What is preventing us from sniffing the mobile phone communication?

For telecommunications, check out GSM, CDMA, TDMA, and EDGE. The two competing protocols in the United States are GSM and CDMA. The resources linked below are lacking when it comes to CDMA, but using site:defcon.org and site:blackhat.com in your Google searches will turn up some presentations.

For interception of GSM, I refer you to a white paper Intercepting GSM traffic from the BlackHat conference:

  • Intercepting GSM traffic - Black Hat Briefing - Washington D.C., Feb 2008

Abstract: This talk is about GSM security. We will explain the security, technology and protocols of a GSM network. We will further present a solution to build a GSM scanner for 900 USD. The second part of the talk reveals a practical solution to crack the GSM encryption A5/1.

The corresponding video of the presentation:

  • DeepSec 2007: Intercepting GSM traffic

Also a talk on cellular privacy and the Android platform:

  • DEFCON 19: Cellular Privacy: A Forensic Analysis of Android Network Traffic (w speaker)

and a whitepaper on the Lawful Interception for 3G and 4G Networks (though see first comment on this answer):

  • Lawful Interception for 3G and 4G Networks - White Paper by AQSACOM

This document will first provide a brief description of the various evolutions of public mobile networks that have been commercially deployed, followed by a discussion on the evolution toward the newer “long term evolution” technologies. We then discuss possible configurations for lawful interception of the evolving mobile networks, followed by descriptions of approaches to 3G / 4G interception solutions now available from Aqsacom.

And a SANS article on GSM security:

  • The GSM Standard: an overview of its security

Also note that smart phones typically just automatically connect to networks with SSIDs they remember. Sniff the airwaves for beacons that it is sending out and set up an evil access point with a matching SSID. Launch a remote attack across the network or man in the middle the device and launch a client-side attack appropriate to the device.


Like any other secured communication, it could be possible to decode the GSM/CDMA wireless traffic; the question is how tough it is and how much infrastructure cost is required to decode it. Coming to a simple answer, though many details and much analysis have already been posted here, it is difficult to intercept them because:

  1. There exists a secure element in the Mobile Equipment called the SIM. The device is a smart card which contains a secret key. The secret key is initialized into the SIM card in the process of personalization by the telco. The shared secret is known only to the telco and the SIM itself.
  2. In the initial handshake protocol in which the Mobile device registers into the telco network, there exists a challenge-response protocol in which the identity of the SIM is established to the telco. After this process, in conjunction with the Mobile Equipment, a session key is derived and the entire communication is encrypted using some variant of the A5 algorithm.

This is how the communication is secured and how it cannot be intercepted. The ecosystem is designed in such a way that the handshake happens at some regular interval and so the session key keeps changing.

Even if an attacker were to create tampered Mobile Equipment, it is impossible to extract the secret key from the smart card.

With the advent of high-capability crypto smart cards and higher bandwidths, the security model has changed to mutual authentication, in which case the network authenticates the card and the card also authenticates the network (telco) using a combination of symmetric and asymmetric encryption and signing processes.

The above context was more with respect to GSM technology. CDMA uses a technique called frequency hopping spread spectrum, in which a data pipe takes more bandwidth and space than it would actually have required, thus scattering the data like dust particles (just an explanation). So for an interceptor it becomes tough to regenerate the actual data from the scattered data using some reference data.

As far as your other question regarding 802.11 standards for mobile devices, AFAIK the standards are the same for any device which wants to use 802.11, whether it is a mobile or a simple laptop device. The security requirement is imposed by the 802.11 routers.

What exactly is SIM (Subscriber Identity Module) Card?

SIM (Subscriber Identity Module) is a specialized smart card in a form factor which can be inserted into a mobile device. A smart card is not a secret password but a slave computer device (simple explanation). Unlike the thumb drives which we use for storing data, a SIM card doesn't allow an external entity to directly access the memory in the chip. A SIM card acts as a computer in the sense that the other computer (reader or mobile equipment) needs to have a protocol for communication. There are standards like ISO 7816-4 which provide a command interface using which an external reader can communicate with the smart card.

How does SIM Card play role in Establishing connection between Phone & Network Operator?

Now I will try to explain the basic steps again how the security is established in the entire life cycle of SIM and secure mobile communication:

  1. When the telco initializes the SIM card, it inserts a secret key into the SIM card using the ISO 7816 command set. The security of the key file is such that it cannot be read. The SIM card will only allow operations like enciphering or signing using the file. When the manufacturer of the SIM card ships the smart card to the telco, it initializes it with an initialization key which it secretly shares with the telco. The SIM shall allow loading of the key file by the telco only if the telco can prove that it has the initialization key or PIN. In this way the telco has full control over the SIM. In the process of initialization of the SIM by the telco, the telco maps a serial number in its system and the same number is printed on the back side of the SIM (for example). This number is used by the telco at a later stage to map and activate a SIM card. Technically the printed serial number enables the telco to fetch the secret key for activating the SIM and informing the same to its validation systems.

  2. When the SIM is inserted into the Mobile Equipment, the mobile equipment scans for available networks present in the air in the 900/1800/1900 channels. It talks to the desired network to let it register to the network. The mobile sends the unique SIM ID to the network. The network sends a challenge to the mobile device. Using the ISO 7816 command specification, the mobile equipment constructs the required command for the authentication request, which also contains the challenge received by the equipment from the network. The SIM card, using the secret key, encrypts the challenge and sends it as the response to the ISO 7816 command to the equipment. The response is passed to the network by the mobile equipment. The network validates the response as it also possesses the secret key in its system, mapped with the unique SIM identifier. Based on the validation the network either grants or denies registration to the mobile equipment in the network. The further process of generation of the session key is slightly complex and is beyond the scope of this context. The SIM is not required any more by the equipment. At regular intervals the network shall ask the equipment to redo the challenge response, in which case the SIM shall again be used. For this reason, if you have a mobile device in which the SIM can be removed without removing the battery, your mobile shall continue to operate for a finite period of time.

How does Manual & Automatic Registration of Network Work?

Now coming to the issue of manual and automatic registration. When the telco initializes the SIM it writes one more read only file in the SIM which contains the network ID. This helps the mobile to detect the preference in which it should select the network provider from the list of available network providers to which it should make the first attempt to register.

In case the file is not available, the mobile will make an attempt in a sequential manner with the list of network providers. The mobile also maintains a history record of the SIM ID and the network to which it registered, which helps it to speed up the process when the equipment is restarted, for judging the network to which the request for registration is sent first.

How does WiFi Security differ from GSM Security?

Now coming to the WiFi and 802.11 communications using the mobile device. Here the SIM is not part of any communication or authentication. In fact you can connect to WiFi without the SIM present in the device. The security guidelines for WiFi are provided in the WiFi specifications. Based on the security rules configured in the router, the clients have to authenticate and have the channel of communication secured and encrypted, or non-secured. The mobile device just contains the client hardware and software to use a WiFi network in addition to the GSM radio.

Further Reading:

  1. SIM Card Security - A Seminar Work by Sheng He - Explains the structure & Working of SIM Card.
  2. Security Architecture of Wireless Cellular Network Technologies: 2G Mobile Telephony Cellular Network (GSM)
  3. GSM Security - Brief (4-page) overview of Security in GSM

You're right, wireless communications are all around us. We can detect them, but they are encrypted.

3G security seems to be based around the concepts of secure authentication and encrypted communication.

Here's an interesting article on the subject.

3G Security Architecture

There are five different sets of features that are part of the architecture:

  • Network Access Security: This feature enables users to securely access services provided by the 3G network. This feature is responsible for providing identity confidentiality, authentication of users, confidentiality, integrity and mobile equipment authentication. User identity confidentiality is obtained by using a temporary identity called the International Mobile User Identity. Authentication is achieved using a challenge response method using a secret key. Confidentiality is obtained by means of a secret Cipher Key (CK) which is exchanged as part of the Authentication and Key Agreement process (AKA). Integrity is provided using an integrity algorithm and an integrity key (IK). Equipment identification is achieved using the International Mobile Equipment Identifier (IMEI).
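Added example (not from any of the answers above) modelling the SIM challenge-response described in step 2 of the second answer and the 3G AKA features of the last answer (CK, IK, and the mutual authentication the second answer mentions). It assumes HMAC-SHA256 as a stand-in for the real A3/A8 and Milenage functions, and the IMSI, key K and field widths are constructed placeholders; the point it shows is that the key never leaves the SIM, every registration yields a fresh session key, and a network that does not hold K (or replays an old challenge) is rejected.

```python
import hmac, hashlib, os

def prf(k, label, *parts):
    # Keyed one-way function (assumption: HMAC-SHA256 in place of A3/A8 or Milenage).
    # Every output depends on K, so seeing RAND and RES on the air does not reveal K.
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()

class Sim:
    """K is written once at personalization and never read back; only derived values leave."""
    def __init__(self, imsi, k):
        self.imsi, self._k, self._last_sqn = imsi, k, -1
    def respond(self, rand, autn=None):
        if autn is not None:                        # 3G AKA: verify the network's proof first
            sqn, mac = autn[:6], autn[6:]
            if not hmac.compare_digest(mac, prf(self._k, b"mac", rand, sqn)[:8]) \
                    or int.from_bytes(sqn, "big") <= self._last_sqn:
                return None                         # rogue network or replayed challenge
            self._last_sqn = int.from_bytes(sqn, "big")
        return {"res": prf(self._k, b"res", rand)[:8],      # SRES / RES sent back to the network
                "ck": prf(self._k, b"ck", rand)[:16],       # Kc / CK, the session cipher key
                "ik": prf(self._k, b"ik", rand)[:16]}       # IK, the 3G integrity key

class Network:
    """Home network (HLR/AuC): holds each subscriber's K, indexed by the SIM identifier."""
    def __init__(self):
        self._subs, self._sqn = {}, 0
    def provision(self, imsi, k):
        self._subs[imsi] = k                        # the personalization step from the answer
    def challenge(self, imsi, umts=False):
        k, rand, autn = self._subs[imsi], os.urandom(16), None
        if umts:                                    # AUTN = SQN || MAC proves the network knows K
            self._sqn += 1
            sqn = self._sqn.to_bytes(6, "big")
            autn = sqn + prf(k, b"mac", rand, sqn)[:8]
        return rand, autn, prf(k, b"res", rand)[:8]  # expected RES stays on the network side
    def verify(self, expected, reply):
        return reply is not None and hmac.compare_digest(expected, reply["res"])

def register(sim, net, umts=False):
    rand, autn, expected = net.challenge(sim.imsi, umts)
    reply = sim.respond(rand, autn)
    return net.verify(expected, reply), (reply or {}).get("ck")

def demo():
    sim, net = Sim("001010123456789", b"\x2a" * 16), Network()   # constructed IMSI and K
    net.provision(sim.imsi, b"\x2a" * 16)
    gsm_ok, ck1 = register(sim, net)                # GSM: one-way, network authenticates SIM
    umts_ok, ck2 = register(sim, net, umts=True)    # 3G: mutual authentication via AUTN
    rand, autn, _ = net.challenge(sim.imsi, umts=True)
    sim.respond(rand, autn)                         # genuine run; replaying it below must fail
    return {"gsm_ok": gsm_ok, "umts_ok": umts_ok, "keys_differ": ck1 != ck2,
            "rogue_rejected": sim.respond(os.urandom(16), os.urandom(14)) is None,
            "replay_rejected": sim.respond(rand, autn) is None}
```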