[523] in Best-of-Security
BoS: Cell phone security.
daemon@ATHENA.MIT.EDU (Smart List user)
Thu Dec 25 23:12:02 1997
XDelivering-To: best-of-security@cyber.com.au
Delivering-To: best-of-security@cyber.com.au
From: Smart List user <slist@cyber.com.au>
Date: Wed, 17 Dec 1997 18:00:53 -0500 (EST)
Old-X-Originated-From: From: risks@csl.sri.com
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au
Forwarded-by: Phil Agre <pagre@weber.ucsd.edu>
[For those who don't know, GSM is the dominant cellular telephone standard
in Europe, and it is also used by some companies in the United States.]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Date: Fri, 5 Dec 1997 15:29:38 -0800 (PST)
From: risks@csl.sri.com
Subject: RISKS DIGEST 19.48
RISKS-LIST: Risks-Forum Digest Friday 5 December 1997 Volume 19 : Issue 48
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Date: Wed, 26 Nov 1997 17:36:36 +0000
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
Subject: GSM hack -- operator flunks the challenge
On Friday 13th September 1996, I read in comp.risks that:
> MobilCom, a subsidiary of German TeleKom (since 100 years monopolist on
> telephone communication in Germany, with its monopoly ending in 1998)
> publicly offers 100,000 DM to a telephone hacker who is able to communicate
> at the expense of the (national) number 0171-3289966. The related chipcard
> is said to be safely stored in lawyer`s office. In an attempt to paint this
> dubious offer somewhat "politically correct", the successful hacker will
> have to donate his earnings to a social institution of his(her) choice.
This caught our attention - Cambridge University, being a registered
charity, surely qualifies as a `social institution', and 100,000 DM would
buy us a state-of-the-art triple-wavelength laser microprobe workstation for
chipcard breaking. So we had a look at GSM and found a way to hack it. We
worked out what equipment we'd need and where we could borrow it, assembled
the team, checked that the attack would work in principle, and then started
trying to find the right person in Deutsche Telekom to speak to. We needed
to know the IMSI (international mobile subscriber identification) and get
written confirmation of the challenge; otherwise the attack might have been
interpreted as an offence under Britain's Wireless Telegraphy Act.
After some chasing around, unanswered e-mails and so on, we went to a mobile
phone fraud conference in June and made contacts there which suggested some
names, leading to further unanswered correspondence, and finally a faxed
reply. Here is a translation of the original German, online at
<http://www.cl.cam.ac.uk/ftp/users/rja14/roesner.gif>:
Dear Dr Anderson
Many thanks for your fax of the 6th October 1997. Please
excuse the late reply to your fax. The matter that you mentioned did not
originate from T-Mobil but from one of our service providers, the firm
Mobilcom in Schleswig. We understand that the offer has since also been
withdrawn by them. Yours etc.
How does our attack work? Well, when a GSM phone is turned on, its identity
(the IMSI) is relayed to the authentication centre of the company that
issued it, and this centre sends back to the base station a set of five
`triples'. Each triple consists of a random challenge, a response that the
handset must return to authenticate itself, and a content key for encrypting
subsequent traffic between the mobile and the base station. The base station
then relays the random challenge to the handset. The SIMcard which
personalises the handset holds a secret issued by the authentication centre,
and it computes both the response and the content key from the random
challenge using this secret.
The vulnerability we planned to exploit is that, although there is provision
in the standard for encrypting the traffic between the base station and the
authentication centre, in practice operators leave the transmissions in
clear. This is supposedly `for simplicity' (but see below).
To break GSM, we transmit the target IMSI from a handset and intercept the
five triples as they come back on the microwave link to the base
station. Now we can give the correct response to the authentication
challenge, and encrypt the traffic with the correct key. We can do this
online with a smartcard emulator hooked up through a PC to a microwave
protocol analyser; in a less sophisticated implementation, you could load
the handset offline with the responses and content keys corresponding to
challenges 2 through 5 which will be used on the next four occasions that
you call.
The necessary microwave test set costs about $20,000 to buy, but could be
home built: it's more than an undergraduate project but much less than a
PhD, and any 23cm radio ham should be able to put one together. We would
have borrowed this, and reckoned on at most 3 person months for SIM-handset
protocol implementation, system integration, debugging and operational
testing.
Given such an apparatus, you can charge calls to essentially any GSM phone
whose IMSI you know. IMSIs can be harvested by eavesdropping, both passive
and active; `IMSI-catchers' are commercially available.
The fix for our attack is to turn on traffic encryption between the GSM base
stations. But that will not be politically acceptable, since the spooks
listen to GSM traffic by monitoring the microwave links between base
stations: these links contain not only clear keys but also clear telephony
traffic. Such monitoring was reported in the UK press last year, and now the
necessary equipment is advertised openly on the net. See for example
<http://www.gcomtech.com/>.
The RISK for intelligence agencies? Making systems like GSM give government
access to keys can have horrendous side effects (especially where this
access is via channels that aren't properly documented and evaluated). These
side effects can get you into serious conflict with powerful commercial
interests.
The RISKS for phone companies? Firstly, letting spook agencies bully you
into a bad security design with the assurance that it will only compromise
your customers' privacy, has as a likely side-effect the compromise of your
signalling and thus your revenue. (David Wagner, Bruce Schneier and John
Kelsey made this point for the US cellular system: see
<http://www.counterpane.com/cmea.html>.)
Secondly, most phone companies have no crypto expertise. Their security
managers are largely ex-policemen or accountants, and so are unable to
evaluate the security claims made by equipment manufacturers and
intelligence agency representatives.
Thirdly, by restricting parts of the security specification to people who
signed a non-disclosure agreement, the GSM consortium deprived itself of the
benefit of open scrutiny by the research community. It is this scrutiny
that has led to protocols such as SSL and SET having their holes found and
fixed. However, the global deployment of GSM ensured that many people would
be cleared to know the design, most of which can be got anyway by observing
traffic or by reverse engineering unprotected equipment. So public scrutiny
was inevitable - but only after billions of dollars' worth of equipment had
been deployed and the system could not changed. So the GSM
security-by-obscurity strategy gave them the worst of all possible
worlds. The consumer electronics industry should take note.
The specific RISK for Deutsche Telekom: responding to cynicism about GSM
security claims by putting up a reckless challenge and thus motivating an
attack.
The RISK for GSM users: that crooks running a call-sell operation will book
a very expensive phone call on your account. An established modus operandi
is to set up a conference call which their clients and counterparties join
in succession. As the bill isn't forwarded to the service provider until the
phone goes on-hook, you can end up with a five-figure bill for a call that
lasted several days and involved hundreds of overseas telephone
numbers. Some GSM operators (such as Vodafone) limit this exposure by
terminating all calls after six hours; but your IMSI can be used on a
network that doesn't do this.
And of course, as with `phantom withdrawals' from cash machines, the use of
cryptography will `prove' that you're liable for the bill.
Ross Anderson, Cambridge University Computer Laboratory
<www.cl.cam.ac.uk/users/rja14>
Acknowledgement: our research students Stefan Hild, Abida Khattak, Markus
Kuhn and Frank Stajano contributed in various ways to researching and
planning this attack. An academic paper on the subject will appear in due
course.
------------------------------
End of RISKS-FORUM Digest 19.48
************************
Standard Risks reuse disclaimer:
Reused without explicit authorization under blanket
permission granted for all Risks-Forum Digest materials.
The author(s), the RISKS moderator, and the ACM have no
connection with this reuse.
