1994-01-10 - Re: Crypto not being used where needed

Header Data

From: pat@tstc.edu (Patrick E. Hykkonen)
To: pdn@dwroll.dw.att.com (Philippe Nave)
Message Hash: 8f35ea2cb8a9df758d122000a95314e123ee236afea0ff939ce13cfb73bc413e
Message ID: <9401101936.AA03275@tstc.edu>
Reply To: <9401101839.AA27426@toad.com>
UTC Datetime: 1994-01-10 19:36:34 UTC
Raw Date: Mon, 10 Jan 94 11:36:34 PST

Raw message

From: pat@tstc.edu (Patrick E. Hykkonen)
Date: Mon, 10 Jan 94 11:36:34 PST
To: pdn@dwroll.dw.att.com (Philippe Nave)
Subject: Re: Crypto not being used where needed
In-Reply-To: <9401101839.AA27426@toad.com>
Message-ID: <9401101936.AA03275@tstc.edu>
MIME-Version: 1.0
Content-Type: text/plain

> Although I sincerely agree that the data should be encrypted, is it really
> that easy to intercept cellular phone calls? I thought you had to go to 
> considerably more effort than programming a scanner to pick up these 
> transmissions - I don't know much about cellular phones, but I thought they
> hopped frequencies and so forth such that it was a real pain to listen in.

Technically it is that easy.  Cellular phones only "hop frequencies"
when they are mobile.  In other words as I am driving along the
highway my phone is changing frequencies as I change cells.  If I am
stationary, however, my phone will most likely stay on one frequency
within that cell.  However, the MTSO (Mobile Telephone Switching
Office) may command my phone to change to a different frequency if
another user moves into my cell and the MTSO "decides" that my current
frequency would be better allocated to the other user.

In any case, there are two solutions to tracking the frequency of a
particular cellular user.  First, and most expensive.  Get the users
ESN (Electronic Serial Number) from the phone and listen in on the
control channel.  I do not know how the control data is modulated on
the control frequency, but once you can decode that data you can "see"
the MTSO command the phone to change frequencies and cells.  Secondly,
simply get a frequency counter and a yagi antenna.  By pointing the
antenna at the cellular antenna you should be able to get the
frequency the phone is currently on.  When the phone switches
frequencies, simply follow the same procedure.  Labor intensive, but
cheap!  Note, these are general ideas based on what I know about
cellular.  I am most definetely *not* an expert on cellular technology.

> The reason I ask is that I have a buddy who works for local law enforcement.
> His group is about to roll out a network of laptops in their cars, linked
> by modem to the AS/400 that serves as their gateway to NCIC. We've talked
> about how easy it is to intercept/spoof transmissions in the clear on a 
> single channel, but we both figured it would be considerably more difficult
> to intercept cellular calls. Given the level of understanding of the fuzz,
> they'll probably slap a Hayes modem on their Barney Fife Cop Car Radios
> anyway, and I'll gleefully try to trap their transmissions.... just as an
> exercise, of course, to educate them as to the error of their ways...
> Seriously, folks, this issue is a valid one. If [insert favorite bogeyman
> here] can dial a scanner and pick up credit card numbers, vehicle and
> driver's license data, and criminal histories, our privacy is due for
> another beating. The way I got my friend's attention was to ask whether the
> police department is liable for revealing private information - in other
> words, if Charles Manson grabs my license data off the cops' data net, can
> I sue the cops? 

I would be willing to bet that it would be "fairly" easy for the
average techie to be able to intercept and decode your PD's data.  And
only a "little" more difficult to spoof one of the mobile data
terminals.  If they are using off-the-shelf hardware then you can
assume that you could buy the same hardware!

Pat Hykkonen ** N5NPL ** pat@tstc.edu ** CNSA ** (817) 867-4831
"The pen is mightier than the sword!  And my pen is bigger than your pen!"
				- Jason Henderson, the emenintly quotable