expectation that handsets stolen in territories connected to the CEIR will be shipped to networks not connected to the CEIR, maintaining a viable international trade in stolen handsets.

To address this, EICTA CCIG, the GSM Association, and its Members are considering ways that can bolster the security offered by the CEIR and the secure IMEI implementation. We would like to investigate a concept called 'Regional Theft Guard'. Regional Theft Guard would lock a handset so that it would only function with SIM cards from operators operating within a certain geographic area. It is anticipated that, generally, this geographic territory would correspond to a nation state. Consequently if the handset is stolen it will not be possible to simply export it since it will refuse to accept SIM Cards from operators based in other territories. We believe that this is achievable using existing technology understood by the industry. It is intended to ensure that any solution proposed does not affect free circulation of handsets, the use a legitimate customer may make of their handset, or adversely influence competition.

Unfortunately, it has not been possible to complete investigations into the details of this proposal in the available time and, consequently, GSMA and EICTA will work on the Regional Theft Guard proposal and update the document once we have completed our investigations.

It is acknowledged that security is not absolute and the GSMA is not looking for guarantees that deployed security measures will never be broken. However, this document describes a number of high level measures that should be implemented to protect the IMEI,


The following handset security principles are provided to help handset manufacturers develop a comprehensive security architecture that facilitates the deployment of a range of solutions to protect the platform on which the IMEI mechanism is stored.


Principle 1 – Uploading, downloading and storage of executable code and sensitive data related to the IMEI implementation

Mechanisms should be implemented that are capable of:

• Validating the integrity of software resident on the platform e.g.

• Detecting any alterations to data and/or software used for security purposes

• Prohibiting operations designed to disable or bypass protection mechanisms

• Maintaining trace logs of attempts to alter data and/or software

Manufacturers will consider how trace logs could be implemented without major impacts on memory or other resources.

Principle 2 – Protection of components’ executable code and sensitive data related to the IMEI implementation

Mechanisms should be implemented to protect the contents of the various components (the executable code and sensitive data related to the IMEI implementation) against unauthorised modification. The data paths that handle sensitive data, from hardware data storage to the emitted frames that present the IMEI to the radio interface, should be secured to ensure that the IMEI value sent to the mobile network interface is unchanged and matches the IMEI value originally set by the handset manufacturer during the final production process, regardless of subscriber behaviour.

The processing chain should be securely controlled and the control mechanism should be protected e.g. by using security buses.

Principle 3 – Protection against exchange of data/software between devices

In the absence of any relationship between hardware and software, data and software can be exchanged between handsets and this is one of the reasons why different handsets can contain the same IMEI. Therefore, the handset should incorporate a robust link between the handset hardware and software to prevent cloning of components from one device to another. Data should be bound to the platform and protected from being exported to other handsets, possibly by using encryption keys or by linking the serial number of the micro-processor to the OTP ROM that contains the boot code.

It is accepted that, for logistical reasons, the software to be loaded to the terminal may be a ‘vanilla’ software that only gets secured to the terminal by the loading process (potentially by the terminal itself). This would allow terminals to have software upgraded in bulk using USB hubs etc. thus minimising the impact on the Manufacturer or Manufacturer Agent. It is not expected that each device will need to be programmed with an individual software that needs to be compiled on the ‘programming PC’ with the terminal’s IMEI or similar.
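One way the binding in Principle 3 could work, added here as a Go example that is not part of the GSMA/EICTA document: every terminal receives the same 'vanilla' image and secures it to itself at load time with a tag keyed by a per-device hardware key. The `Device` and `Flash` types, the HMAC construction, the `huk` key and the sample serials and IMEIs are assumptions constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Device models a handset. huk stands in for a per-device key held in
// unreadable hardware (an assumption of this example).
type Device struct {
	ChipSerial string
	huk        []byte
}

// Flash is the rewritable storage that can be copied between handsets.
type Flash struct {
	Image []byte // 'vanilla' software, identical on every handset
	IMEI  string
	Tag   []byte // written by the terminal itself during loading
}

// bindingTag ties chip serial, IMEI and image digest together under huk.
func (d *Device) bindingTag(image []byte, imei string) []byte {
	digest := sha256.Sum256(image)
	m := hmac.New(sha256.New, d.huk)
	m.Write([]byte(d.ChipSerial))
	m.Write([]byte{0}) // separator so adjacent fields cannot run together
	m.Write([]byte(imei))
	m.Write([]byte{0})
	m.Write(digest[:])
	return m.Sum(nil)
}

// Load is the bulk-programming step: the same image goes to every terminal
// and each terminal secures it to its own hardware.
func (d *Device) Load(image []byte, imei string) Flash {
	return Flash{Image: image, IMEI: imei, Tag: d.bindingTag(image, imei)}
}

// BootCheck recomputes the tag and compares it in constant time.
func (d *Device) BootCheck(f Flash) bool {
	return hmac.Equal(f.Tag, d.bindingTag(f.Image, f.IMEI))
}

func main() {
	image := []byte("vanilla build") // constructed sample image
	a := &Device{ChipSerial: "SER-A-0001", huk: []byte("constructed-key-A")}
	b := &Device{ChipSerial: "SER-B-0002", huk: []byte("constructed-key-B")}
	fa := a.Load(image, "490154203237518") // constructed sample IMEI
	fmt.Println("A boots its own flash:", a.BootCheck(fa))
	fmt.Println("B boots a copy of A's flash:", b.BootCheck(fa))
	fa.IMEI = "356938035643809" // constructed sample IMEI
	fmt.Println("A boots flash with edited IMEI:", a.BootCheck(fa))
}
```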


Principle 4 – Protection of executable code and sensitive data related to the IMEI implementation from external attacks

In order to mitigate the threat posed by malicious software, and to reduce the risk of reverse engineering, executable code and sensitive data related to the IMEI implementation should be inaccessible from outside of the handset.

In particular:

• Mere ciphering of secret information increases the risk of reverse engineering attacks as the handset needs the cipher value in clear form in order to check the secret information. The attacker then only needs to identify and extract the necessary ciphering elements and the ciphering method is then known for all handsets.

• All secret information pertaining to the IMEI implementation should be stored in hashed form to prevent observation and alteration if a software implementation is used and/or by using a hardened ciphering component in the case of a hardware implementation.

• There are various occasions on which data entered from outside the handset is validated by the handset. Mechanisms should be implemented in such a way that the information necessary to generate the data in the correct form is not accessible in software or readable hardware on the handset. An illustrative example includes:

  • If downloaded software is integrity protected with a symmetric algorithm, and the key for the algorithm is also stored in software on the handset, then this key allows the attacker to add valid integrity protection to other software.

Acceptable implementations could include measures such as:

• Storing one-way hashes of passwords (although these passwords need to be long enough to prevent exhaustive search)

• Integrity protecting software using public key algorithms, so that the verification key is different from the signing key.

• Implementing symmetric keys in unreadable hardware.
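The symmetric-key example and the public-key measure above, set side by side in an added Go example that is not part of the GSMA/EICTA document. The type names, the choice of HMAC-SHA256 and Ed25519, and all keys and images are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// mac computes HMAC-SHA256. The same key both creates and checks a tag.
func mac(key, image []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(image)
	return m.Sum(nil)
}

// SymHandset keeps its integrity key in handset software (the design the
// document warns against).
type SymHandset struct{ Key []byte }

func (h SymHandset) Accepts(image, tag []byte) bool {
	return hmac.Equal(tag, mac(h.Key, image))
}

// PubHandset stores only the manufacturer's verification key.
type PubHandset struct{ VerifyKey ed25519.PublicKey }

func (h PubHandset) Accepts(image, sig []byte) bool {
	return ed25519.Verify(h.VerifyKey, image, sig)
}

// Result records which images each design accepts.
type Result struct {
	SymUnofficial, PubOfficial, PubReusedSig, PubOtherKey bool
}

// Compare checks both designs against an image the manufacturer never issued.
func Compare() Result {
	official, unofficial := []byte("official image"), []byte("unofficial image")
	var r Result
	// Symmetric: the key readable on the handset is the key that creates tags.
	sym := SymHandset{Key: []byte("constructed-mac-key-in-flash")}
	r.SymUnofficial = sym.Accepts(unofficial, mac(sym.Key, unofficial))
	// Public key: the signing key stays with the manufacturer.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := PubHandset{VerifyKey: pub}
	sig := ed25519.Sign(priv, official)
	r.PubOfficial = dev.Accepts(official, sig)
	r.PubReusedSig = dev.Accepts(unofficial, sig) // signature does not transfer
	other := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // not the manufacturer's key
	r.PubOtherKey = dev.Accepts(unofficial, ed25519.Sign(other, unofficial))
	return r
}

func main() { fmt.Printf("%+v\n", Compare()) }
```

Only the symmetric design accepts the unofficial image, because nothing stored on the public-key handset can produce a signature.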

External access should be controlled in both read and write modes in a similar manner to how firewalls work. The handset could include a security controller (i.e. a trusted security kernel) which analyses the legitimacy of incoming queries. It should not be possible to have read access to "security parameters" from any extension port of the handset and no direct read access to the contents of the various internal resources should be permitted.

Domains could be implemented to facilitate the creation of a dedicated service applications zone which is reserved for the subscriber's use with domain separation protecting sensitive data of one process from being attacked by another process.

Strong access control mechanisms should be implemented to ensure that only authorised access to internal resources is permitted.²

² The implementation of this principle should not adversely affect the handset download function (subject to the terminal’s security policy) of Java MIDlets or applets.

Principle 5 – Prevention of download of a previous software version

The ability to download previous software versions could allow malicious attackers to circumvent implemented fixes. Rollback to a previous software version should therefore be prohibited, whether over the air or by rollback on the platform. A PKI solution could be deployed to ensure superseded software versions cannot be re-enabled.

It is accepted that there may be logistical reasons why a rollback to a previous software version is desired; for example if the latest software version introduced a (non-security related) flaw and the previous software version had no major flaws.

Options for implementation are to be identified and are at the discretion of the manufacturers.
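A sketch of the check Principle 5 calls for, added here as a Go example and not taken from the GSMA/EICTA document: the version number is covered by the manufacturer's signature and the handset keeps a floor that only increases. The `Handset` type, the payload layout and re-issuing older code under a higher version number (one possible answer to the logistical-rollback case) are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// payload is what the manufacturer signs: 4-byte version, then the image.
func payload(version uint32, image []byte) []byte {
	b := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(b, version)
	return append(b, image...)
}

// Sign is the manufacturer-side step; priv never reaches a handset.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	return ed25519.Sign(priv, payload(version, image))
}

var ErrSignature, ErrRollback = errors.New("signature invalid"), errors.New("version below floor")

// Handset holds the verification key and a floor modelling a monotonic counter.
type Handset struct {
	VerifyKey ed25519.PublicKey
	Floor     uint32
}

// Install checks authenticity first, then the floor, then raises the floor.
func (h *Handset) Install(version uint32, image, sig []byte) error {
	if !ed25519.Verify(h.VerifyKey, payload(version, image), sig) {
		return ErrSignature
	}
	if version < h.Floor {
		return ErrRollback
	}
	h.Floor = version
	return nil
}

// Demo runs five installs on constructed sample builds and returns each result.
func Demo() []error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	h := &Handset{VerifyKey: pub}
	a, b := []byte("build A"), []byte("build B")
	s1, s2 := Sign(priv, 1, a), Sign(priv, 2, b)
	return []error{
		h.Install(1, a, s1), h.Install(2, b, s2), // normal upgrades
		h.Install(1, a, s1),               // genuine but superseded
		h.Install(9, a, s1),               // version changed after signing
		h.Install(3, a, Sign(priv, 3, a)), // older code re-issued as version 3
	}
}

func main() { fmt.Println(Demo()) }
```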
