29 December 2009. GSM A5 Files Published on Cryptome

21 October 1999


Date: Wed, 20 Oct 1999 11:21:03 +0000
From: "R J Bignell" <rjb@pierconsulting.com>
To: ukcrypto@maillist.ox.ac.uk
Subject: GSM security questions

I have been asked by a client to comment on the "security" of GSM communications used on the major UK networks (Vodafone, Orange, Cellnet), in particular on the ability for data to be eavesdropped or phones to be cloned without the true owner's knowledge.

I know that GSM has been designed to prevent these sorts of attacks, but I also did a quick web search and found various items of test kit and tools to copy SIM cards. There are three "flavours" of GSM encryption in the standard (none, A5/1 and A5/2) - which networks implement which algorithms ? Is the choice or use of algorithm different on different manufacturers phones ?

My client's focus is particularly on data since they are looking at a new application where data normally held within the corporate network's boundaries will be accessible from executives' mobiles.

Does anyone on the list have any information or URLs they could point me to for background information, does anyone have any examples of successful (or unsuccessful) attacks ?

Thanks in advance,

--

R J Bignell
rjb@pierconsulting.com


Date: Wed, 20 Oct 1999 14:04:02 +0200 (MET DST)
From: Ralf-Philipp Weinmann <weinmann@rbg.informatik.tu-darmstadt.de>
To: ukcrypto@maillist.ox.ac.uk
Subject: Re: GSM security questions

Have a look at http://www.scard.org for A5/1 example code and information on COMP128 (comp128 is the ref implementation for A3/A8 supplied by the ETSI GSM MoU and has been broken)

-rpw


Date: Thu, 21 Oct 1999 04:14:01 +0200 (CEST)
From: Marc Briceno <marc@scard.org>
To: ukcrypto@maillist.ox.ac.uk
Subject: RE: GSM security questions

R J Bignell wrote:

> I have been asked by a client to comment on the "security" of GSM
> communications used on the major UK networks (Vodafone, Orange,
> Cellnet), in particular on the ability for data to be eavesdropped or
> phones to be cloned without the true owner's knowledge.

GSM security, to sum it up, is a joke. I know, because I am the person who reverse engineered the GSM algorithms. This includes COMP128, the authentication algorithm used by the overwhelming majority of GSM providers (not Vodafone, btw, though that fact should not be taken as an indication that the authentication Vodafone is using, but refuses to disclose, is any more secure than COMP128). GSM phones are subject to cloning. This includes cloning over the air.

> I know that GSM has been designed to prevent these sorts of attacks,

That statement is incorrect. GSM was specifically and provably designed with multiple deliberate security compromises built in, but the plan was to allow for cloning/eavesdropping attacks to only be performed by government agencies and their friends. But of course a backdoor that is good for the GCHQ and the NSA tends to be a backdoor that's just as good for your client's competition or 16 year old Joe Hacker. Even assuming for a moment the set of your client's competition is disjoint from the set of law-enforcement agencies, intelligence agencies, and their friends and business partners worldwide.

> but I also did a quick web search and found various items of test kit
> and tools to copy SIM cards. There are three "flavours" of GSM
> encryption in the standard (none, A5/1 and A5/2) - which networks
> implement which algorithms ? Is the choice or use of algorithm
> different on different manufacturers phones ?

The choice of over-the-air voice privacy algorithms does not depend on the manufacturer of the phone, but on the provider that operates the base station into which your mobile equipment is logged in. Or, alternatively, any interested party playing man-in-the-middle and their choice of encryption algorithm. As a rule of thumb, ETSI members use A5/1, Australia and a few European countries not members of the EU at the time GSM was first fielded use A5/2, and countries considered too disreputable to receive base stations capable of crypto use no crypto at all.

Whichever algorithm is used makes little difference from the viewpoint of an attacker. The best currently known attack against A5/1 is just a tad below 2^40th. I suspect even better attacks exist, but once an attack against a cipher goes below 40 bits, the cipher is generally considered broken, period, so few crypto experts will continue looking for better attacks.

A5/5 provides even less security. Our current attack against A5/2 takes 15 milliseconds (measured) on a standard Pentium II class machine. This could be sped up with a bit of work, but why bother? In the context of a phone call, 15 millisecond breaks are realtime.

How hard is it to perform these attacks? Well, the GSM MOU and their licensees will tell you figures in the man-years and tens of thousands of dollars. Suffice to say that I figured out the algorithms during evenings and on weekends over the course of a few months on a budget of well below $100. The breaks then took Ian Goldberg and David Wagner, my colleagues in this project, 2 hours (COMP128) and 2 days (A5/2, and that included coding up the attack) to find.

> My client's focus is particularly on data since they are looking at a
> new application where data normally held within the corporate
> network's boundaries will be accessible from executives' mobiles.

For this application, the security afforded by GSM is irrelevant. Your client requires end-to-end encryption and authentication, which even the best over-the-air encryption could not provide.

> Does anyone on the list have any information or URLs they could point
> me to for background information, does anyone have any examples of
> successful (or unsuccessful) attacks ?

http://www.scard.org

Have fun,

--Marc Briceno


From: daw@cs.berkeley.edu (David Wagner)
Newsgroups: isaac.lists.ukcrypto
Subject: Re: GSM security questions
Date: 20 Oct 1999 16:56:12 -0700

In article <1191-Wed20Oct1999112103+0000-rjb@pierconsulting.com>, R J Bignell <ukcrypto@maillist.ox.ac.uk> wrote:

> Does anyone on the list have any information or URLs they could point
> me to for background information, does anyone have any examples of
> successful (or unsuccessful) attacks ?

There is some information at

http://www.isaac.cs.berkeley.edu/isaac/gsm.html

Many of the GSM cryptographic algorithms have serious weaknesses.

There are also several other web sites with some information on GSM, but many aspects of the system are not public.

Note that the actual security may (in practice) depend less on the cryptographic algorithms and more on implementation details at the providers of interest.  It seems that at least some GSM networks have features that allow one to easily bypass the crypto and readily obtain free service.  Even if the cryptographic algorithms were fixed to be secure, you shouldn't assume that the resulting system will necessarily resist attack.

In other words: the answer may depend greatly on which provider you're interested in, and on your threat model; the details matter.