-Caveat Lector- from: http://cryptome.org/gsm-joke.htm Click Here: <A HREF="http://cryptome.org/gsm-joke.htm">GSM Security Questions< /A> ----- 21 October 1999 ------------------------------------------------------------------------ Date: Wed, 20 Oct 1999 11:21:03 +0000 From: "R J Bignell" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: GSM security questions I have been asked by a client to comment on the "security" of GSM communications used on the major UK networks (Vodafone, Orange, Cellnet), in particular on the ability for data to be eavesdropped or phones to be cloned without the true owner's knowledge. I know that GSM has been designed to prevent these sorts of attacks, but I also did a quick web search and found various items of test kit and tools to copy SIM cards. There are three "flavours" of GSM encryption in the standard (none, A5/1 and A5/2) - which networks implement which algorithms ? Is the choice or use of algorithm different on different manufacturers phones ? My client's focus is particularly on data since they are looking at a new application where data normally held within the corporate network's boundaries will be accessible from executives' mobiles. Does anyone on the list have any information or URLs they could point me to for background information, does anyone have any examples of successful (or unsuccessful) attacks ? Thanks in advance, -- R J Bignell [EMAIL PROTECTED] ------------------------------------------------------------------------ Date: Wed, 20 Oct 1999 14:04:02 +0200 (MET DST) From: Ralf-Philipp Weinmann <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: GSM security questions Have a look at http://www.scard.org for A5/1 example code and information on COMP128 (comp128 is the ref implementation for A3/A8 supplied by the ETSI GSM MoU and has been broken) -rpw ------------------------------------------------------------------------ Date: Thu, 21 Oct 1999 04:14:01 +0200 (CEST) From: Marc Briceno <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: RE: GSM security questions R J Bignell wrote: > I have been asked by a client to comment on the "security" of GSM > communications used on the major UK networks (Vodafone, Orange, > Cellnet), in particular on the ability for data to be eavesdropped or > phones to be cloned without the true owner's knowledge. GSM security, to sum it up, is a joke. I know, because I am the person that reverse engineered the GSM algorithms. This includes COMP128, the authentication algorithm used by the overwhelming majority of GSM providers (not Vodaphone, btw, though that fact should not be taken as an indication that the authentication Vodaphone is using, but refuses to disclose, is any more secure than COMP128). GSM phones are subject to cloning. This includes cloning over the air. > I know that GSM has been designed to prevent these sorts of attacks, That statement is incorrect. GSM was specifially and provably designed with multiple deliberate security compromises built-in, but the plan was to allow for cloning/eavesdropping attacks to only be performed by governmnt agencies and their friends. But of course a backdoor that is good for the GCHQ and the NSA tends to be a backdoor that's just as good for your client's competition or 16 year old Joe Hacker. Even assuming for a moment the set of your client's competition is disjoint from the set of law-enforcement agencies, intelligence agencies, and their friends and business partners worldwide. > but I also did a quick web search and found various items of test kit > and tools to copy SIM cards. There are three "flavours" of GSM > encryption in the standard (none, A5/1 and A5/2) - which networks > implement which algorithms ? Is the choice or use of algorithm > different on different manufacturers phones ? The choice of over-the-air voice privacy algorithms does not depend on the manufacturer of the phone, but on the provider that operates the base station into which your mobile equipment is logged in. Or, alternatively, any interested party playing man-in-the-middle and their choice of encryption algorithm. As a rule of thumb, ETSI memembers use A5/1, Australia, a few European countries not members of the EU at the time GSM was first fielded use A5/2, and countries considered to disreputable to receive base stations capable of crypto use no crypto at all. Whichever algorithm is used makes little difference from the viewpoint of an attacker. The best currently known attack against A5/1 is just a tad below 2^40th. I suspect even better attacks exist, but once an attack against a cipher goes below 40 bits, the cipher is generally considered broken, period, so few crypto experts will continue looking for better attacks. A5/5 provides even less security. Our current attack against A5/2 takes 15 miliseconds (measured) on a standard Pentium II class machine. This could be sped up with a bit of work, but why bother? In the context of a phone call, 15 milisecond breaks are realtime. How hard is it to perfom these attacks? Well, the GSM MOU and their licensees will tell you figures in the man-years and tens of thousands of dollars. Suffice to say that I figured out the algorithms during evenings and on weekends over the course of a few months on a budget of well below $100. The breaks then took Ian Goldberg and David Wagner, my colleagues in this project, 2 hours (COMP128) and 2 days (A5/2, and that included coding up the attack) to find. > My client's focus is particularly on data since they are looking at a > new application where data normally held within the corporate > network's boundaries will be accessible from executives' mobiles. For this application, the security afforded by GSM is irrelevant. Your clients required end-to-end encryption and authentication, which even the best over-the-air encryption could not provide. > Does anyone on the list have any information or URLs they could point > me to for background information, does anyone have any examples of > successful (or unsuccessful) attacks ? http://www.scard.org Have fun, --Marc Briceno ------------------------------------------------------------------------ From: [EMAIL PROTECTED] (David Wagner) Newsgroups: isaac.lists.ukcrypto Subject: Re: GSM security questions Date: 20 Oct 1999 16:56:12 -0700 In article <[EMAIL PROTECTED]>, R J Bignell <[EMAIL PROTECTED]> wrote: > Does anyone on the list have any information or URLs they could point > me to for background information, does anyone have any examples of > successful (or unsuccessful) attacks ? There is some information at http://www.isaac.cs.berkeley.edu/isaac/gsm.html Many of the GSM cryptographic algorithms have serious weaknesses. There are also several other web sites with some information on GSM, but many aspects of the system are not public. Note that the actual security may (in practice) depend less on the cryptographic algorithms and more on implementation details at the providers of interest. It seems that at least some GSM networks have features that allow one to easily bypass the crypto and readily obtain free service. Even if the cryptographic algorithms were fixed to be secure, you shouldn't assume that the resulting system will necessarily resist attack. In other words: the answer may depend greatly on which provider you're interested in, and on your threat model; the details matter. ------------------------------------------------------------------------ Date: Thu, 21 Oct 1999 07:25:33 -0400 To: [EMAIL PROTECTED] From: John Young <[EMAIL PROTECTED]> Subject: RE: GSM security questions There is another deliberately weakened cryptosystem in widely-used mobile phones: the CAVE algorithm employed by many US systems. This deficiency was reportedly arranged by the NSA, a story fairly well-known among cryptographers, and quite well-known and obeyed by telco operators, equipment manufacturers and the principal trade organizations. John Perry Barlow first wrote about this in 1992: http://jya.com/puzzle.htm More recent information: http://jya.com/tr453.htm Supposedly stronger systems for both GSM and CAVE are in the works but not much has appeared in public about how that struggle is going. Those who know are presumably bound by NDA and promises of contracts not to tell. The IETF public debate on wiretapping is an exception. ----- Aloha, He'Ping, Om, Shalom, Salaam. Em Hotep, Peace Be, Omnia Bona Bonis, All My Relations. Adieu, Adios, Aloha. Amen. Roads End DECLARATION & DISCLAIMER ========== CTRL is a discussion and informational exchange list. Proselyzting propagandic screeds are not allowed. Substance—not soapboxing! These are sordid matters and 'conspiracy theory', with its many half-truths, misdirections and outright frauds is used politically by different groups with major and minor effects spread throughout the spectrum of time and thought. That being said, CTRL gives no endorsement to the validity of posts, and always suggests to readers; be wary of what you read. CTRL gives no credeence to Holocaust denial and nazi's need not apply. Let us please be civil and as always, Caveat Lector. ======================================================================== Archives Available at: http://home.ease.lsoft.com/archives/CTRL.html http:[EMAIL PROTECTED]/ ======================================================================== To subscribe to Conspiracy Theory Research List[CTRL] send email: SUBSCRIBE CTRL [to:] [EMAIL PROTECTED] To UNsubscribe to Conspiracy Theory Research List[CTRL] send email: SIGNOFF CTRL [to:] [EMAIL PROTECTED] Om
