SprintPCS security?

Guest
Archived from groups: alt.cellular.sprintpcs

Greetings all,

I'm a recent convert from (Verizon|Cingular|T-Mobile|Nextel|Back To
T-Mobile) to SprintPCS.

I'm mildly concerned about the possibility of eavesdropping of calls
over the air. I seem to recall (when I was using Verizon, about three or
four years ago) that there was some sort of in-call encryption option
that could encrypt one's conversations to reduce eavesdropping. I don't
seem to recall that Verizon ever supported it in my area, but it was an
option on the phone.

Does Sprint offer any sort of privacy-enhancing service such as this, or
is one limited to the frequency-hopping benefits of CDMA?

I have no reason to suspect that anyone would be monitoring my calls,
but in today's society it is wise to be prudent.

Cheers!

--
Pete Stephenson
HeyPete.com
 
Guest

Since your phone emissions look like broadband noise it's difficult for
anyone to tell which, among the different phone conversations occurring to
the cell sector, is your conversation. It's just a bunch of broadband noise
all jumbled up together.

It'd be much more feasible for someone to put a tiny "bug" on your phone,
or to bribe someone who has access to the landline side of the SPCS
infrastructure to tap your call.
 
Guest

On Sun, 05 Dec 2004 23:44:53 -0800, Pete Stephenson wrote:

> Greetings all,
>
> I'm a recent convert from (Verizon|Cingular|T-Mobile|Nextel|Back To
> T-Mobile) to SprintPCS.
>
> I'm mildly concerned about the possibility of eavesdropping of calls
> over the air. I seem to recall (when I was using Verizon, about three or
> four years ago) that there was some sort of in-call encryption option
> that could encrypt one's conversations to reduce eavesdropping. I don't
> seem to recall that Verizon ever supported it in my area, but it was an
> option on the phone.
>
> Does Sprint offer any sort of privacy-enhancing service such as this, or
> is one limited to the frequency-hopping benefits of CDMA?
>
> I have no reason to suspect that anyone would be monitoring my calls,
> but in today's society it is wise to be prudent.
>
> Cheers!

Calls in cdma are not encrypted but the design of cdma makes it near
impossible to eavesdrop on. The voice channels between the tower and the
phone are keyed with three things which are a code, your esn, and the
current time. For someone to recreate the call they would have to sniff
all cdma traffic on the paging channel to figure out the code given to
your phone and then maybe figure out the difference, exactly, between the
phone's internal clock and the tower's clock which initializes the phone's
clock at power on, following this then figure out what the phone's esn is
which never gets sent out over the air. To do all this requires some very
expensive/flexible radio equipment and then requires you to brute
force an 11-digit number. There are some possibilities of attacks on the
cdma protocol, or ways to switch the phone to analog mode remotely
but such options require you to transmit with enough power to override the
tower and again very complex radio equipment.

So if someone wants to eavesdrop on your call and the data is so valuable
or incriminating for them to try, then it would be quicker (and cheaper) to
physically break into the tower/repeating station or directly tap the
lines at your cdma provider.
 
Guest

Pete Stephenson wrote:

> Does Sprint offer any sort of privacy-enhancing service such as this, or
> is one limited to the frequency-hopping benefits of CDMA?

Actually, Sprint is using probably one of the more secure interfaces,
even though there's no overt encryption layer beyond the CDMA air
interface itself.

One important thing to note is that the flavor of CDMA being implemented
by Sprint isn't frequency hopping. Instead, portions of the speech in
the conversation are broken up into discrete chunks and simultaneously
broadcast over a wide spectrum across the carrier's frequency band. If you
hit across one portion, it's not enough to decipher what is being said,
and likewise, if you jam one portion of the conversation, the vast
majority of the conversation will still be intelligible to the parties
who legitimately should be hearing it (you and whoever you're speaking
to). What portions are broadcast where (known as the "code mask") change
from one call to the next and are based on pseudorandom keys which are
never broadcast over the air.

Steven Den Beste's CDMA FAQ ( http://tinyurl.com/4yhg8 ) explains it better:

"When you speak into your CDMA phone, your voice is digitized and
compressed into 50 digital packets per second. These are then spread,
interleaved, passed through a Viterbi forward-error-correction encoder,
scrambled using the Walsh code for the channel you've been assigned,
scrambled again with the short code, possibly encrypted, scrambled yet
again with a modified version of the long code and then transmitted in
quadrature with spread spectrum. The creepy voyeur with his FM scanner
can't even pick up spread spectrum, and if he had the right receiver it
would just sound like a very high frequency hiss (well beyond the range
of human hearing) bearing no resemblance whatever to your voice."


So, to eavesdrop successfully on a call, you would need to know:

1. The phones' ESN, MDN and MSID combinations.

2. The authentication key being used (also a pseudorandom number that
changes from call to call)

3. The shadow mask values (Walsh code, long code and Short code)

4. You would have to correctly guess at what modulo of #3 and #4 the
phone is currently using or will use next.

If you don't have all of these elements, then all you hear is white
noise, if that.

And if you want to hazard a guess at the iterations of walsh, short and
long code in use at the time the call is initiated, it's the worst
lottery ever: the Walsh code can be any of 64^64 values (the actual
number is 116 digits long), the short code can be any of 32,768 values
and repeats every 26 1/3 milliseconds, and the long code (are you ready
for this?) is comprised of 1,099,511,627,776 values and repeats once
every 41.4 *days*.

And all of that is BEFORE any overt encryption is added to the mix.
Needless to say, Sprint has yet to find a reason to justify the use of
any additional encryption layers.

> I have no reason to suspect that anyone would be monitoring my calls,
> but in today's society it is wise to be prudent.

To again paraphrase Steve: If there is someone out there with the desire
and means to successfully eavesdrop on your CDMA calls over the air,
then you have way more important things to worry about than just this. :)

--
E-mail fudged to thwart spammers.
Transpose the c's and a's in my e-mail address to reply.
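
The Walsh-code step named in the FAQ quote above, as an added example that is not part of the original thread: several channels are spread with orthogonal 64-chip Walsh codes, summed into one composite signal, and separated again by correlation. The channel numbers and bit streams are constructed, the link is assumed noise-free and chip-synchronous, and the short-code and long-code scrambling stages are left out.

```python
import random

def walsh_matrix(n):
    """Return the n x n Walsh-Hadamard matrix (n a power of two), entries +1/-1."""
    h = [[1]]
    while len(h) < n:
        h = [row + row for row in h] + [row + [-c for c in row] for row in h]
    return h

def spread(bits, code):
    """Spread each data bit into len(code) chips: bit 0 -> +code, bit 1 -> -code."""
    chips = []
    for b in bits:
        sign = 1 if b == 0 else -1
        chips.extend(sign * c for c in code)
    return chips

def combine(streams):
    """Sum the chip streams of all active channels sharing the same band."""
    return [sum(chips) for chips in zip(*streams)]

def despread(signal, code):
    """Correlate the composite with one code; return (bits, raw correlations)."""
    n = len(code)
    bits, corrs = [], []
    for i in range(0, len(signal), n):
        corr = sum(s * c for s, c in zip(signal[i:i + n], code))
        corrs.append(corr)
        bits.append(0 if corr > 0 else 1)
    return bits, corrs

def demo(seed=1):
    """Spread four constructed channels, sum them, and recover each one."""
    rng = random.Random(seed)
    w = walsh_matrix(64)
    # Constructed sample data: four active channels, eight data bits each.
    channels = {idx: [rng.randint(0, 1) for _ in range(8)] for idx in (7, 12, 33, 50)}
    composite = combine([spread(bits, w[idx]) for idx, bits in channels.items()])
    recovered = {idx: despread(composite, w[idx])[0] for idx in channels}
    # Correlating with a code that no channel uses yields zero energy per bit.
    _, idle_corr = despread(composite, w[20])
    return channels, recovered, idle_corr

if __name__ == "__main__":
    sent, got, idle = demo()
    print("all channels recovered:", sent == got)
    print("correlation on unused code 20:", idle)
```
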
 
Guest

In article <Pp%sd.2505$73.1936@fe62.usenetserver.com>,
Isaiah Beard <sacredpoet@sacredpoet.com> wrote:

> And all of that is BEFORE any overt encryption is added to the mix.
> Needless to say, Sprint has yet to find a reason to justify the use
> of any additional encryption layers.

Ah, excellent. Muchos thanks.

It's been quite some time since I've been on a CDMA network and I was a
bit rusty. I did recall that my old Verizon Nokia had that option, but
it was never possible to actually enable it.

I was wondering (possibly hoping) that such a feature were enabled by
default now. Indeed, it would seem to be unnecessary.

> To again paraphrase Steve: If there is someone out there with the
> desire and means to successfully eavesdrop on your CDMA calls over
> the air, then you have way more important things to worry about than
> just this. :)

Quite so. That would be a good time to start running, no? ;)

--
Pete Stephenson
HeyPete.com