|TSG-SA WG3 (Security) meeting #6 S3-99296
Sophia Antipolis, 29th September – 1st October 1999
Title: Security mechanisms for the IMEI
Document for: Discussion
The original purpose of the IMEI is to be able to identify and prevent the use of stolen equipment and equipment which should not be allowed in a network for technical reasons. Mobile equipment identities are managed via black, white and grey lists in the Equipment identity register (EIR) and the Central Equipment Identity Register CEIR. The security of the IMEI is vital to the intended operation of the EIR and CEIR.
Future 3GPP purposes for the IMEI may include operator dependent services based on IMEI, legal interception of pre-paid users, aid in fraud investigation and higher security for terminal applications. This new usage of the IMEI is still to be specified.
IMEI security has not been handled adequately by the GSM core specifications. This has lead to new requirements on the security of the IMEI, which are manifested as change requests to GSM 02.09, GSM 02.16, GSM 03.03, and GSM 11.10. The new formulation on IMEI security is, and I quote the change request: “It shall not be possible to change the IMEI after the ME’s final production process. It shall resist tempering by any means (e.g. physical, electrical or software)”.
New use cases for the IMEI, for instance providing special services based on IMEI, will create new requirements. These new requirements on the IMEI should be stated explicitly before any technical solution is discussed.
The new formulation on IMEI security doesn’t state anything regarding signalling of the IMEI between the MS and the network. Our proposal is that secure signalling of the IMEI between the MS and the network in R99 should be done using the existing integrity protection mechanisms. The 3GPP integrity protection provides sufficient security of the IMEI during transportation from the MS to the network. Protection of the IMEI from secure storage to transportation is achieved by preventing unauthorised changes to the TE software. If the software can not be protected then the TE can not be trusted in any case. A detailed specification of the software protection mechanism seems a bit drastic, as this is highly implementation dependent. Protecting the IMEI against a malicious TE is a much harder if not impossible issue to solve and should be postponed to future releases.
Secure storage based on the change requests to the GSM core specifications and secure signalling based on existing integrity protection mechanisms is adequate for the original usage of the IMEI, blacklisting of stolen equipment. Furthermore, the discussions of IMEI security should be carried out assuming the existence of security mechanisms that guarantee the integrity of the TE software. Finally, new usage of the IMEI should be clearly defined and should result in new requirements preceding any debate on technical solutions.