ETSI Security activities in product proofing

1
ETSI Security activitiesin product proofing

• Charles Brookson
• Chairman ETSI OCG Security

2
ETSI Security activities

• ETSI has since inception has been in the lead of
  setting security standards.
• From GSM, which included authentication,
  anonymity and customer privacy, many other
  standards have built on this expertise.
• Work has included DECT, Video standards,
  Multimedia IP such as TIPHON, and subsequent
  mobile and fixed services.

3
Other activities

• Lawful interception TC LI
• Algorithms SAGE
• Smart cards platform group
• Electronic signatures

4
Product proofing

• Protection methods
• Examples
• TETRA, terminal can be disabled
• GSM, 3G Terminal Identity
• Product marking (Paint microdots etc)
• Challenges
• Denial of Service
• Commercial security only possible

5
Example of IMEI
SIM
ME
MS
Mobile Phone


IMSI MSISDN
IMEI 06
Global IMEI Strategy Forum 3G will use it
6
A very short history

• 1992 IMEI security
• 1995 Changes proposed, rejected
• 1999 3GPP/ GSMA change, June 2002 deadline
• Industry has standardised IMEI
• Rolled out to Satellite
• 3G in 3GPP, USA and Japan
• ITU taking up as a recommendation

7
Changing the IMEI?

• Clips
• Software
• Chips (internal)

http//www.hackgsm.net/body.htm
8
Equipment Identity Register EIR
COUNTRY A
CEIR and SEIR in Dublin
COUNTRY B
-White list (all mobiles) -Black list (barred
mobiles) -Grey list (local to operator)
CEIR Central EIR
SEIR Shared (by country)
EIR for each operator
9
CEIR and SEIR

• CEIR in Dublin
• Not used by many operators since 1992 (20 out of
  530)
• September 1997 date for all..
• SEIR
• New system to support legislation
• Anti theft, street crime
• But is this true? Insurance fraud?

10
Result of change of use

• Legislation
• UK Mobile Telephones (Re-programming) Bill
• creates a number of offences relating to the
  electronic identifiers of mobile wireless
  communications devices.
• In particular it will be an offence to
  re-programme the unique International Mobile
  Equipment Identity (IMEI) number which identifies
  a mobile telephone handset.
• It is also possible to interfere with the
  operation of the IMEI by the addition of a small
  electronic chip to the handset and this too will
  be made illegal.

11
How can we make it better?

• By standardised testing?
• Because there is no one method
• If we have one method, then break one, and break
  them all
• Technology and methods will change with time
• Being discussed in
• 3GPP SA3 Security Group,
• Manufacturers,
• GSM Association

12
Issues for discussion

• Not an easy balance
• Is it commercially viable?
• Is it technically feasible?
• What are we trying to protect?
• Are we using the right solution?
• What is the business model?
• Require clear objectives