Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!ames!netsys!vector!nobody
From: tim@Athena.UUCP (Tim Dawson)
Newsgroups: comp.dcom.telecom
Subject: Re: Cellular Fraud
Message-ID:
Date: 1 Feb 89 19:21:42 GMT
Sender: chip@vector.UUCP
Lines: 59
Approved: telecom-request@vector.uucp
X-Submissions-To: telecom@bu-cs.bu.edu
X-Administrivia-To: telecom-request@vector.uucp
X-TELECOM-Digest: volume 9, issue 41, message 1

In article smb@research.att.com writes:
>X-TELECOM-Digest: volume 9, issue 34, message 3
>
>
>	 It is not impossible to change ESN in a phone, but is
>	 extremely difficult since it is manufactured physically into
>	 the unit, and is not generally documented by the manufacturer
>	 in public domain documents for security reasons.
>
>Well -- maybe it's harder today, but a couple of years ago the N.Y. Times
>reported a fairly wide-spread business doctoring the id chips in phones.
>They said that the oddest thing was not that it was happening, but that
>it was decentralized -- lots of small-scale stuff, by lots of different
>folks who knew how to operate PROM burners.  They didn't find what they
>expected:  a few centralized shops with sophisticated crooks.
>
>		--Steve Bellovin

Steve:

I made this statement based on having primary exposure to Motorola cellular
phone equipment where:

1) The prom with the ESN is potted into the radio cabinet. Therefore you
   cannot tell what kind of prom is in use.

2) The leads coming off the prom come out on a ribbon cable in random order
   to plug into the motherboard, so you can't necessarily determine how to
   access/read the prom.

3) The format by which the data is blown into the prom is also undocumented.

This prom (at least on Motorola phones) is NOT the same chip as the NAM, which
is readily available/documented to the world. Are you sure that the above
comment did not refer to changing the Mobile's phone number, which is stored
in the NAM, not with the ESN??

Also, on newer phones the ESN is burned into a prom area in the Logic Module
in the phone, which is a custom LSI which handles all the functionality of the
phone, making it virtually impossible to change since these devices are not
alterable or available to the general public. Heck, even if somebody DID get
a hold of one, they would be stuck with the ESN blown into it at
manufacturing, since they are built with an ESN in them. Once again let me
state that I do not know how other vendors of cellular equipment handle this,
since my only knowledge base is having worked for Motorola in the Cellular
product area.

Also, as an additional side note, cellular systems (Motorola again) are
typically set up to reject or flag multiple calls from the same ESN or Mobile
number, since this is an impossible situation with the concept of the unique
ESN. Hence, the system operators get informed of this type of fraud in a
pretty big hurry if the questionable unit is used much. Once again, I have no
idea about what other vendors of Cellular Equipment do or do not do, so I
could be all wet as far as they go.

-- 
================================================================================
Tim Dawson (...!killer!mcsd!Athena!tim)   Motorola Computer Systems, Dallas, TX.
"The opinions expressed above do not reflect those of my employer - often even I
cannot figure out what I am talking about."
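
The duplicate-use check described in the post above, as an added example that is not part of the original post and not any vendor's implementation: it flags call records in which one ESN or one mobile number appears in two calls that overlap in time. The record fields, key names and sample values are constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

class Call(NamedTuple):
    esn: str      # electronic serial number (constructed sample value)
    number: str   # mobile number, the value held in the NAM
    cell: str     # serving cell site (hypothetical field)
    start: int    # call start, seconds since start of the log
    end: int      # call end, seconds since start of the log

def overlapping_calls(calls, key):
    """Return (key_value, earlier_call, later_call) for every call that
    starts while another call with the same key is still in progress."""
    by_key = defaultdict(list)
    for c in calls:
        by_key[getattr(c, key)].append(c)
    hits = []
    for value, group in by_key.items():
        group.sort(key=lambda c: c.start)
        active = group[0]              # call with the latest end seen so far
        for c in group[1:]:
            if c.start < active.end:   # starts before the active call ended
                hits.append((value, active, c))
            if c.end > active.end:
                active = c
    return hits

def flag_duplicates(calls):
    """Flag simultaneous use of one ESN or of one mobile number."""
    return {"esn": overlapping_calls(calls, "esn"),
            "number": overlapping_calls(calls, "number")}

# Constructed sample call records, not real data.
SAMPLE = [
    Call("ESN-A", "555-0101", "cell-1", 0, 300),
    Call("ESN-B", "555-0102", "cell-2", 100, 200),
    Call("ESN-A", "555-0101", "cell-7", 120, 400),  # same ESN, overlapping
    Call("ESN-C", "555-0102", "cell-3", 150, 250),  # same number, other ESN
    Call("ESN-B", "555-0102", "cell-2", 500, 600),  # sequential reuse, normal
]

if __name__ == "__main__":
    for kind, hits in flag_duplicates(SAMPLE).items():
        for value, a, b in hits:
            print(f"duplicate {kind} {value}: {a.cell} [{a.start},{a.end}) "
                  f"overlaps {b.cell} [{b.start},{b.end})")
```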