
List:       best-of-security
Subject:    BoS: From cold war to cell wars
From:       Julian Assange <proff () suburbia ! net>
Date:       1995-12-28 19:28:49

Date: Sun, 26 Nov 1995 23:39:53 PST
From: Tad Cook <tad@ssc.com>
Newsgroups: comp.dcom.telecom
Subject: Stalking Cellular Bandits

Once-top-secret spy technology used in battle to foil cellular bandits

                    FROM COLD WAR TO CELL WARS

By Lee Gomes
Mercury News Staff Writer

THE COLD WAR is over, but there's no rest for the weary. Now, some of
the same people who helped defeat the "Evil Empire" are hard at work
against a new enemy. And what a wild crew is this latest batch of bad
guys: Dr. Who, ColdFire, OleBuzzard, Cool8.

In one of Silicon Valley's most remarkable defense conversion stories,
a group of engineers from ESL Inc., the ultra top-secret but somewhat
stodgy Pentagon sub-contractor in Sunnyvale, has become the nucleus of
a hot high-tech start-up in one of the nation's most sizzling markets:
cellular telephones.

Using sophisticated technology originally developed to keep tabs on
the communications from Soviet submarines and ships, Corsair
Communications Inc. is doing battle with a new and altogether domestic
opponent: cellular phone pirates.

In just six months of operation, Corsair's "RF fingerprinting" system
has become the bane of cell phone thieves in much of Los Angeles, its
first major test. It's done so well, in fact, that telecommunications
experts say the system could represent a major new defensive
capability in the war against "cloned phones," a multi-billion dollar
annual scam as well as the biggest growth industry in the underground
economy.

That would come not a moment too soon for Barbara Grossman, an Apple
Computer sales representative who, like untold thousands of other
cellular phone users, has been ripped off by cellular bandits. In
fact, Grossman has had it happen twice just in the last 18 months.
Once, she got a bill for $600 in calls she didn't make; the other
time, it was for a whopping $11,000.

While Grossman said her carrier promptly and without any questions
reversed the charges, she had to deal with all the logistics of a new
telephone number, like informing friends and family.

"It was a real annoyance," she said.

Corsair's "PhonePrint" is aimed at ending that annoyance by taking
advantage of a simple technical insight. In the same way that
individual people will have slightly different handwriting or
fingerprints, any two radio transmitters will send out a radio
frequency, or RF, signal in slightly different ways.

If you can learn the "fingerprints" of all the different transmitters
used by your opponent, something both Americans and Soviets tried as
part of their Cold War espionage arsenal, you'll know a lot, such as
whether a given transmission is from the massive aircraft carrier
Admiral Kuznetsov or the lowly supply ship Ivan Kucherenko.

Decades of research

ESL, which was bought by TRW Inc. in the late 1970s, worked on RF
fingerprinting at the Pentagon's behest for decades. And the same
techniques that were applied against the Soviet Navy can now be used
against big-city cell-phone fraud because cellular phones are radio
transmitters, too.

In fact, two cell phones that roll off the same high-tech assembly
line one after another will have enough subtle differences -- such as
in the tolerances of their various resistors and capacitors -- that
the signals they emit will be completely distinguishable from each
other, as long as you know what to look for. And that's become the
chink in the armor of phone cloning, currently the state of the art in
cell phone fraud.

In normal cellular operations, a phone trying to call someone first
sends two numbers to the receiver at the nearest cell site: its own
telephone number, and a special electronic serial number that's
hard-wired into it.

But because the current cellular system was designed years ago without
any apparent regard for either privacy or security matters, those
numbers are transmitted unencrypted over open airwaves. Thus, it's a
simple matter to grab them out of the air and to then reprogram them
into a second phone. The equipment to do both, though illegal in
California, is sold in a booming gray market.

The second phone can then be used freely and for free -- at least
until the rightful owner of the pair of numbers gets a monthly
statement and notices all the calls that he or she never made. At that
point, the cell carrier cuts off service, forcing the owner to get a
new phone number.

TRW, realizing the commercial potential of the technology for the cell
phone business, created a new business unit called TRW Wireless
Communications in 1993 to try to sell it.

Clash of cultures

At first, the business went nowhere. But rather than giving up, TRW
shopped the idea around to the local venture capital community, and
found believers at Kleiner, Perkins, Caufield & Byers.

Kevin Compton, the Kleiner Perkins partner who is chairman of the
Corsair board, said the earlier incarnation of the company didn't work
because of a "mismatch of cultures. A group with a traditional
military bent who was moving at government rates of speed was trying
to enter a very rapidly moving business."

That changed when the unit was spun off last year into a separate
company, and when new managers were brought directly in from the
cellular industry, including Mary Ann Byrnes, a Cellular One veteran,
as president.

(At the Compton household, Corsair is something of a family affair;
wife Gayla thought up the name, a reference both to a famous pirate
ship and a W.W. II fighter plane.)

After two rounds of investments, the second of which, worth $8.8
million, was just concluded, venture capitalists and private investors
own 60 percent of the firm; the other 40 percent is split between TRW
and Corsair's employees.

Corsair's system puts the equivalent of a 486 computer with 20
megabytes of RAM and a 540 megabyte hard drive into each cell site.
(While usually hidden from users, these sites are the backbone of a
cellular system, containing both transmitters and receivers as well as
a triangular antenna. There are about 500 cell sites in the Bay Area,
divided between two cellular providers, and roughly twice as many in
Los Angeles.)

The system builds a database of the fingerprint of each phone through
normal usage. Then, when it notices a mismatch between an RF
fingerprint and a pair of numbers, it assumes the pair of numbers has
been illegally entered into a second phone. The call is simply not put
through.
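The learn-then-block logic just described, as an added illustration (not Corsair's PhonePrint code): a per-site store keyed by the (phone number, serial number) pair builds a profile from the first few calls, then refuses any call whose transmitter fingerprint falls outside the profile. The fingerprint features, the enrollment threshold and the identifiers are constructed placeholders; the real feature set is proprietary.

```python
"""Toy model of the RF-fingerprint call screening the article describes.
Added illustration, not Corsair's PhonePrint code: the fingerprint features
are constructed placeholders; the real feature set is proprietary."""
from statistics import mean, pstdev

MIN_ENROLL = 5     # calls observed before a number pair's profile is trusted
MAX_Z = 4.0        # per-feature tolerance, in standard deviations
MIN_SPREAD = 0.01  # spread floor so near-identical samples don't flag everything


class CellSite:
    def __init__(self):
        self.profiles = {}  # (number, esn) -> list of fingerprint tuples

    def screen(self, number, esn, fingerprint):
        """Decide one call attempt: 'LEARN', 'ALLOW' or 'BLOCK'."""
        samples = self.profiles.setdefault((number, esn), [])
        if len(samples) < MIN_ENROLL:
            # Enrollment from normal usage: every early call is trusted, so a
            # clone active in this window would poison the profile.
            samples.append(fingerprint)
            return "LEARN"
        if self._matches(samples, fingerprint):
            samples.append(fingerprint)  # keep adapting to slow drift
            return "ALLOW"
        # Same numbers, different transmitter: treat the pair as copied into
        # a second handset, refuse the call, and do not learn from it.
        return "BLOCK"

    @staticmethod
    def _matches(samples, fingerprint):
        for i, value in enumerate(fingerprint):
            column = [s[i] for s in samples]
            spread = max(pstdev(column), MIN_SPREAD)
            if abs(value - mean(column)) / spread > MAX_Z:
                return False
        return True


# Constructed data: six calls from the genuine handset, one from a clone
# carrying the same numbers, then the owner again.
LEGIT = [(0.120, 3.40, 8.00), (0.121, 3.41, 7.98), (0.119, 3.39, 8.02),
         (0.122, 3.40, 8.01), (0.120, 3.42, 7.99), (0.118, 3.40, 8.00)]
CLONE = (0.300, 3.10, 8.90)
PAIR = ("408-555-0100", "ESN-PLACEHOLDER")


def demo():
    site = CellSite()
    calls = LEGIT + [CLONE, (0.121, 3.41, 8.00)]
    return [site.screen(*PAIR, fp) for fp in calls]
```

The blocked call is deliberately not added to the profile, so a clone cannot gradually shift the stored fingerprint toward its own transmitter.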

How effective is Corsair's technology? The system has been fully
operational since summer in more than 100 of the Los Angeles cell
sites with the highest fraud rate, and Melissa May, a spokeswoman for
cell carrier Airtouch, said the company is "impressed with the
results. We think both the company and our customers have benefited."

Corsair's computers prepare daily reports about its effectiveness, and
while the company doesn't want the exact numbers publicized, they show
it blocking tens of thousands of clone calls a day -- on a daily
caller volume of well over 500,000.

A full-scale deployment of Corsair in a market the size of Los Angeles
would cost, the company says, several million dollars -- though Corsair 
says carriers will quickly recoup their losses because of the sheer
scope of the problem.  Phillip Redman, who covers telecommunications
for the Yankee Group in Boston, said cell phone fraud can cost U.S.
carriers as much as $2 billion a year.

Easy pickin's

So, exactly how hard is it to get a cloned phone?

Not very, according to a 21-year-old Los Angeles resident who goes by
the name of "Motorola," and who is not, it scarcely needs saying,
affiliated with the cellular phone manufacturer of the same name.
"In fact, I'm talking to you on one right now," he said in a recent
interview.

As "Motorola" described it -- his views were echoed by people inside the
industry -- big cities abound in cloned phones and in the pairs of
numbers needed to activate them.

The trash containers outside the offices of cellular providers are a
frequent target: Paper records have been known to contain pairs.
Employees inside the industry are bribed to turn over the numbers. And
most commonly, cell pirates just drive around mining numbers out of
the air -- sometimes collecting hundreds or thousands in a single
cross-country jaunt.

And where to buy a cloned phone? That too, said "Motorola," is not
hard; a good place to start is in small electronics or hot rod shops.

"Usually, the guys there are up to their eyeballs in something," he
said.  "Just start chit-chatting. Ask about `chipped' phones. They say
`chipped' phones, even though that's not the correct terminology. They
should be called `clones.' People haven't been putting chips in phones
in years."

Complex criminal web

Law enforcement officials and others say the sociology of cell fraud
is rather complex, involving different social circles with very little
contact with each other. "Motorola" and his friends, the hackers with
colorful "handles," are this world's brain trust.

One of their favorite methods of transmitting information is -- surprise,
surprise -- the Internet. Many, like "Motorola," even have their own
World Wide Web home pages.

Most hackers aren't in it for the money, but instead for the kick
involved in doing something both technical and verboten. They also
delight in tormenting carriers.

Far more venal, though, are the clone phone entrepreneurs who build
thriving businesses with the hacker's discoveries. Cell fraud has
become so lucrative that some drug dealers have switched careers,
attracted by the absence of stiff prison penalties associated with the
drug trade. The San Jose man who cloned Grossman's phone, and who is
now behind bars, was said by prosecutors to have taken in nearly $2
million.

Until now, cell-phone fraud has been most commonly associated with
large inner-city immigrant communities, where people often want to
call a far-away home. So advanced are some of these businesses that
for a set fee, say $75, cloners will guarantee cellular service -- to
the point of sending out a runner with a new pair of numbers whenever
the phone is shut off.

But the view at Corsair is that cell phone fraud is very rapidly
moving into the middle class. "We're starting to see all kinds of
people use it, from college students to real estate agents," said Bill
Taliaferro, the firm's director of communications.

Airtouch says it is committed to eventually using RF fingerprinting in
more markets besides L.A., though the company said it does not yet
know which company it will buy the added units from. RF fingerprinting
is so hot that Corsair already has two competitors, though analysts
say Corsair is benefiting from its head start during the Cold War.

Head start

"From a technical perspective, Corsair is way ahead," said John Lo, a
telecommunications specialist at Pittiglio, Rabin, Todd & McGrath, a
consulting firm.

Mike McKinley, an ESL veteran in Corsair's R&D department, said some
of the elements in RF technology are so difficult to master that "you
wouldn't get it right the first 10 times you try it."

(The mere fact that McKinley was being interviewed was another sign of
the changes for the former ESL workers, some of whom previously
couldn't talk about their work even with their families.)

Corsair technicians like Bob Stoddard, who know all about the world of
counter-counter intelligence, spend much of their time looking for
holes in their system. To change a fingerprint, they've tried putting
phones in freezers or using them with drained batteries or dropping
them on the floor, but none of them beat it.

Evolution of fraud

But cell pirates turned to cloning phones in the first place only
after other fraud methods were shut off to them. With so much money at
stake, a similar evolution is expected again. Corsair, in fact, knows
what it will be -- a technique known as "roaming," but one which
actually works to the company's advantage.

If all cell sites in Los Angeles have RF fingerprinting (Airtouch's
competitor, L.A. Cellular, is testing the system as well), then it will
be impossible to get pairs of numbers from L.A. That will force
pirates to do their shopping elsewhere: getting serial numbers from
low-crime areas where carriers haven't installed RF fingerprinting,
and then selling them back in areas where people are clamoring for
them, like Los Angeles.

Ultimately, then, to be effective, the technology will need to be
deployed on a nationwide basis, with all 600 of the companies staying
in touch.

Analysts like International Data Corp.'s Iain Gillott expect that to
happen eventually, and for carriers to continue using some of their
existing anti-fraud system, such as "profiling" software that spots
unusual usage in the same way the computers at credit card companies
do. With full deployment, he said, high-tech fraud like cloning may
well abate.

But not all fraud. There will be "subscription fraud," in which cell
thieves impersonate legitimate customers. And there will always be
old-fashioned bribery of inside employees.

"If the CIA has problems with this, so will cellular companies,"
Gillott said.

But even if it's not a complete solution, Corsair's technology seems
to be enough to impress current cellular users, who are tired of
bracing for a surprise every time they open their monthly phone bill.

"It's seamless to the user and it blocks out the bad guys," said
Grossman, the pirate's victim, when Corsair was described to her. "I
like that very much."


Published 11/26/95 in the San Jose Mercury News.
