Saturday, January 3, 2009

Numb3rs "Frienemies"

It has been a while since Numb3rs has dealt with an information security topic so badly that it warranted my attention and "Frienemies" does not disappoint.

The episode begins with a botched robbery of a high school--it seems that a bunch of would-be laptop thieves were stopped by a vigilante group called Vanguard. On the way out of the school, a member of the Vanguards drops a cellphone on the gym floor. The FBI bags the phone as evidence and sends it back to the lab for analysis.

Being true to form, the writers follow this up with the ever popular "explain it in English" scene:

FBI Geek: Someone scraped off the MIN...and the ESN.
FBI Agent: Translation?
FBI Geek: The MIN is the phone number, the ESN is the electronic serial number.

For those of you who are not familiar with cell phone cloning, the MIN, or Mobile Identification Number, and the ESN are the two pieces of information cell phone providers use to identify a phone when it connects to their networks. If you copy both the MIN and ESN to another phone, that second phone will be indistinguishable from the first. However, this only applies to cell phone networks that use CDMA, such as Verizon and Sprint. More on that later.

Both the MIN and ESN are electronic and embedded in the memory of the cell phone, so they can be removed--or changed in the case of cloning--by removing the memory chip or overwriting the memory location in which they are stored. The cell phone manufacturers have tried to make this more difficult, but a knowledgeable attacker can still accomplish it with the right hardware and software. Manufacturers also put stickers printed with the ESN on the phone to make it easier to find, but scraping off that sticker will not erase or change it.

The scraped off ESN

The FBI, being completely stumped by the low-tech approach to hiding the ESN, brings the cell phone over to CalSci for further analysis. Charlie and Amita, being avid Wikipedia readers*, explain to the FBI that they can extract the data from the cell phone with a cold boot attack, "also known as a cold ghosting attack [or] iceman attack."

Amita freezing the memory chip with an upside down can of liquid air.
Notice that the sticker is no longer scraped off.

What Amita freezes and subsequently pulls out of the cell phone is a SIM card, which is used almost exclusively in GSM cellphone networks, not CDMA. There are many technical differences between CDMA and GSM, but the most important here is how subscribers are identified on the network.

GSM uses small smart cards, known as SIMs, to perform subscriber authentication. A unique cryptographic key, known as the Individual Subscriber Key, is programmed into the SIM and is used in a series of cryptographic challenges and responses to authenticate the subscriber to the network. This explains why the FBI could not find the MIN/ESN combination (hint: the phone never had one).

SIMs, like other smart cards, use non-volatile memory to allow for long-term storage of data without the need for a power source. As we know from my previous write-up on cold boot attacks, cooling is only needed if you want to read data from volatile memory. In other words, Amita simply needed to remove the SIM card and put it into the reader--freezing it would have made no difference at all.

Better yet, Amita or the FBI could have simply read the 18-digit serial number off of the SIM card to figure out what account the phone was linked to. The writers could even have had Charlie figure out a missing part of the serial number by using the check digit, which would have had the extra benefit of adding one of those layman explanations of complex mathematical subjects with cool graphics.
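To show what that check-digit scene could have looked like, here is an added example (mine, not from the show or the original post): the serial number printed on a SIM, the ICCID, ends in a Luhn check digit, so when exactly one digit is scraped off or misread the check digit pins the missing value down uniquely. The sample ICCID below is constructed for the example.

```python
# Added example: recovering one unreadable digit of a SIM serial number
# (ICCID) from its trailing Luhn check digit (ITU-T E.118).
# SAMPLE_ICCID is a constructed 18-digit value, not a real subscriber's card.

SAMPLE_ICCID = "890141032111185101"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string (check digit included) passes Luhn."""
    total = 0
    # Walk right to left; double every second digit, starting with the one
    # immediately to the left of the check digit.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Compute the check digit for a serial number that does not carry one yet."""
    for c in "0123456789":
        if luhn_valid(payload + c):
            return c
    raise AssertionError("unreachable: exactly one digit always satisfies Luhn")


def recover_missing_digit(partial_iccid: str, gap: str = "?") -> list[str]:
    """
    Return every digit that makes the partially read ICCID pass its Luhn check.
    Exactly one position may be unreadable, marked by `gap`.

    With a single unknown position the answer is always unique: an undoubled
    digit shifts the sum by d, a doubled one by one of 0,2,4,6,8,1,3,5,7,9,
    and both sequences hit every residue mod 10 exactly once.
    """
    if partial_iccid.count(gap) != 1:
        raise ValueError("exactly one unreadable position is supported")
    return [c for c in "0123456789"
            if luhn_valid(partial_iccid.replace(gap, c))]


if __name__ == "__main__":
    print(luhn_valid(SAMPLE_ICCID))                      # True
    print(recover_missing_digit("8901410321111851?1"))   # ['0']
    print(luhn_valid("890141032111185102"))              # False (misread digit)
```

Note that the same arithmetic only flags a single misread digit; it cannot tell you which digit is wrong, and two or more unreadable positions leave several candidates.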

* I bet you are wondering how I know that Charlie and Amita read Wikipedia. Simple: it is the only place outside of a somewhat obscure Microsoft technical publication that refers to the cold boot attack as "iceman."