Date: 12/28/97 6:29:26 AM From: Smart List user Subject: BoS: Cell phone security. To: (""@LOCAL) Forwarded-by: Phil Agre [For those who don't know, GSM is the dominant cellular telephone standard in Europe, and it is also used by some companies in the United States.] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Fri, 5 Dec 1997 15:29:38 -0800 (PST) From: risks@csl.sri.com Subject: RISKS DIGEST 19.48 RISKS-LIST: Risks-Forum Digest Friday 5 December 1997 Volume 19 : Issue 48 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Wed, 26 Nov 1997 17:36:36 +0000 From: Ross Anderson Subject: GSM hack -- operator flunks the challenge On Friday 13th September 1996, I read in comp.risks that: > MobilCom, a subsidiary of German TeleKom (since 100 years monopolist on > telephone communication in Germany, with its monopoly ending in 1998) > publicly offers 100,000 DM to a telephone hacker who is able to communicate > at the expense of the (national) number 0171-3289966. The related chipcard > is said to be safely stored in lawyer`s office. In an attempt to paint this > dubious offer somewhat "politically correct", the successful hacker will > have to donate his earnings to a social institution of his(her) choice. This caught our attention - Cambridge University, being a registered charity, surely qualifies as a `social institution', and 100,000 DM would buy us a state-of-the-art triple-wavelength laser microprobe workstation for chipcard breaking. So we had a look at GSM and found a way to hack it. We worked out what equipment we'd need and where we could borrow it, assembled the team, checked that the attack would work in principle, and then started trying to find the right person in Deutsche Telekom to speak to. We needed to know the IMSI (international mobile subscriber identification) and get written confirmation of the challenge; otherwise the attack might have been interpreted as an offence under Britain's Wireless Telegraphy Act. After some chasing around, unanswered e-mails and so on, we went to a mobile phone fraud conference in June and made contacts there which suggested some names, leading to further unanswered correspondence, and finally a faxed reply. Here is a translation of the original German, online at : Dear Dr Anderson Many thanks for your fax of the 6th October 1997. Please excuse the late reply to your fax. The matter that you mentioned did not originate from T-Mobil but from one of our service providers, the firm Mobilcom in Schleswig. We understand that the offer has since also been withdrawn by them. Yours etc. How does our attack work? Well, when a GSM phone is turned on, its identity (the IMSI) is relayed to the authentication centre of the company that issued it, and this centre sends back to the base station a set of five `triples'. Each triple consists of a random challenge, a response that the handset must return to authenticate itself, and a content key for encrypting subsequent traffic between the mobile and the base station. The base station then relays the random challenge to the handset. The SIMcard which personalises the handset holds a secret issued by the authentication centre, and it computes both the response and the content key from the random challenge using this secret. The vulnerability we planned to exploit is that, although there is provision in the standard for encrypting the traffic between the base station and the authentication centre, in practice operators leave the transmissions in clear. This is supposedly `for simplicity' (but see below). To break GSM, we transmit the target IMSI from a handset and intercept the five triples as they come back on the microwave link to the base station. Now we can give the correct response to the authentication challenge, and encrypt the traffic with the correct key. We can do this online with a smartcard emulator hooked up through a PC to a microwave protocol analyser; in a less sophisticated implementation, you could load the handset offline with the responses and content keys corresponding to challenges 2 through 5 which will be used on the next four occasions that you call. The necessary microwave test set costs about $20,000 to buy, but could be home built: it's more than an undergraduate project but much less than a PhD, and any 23cm radio ham should be able to put one together. We would have borrowed this, and reckoned on at most 3 person months for SIM-handset protocol implementation, system integration, debugging and operational testing. Given such an apparatus, you can charge calls to essentially any GSM phone whose IMSI you know. IMSIs can be harvested by eavesdropping, both passive and active; `IMSI-catchers' are commercially available. The fix for our attack is to turn on traffic encryption between the GSM base stations. But that will not be politically acceptable, since the spooks listen to GSM traffic by monitoring the microwave links between base stations: these links contain not only clear keys but also clear telephony traffic. Such monitoring was reported in the UK press last year, and now the necessary equipment is advertised openly on the net. See for example . The RISK for intelligence agencies? Making systems like GSM give government access to keys can have horrendous side effects (especially where this access is via channels that aren't properly documented and evaluated). These side effects can get you into serious conflict with powerful commercial interests. The RISKS for phone companies? Firstly, letting spook agencies bully you into a bad security design with the assurance that it will only compromise your customers' privacy, has as a likely side-effect the compromise of your signalling and thus your revenue. (David Wagner, Bruce Schneier and John Kelsey made this point for the US cellular system: see .) Secondly, most phone companies have no crypto expertise. Their security managers are largely ex-policemen or accountants, and so are unable to evaluate the security claims made by equipment manufacturers and intelligence agency representatives. Thirdly, by restricting parts of the security specification to people who signed a non-disclosure agreement, the GSM consortium deprived itself of the benefit of open scrutiny by the research community. It is this scrutiny that has led to protocols such as SSL and SET having their holes found and fixed. However, the global deployment of GSM ensured that many people would be cleared to know the design, most of which can be got anyway by observing traffic or by reverse engineering unprotected equipment. So public scrutiny was inevitable - but only after billions of dollars' worth of equipment had been deployed and the system could not changed. So the GSM security-by-obscurity strategy gave them the worst of all possible worlds. The consumer electronics industry should take note. The specific RISK for Deutsche Telekom: responding to cynicism about GSM security claims by putting up a reckless challenge and thus motivating an attack. The RISK for GSM users: that crooks running a call-sell operation will book a very expensive phone call on your account. An established modus operandi is to set up a conference call which their clients and counterparties join in succession. As the bill isn't forwarded to the service provider until the phone goes on-hook, you can end up with a five-figure bill for a call that lasted several days and involved hundreds of overseas telephone numbers. Some GSM operators (such as Vodafone) limit this exposure by terminating all calls after six hours; but your IMSI can be used on a network that doesn't do this. And of course, as with `phantom withdrawals' from cash machines, the use of cryptography will `prove' that you're liable for the bill. Ross Anderson, Cambridge University Computer Laboratory Acknowledgement: our research students Stefan Hild, Abida Khattak, Markus Kuhn and Frank Stajano contributed in various ways to researching and planning this attack. An academic paper on the subject will appear in due course. ------------------------------ End of RISKS-FORUM Digest 19.48 ************************ Standard Risks reuse disclaimer: Reused without explicit authorization under blanket permission granted for all Risks-Forum Digest materials. The author(s), the RISKS moderator, and the ACM have no connection with this reuse.