It'll Never Happen...
By Stuart Jeffrey
...or will it? CDMA cloning is unknown now but in a few years time it may not be - especially if operators avoid the authentication process. A proactive strategy is required to prevent CDMA cloning fraud.
While cloning is not currently a problem on cdmaOne networks, there are many indications that it will spread to digital technology within the next few years. If digital carriers are caught unprepared, they could experience the sort of heavy revenue losses that have hit analog operators which have lost three to five per cent of their yearly revenues to cloning fraud.
A preventative strategy will allow CDMA operators to avoid disaster. Waiting until cloning is a problem will allow only one choice: spending years reacting to and recovering from fraud.
It is important to separate fact from the marketing hyperbole that touts digital technology as 'unclonable'. Digital CDMA networks were designed with an inherent authentication system but many operators are delaying activation because of the additional A-key management and provisioning that authentication requires. When running, authentication is a strong deterrent to cloning fraud, but without it the network and customers are vulnerable to cloning.
Without authentication, subscriber calls will not be protected by voice encryption either. The cellular authentication and voice encryption (CAVE) algorithm controls the voice privacy mask and the signaling message encryption key. The shared secret data (SSD), which is computed from the A-key, the electronic serial number (ESN) and a random number, is a parameter in the CAVE algorithm. The SSD calculation yields two separate values, SSD_A and SSD_B. SSD_A is designated for authentication while SSD_B is designated for the encryption algorithms. Without an A-key, neither SSD_A nor SSD_B can be generated [1].
Digital technology is not 'unclonable'. If authentication is not activated it is possible to clone a CDMA phone - more complicated and more expensive than to clone an analog subscriber, but certainly possible.
Cloning any wireless phone, digital or analog, entails stealing the identification numbers that are programmed into a legitimate subscriber's handset and programming them into a second phone. The identification numbers include the mobile identification number (MIN) and the ESN.
On analog networks, a cloner uses a radio scanner that tunes to the cellular control channel to record a legitimate subscriber's MIN and ESN as they are transmitted over the air. It is not as easy to access a CDMA subscriber's MIN and ESN because they are overlaid by the base station spreading code while they are transmitted through the air. A CDMA cloner would first have to tap into a base station pilot frequency to obtain the spreading code before accessing the MIN and ESN.
However, the test equipment used legitimately by technicians can also be used to clone a phone. Since the microprocessors in the handsets know the spreading codes, a clever hacker could disassemble an off-the-shelf CDMA phone and interconnect it to a personal computer thereby converting a standard cell phone into a CDMA scanner.
Cloning is facilitated by TIA/EIA IS-95 standards which are available to anyone willing to pay for them. Although these standards were designed for the benefit of wireless professionals, they also serve as a complete 'cookbook' for cloners because they include all the protocol information.
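The following is an added illustration, not code from the original article or from any CDMA product, of the point the two paragraphs above make about the spreading code. It is a deliberately simplified model (a 16-bit LFSR, XOR spreading and a majority-vote despreader, with assumed seed values) rather than IS-95's 42-bit long code, Walsh functions and modulation. What it shows is the principle: an analog-style scanner that XORs the chips with the wrong code recovers noise, while anything that holds the same generator and seed, which every handset does, reads the identifiers back exactly. Spreading is channelization, not encryption.

```python
"""Toy direct-sequence spreading of MIN/ESN bits (added example, not IS-95)."""
from __future__ import annotations

CHIPS_PER_BIT = 64


def lfsr16_chips(seed: int, n: int) -> list[int]:
    """Galois LFSR for x^16 + x^14 + x^13 + x^11 + 1 (maximal length); n chips."""
    state = seed & 0xFFFF
    chips = []
    for _ in range(n):
        lsb = state & 1
        chips.append(lsb)
        state >>= 1
        if lsb:
            state ^= 0xB400
    return chips


def to_bits(data: bytes) -> list[int]:
    """MSB-first bit list."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def from_bits(bits: list[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def spread(payload: bytes, seed: int) -> list[int]:
    """Each data bit is repeated CHIPS_PER_BIT times and XORed with the PN chips."""
    bits = to_bits(payload)
    code = lfsr16_chips(seed, len(bits) * CHIPS_PER_BIT)
    return [bits[i // CHIPS_PER_BIT] ^ c for i, c in enumerate(code)]


def despread(chips: list[int], seed: int) -> bytes:
    """XOR with the receiver's own PN chips, then majority-vote each bit group."""
    code = lfsr16_chips(seed, len(chips))
    raw = [a ^ b for a, b in zip(chips, code)]
    bits = []
    for i in range(0, len(raw), CHIPS_PER_BIT):
        group = raw[i:i + CHIPS_PER_BIT]
        bits.append(1 if sum(group) * 2 > len(group) else 0)
    return from_bits(bits)


def bit_errors(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def demo() -> dict:
    """Constructed sample: a 32-bit ESN and a 10-digit MIN spread with one seed,
    then despread by a receiver holding the same seed and by one guessing wrong."""
    esn, min_ = bytes.fromhex("8a12c4f7"), b"4085551212"   # constructed identifiers
    payload = esn + min_
    network_seed, wrong_seed = 0x2D1B, 0x7A3E               # assumed values
    on_air = spread(payload, network_seed)
    with_code = despread(on_air, network_seed)
    without_code = despread(on_air, wrong_seed)
    return {
        "payload": payload,
        "recovered_with_code": with_code,
        "errors_with_code": bit_errors(payload, with_code),
        "errors_without_code": bit_errors(payload, without_code),
        "total_bits": len(payload) * 8,
    }


if __name__ == "__main__":
    r = demo()
    print("same code :", r["errors_with_code"], "bit errors of", r["total_bits"])
    print("wrong code:", r["errors_without_code"], "bit errors of", r["total_bits"])
```

The wrong-seed receiver is left with roughly half its bits wrong, which is exactly what a scanner built for analog control channels sees; the correct-seed receiver gets every bit, which is why a disassembled handset wired to a PC is enough.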
CDMA is a complex radio technology but this should not be regarded as a comfort in itself. Fraud is big business for cloners; they will not just disappear as analog operators increasingly deploy cloning fraud prevention technology. Fraudsters do not give up when a roadblock is thrown in their way; instead they put their energy into devising a new mode of attack.
The Yankee Group predicted in a February 1998 report that by 2002, just four years from now, CDMA operators will have 92 million subscribers worldwide. This is 86 million more subscribers than CDMA operators had at the close of 1997 [2]. This is obviously encouraging for the CDMA community; the downside, however, is that criminals will have heightened motivation to direct their attention to that technology.
When it first appeared, cloning fraud caught analog operators completely off-guard and it is still a major problem; even those operators who have deployed fraud prevention tools are vulnerable to cloning via roaming partners who do not have it or who use a different type of fraud prevention technology.
CDMA operators are fortunate in that fully developed resources are available to prevent cloning fraud today. A-key management and provisioning systems are small additions to the inherent authentication features, but they are critical to the process of authentication.
A-key management systems will allow operators to generate random A-keys or provide for the secure transmission of pre-programmed A-keys from the manufacturer using electronic data interchange (EDI).
Currently some operators are taking a short-cut in their authentication deployment by loading default (all zero) A-keys into handsets. Default A-keys are as effective as having no A-key. Cloners can easily detect that default A-keys are in use and can fully exploit the network. If operators wish to implement authentication in the future, legacy handsets programmed with default A-keys will inconvenience subscribers who will have to have a new A-key loaded. Random A-keys are important to the authentication process and an A-key management system will facilitate the secure generation of random A-keys.
If a carrier's log of A-key and ESN pairs falls into the wrong hands, the entire process of authentication is compromised. This is why A-key storage is critical. A-keys can be stored on the network, but, for heightened security, A-keys should be stored off the network in an A-key management system to limit the number of people who have access to the storage area.
Point-of-sale A-key programming devices automatically load A-keys into handsets and transmit the A-key to the A-key management system. Programming devices eliminate the need for store clerks to program the A-key manually. The benefit of automatic programming is two-fold: firstly it protects the A-key from being compromised because nobody sees it, and secondly automatic programming eliminates human errors that inconvenience customers by causing authentication failures.
Authentication provisioning includes educating customer care representatives about the authentication process so they are able to troubleshoot if a legitimate subscriber is denied service due to an authentication-related failure.
Authentication is the most effective tool the industry has to prevent cloning fraud. Since most CDMA networks come equipped with authentication hardware and software, operators need to make only minimal additions to render their authentication systems fully functional.
At a time when there are innumerable issues that need immediate attention and cloning has not occurred on CDMA systems it may be tempting to delay authentication activation. However, the difference between having an authentication feature and actually running authentication is huge - so huge in fact that it could mean the difference between retaining or losing millions of dollars. The way to deal with cloning fraud is to make use of the solutions that are available today because once cloning fraud strikes it is simply too late.
Stuart Jeffery is vice president, business development of Synacom Technology, Inc whose portfolio of products includes wireless authentication products and interworking gateways for roaming between GSM and ANSI-41 technologies. E-mail: Stu@synacom.com
[1] Gallagher, Michael D. and Randall A. Snyder. Mobile Telecommunications Networking with IS-41. McGraw-Hill: New York, 1997, pp. 185-186.
[2] Yankee Group. Around the World: Global Trends of the Cellular/PCS Market, Report Vol. 2, No. 7, February 1998.
A guide to authentication
Authentication is a process by which identical calculations are performed in both the network and the mobile phone. Each subscriber is given a unique numeric code called the authentication key (A-key) that is permanently programmed in both the handset and the operator's network before activation. The A-key is never transmitted over the air, so cloners cannot intercept it with a radio scanner. To authenticate a call, the network's authentication center (AC) issues a random number and initiates a calculation in both the network and the subscriber's handset. The inputs to the calculation include the shared secret data that both sides have derived from the A-key, the subscriber's mobile identification number (MIN) and that random number. A legitimate handset will produce the same result as the network; the handset's result is sent back and compared with the network's, and if the two match the phone is accepted as genuine and the call is allowed. Because the random number changes with every challenge, a result recorded off the air cannot be replayed for a later call. The authentication process is transparent to subscribers.
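The exchange described in this guide, together with the SSD derivation (SSD_A for authentication, SSD_B for privacy) from the body of the article and the all-zero default A-key short-cut it warns against, as an added example that is not code from the original article, from Synacom or from any operator's network. The real CAVE algorithm is replaced by a keyed hash (HMAC-SHA256), an assumption made so the example runs stand-alone; the identifiers and key lengths are constructed sample values, and the field names follow the article.

```python
"""A-key / SSD challenge-response authentication, simulated (added example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets


def keyed_calc(key: bytes, *fields: bytes) -> bytes:
    """Stand-in for CAVE (assumption): a keyed hash over the concatenated inputs."""
    return hmac.new(key, b"".join(fields), hashlib.sha256).digest()


def generate_ssd(a_key: bytes, esn: bytes, randssd: bytes) -> tuple[bytes, bytes]:
    """SSD update: SSD_A (authentication) and SSD_B (privacy keys) from the
    A-key, the ESN and a random number. Only RANDSSD ever travels over the air."""
    ssd = keyed_calc(a_key, esn, randssd)
    return ssd[:16], ssd[16:]


def auth_result(ssd_a: bytes, esn: bytes, min_: bytes, rand: bytes) -> bytes:
    """Per-challenge result, truncated to be short like a real AUTHR; it is
    recomputed for every fresh RAND, so a recorded value cannot be replayed."""
    return keyed_calc(ssd_a, esn, min_, rand)[:3]


class Handset:
    """Holds the identifiers a scanner can capture (MIN, ESN) and the A-key it cannot."""

    def __init__(self, esn: bytes, min_: bytes, a_key: bytes) -> None:
        self.esn, self.min, self.a_key = esn, min_, a_key
        self.ssd_a = self.ssd_b = None

    def ssd_update(self, randssd: bytes) -> None:
        self.ssd_a, self.ssd_b = generate_ssd(self.a_key, self.esn, randssd)

    def respond(self, rand: bytes) -> bytes:
        return auth_result(self.ssd_a, self.esn, self.min, rand)


class AuthCenter:
    """Network side: the A-key store (kept off-network in practice) plus per-subscriber SSD."""

    def __init__(self) -> None:
        self._keys: dict[bytes, tuple[bytes, bytes]] = {}   # MIN -> (ESN, A-key)
        self._ssd: dict[bytes, tuple[bytes, bytes]] = {}    # MIN -> (SSD_A, SSD_B)

    def provision(self, min_: bytes, esn: bytes, a_key: bytes) -> None:
        self._keys[min_] = (esn, a_key)

    def ssd_update(self, min_: bytes) -> bytes:
        """Run an SSD update; returns the RANDSSD that is sent in the clear."""
        esn, a_key = self._keys[min_]
        randssd = secrets.token_bytes(7)
        self._ssd[min_] = generate_ssd(a_key, esn, randssd)
        return randssd

    def challenge(self) -> bytes:
        """Fresh random number for every authentication attempt."""
        return secrets.token_bytes(4)

    def verify(self, min_: bytes, rand: bytes, response: bytes) -> bool:
        esn, _ = self._keys[min_]
        ssd_a, _ = self._ssd[min_]
        return hmac.compare_digest(auth_result(ssd_a, esn, min_, rand), response)


def authenticate(ac: AuthCenter, phone: Handset) -> bool:
    rand = ac.challenge()
    return ac.verify(phone.min, rand, phone.respond(rand))


def scenario() -> dict[str, bool]:
    """Constructed cases: a legitimate subscriber, a clone that captured only MIN,
    ESN and RANDSSD off the air, and that clone against an operator that loaded
    default (all-zero) A-keys."""
    esn, min_ = bytes.fromhex("8a12c4f7"), b"4085551212"   # constructed identifiers
    zero_key = b"\x00" * 8

    ac = AuthCenter()                                       # operator with random A-keys
    real_key = secrets.token_bytes(8)
    ac.provision(min_, esn, real_key)
    legit = Handset(esn, min_, real_key)
    randssd = ac.ssd_update(min_)
    legit.ssd_update(randssd)
    clone = Handset(esn, min_, zero_key)                    # must guess the A-key
    clone.ssd_update(randssd)

    lazy_ac = AuthCenter()                                  # operator using default A-keys
    lazy_ac.provision(min_, esn, zero_key)
    clone2 = Handset(esn, min_, zero_key)
    clone2.ssd_update(lazy_ac.ssd_update(min_))

    return {
        "legit_random_akey": authenticate(ac, legit),
        "clone_random_akey": authenticate(ac, clone),
        "clone_default_akey": authenticate(lazy_ac, clone2),
    }


if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Everything the clone needs beyond MIN and ESN is the A-key, and the only place that key appears is in the handset and in the A-key store; with a random A-key the clone's SSD_A is wrong and every challenge fails, while with a default all-zero A-key the clone's guess is right and authentication accepts it as readily as the real phone.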