Monday, February 21, 2011

Does your phone warn you when it is not encrypting your calls?

Looking at the following picture, do you know what the open lock icon, near the top left corner of the screen of the Nokia phone, means?



In short, it means that the phone call is not being encrypted. But that being the case, shouldn't the iPhone be displaying a similar icon? (The call in progress in the picture was established between the two phones.) Keep on reading, and you will see that there is more to it than meets the eye.

GSM usually encrypts your calls to protect your privacy, and the same goes for your GPRS/EDGE data connections. Now, GSM has many security problems, but for the purpose of this discussion, let us concentrate on the "usually" part in the above sentence.

The GSM specification gives the network full control over the selection of the encryption algorithm used to protect communications on the radio interface. The network chooses from a set of supported algorithms, which nowadays in most cases includes only two choices: A5/1, which is the most commonly used encryption algorithm in GSM networks (already broken, but that's another story), and A5/0, which is a euphemism for no-encryption-at-all. Thus, the network can choose to encrypt, or not, your communications.

Most GSM operators do encrypt their subscribers' communications, but some may choose not to do it, and in some countries, like India, they may even be required by law not to use encryption. Making things even more worrisome, an attacker can very easily set up a rogue GSM base station, pretending to belong to your usual network operator, and route all your calls and data connections, unencrypted, through his base station.

So, you cannot decide whether the communication will be encrypted or not. But, could you, at least, KNOW if your communication is being encrypted or not?

The GSM specification states that you, the user, "should" be informed by your mobile device when the communication is not encrypted (3GPP Rel.9 TS 33.102-920 "3G Security Architecture" 5.5.1 Visibility):


"Although in general the security features should be transparent to the user, for certain events and according to the user's concern, greater user visibility of the operation of security features should be provided. This yields to a number of features that inform the user of security-related events, such as:
  • indication of access network encryption: the property that the user is informed whether the confidentiality of user data is protected on the radio access link, in particular when non-ciphered calls are set-up;

[...]
The ciphering indicator feature is specified in 3GPP TS 22.101 [...]"



The referenced 3GPP TS 22.101 specification (R99 22.101-3.17.0), in section 13, "Types of features of UEs", says:


"The basic mandatory UE requirements are:
[...]
- Ciphering Indicator for terminals with a suitable display;
The ciphering indicator feature allows the ME to detect that ciphering is not switched on and to indicate this to the user. The ciphering indicator feature may be disabled by the home network operator setting data in the SIM/USIM. If this feature is not disabled by the SIM, then whenever a connection is in place, which is, or becomes unenciphered, an indication shall be given to the user. Ciphering itself is unaffected by this feature, and the user can choose how to proceed;"



Interesting! So, according to the specification, our mobile devices should tell us that the communication is not encrypted and we should be allowed to choose how to proceed, unless our SIM card were configured to disable this feature. However, is that how it is in real life?

In a little experiment we did in our lab, we took 2 SIM cards from 2 different network operators, let us call them Operator1 and Operator2, and we inserted them in the phones you saw in the previous picture, an old (2004) Nokia 6230, and a more recent (2008) iPhone 3G. Then, we established a call between them, using our own base station with A5/0, that is, no encryption, and the result was the one depicted in the previous picture: the old Nokia phone displayed the open lock icon, indicating that the call was not being encrypted, while the iPhone did not show any indication of this fact.

Then, we swapped the SIM cards between the two phones, and established a call between them again. The result: this time neither the Nokia 6230 nor the iPhone 3G displayed any indication of the call not being encrypted, as you can see in the following picture:



The conclusions we can draw from this little experiment are:

  • the Nokia 6230 will show an open lock icon when a call is not encrypted, unless the SIM card disables this feature,

  • the iPhone 3G will never notify the user about a call not being encrypted,

  • the SIM card from Operator1 (inserted in the Nokia Phone in the first picture) does not disable the ciphering indicator, and

  • the SIM card from Operator2 (inserted in the Nokia Phone in the second picture) disables the ciphering indicator.
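
As an added illustration (not code from the original post), the TS 22.101 rule quoted above can be combined with the network's cipher selection in a short Python model of a compliant handset. The message layout follows the RR Ciphering Mode Command in 3GPP TS 44.018, which the post does not cite; the function names and sample bytes are constructed for this example.

```python
# Added example. Constants follow 3GPP TS 44.018 (RR Ciphering Mode Command);
# they are not taken from the original post.
RR_PD = 0x06                  # protocol discriminator: radio resource management
MT_CIPHERING_MODE_CMD = 0x35  # message type: CIPHERING MODE COMMAND
ALGORITHMS = {0: "A5/1", 1: "A5/2", 2: "A5/3", 3: "A5/4",
              4: "A5/5", 5: "A5/6", 6: "A5/7"}


def parse_ciphering_mode_command(l3: bytes):
    """Return the cipher the network selected, or None if `l3` is not a
    Ciphering Mode Command. "A5/0" means the network asked for no ciphering."""
    if len(l3) < 3 or (l3[0] & 0x0F) != RR_PD or l3[1] != MT_CIPHERING_MODE_CMD:
        return None
    setting = l3[2] & 0x0F        # low half-octet: Cipher Mode Setting
    if setting & 0x01 == 0:       # SC bit clear: no ciphering
        return "A5/0"
    algo = (setting >> 1) & 0x07  # bits 4..2: algorithm identifier
    return ALGORITHMS.get(algo, "reserved")


def link_cipher(downlink_messages):
    """Track one connection's ciphering state from its downlink L3 messages.
    A connection starts unciphered and stays so until the network says otherwise."""
    cipher = "A5/0"
    for msg in downlink_messages:
        selected = parse_ciphering_mode_command(msg)
        if selected is not None:
            cipher = selected
    return cipher


def should_warn(downlink_messages, sim_disables_indicator: bool) -> bool:
    """TS 22.101 rule: indicate an unenciphered connection to the user
    unless the SIM/USIM disables the ciphering indicator."""
    return link_cipher(downlink_messages) == "A5/0" and not sim_disables_indicator


# Constructed sample messages, not captured from a real network.
OTHER_RR_ONLY = [bytes.fromhex("062900")]  # not a Ciphering Mode Command
START_A51 = [bytes.fromhex("063501")]      # SC=1, algorithm identifier 000
START_A53 = [bytes.fromhex("063505")]      # SC=1, algorithm identifier 010
NO_CIPHERING = [bytes.fromhex("063500")]   # SC=0

if __name__ == "__main__":
    # Replay of the lab setup: base station using A5/0, two SIM configurations.
    print("SIM leaves indicator enabled :", should_warn(NO_CIPHERING, False))
    print("SIM disables indicator       :", should_warn(NO_CIPHERING, True))
```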


Think about it for a second, and then try again to answer the question in the title of this article: does your phone warn you when it is not encrypting your calls?

<plug>
If you want to find out, bring your mobile phone and SIM card to our GSM/UMTS (2G/3G) SECURITY training course, and you will be able to test it yourself! Sessions available in English and in Spanish!
</plug>

6 comments:

Anonymous said...

Well, I'm not sure whether quoting in this case is going to make any difference. If it reads "should", there is no obligation for the implementer to have such behaviour.

Blame the standard, if you will. (Although I preferred that any implementation included this feature!)

David Perez said...

Absolutely. Since the specification reads "should", implementers can choose not to display any warning and still be compliant with the standard. However, they could just as well choose to display it, they would also be compliant, and we, the users, would have access to that critical security information. Shouldn't we, the users, be asking for that feature in the mobile devices we buy?

The good news is that for LTE it will no longer be recommended, "should", but mandatory, "shall", as specified in specification SAE (System Architecture Evolution) Security Architecture, 33.401-950:

"Although in general the security features should be transparent to the user, for certain events and according to the user's concern, greater user visibility of the operation of following security feature shall be provided: [...]"

Anonymous said...

My Nokia C6-00 (the older one) always flashes the unencrypted call icon before any incoming or outgoing call. IMO the best thing to do would be to compile a list of phone models and operators that value our privacy, and of those that don't.

David Perez said...

Having such a list would certainly be great. Does anybody else have a terminal that informs the user about unencrypted calls? If so, please post it here, or send us an e-mail, best if with a picture, and we will try to compile, and publish, the list.

Anonymous said...

Nokia Asha 302 shows an "opened lock" icon when you have an unencrypted connection.

Anonymous said...

There is a partial list of phones that have this feature here, although obviously firmware version and other customisations may render it invalid in some cases.

http://security.osmocom.org/trac/wiki/WillMyPhoneShowAnUnencryptetConnection
