'The GSM Security Technical Whitepaper for 2002'


 Thursday January 10, 2002

 Researched, Written,
 and Compiled by:
 
          The Clone - [email protected]
                     RT - [email protected]

     Web-site: www.nettwerked.net


  • A Brief Introduction to GSM
  • The purpose of GSM Security
  • GSM Encryption Algorithms
  • GSM's Security Limitations
  • A5 - Encryption Implementation
  • GSM Security News Articles
  • GSM Security Technical Papers
  • Conclusion A Brief Introduction to GSM: Global System for Mobile communication (GSM) is a globally accepted standard for digital cellular communication. GSM is the name of a standardization group that was established in 1982 in an effort to create a common European mobile telephone standard that would formulate specifications for a pan-European mobile cellular radio system operating at 900 MHz. Today over 400 million people worldwide use GSM mobile phones to communicate with each other, via voice and short-message-service (SMS) text. This papers purpose was written to teach the masses currently known GSM Security Vulnerabilities, and to address concerns over some recently talked about (theoretical) GSM security vulnerabilities. We feel we need to address all security concerns in good faith, therefore this white paper was written to enlighten wireless carriers and end users. Please feel free to send all updates, questions, and concerns to The Clone and RT at their e-mail addresses (located on the top of the page). The purpose of GSM Security: Since all cases of GSM fraud against a specific wireless carrier will result in a substantial loss to the operator. This substantial loss may include the following: No direct financial loss, where the result is lost customers and increase in use of the system with no revenue. Direct financial loss, where money is paid out to others, such as other networks, carriers and operators of 'Value Added Networks' such as Premium Rate service lines. Potential embarrassment, where customers may move to another service because of the lack of security. Failure to meet legal and regulatory requirements, such as License conditions, Companies Acts or Data Protection Legislation. GSM Encryption Algorithms: A3 - The GSM authentication algorithm "placeholders" used in the GSM system. A5 - GSM stream cipher algorithm (GSM) / There are a series of implementations named A5/1, A5/2, ... The A5/1 is known as the strong over-the-air voice-privacy algorithm. A5/x (A5/2 ...) are weaker implementations targeted at foreign markets out side of Europe. There is also an A5/0 algorithm, which encloses no encryption at all. The A5 algorithm used for encrypting the over-the-air transmission channel is vulnerable against known-plain-text and divide-and-conquer attacks and the intentionally reduced key space is small enough to make a brute-force attack feasible as well. COMP 128 - one-way function that is currently used in most GSM networks for A3 and A8. Unfortunately the COMP128 algorithm is broken so that it gives away information about its arguments when queried appropriately. The COMP128 algorithm used in most GSM networks as the A3/A8 algorithm has been proved faulty so that the secret key Ki can be reverse-engineered at the SIM level (2^19 queries), and over-the-air in approximately eight hours. COMP 128-2 - COMP128-2 algorithm out (revised A3/A8 reference algorithm) GSM's Security Limitations: Existing cellular systems have a number of potential weaknesses
    that were considered in the security requirements for GSM. The security for GSM has to be appropriate for the system operator and customer: The operators of the system wish to ensure that they could issue bills to the right people,
      and that the services cannot be compromised. The customer requires some privacy against traffic being overheard.    The countermeasures are designed to: make the radio path as secure as the fixed network, which implies anonymity and
      confidentiality to protect against eavesdropping; have strong authentication, to protect the operator against billing fraud; prevent operators from compromising each others' security, whether inadvertently or
      because of competitive pressures.    The security processes must not: significantly add to the delay of the initial call set up or subsequent communication; increase the bandwidth of the channel, allow for increased error rates, or error propagation; add excessive complexity to the rest of the system, must be cost effective. The designs of an operator's GSM system should take into account, the environment
    and have secure procedures such as: the generation and distribution of keys, exchange of information between operators, the confidentiality of the algorithms.    Descriptions of the functions of the services: The security services provided by GSM are: Anonymity So that it is not easy to identify the user of the system. Authentication So the operator knows who is using the system for billing purposes. Signaling Protection So that sensitive information on the signaling channel, such as
      telephone numbers, is protected over the radio path. User Data Protection So that user data passing over the radio path is protected.   Anonymity Anonymity is provided by using temporary identifiers. When a user first switches on his/her
    radio set, the real identity is used, and a temporary identifier is then issued. From then on
    the temporary identifier is used. Only by tracking the user is it possible to determine the
    temporary identity being used.   Authentication Authentication is used to identify the user (or holder of a Smart Card) to the network operator.
    It uses a technique that can be described as a "Challenge and Response", based on encryption. Authentication is performed by a challenge and response mechanism. A random challenge is
    issued to the mobile, the mobile encrypts the challenge using the authentication algorithm (A3)
    and the key assigned to the mobile, and sends a response back. The operator can check that,
    given the key of the mobile, the response to the challenge is correct. Eavesdropping the radio channel reveals no useful information, as the next time a new random
    challenge will be used. Authentication can be provided using this process. A random number is
    generated by the network and sent to the mobile. The mobile use the Random number R as the
    input (Plaintext) to the encryption, and, using a secret key unique to the mobile Ki, transforms
    this into a response Signed RESponse (SRES) (Ciphertext) which is sent back to the network. The network can check that the mobile really has the secret key by performing the same SRES
    process and comparing the responses with what it receives from the mobile.   Implementation and Roaming The authentication algorithm A3 is an operator option, and is implemented within the smart card
    (known as the Subscriber Interface Module or SIM). So that the operators may inter-work without
    revealing the authentication algorithms and mobile keys (Ki) to each other, GSM allows triplets of
    challenges (R), responses (SRES) and communication keys (Kc) to be sent between operators
    over the connecting networks. The A5 series algorithms are contained within the mobile equipment, as they have to be sufficiently
    fast and are therefore hardware. There are two defined algorithms used in GSM known as A5/1 and
    A5/2. The enhanced Phase 1 specifications developed by ETSI allows for inter-working between mo-
    biles containing A5/1, A5/2 and unencrypted networks. These algorithms can all be built using a few
    thousand transistors, and usually takes a small area of a chip within the mobile.   World-wide use of the algorithms There are now three different possibilities for GSM, unencrypted, and use of the A5/1 algorithm or
    the A5/2 algorithm to secure the data. This arose because the GSM standard was designed for
    Western Europe, and export regulations did not allow the use of the original technology outside
    Europe. The uses of the algorithms in the network operator's infrastructure are controlled by the
    GSM Memorandum of Understanding Group (MoU) according to the formula below: The present A5/1 algorithm can be used by countries which are members of CEPT. The algorithm A5/2 is intended for any operators in countries that do not fall into the above category. Export controls on mobiles are minimal, and the next generation of mobiles will support A5/1, A5/2
    and no encryption. The protocols to support the various forms of A5 (up to seven) are available in GSM.   Loss areas There are a number of areas that can be exploited, the most likely intention of all the techniques is
    the ability to make money at the lowest cost possible.   Technical fraud Technical fraud is where a weakness of the system is exploited to make free calls. For example,
    Call Forwarding or Conference Call facilities may be used to give reduced price services to customers
    from a stolen mobile. These are often known as 'Call Sales Offices'. Hackers and phreakers are often
    able to gain access and exploit a weakness in the switching or billing system and gain the ability to
    make calls or financial advantage. In some cases hackers and phreakers can take over the entire
    billing system and routing system; thus causing convenience for customers and carriers.   Procedural fraud Procedural fraud results from the exploitation of business processes, where a flaw or weakness can
    be used to gain money. It may be possible for example to get free calls from a stolen mobile, and
    sell the calls on for a lower cost than any legitimate network operator. This can be minimized by designing processes so that losses can be stopped by the use of correct and up to date policies, and by taking the opportunity to create a fraud away from the attacker or employee.   Comparison with other frauds Many of the techniques that can be used to commit fraud on telecommunications networks can also
    be used for a mobile network. Analogue mobile phone systems (AMPS) were subject to being eaves- dropped (with conventional RF-Scanners available at electronics shops and Radio Shack), and the
    phones could be cloned (ESN snarfing over thin-air) so that bills were paid by the owner of the original mobile phone. Existing cellular systems have a number of potential weaknesses that were
    considered in the security requirements for GSM. Networks such as GSM, with international roaming and interactions with other operators (carriers), offer other opportunities for exploitation. GSM has been designed to offer various technical solutions to prevent misuse, such as strong authentication, together with anonymity and encryption of the signaling and data over the radio. However, all systems are depen- dent on secure management deployment and special procedures; lapses in these areas have severe impact on the resilience of the business process to fraud. For example; many carriers still make use of the COMP128 encryption algorithm for both A3 (the authentication algorithm to prevent phone cloning) and A8 (the voice-privacy key-generation algorithm), which is fine for securing against simple over-the-air attacks. However we have determined, that the COMP128's voice-encryption algorithms only encrypt voice between the GSM wireless phone and the base station. It does not encrypt voice within the phone network, nor does it encrypt end to end. It only encrypts the over-the-air portion of the transmission. The attack on COMP128 takes just 2^19 queries to the GSM smart-card chip, which takes approximately 8 hours over the air. This attack can be tested on as many simultaneous phones in radio range as your rogue base station has channels.
    A5 - Encryption Implementation The documentation we have, which arrived anonymously in two brown envelopes, is incomplete; we do not know the feedback taps of registers 2 and 3, but we do know from the chip's gate count that they have at most 6 feedback taps between them. The following implementation of A5 is due to Mike Roe, and all comments and queries should be sent to him. /* * In writing this program, I've had to guess a few pices of information: * * 1. Which bits of the key are loaded into which bits of the shift register * 2. Which order the frame sequence number is shifted into the SR (MSB * first or LSB first) * 3. The position of the feedback taps on R2 and R3 (R1 is known). * 4. The position of the clock control taps. These are on the `middle' one, * I've assumed to be 9 on R1, 11 on R2, 11 on R3. */ /* * Look at the `middle' stage of each of the 3 shift registers. * Either 0, 1, 2 or 3 of these 3 taps will be set high. * If 0 or 1 or one of them are high, return true. This will cause each of * the middle taps to be inverted before being used as a clock control. In * all cases either 2 or 3 of the clock enable lines will be active. Thus, * at least two shift registers change on every clock-tick and the system * never becomes stuck. */ static int threshold(r1, r2, r3) unsigned int r1; unsigned int r2; unsigned int r3; { int total; total = (((r1 >> 9) & 0x1) == 1) + (((r2 >> 11) & 0x1) == 1) + (((r3 >> 11) & 0x1) == 1); if (total > 1) return (0); else return (1); } unsigned long clock_r1(ctl, r1) int ctl; unsigned long r1; { unsigned long feedback; /* * Primitive polynomial x**19 + x**5 + x**2 + x + 1 */ ctl ^= ((r1 >> 9) & 0x1); if (ctl) { feedback = (r1 >> 18) ^ (r1 >> 17) ^ (r1 >> 16) ^ (r1 >> 13); r1 = (r1 << 1) & 0x7ffff; if (feedback & 0x01) r1 ^= 0x01; } return (r1); } unsigned long clock_r2(ctl, r2) int ctl; unsigned long r2; { unsigned long feedback; /* * Primitive polynomial x**22 + x**9 + x**5 + x + 1 */ ctl ^= ((r2 >> 11) & 0x1); if (ctl) { feedback = (r2 >> 21) ^ (r2 >> 20) ^ (r2 >> 16) ^ (r2 >> 12); r2 = (r2 << 1) & 0x3fffff; if (feedback & 0x01) r2 ^= 0x01; } return (r2); } unsigned long clock_r3(ctl, r3) int ctl; unsigned long r3; { unsigned long feedback; /* * Primitive polynomial x**23 + x**5 + x**4 + x + 1 */ ctl ^= ((r3 >> 11) & 0x1); if (ctl) { feedback = (r3 >> 22) ^ (r3 >> 21) ^ (r3 >> 18) ^ (r3 >> 17); r3 = (r3 << 1) & 0x7fffff; if (feedback & 0x01) r3 ^= 0x01; } return (r3); } int keystream(key, frame, alice, bob) unsigned char *key; /* 64 bit session key */ unsigned long frame; /* 22 bit frame sequence number */ unsigned char *alice; /* 114 bit Alice to Bob key stream */ unsigned char *bob; /* 114 bit Bob to Alice key stream */ { unsigned long r1; /* 19 bit shift register */ unsigned long r2; /* 22 bit shift register */ unsigned long r3; /* 23 bit shift register */ int i; /* counter for loops */ int clock_ctl; /* xored with clock enable on each shift register */ unsigned char *ptr; /* current position in keystream */ unsigned char byte; /* byte of keystream being assembled */ unsigned int bits; /* number of bits of keystream in byte */ unsigned int bit; /* bit output from keystream generator */ /* Initialise shift registers from session key */ r1 = (key[0] | (key[1] << 8) | (key[2] << 16) ) & 0x7ffff; r2 = ((key[2] >> 3) | (key[3] << 5) | (key[4] << 13) | (key[5] << 21)) & 0x3fffff; r3 = ((key[5] >> 1) | (key[6] << 7) | (key[7] << 15) ) & 0x7fffff; /* Merge frame sequence number into shift register state, by xor'ing it * into the feedback path */ for (i=0;i> 1; } /* Run shift registers for 100 clock ticks to allow frame number to * be diffused into all the bits of the shift registers */ for (i=0;iBob key stream */ ptr = alice; bits = 0; byte = 0; for (i=0;i> 18) ^ (r2 >> 21) ^ (r3 >> 22)) & 0x01; byte = (byte << 1) | bit; bits++; if (bits == 8) { *ptr = byte; ptr++; bits = 0; byte = 0; } } if (bits) *ptr = byte; /* Run shift registers for another 100 bits to hide relationship between * Alice->Bob key stream and Bob->Alice key stream. */ for (i=0;iAlice key stream */ ptr = bob; bits = 0; byte = 0; for (i=0;i> 18) ^ (r2 >> 21) ^ (r3 >> 22)) & 0x01; byte = (byte << 1) | bit; bits++; if (bits == 8) { *ptr = byte; ptr++; bits = 0; byte = 0; } } if (bits) *ptr = byte; return (0); } GSM Security News Articles:
  • Mobile Computing Online: Cracking GSM's Security Code (date unknown)
  • ZDNet News: Cell phone flaw opens security hole (Sept 18, 2000) GSM Security Technical Papers: Miscellaneous: Berkeley Website: GSM Cloning Department of Computer Science and Engineering: GSM Interception SIM Card Technology: SIM Cards: At the Heart of Digital Wireless Security (.pdf / 1,842 KB) Conclusion: We have contacted several people from the GSM Association (www.gsm.org) and asked about receiving spec and source for the updated COMP128-2 encryption algorithm. We are now awaiting approval, and will post all relevant info about COMP128-2 in later releases of this GSM security paper. Also, we're doing extensive research involving security vulnerabilities with EIR databases the contain all known IMEIs (International Mobile Equipment Identity) numbers, as well as physical vulnerabilities that allow software and hardware IMEI cloning. This information will be made available on the next release of this GSM paper as well.
  • This document is Copyright © 2002 by Nettwerked.
    And by the other respective owners.