ETSI Security activities in product proofing
Charles Brookson, Chairman ETSI OCG Security
ETSI Security activities
• ETSI has, since its inception, been in the lead of setting security standards.
• From GSM, which included authentication, anonymity and customer privacy, many other standards have built on this expertise.
• Work has included DECT, Video standards, Multimedia IP such as TIPHON, and subsequent mobile and fixed services.
Other activities
• Lawful interception TC LI
• Algorithms SAGE
• Smart cards platform group
• Electronic signatures
Product proofing
• Protection methods
• Examples
• TETRA, terminal can be disabled
• GSM, 3G Terminal Identity
• Product marking (Paint microdots etc)
• Challenges
• Denial of Service
• Commercial security only possible
Example of IMEI
• SIM + ME = MS (Mobile Phone)
• IMSI, MSISDN
• IMEI: *#06#
• Global IMEI Strategy Forum
• 3G will use it
A very short history
• 1992 IMEI security
• 1995 Changes proposed, rejected
• 1999 3GPP/GSMA change, June 2002 deadline
• Industry has standardised IMEI
• Rolled out to Satellite
• 3G in 3GPP, USA and Japan
• ITU taking up as a recommendation
Changing the IMEI?
• Clips
• Software
• Chips (internal)
http://www.hackgsm.net/body.htm
Equipment Identity Register
• EIR in COUNTRY A, EIR in COUNTRY B
• CEIR and SEIR in Dublin
• White list (all mobiles)
• Black list (barred mobiles)
• Grey list (local to operator)
• CEIR: Central EIR
• SEIR: Shared (by country)
• EIR for each operator
CEIR and SEIR
• CEIR in Dublin
• Not used by many operators since 1992 (20 out of 530)
• September 1997 date for all……..
• SEIR
• New system to support legislation
• Anti theft, street crime
• But is this true? Insurance fraud?
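The white, black and grey lists from the Equipment Identity Register slide can be read as a lookup keyed on the IMEI. The sketch below is an added example, not code from ETSI, 3GPP or the GSMA: the class and function names, the white list held as 8-digit TAC prefixes and the black-then-grey-then-white precedence are assumptions, and all IMEIs are constructed sample values.

```python
# Added illustration: names, list layout and precedence are assumptions, not a 3GPP/GSMA API.

def check_digit(body14: str) -> str:
    """Luhn check digit for the 14-digit TAC + serial part of an IMEI."""
    total = 0
    for pos, ch in enumerate(reversed(body14)):
        d = int(ch)
        if pos % 2 == 0:          # digits next to the check digit are doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def well_formed(imei: str) -> bool:
    """15 decimal digits whose last digit matches the Luhn check digit."""
    return len(imei) == 15 and imei.isdigit() and check_digit(imei[:14]) == imei[14]

class EIR:
    def __init__(self, white_tacs, black=(), grey=()):
        self.white_tacs = set(white_tacs)   # assumption: white list kept as 8-digit TAC prefixes
        self.black = set(black)             # barred mobiles
        self.grey = set(grey)               # local to the operator

    def check(self, imei: str) -> str:
        if not well_formed(imei):
            return "malformed"
        if imei in self.black:              # assumed precedence: black, then grey, then white
            return "black"
        if imei in self.grey:
            return "grey"
        return "white" if imei[:8] in self.white_tacs else "unknown"

def make_imei(tac: str, serial: str) -> str:
    """Build a constructed 15-digit IMEI from an 8-digit TAC and a 6-digit serial."""
    body = tac + serial
    return body + check_digit(body)

# Constructed sample data (not real handsets).
STOLEN = make_imei("49015420", "323751")
WATCHED = make_imei("49015420", "000002")
ORDINARY = make_imei("49015420", "000003")
FOREIGN = make_imei("12345678", "000001")
SAMPLE_EIR = EIR(white_tacs={"49015420"}, black={STOLEN}, grey={WATCHED})

if __name__ == "__main__":
    for imei in (STOLEN, WATCHED, ORDINARY, FOREIGN, STOLEN[:14] + "0"):
        print(imei, SAMPLE_EIR.check(imei))
```

The lookup can only judge the IMEI the handset reports, so a barred handset is caught only while its IMEI stays unchanged.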
Result of change of use
• Legislation
• UK Mobile Telephones (Re-programming) Bill
• creates a number of offences relating to the electronic identifiers of mobile wireless communications devices.
• In particular it will be an offence to re-programme the unique International Mobile Equipment Identity (IMEI) number which identifies a mobile telephone handset.
• It is also possible to interfere with the operation of the IMEI by the addition of a small electronic chip to the handset and this too will be made illegal.
How can we make it better?
• By standardised testing?
• Because there is no one method
• If we have one method, then break one, and break them all
• Technology and methods will change with time
• Being discussed in
• 3GPP SA3 Security Group,
• Manufacturers,
• GSM Association
Issues for discussion
• Not an easy balance
• Is it commercially viable?
• Is it technically feasible?
• What are we trying to protect?
• Are we using the right solution?
• What is the business model?
• Require clear objectives