FW: GSM hack -- operator flunks the challenge

[Stewart_William_C@bns.att.com]

Forwarded from RISKS
______________________

Date: Wed, 26 Nov 1997 17:36:36 +0000 
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk> 
Subject: GSM hack -- operator flunks the challenge

On Friday 13th September 1996, I read in comp.risks that:
> MobilCom, a subsidiary of German TeleKom (since 100 years monopolist
on 
> telephone communication in Germany, with its monopoly ending in 1998) 
> publicly offers 100,000 DM to a telephone hacker who is able to
communicate 
> at the expense of the (national) number 0171-3289966. The related
chipcard 
> is said to be safely stored in lawyer`s office. In an attempt to paint
this 
> dubious offer somewhat "politically correct", the successful hacker
will 
> have to donate his earnings to a social institution of his(her)
choice.
This caught our attention - Cambridge University, being a registered 
charity, surely qualifies as a `social institution', and 100,000 DM
would 
buy us a state-of-the-art triple-wavelength laser microprobe workstation
for 
chipcard breaking. So we had a look at GSM and found a way to hack it.
We 
worked out what equipment we'd need and where we could borrow it,
assembled 
the team, checked that the attack would work in principle, and then
started 
trying to find the right person in Deutsche Telekom to speak to. We
needed 
to know the IMSI (international mobile subscriber identification) and
get 
written confirmation of the challenge; otherwise the attack might have
been 
interpreted as an offence under Britain's Wireless Telegraphy Act.
After some chasing around, unanswered e-mails and so on, we went to a
mobile 
phone fraud conference in June and made contacts there which suggested
some 
names, leading to further unanswered correspondence, and finally a faxed

reply. Here is a translation of the original German, online at 
<<http://www.cl.cam.ac.uk/ftp/users/rja14/roesner.gif>http://www.cl.cam.
ac.
uk/ftp/users/rja14/roesner.gif>:
Dear Dr Anderson
Many thanks for your fax of the 6th October 1997. Please 
excuse the late reply to your fax. The matter that you mentioned did not

originate from T-Mobil but from one of our service providers, the firm 
Mobilcom in Schleswig. We understand that the offer has since also been 
withdrawn by them. Yours etc.
How does our attack work? Well, when a GSM phone is turned on, its
identity 
(the IMSI) is relayed to the authentication centre of the company that 
issued it, and this centre sends back to the base station a set of five 
`triples'. Each triple consists of a random challenge, a response that
the 
handset must return to authenticate itself, and a content key for
encrypting 
subsequent traffic between the mobile and the base station. The base
station 
then relays the random challenge to the handset. The SIMcard which 
personalises the handset holds a secret issued by the authentication
centre, 
and it computes both the response and the content key from the random 
challenge using this secret.
The vulnerability we planned to exploit is that, although there is
provision 
in the standard for encrypting the traffic between the base station and
the 
authentication centre, in practice operators leave the transmissions in 
clear. This is supposedly `for simplicity' (but see below).
To break GSM, we transmit the target IMSI from a handset and intercept
the 
five triples as they come back on the microwave link to the base 
station. Now we can give the correct response to the authentication 
challenge, and encrypt the traffic with the correct key. We can do this 
online with a smartcard emulator hooked up through a PC to a microwave 
protocol analyser; in a less sophisticated implementation, you could
load 
the handset offline with the responses and content keys corresponding to

challenges 2 through 5 which will be used on the next four occasions
that 
you call.
The necessary microwave test set costs about $20,000 to buy, but could
be 
home built: it's more than an undergraduate project but much less than a

PhD, and any 23cm radio ham should be able to put one together. We would

have borrowed this, and reckoned on at most 3 person months for
SIM-handset 
protocol implementation, system integration, debugging and operational 
testing.
Given such an apparatus, you can charge calls to essentially any GSM
phone 
whose IMSI you know. IMSIs can be harvested by eavesdropping, both
passive 
and active; `IMSI-catchers' are commercially available.
The fix for our attack is to turn on traffic encryption between the GSM
base 
stations. But that will not be politically acceptable, since the spooks 
listen to GSM traffic by monitoring the microwave links between base 
stations: these links contain not only clear keys but also clear
telephony 
traffic. Such monitoring was reported in the UK press last year, and now
the 
necessary equipment is advertised openly on the net. See for example 
<http://www.gcomtech.com/>.
The RISK for intelligence agencies? Making systems like GSM give
government 
access to keys can have horrendous side effects (especially where this 
access is via channels that aren't properly documented and evaluated).
These 
side effects can get you into serious conflict with powerful commercial 
interests.
The RISKS for phone companies? Firstly, letting spook agencies bully you

into a bad security design with the assurance that it will only
compromise 
your customers' privacy, has as a likely side-effect the compromise of
your 
signalling and thus your revenue. (David Wagner, Bruce Schneier and John

Kelsey made this point for the US cellular system: see 
<http://www.counterpane.com/cmea.html>.)
Secondly, most phone companies have no crypto expertise. Their security 
managers are largely ex-policemen or accountants, and so are unable to 
evaluate the security claims made by equipment manufacturers and 
intelligence agency representatives.
Thirdly, by restricting parts of the security specification to people
who 
signed a non-disclosure agreement, the GSM consortium deprived itself of
the 
benefit of open scrutiny by the research community. It is this scrutiny 
that has led to protocols such as SSL and SET having their holes found
and 
fixed. However, the global deployment of GSM ensured that many people
would 
be cleared to know the design, most of which can be got anyway by
observing 
traffic or by reverse engineering unprotected equipment. So public
scrutiny 
was inevitable - but only after billions of dollars' worth of equipment
had 
been deployed and the system could not changed. So the GSM 
security-by-obscurity strategy gave them the worst of all possible 
worlds. The consumer electronics industry should take note.
The specific RISK for Deutsche Telekom: responding to cynicism about GSM

security claims by putting up a reckless challenge and thus motivating
an 
attack.
The RISK for GSM users: that crooks running a call-sell operation will
book 
a very expensive phone call on your account. An established modus
operandi 
is to set up a conference call which their clients and counterparties
join 
in succession. As the bill isn't forwarded to the service provider until
the 
phone goes on-hook, you can end up with a five-figure bill for a call
that 
lasted several days and involved hundreds of overseas telephone 
numbers. Some GSM operators (such as Vodafone) limit this exposure by 
terminating all calls after six hours; but your IMSI can be used on a 
network that doesn't do this.
And of course, as with `phantom withdrawals' from cash machines, the use
of 
cryptography will `prove' that you're liable for the bill.
Ross Anderson, Cambridge University Computer Laboratory 
<www.cl.cam.ac.uk/users/rja14>
Acknowledgement: our research students Stefan Hild, Abida Khattak,
Markus 
Kuhn and Frank Stajano contributed in various ways to researching and 
planning this attack. An academic paper on the subject will appear in
due 
course.





+==============================================