20 April 1998, Business Wire: GSM Alliance Clarifies False & Misleading Reports of Digital Phone Cloning San Francisco -- GSM Remains the Most Secure Commercial Wireless Technology Today, a coalition of wireless Personal Communications Services (PCS) providers released facts to correct some misconceptions generated by the recent claim that several California researchers had found a weakness in the security of Global System for Mobile communications (GSM) technology, the world's most popular digital wireless standard. The North American GSM Alliance, LLC - consisting of the eight largest GSM network operators in the United States and Canada - provided the following information in response to a number of erroneous published reports. 1. GSM phones are not vulnerable to cloning. Researchers only claimed that, through a process of trial and error, they figured out how to copy information from the Subscriber Identity Module (SIM) card - a unique GSM feature that contains a customer's individual network access code. Duplicating a SIM card is not like cellular cloning since the network only recognizes one copy of a GSM phone number at a time. This is an important distinction, since it does not permit would-be thieves to fraudulently capture, duplicate and utilize a customer's phone number and account information by intercepting over-the-air transmissions and deciphering the data. By contrast, information from ordinary analog cellular phones can be pulled out of the airwaves, copied and re-used multiple times. This illegal process, also known as "sniffing," is still not possible to do with GSM technology. The California group said that it needed physical access to a SIM card in order to duplicate it. While they believed copying theoretically could be done remotely, the group admitted that it was, in fact, unable to do so. 2. There is no risk to subscribers. GSM's design process and proven functionality continues to offer the strongest level of commercial wireless security. GSM customers can have the highest degree of confidence that they are protected from over-the-air cloning. In fact, thieves can more easily steal GSM phone service simply by stealing wireless handsets rather than producing counterfeit SIM cards. Once someone steals a SIM card, there's no need to copy it. The notion is as ridiculous as a someone stealing an armored car full of money, then copying the bills inside! And since the GSM networks allow only one call at a time from any phone number, having multiple copies of a SIM is worthless. As an additional level of security GSM operators have procedures in place which would quickly detect and shut down attempted use of duplicate SIM card codes on multiple phones. Nevertheless, customers should protect their wireless phones and SIM cards the same way they would protect their wallets and bank cards. Subscribers who lose their phone or SIM card should report it immediately to their wireless service company. The lost or stolen SIM can be de-activated to prevent others from using the account. 3. There is no risk of over-the-air eavesdropping. The level of encryption used by GSM makes over-the-air eavesdropping nearly impossible. So far, no one claims that they can listen to the content of conversations or monitor data transmitted over the air on the GSM network, including governments and network operators. Confidentality of GSM customer conversations remains intact and uncompromised. 4. The ability to copy a SIM card is nothing new. It was always known that this could be done. Last weekend's announcement is really no different from processes GSM providers use all the time to encode smart chips. For several years now, educational institutions and scientific laboratories have demonstrated the capability to extract data from, and copy, smart cards. But it is an extremely complex task and would not be practical for stealing wireless phone service. Besides, even if a handset or SIM card were stolen, GSM operators have the ability and technological tools to shut down fraudulent service quickly. 5. The key code which protects a subscriber identity is not "fatally flawed." This is a somewhat complicated subject. There are two different key codes: first, an authentication code - the A3 algorithm - that protects the customer's identity; second, an encryption code - the A5 algorithm - that ensures the confidentiality of conversations. It has been alleged that the authentication code (A3 algorithm) is weakened because only 54 of the 64 bits are used, with 10 bits being replaced by zeroes. In reality, those final 10 bits provide operators with added flexibility in responding to security and fraud threats. Additionally, the GSM algorithm that the researchers claimed to have broken is the "example" version provided by the international organization that governs the use of GSM technology to its approved carriers for them to create their own individual version. It may not be what is deployed in the market. Several operators have already decided to customize their codes, making them more sophisticated. There has been some confusion about the various types of code used by GSM. In addition to the 64-bit authentication cipher, there is a more powerful voice encryption code (A5 algorithm) which helps keep eavesdroppers from listening to a conversation. This code was not involved in last weekend's announcement. Also, the speculation that GSM's encryption algorithms have been deliberately weakened because of pressure by the U.S. intelligence community is absolutely false. Conclusion While no human-made technology is perfect, customers can still rely on the privacy features and security of GSM's transmission technology. It remains the most secure commercial wireless communications system available today. More than 80 million customers in 110 countries use GSM phones and not one handset has been cloned since the first commercial service was launched in 1992. North American GSM Alliance, L.L.C. is a consortium of U.S. and Canadian digital wireless PCS carriers, which helps provide seamless wireless communications for their customers, whether at home, in more than 1,000 U.S. and Canadian cities and towns, or abroad. Using Global Systems for Mobile (GSM) communications, GSM companies provide superior voice clarity, unparalleled security and leading-edge wireless voice, data and fax features for customers. Current members of the GSM Alliance include: Aerial Communications, Inc., BellSouth Mobility DCS, Cook-Inlet Western Wireless; Microcell Telecommunications Inc., Omnipoint Communications, LLC, Pacific Bell Mobile Services, Powertel, Inc., and Western Wireless, Corp., which continue to operate their own businesses and market under their own names. ----------