29 December 2009. GSM A5 Files Published on Cryptome
20 April 1998: Link to GSM consortium
statement
Link to 1988 GSM security
study
19 April 1998: Link to A5 crack file
17 April 1998: Add Dave Emery and Marc
Briceno messages.
Link to GSM Interception site
and update Masson message
14 April 1998: Link to NYT report on GSM's deliberate weakness
13 April 1998
Date: Fri, 17 Apr 1998 16:38:09 +0200 From: masson <interception@ii-mel.com> To: jya@pipeline.com Subject: GSM: CRACKING & TRACING Today, to clone a SIM card is possible, but a voice decryption of an air-interception GSM is still impossible (except GSM operators or goverments). "The experts" able to crack a conversation GSM (air-interception) had no mention about security bursts, transport bursts, TDMA, about A5-1/A8 key, sparse matrix technique, also. The "demonstration" in MOBILE EUROPE magazine (crack A5) 4.93 was a failure. Eventual private phreakers generate more official taps. Only a State is able to crack an air-interception conversation GSM with NEC-SX4, CRAY T3E also. And case by case. On the other hand, you have a real scandal with trace GSM (TraceLogRecord; Log control permits to trace record to be stored; Target Cell list; Trace Control; Activate Equipment Trace). This facility may be used by subscriber administration and network management , e.g. following a customer complaint or an suspicion of equipment malfunction by the operator or at the request of the police (GSM 12.08 version 4.5.0 September 97) Each GSM is traced cell by cell. A back-up is kept: SFR : 15 days Detemobil: 2 days Swisscom: 6 months More infos see: http://www.ii-mel.com/interception/europegb.html http://www.ii-mel.com/interception/belgiquegb.html http://www.dejanews.com (keyword = location GSM title = interception) C.Masson Pobox505 Lausanne interceptionm@usa.net
Date: Thu, 16 Apr 1998 21:40:30 -0400 From: Dave Emery <die@die.com> To: Marc Briceno <marc@cryptsoft.com> Cc: cypherpunks@toad.com Subject: Re: GSM cellphones cloned---Threats? On Thu, Apr 16, 1998 at 05:50:36AM +1000, Marc Briceno wrote: > > Several radio enineers I talked with speculated that it /might/ even be > possible to modify a standard GSM phone to act as a rouge "key reaper" > base station. I am not a radio engineer and have no way to verify this > claim. The modifications would be fairly major and rather difficult on a surface mount high density low cost phone PC board. A lot of the stuff required is in ASICs in a typical phone, and they are not in general easily adapted to playing a different role even if the full design database and phone schematics are available to the hacker which it would not be. On the other hand, some of the components of a standard GSM phone could be used to fill a number of functions in such an animal, and a couple of partially stripped GSM phone PC cards would certainly be useful as part of such. I would see such a probe base station as a briefcase size object run by a laptop or powerful palmtop spliced into two or three hacked up phone PC cards with some added signal processing logic in a FPGA or two (and maybe an added RF modem chip as well). Of course some older phone designs might be less ASIC intensive and more adaptable, although the 1.9 ghz PCS US versions are mostly pretty recent. And there may be some universal multi-standard brand that is much more software configured than others and might be an easier jumping off place - I certainly have not investigated this at all (nor do I expect to). On another topic - privacy... Your break suggests that A3/A8 may have been deliberately weakened to allow such SIM probing. Intelligence agencies are not in general interested in cloning, but for those without access to whatever magic hardware (or software) exists for cracking A5/1 at low cost in real time, the ability to once recover the SIM secret allows easy listening to all subsequent calls from that phone (or SIM) with no required cracking hardware time or access. And this is very valuable in lots of situations, such as covert operations out of hotels in foreign places where having highly classified A5 cracking boxes in tow would be a significant security risk. And for countries with GSM phone systems interested in spying on visiting diplomats, heads of state, or trade delegations who are using their GSM phones in a roaming mode and depending on the fact the GSM home switching office does not disclose their long term secret, such probing can be quietly concealed in the real traffic of a legitimate base station. The secrets recovered can then be used to crack traffic back in the visitor's home country where he may be trusting his local system to be secure. And the ability to probe the phones of visiting dignitaries from nearby hotel rooms and recover their secrets must be awfully useful to many even third rate intelligence operations - this allows listening to all their subsequent traffic without requiring an A5/1 cracking capability at all - let alone one that works real time from low cost portable units. And even if there is some sanity test in GSM phone firmware that would catch or prevent enough probes to crack the SIM secret, your physical access method allows black bag jobs to recover the SIM secret of phones left poorly guarded for a few hours. This alone is very obviously of great use to intelligence types (at least unless there is some hardware backdoor in the SIM to allow the readout in seconds rather than hours). -- Dave Emery N1PRE, die@die.com DIE Consulting, Weston, Mass. PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2 5D 27 BD B0 24 88 C3 18
Date: Thu, 16 Apr 1998 06:03:27 +1000 (EST) From: Marc Briceno <marc@cryptsoft.com> To: cypherpunks@algebra.com Subject: GSM provider to issue new SIM's Let's hope that new cipher will be chosen in an open design procedure. With full public review. Omnipoint is of course the very same company that only yesterday said that there was no problem and that they were sleeping as sound a baby. Right. ----------------------------------------------------------------- From http://www.latimes.com/HOME/NEWS/BUSINESS/t000035457.1.html Bethesda, Md.-based Omnipoint Corp. said it plans to change the mathematical formulas used in its wireless phone service after two UC Berkeley researchers discovered a way to break the code that protects it. Omnipoint Executive Vice President George Schmitt said he's going to personalize Omnipoint's formula for identifying phones rather than use the general formulas of the global system for mobile communications, or GSM, digital wireless standard. Tim Ayers, a spokesman for the Cellular Telephone Industry Assn., said he expects most GSM operators to follow Omnipoint's lead. [...] _________________________________________________________________ -- Marc Briceno <marc@scard.org> http://www.scard.org
Date: Thu, 16 Apr 1998 05:50:36 +1000 (EST) From: Marc Briceno <marc@cryptsoft.com> To: cypherpunks@algebra.com Subject: Re: GSM cellphones cloned---Threats? > Date: Wed, 15 Apr 1998 19:35:17 +0200 (MET DST) > From: Anonymous <nobody@replay.com> > To: cypherpunks@cyberpass.net > Subject: Re: GSM cellphones cloned---Threats? > > Declan McCullagh: > > http://cgi.pathfinder.com/netly/continue/0,1027,1898,00.html > > > Phillips claimed that digital ID > > sniffing cannot be done over the air -- which, of course, contradicts > > what eminent cryptographers and security experts say. > > No, it doesn't. No one other than Declan has claimed that the technique > can be extended to an over the air attack. They require access to > the chip. From http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html: Numerous radio engineers I have talked with over the last few days assure me the attack can be extended over the air. Afer all, our attack works by asking the SIM to identify itself and analyzing the response. A legitimate base station also asks a GSM phone to identify itself once a GSM phone first roams into the coverage area of the base station. Which is why the authentication code was put into the SIM in the first place. We didn't have a base station. We had a smartcard reader. So we used a smartcard reader, rather than a base station. Several radio enineers I talked with speculated that it /might/ even be possible to modify a standard GSM phone to act as a rouge "key reaper" base station. I am not a radio engineer and have no way to verify this claim. -- Marc Briceno <marc@scard.org> http://www.scard.org
13 April 1998
From David Wagner, "Berkeley researcher": For more information see the GSM Cloning Web site:
http://www.isaac.cs.berkeley.edu/isaac/gsm.html
Date: Mon, 13 Apr 1998 09:36:03 +0200 (CEST) From: Lucky Green <shamrock@cypherpunks.to> To: cypherpunks@algebra.com, cryptography@c2.net Subject: GSM cellphones cloned The Smartcard Developer Association (SDA) and two U.C. Berkeley researchers jointly announced today that digital GSM cellphones are susceptible to cloning, contrary to the belief of even the telecommunication providers that have fielded them. [...] One of the discoveries that the SDA made about GSM security was a deliberate weakening of the confidentiality cipher used to keep eavesdroppers from listening to a conversation. This cipher, called A5, has a 64 bit key, but only 54 bits of which are used. The other ten bits are simply replaced with zeros. [...] See http://www.scard.org/ for more info. [Special thanks to Tim Hudson for authoring the smartcard interface code that made our work possible. We wouldn't have achieved what we did it with out it]. -- Lucky Green <shamrock@cypherpunks.to> PGP v5 encrypted email preferred. "Tonga? Where the hell is Tonga? They have Cypherpunks there?"
Date: Mon, 13 Apr 1998 08:49:36 -0700 (PDT) From: Declan McCullagh <declan@well.com> To: cypherpunks@cyberpass.net Subject: TIME Magazine on GSM cell phone crack [Check out p22 of this week's issue for a cute graphic of an exploding Motorola MicroTAC Select 6000 cell phone. --Declan] ****** TIME Magazine April 20, 1998 Page 22 http://www.pathfinder.com/time/magazine/1998/dom/980420/notebook.techwatch.levit24.html CODEBREAKERS CRACKED Thought your new digital cell phone was safe from high-tech thieves? Guess again. Silicon Valley cypherpunks have broken the proprietary encryption technology used in 80 million GSM (Global System for Mobile communications) phones nationwide, including Motorola MicroTAC, Ericsson GSM 900 and Siemens D1900 models. Now crooks scanning the airwaves can remotely tap into a call and duplicate the owner's digital ID. "We can clone the phones," brags Marc Briceno, who organized the cracking. His advice: manufacturers should stick to publicly vetted codes that a bunch of geeks can't crack in their spare time. --By Declan McCullagh/Washington
The Wall Street Journal, April 13, 1998, pp. A3, A12. Flaw Is Found in Digital Phone System That May Let Hackers Get Free Service By Jared Sandberg Computer-security engineers said they have found a weakness in the world's most pervasive digital cellular phone technology, a flaw some fear could eventually allow unscrupulous hackers to obtain free service by impersonating legitimate customers. A software developer and two graduate students said they can extract key security information from so-called GSM digital cellular phones, a technology in use by almost 80 million people world-wide. The breach is notable because such phone systems, unlike older analog cellular networks, were believed to be practically tamperproof. The security information is contained in a "subscriber identification module," or SIM card, a credit card-like device inserted into digital cellular phones that identifies each customer to the telephone system. The engineers said they could copy the card and store its information on a computer or a device as simple as a hand-held electronic organizer. When the computer is connected to a phone, the cellular network believes it is being used by an authentic customer. Key Unlocks Security "Once you've recovered the key, all of the security in the system has been compromised," said one of the security experts, David Wagner, a 23-year-old graduate student at the University of California at Berkeley. "What else will be found if other people looked at it?" But some industry observers said the weakness will have negligible impact. The three experts haven't found a way to extract the security codes as they are being transmitted through the airwaves from a telephone to the network -- the "cloning" problem of analog phone systems -- though such a system may someday be devised. Instead, their technique requires that they be in possession of a SIM card. "It doesn't damage the integrity of the system nor does it put customers or operators at risk," said George Schmitt president of Omnipoint Communications Inc., one of this country's GSM operators. Still, cryptography experts at universities make a sport of cracking some of the most popular technologies. Microsoft Corp., Netscape Communications Corp. and Sun Microsystems Inc. have all been strafed by campus cryptographers. "There's a lot of glee at poking holes in the overblown statements" of corporations, said Eric Hughes, founder of Simple Access Inc., an electronic-commerce company in San Francisco that hosted the announcement by the three who cracked the GSM code. Track Record of Poking Holes The latest hacking handiwork marks at least a hat trick for Mr. Wagner and his cohort Ian Goldberg, who have become famous for cracking purportedly secure code. In the fall of 1996, the duo discovered a flaw in the technology of Netscape's Web browser software that protects the privacy of credit-card purchases. Then Mr. Goldberg followed by breaching the relatively weak encryption code that the U.S. government lets companies export. Marc Briceno, 36 years old, director of the Smart Card Developers Association, which represents companies that write software for cards similar to those used in GSM phones, began trying to piece together one of the GSM technology's secret algorithms in January. Mr. Briceno received a document detailing part of the so-called COMP128 algorithm that had been leaked by a researcher, he said. After spending several months filling the holes in the algorithm, he took it to Messrs. Wagner and Goldberg. Within two hours, the two had found a flaw in the algorithm, and they developed software that would challenge the algorithm to see if it could produce other keys to the security system. Using a computer and a jerry-built smart-card reader, they discovered that they could challenge the algorithm and deduce a cryptographic key. That would allow them to use a handheld computer to emulate the subscriber identification module and place calls with it. The engineers didn't rule out that their technique could lead someone to devise a device that would steal this information from the airwaves, so that having the card in the first place wouldn't be necessary. On Saturday, the engineers gathered in San Francisco to demonstrate their findings. But, said Mr. Briceno: "We have been informed by counsel that mere possession of this software might be a federal offense. Unfortunately, there will be no demo today. [End]