The GSM Security Technical Whitepaper for 2002
'The GSM Security Technical Whitepaper for 2002'
Thursday January 10, 2002
Researched, Written,
and Compiled by:
The Clone -
Web-site: www.nettwerked.net
A Brief Introduction to GSM
The purpose of GSM Security
GSM Encryption Algorithms
GSM's Security Limitations
A5 - Encryption Implementation
GSM Security News Articles
GSM Security Technical Papers
Conclusion
A Brief Introduction to GSM:
Global System for Mobile communication (GSM) is a globally accepted standard for
digital cellular communication. GSM is the name of a standardization group that was
established in 1982 in an effort to create a common European mobile telephone standard
that would formulate specifications for a pan-European mobile cellular radio system
operating at 900 MHz. Today over 400 million people worldwide use GSM mobile phones
to communicate with each other, via voice and short-message-service (SMS) text.
This papers purpose was written to teach the masses currently known GSM Security
Vulnerabilities, and to address concerns over some recently talked about (theoretical)
GSM security vulnerabilities. We feel we need to address all security concerns in good faith,
therefore this white paper was written to enlighten wireless carriers and end users. Please
feel free to send all updates, questions, and concerns to The Clone and RT at their e-mail
addresses (located on the top of the page).
The purpose of GSM Security:
Since all cases of GSM fraud against a specific wireless carrier will result in a
substantial loss to the operator. This substantial loss may include the following:
· No direct financial loss, where the result is lost customers and
increase in use of the system with no revenue.
· Direct financial loss, where money is paid out to others, such as
other networks, carriers and operators of 'Value Added Networks'
such as Premium Rate service lines.
· Potential embarrassment, where customers may move to another
service because of the lack of security.
· Failure to meet legal and regulatory requirements, such as
License conditions, Companies Acts or Data Protection Legislation.
GSM Encryption Algorithms:
A3 - The GSM authentication algorithm "placeholders" used in the GSM system.
A5 - GSM stream cipher algorithm (GSM) / There are a series
of implementations named A5/1, A5/2, ... The A5/1 is known
as the strong over-the-air voice-privacy algorithm.
A5/x (A5/2 ...) are weaker implementations targeted at
foreign markets out side of Europe. There is also an A5/0
algorithm, which encloses no encryption at all. The A5
algorithm used for encrypting the over-the-air transmission
channel is vulnerable against known-plain-text and divide-and-conquer
attacks and the intentionally reduced key space is small enough to make
a brute-force attack feasible as well.
COMP 128 - one-way function that is currently used in most GSM
networks for A3 and A8. Unfortunately the COMP128
algorithm is broken so that it gives away information
about its arguments when queried appropriately.
The COMP128 algorithm used in most GSM networks as the
A3/A8 algorithm has been proved faulty so that the secret
key Ki can be reverse-engineered at the SIM level (2^19 queries),
and over-the-air in approximately eight hours.
COMP 128-2 - COMP128-2 algorithm out (revised A3/A8 reference algorithm)
GSM's Security Limitations:
Existing cellular systems have a number of potential weaknesses
that were considered in the security requirements for GSM.
The security for GSM has to be appropriate for the system operator and customer:
· The operators of the system wish to ensure that they could issue bills to the right people,
and that the services cannot be compromised.
· The customer requires some privacy against traffic being overheard.
The countermeasures are designed to:
· make the radio path as secure as the fixed network, which implies anonymity and
confidentiality to protect against eavesdropping;
· have strong authentication, to protect the operator against billing fraud;
· prevent operators from compromising each others' security, whether inadvertently or
because of competitive pressures.
The security processes must not:
· significantly add to the delay of the initial call set up or subsequent communication;
· increase the bandwidth of the channel,
· allow for increased error rates, or error propagation;
· add excessive complexity to the rest of the system,
· must be cost effective.
The designs of an operator's GSM system should take into account, the environment
and have secure procedures such as:
· the generation and distribution of keys,
· exchange of information between operators,
· the confidentiality of the algorithms.
Descriptions of the functions of the services:
The security services provided by GSM are:
· Anonymity So that it is not easy to identify the user of the system.
· Authentication So the operator knows who is using the system for billing purposes.
· Signaling Protection So that sensitive information on the signaling channel, such as
telephone numbers, is protected over the radio path.
· User Data Protection So that user data passing over the radio path is protected.
Anonymity
Anonymity is provided by using temporary identifiers. When a user first switches on his/her
radio set, the real identity is used, and a temporary identifier is then issued. From then on
the temporary identifier is used. Only by tracking the user is it possible to determine the
temporary identity being used.
Authentication
Authentication is used to identify the user (or holder of a Smart Card) to the network operator.
It uses a technique that can be described as a "Challenge and Response", based on encryption.
Authentication is performed by a challenge and response mechanism. A random challenge is
issued to the mobile, the mobile encrypts the challenge using the authentication algorithm (A3)
and the key assigned to the mobile, and sends a response back. The operator can check that,
given the key of the mobile, the response to the challenge is correct.
Eavesdropping the radio channel reveals no useful information, as the next time a new random
challenge will be used. Authentication can be provided using this process. A random number is
generated by the network and sent to the mobile. The mobile use the Random number R as the
input (Plaintext) to the encryption, and, using a secret key unique to the mobile Ki, transforms
this into a response Signed RESponse (SRES) (Ciphertext) which is sent back to the network.
The network can check that the mobile really has the secret key by performing the same SRES
process and comparing the responses with what it receives from the mobile.
Implementation and Roaming
The authentication algorithm A3 is an operator option, and is implemented within the smart card
(known as the Subscriber Interface Module or SIM). So that the operators may inter-work without
revealing the authentication algorithms and mobile keys (Ki) to each other, GSM allows triplets of
challenges (R), responses (SRES) and communication keys (Kc) to be sent between operators
over the connecting networks.
The A5 series algorithms are contained within the mobile equipment, as they have to be sufficiently
fast and are therefore hardware. There are two defined algorithms used in GSM known as A5/1 and
A5/2. The enhanced Phase 1 specifications developed by ETSI allows for inter-working between mo-
biles containing A5/1, A5/2 and unencrypted networks. These algorithms can all be built using a few
thousand transistors, and usually takes a small area of a chip within the mobile.
World-wide use of the algorithms
There are now three different possibilities for GSM, unencrypted, and use of the A5/1 algorithm or
the A5/2 algorithm to secure the data. This arose because the GSM standard was designed for
Western Europe, and export regulations did not allow the use of the original technology outside
Europe. The uses of the algorithms in the network operator's infrastructure are controlled by the
GSM Memorandum of Understanding Group (MoU) according to the formula below:
· The present A5/1 algorithm can be used by countries which are members of CEPT.
· The algorithm A5/2 is intended for any operators in countries that do not fall into the above category.
Export controls on mobiles are minimal, and the next generation of mobiles will support A5/1, A5/2
and no encryption. The protocols to support the various forms of A5 (up to seven) are available in GSM.
Loss areas
There are a number of areas that can be exploited, the most likely intention of all the techniques is
the ability to make money at the lowest cost possible.
Technical fraud
Technical fraud is where a weakness of the system is exploited to make free calls. For example,
Call Forwarding or Conference Call facilities may be used to give reduced price services to customers
from a stolen mobile. These are often known as 'Call Sales Offices'. Hackers and phreakers are often
able to gain access and exploit a weakness in the switching or billing system and gain the ability to
make calls or financial advantage. In some cases hackers and phreakers can take over the entire
billing system and routing system; thus causing convenience for customers and carriers.
Procedural fraud
Procedural fraud results from the exploitation of business processes, where a flaw or weakness can
be used to gain money. It may be possible for example to get free calls from a stolen mobile, and
sell the calls on for a lower cost than any legitimate network operator. This can be minimized by
designing processes so that losses can be stopped by the use of correct and up to date policies,
and by taking the opportunity to create a fraud away from the attacker or employee.
Comparison with other frauds
Many of the techniques that can be used to commit fraud on telecommunications networks can also
be used for a mobile network. Analogue mobile phone systems (AMPS) were subject to being eaves-
dropped (with conventional RF-Scanners available at electronics shops and Radio Shack), and the
phones could be cloned (ESN snarfing over thin-air) so that bills were paid by the owner of the
original mobile phone. Existing cellular systems have a number of potential weaknesses that were
considered in the security requirements for GSM. Networks such as GSM, with international roaming
and interactions with other operators (carriers), offer other opportunities for exploitation. GSM has been
designed to offer various technical solutions to prevent misuse, such as strong authentication, together
with anonymity and encryption of the signaling and data over the radio. However, all systems are depen-
dent on secure management deployment and special procedures; lapses in these areas have severe
impact on the resilience of the business process to fraud. For example; many carriers still make use of
the COMP128 encryption algorithm for both A3 (the authentication algorithm to prevent phone cloning) and
A8 (the voice-privacy key-generation algorithm), which is fine for securing against simple over-the-air attacks.
However we have determined, that the COMP128's voice-encryption algorithms only encrypt voice between
the GSM wireless phone and the base station. It does not encrypt voice within the phone network, nor does
it encrypt end to end. It only encrypts the over-the-air portion of the transmission. The attack on COMP128
takes just 2^19 queries to the GSM smart-card chip, which takes approximately 8 hours over the air. This
attack can be tested on as many simultaneous phones in radio range as your rogue base station has channels.
A5 - Encryption Implementation
The documentation we have, which arrived anonymously in two brown envelopes,
is incomplete; we do not know the feedback taps of registers 2 and 3, but we
do know from the chip's gate count that they have at most 6 feedback taps
between them. The following implementation of A5 is due to Mike Roe, and all
comments and queries should be sent to him.
/*
* In writing this program, I've had to guess a few pices of information:
*
* 1. Which bits of the key are loaded into which bits of the shift register
* 2. Which order the frame sequence number is shifted into the SR (MSB
* first or LSB first)
* 3. The position of the feedback taps on R2 and R3 (R1 is known).
* 4. The position of the clock control taps. These are on the `middle' one,
* I've assumed to be 9 on R1, 11 on R2, 11 on R3.
*/
/*
* Look at the `middle' stage of each of the 3 shift registers.
* Either 0, 1, 2 or 3 of these 3 taps will be set high.
* If 0 or 1 or one of them are high, return true. This will cause each of
* the middle taps to be inverted before being used as a clock control. In
* all cases either 2 or 3 of the clock enable lines will be active. Thus,
* at least two shift registers change on every clock-tick and the system
* never becomes stuck.
*/
static int threshold(r1, r2, r3)
unsigned int r1;
unsigned int r2;
unsigned int r3;
{
int total;
total = (((r1 >> 9) & 0x1) == 1) +
(((r2 >> 11) & 0x1) == 1) +
(((r3 >> 11) & 0x1) == 1);
if (total > 1)
return (0);
else
return (1);
}
unsigned long clock_r1(ctl, r1)
int ctl;
unsigned long r1;
{
unsigned long feedback;
/*
* Primitive polynomial x**19 + x**5 + x**2 + x + 1
*/
ctl ^= ((r1 >> 9) & 0x1);
if (ctl)
{
feedback = (r1 >> 18) ^ (r1 >> 17) ^ (r1 >> 16) ^ (r1 >> 13);
r1 = (r1 << 1) & 0x7ffff;
if (feedback & 0x01)
r1 ^= 0x01;
}
return (r1);
}
unsigned long clock_r2(ctl, r2)
int ctl;
unsigned long r2;
{
unsigned long feedback;
/*
* Primitive polynomial x**22 + x**9 + x**5 + x + 1
*/
ctl ^= ((r2 >> 11) & 0x1);
if (ctl)
{
feedback = (r2 >> 21) ^ (r2 >> 20) ^ (r2 >> 16) ^ (r2 >> 12);
r2 = (r2 << 1) & 0x3fffff;
if (feedback & 0x01)
r2 ^= 0x01;
}
return (r2);
}
unsigned long clock_r3(ctl, r3)
int ctl;
unsigned long r3;
{
unsigned long feedback;
/*
* Primitive polynomial x**23 + x**5 + x**4 + x + 1
*/
ctl ^= ((r3 >> 11) & 0x1);
if (ctl)
{
feedback = (r3 >> 22) ^ (r3 >> 21) ^ (r3 >> 18) ^ (r3 >> 17);
r3 = (r3 << 1) & 0x7fffff;
if (feedback & 0x01)
r3 ^= 0x01;
}
return (r3);
}
int keystream(key, frame, alice, bob)
unsigned char *key; /* 64 bit session key */
unsigned long frame; /* 22 bit frame sequence number */
unsigned char *alice; /* 114 bit Alice to Bob key stream */
unsigned char *bob; /* 114 bit Bob to Alice key stream */
{
unsigned long r1; /* 19 bit shift register */
unsigned long r2; /* 22 bit shift register */
unsigned long r3; /* 23 bit shift register */
int i; /* counter for loops */
int clock_ctl; /* xored with clock enable on each shift register */
unsigned char *ptr; /* current position in keystream */
unsigned char byte; /* byte of keystream being assembled */
unsigned int bits; /* number of bits of keystream in byte */
unsigned int bit; /* bit output from keystream generator */
/* Initialise shift registers from session key */
r1 = (key[0] | (key[1] << 8) | (key[2] << 16) ) & 0x7ffff;
r2 = ((key[2] >> 3) | (key[3] << 5) | (key[4] << 13) | (key[5] << 21)) & 0x3fffff;
r3 = ((key[5] >> 1) | (key[6] << 7) | (key[7] << 15) ) & 0x7fffff;
/* Merge frame sequence number into shift register state, by xor'ing it
* into the feedback path
*/
for (i=0;i> 1;
}
/* Run shift registers for 100 clock ticks to allow frame number to
* be diffused into all the bits of the shift registers
*/
for (i=0;iBob key stream */
ptr = alice;
bits = 0;
byte = 0;
for (i=0;i> 18) ^ (r2 >> 21) ^ (r3 >> 22)) & 0x01;
byte = (byte << 1) | bit;
bits++;
if (bits == 8)
{
*ptr = byte;
ptr++;
bits = 0;
byte = 0;
}
}
if (bits)
*ptr = byte;
/* Run shift registers for another 100 bits to hide relationship between
* Alice->Bob key stream and Bob->Alice key stream.
*/
for (i=0;iAlice key stream */
ptr = bob;
bits = 0;
byte = 0;
for (i=0;i> 18) ^ (r2 >> 21) ^ (r3 >> 22)) & 0x01;
byte = (byte << 1) | bit;
bits++;
if (bits == 8)
{
*ptr = byte;
ptr++;
bits = 0;
byte = 0;
}
}
if (bits)
*ptr = byte;
return (0);
}
GSM Security News Articles:
Mobile Computing Online: Cracking GSM's Security Code (date unknown)
ZDNet News: Cell phone flaw opens security hole (Sept 18, 2000)
GSM Security Technical Papers:
Miscellaneous:
Berkeley Website: GSM Cloning
Department of Computer Science and Engineering: GSM Interception
SIM Card Technology:
SIM Cards: At the Heart of Digital Wireless Security (.pdf / 1,842 KB)
Conclusion:
We have contacted several people from the GSM Association
(www.gsm.org) and asked about receiving spec and source
for the updated COMP128-2 encryption algorithm. We are
now awaiting approval, and will post all relevant info about
COMP128-2 in later releases of this GSM security paper.
Also, we're doing extensive research involving security
vulnerabilities with EIR databases the contain all known
IMEIs (International Mobile Equipment Identity) numbers,
as well as physical vulnerabilities that allow software
and hardware IMEI cloning. This information will be made
available on the next release of this GSM paper as well.
This document is Copyright © 2002 by Nettwerked.
And by the other respective owners.