From: Stewart_William_C@bns.att.com
To: cypherpunks@toad.com
Message Hash: 9f4f58f3be1cdc17c561454ea16ae85465f1a0c98bfa5d0b5d59bd73a19b4da5
Message ID: <H000029c016e55d2@MHS>
Reply To: N/A
UTC Datetime: 1997-12-06 03:50:38 UTC
Raw Date: Sat, 6 Dec 1997 11:50:38 +0800
From: Stewart_William_C@bns.att.com
Date: Sat, 6 Dec 1997 11:50:38 +0800
To: cypherpunks@toad.com
Subject: FW: GSM hack -- operator flunks the challenge
Message-ID: <H000029c016e55d2@MHS>
MIME-Version: 1.0
Content-Type: text/plain
Forwarded from RISKS
______________________
Date: Wed, 26 Nov 1997 17:36:36 +0000
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
Subject: GSM hack -- operator flunks the challenge
On Friday 13th September 1996, I read in comp.risks that:
> MobilCom, a subsidiary of German TeleKom (since 100 years monopolist
on
> telephone communication in Germany, with its monopoly ending in 1998)
> publicly offers 100,000 DM to a telephone hacker who is able to
communicate
> at the expense of the (national) number 0171-3289966. The related
chipcard
> is said to be safely stored in lawyer`s office. In an attempt to paint
this
> dubious offer somewhat "politically correct", the successful hacker
will
> have to donate his earnings to a social institution of his(her)
choice.
This caught our attention - Cambridge University, being a registered
charity, surely qualifies as a `social institution', and 100,000 DM
would
buy us a state-of-the-art triple-wavelength laser microprobe workstation
for
chipcard breaking. So we had a look at GSM and found a way to hack it.
We
worked out what equipment we'd need and where we could borrow it,
assembled
the team, checked that the attack would work in principle, and then
started
trying to find the right person in Deutsche Telekom to speak to. We
needed
to know the IMSI (international mobile subscriber identification) and
get
written confirmation of the challenge; otherwise the attack might have
been
interpreted as an offence under Britain's Wireless Telegraphy Act.
After some chasing around, unanswered e-mails and so on, we went to a
mobile
phone fraud conference in June and made contacts there which suggested
some
names, leading to further unanswered correspondence, and finally a faxed
reply. Here is a translation of the original German, online at
<<http://www.cl.cam.ac.uk/ftp/users/rja14/roesner.gif>http://www.cl.cam.
ac.
uk/ftp/users/rja14/roesner.gif>:
Dear Dr Anderson
Many thanks for your fax of the 6th October 1997. Please
excuse the late reply to your fax. The matter that you mentioned did not
originate from T-Mobil but from one of our service providers, the firm
Mobilcom in Schleswig. We understand that the offer has since also been
withdrawn by them. Yours etc.
How does our attack work? Well, when a GSM phone is turned on, its
identity
(the IMSI) is relayed to the authentication centre of the company that
issued it, and this centre sends back to the base station a set of five
`triples'. Each triple consists of a random challenge, a response that
the
handset must return to authenticate itself, and a content key for
encrypting
subsequent traffic between the mobile and the base station. The base
station
then relays the random challenge to the handset. The SIMcard which
personalises the handset holds a secret issued by the authentication
centre,
and it computes both the response and the content key from the random
challenge using this secret.
The vulnerability we planned to exploit is that, although there is
provision
in the standard for encrypting the traffic between the base station and
the
authentication centre, in practice operators leave the transmissions in
clear. This is supposedly `for simplicity' (but see below).
To break GSM, we transmit the target IMSI from a handset and intercept
the
five triples as they come back on the microwave link to the base
station. Now we can give the correct response to the authentication
challenge, and encrypt the traffic with the correct key. We can do this
online with a smartcard emulator hooked up through a PC to a microwave
protocol analyser; in a less sophisticated implementation, you could
load
the handset offline with the responses and content keys corresponding to
challenges 2 through 5 which will be used on the next four occasions
that
you call.
The necessary microwave test set costs about $20,000 to buy, but could
be
home built: it's more than an undergraduate project but much less than a
PhD, and any 23cm radio ham should be able to put one together. We would
have borrowed this, and reckoned on at most 3 person months for
SIM-handset
protocol implementation, system integration, debugging and operational
testing.
Given such an apparatus, you can charge calls to essentially any GSM
phone
whose IMSI you know. IMSIs can be harvested by eavesdropping, both
passive
and active; `IMSI-catchers' are commercially available.
The fix for our attack is to turn on traffic encryption between the GSM
base
stations. But that will not be politically acceptable, since the spooks
listen to GSM traffic by monitoring the microwave links between base
stations: these links contain not only clear keys but also clear
telephony
traffic. Such monitoring was reported in the UK press last year, and now
the
necessary equipment is advertised openly on the net. See for example
<http://www.gcomtech.com/>.
The RISK for intelligence agencies? Making systems like GSM give
government
access to keys can have horrendous side effects (especially where this
access is via channels that aren't properly documented and evaluated).
These
side effects can get you into serious conflict with powerful commercial
interests.
The RISKS for phone companies? Firstly, letting spook agencies bully you
into a bad security design with the assurance that it will only
compromise
your customers' privacy, has as a likely side-effect the compromise of
your
signalling and thus your revenue. (David Wagner, Bruce Schneier and John
Kelsey made this point for the US cellular system: see
<http://www.counterpane.com/cmea.html>.)
Secondly, most phone companies have no crypto expertise. Their security
managers are largely ex-policemen or accountants, and so are unable to
evaluate the security claims made by equipment manufacturers and
intelligence agency representatives.
Thirdly, by restricting parts of the security specification to people
who
signed a non-disclosure agreement, the GSM consortium deprived itself of
the
benefit of open scrutiny by the research community. It is this scrutiny
that has led to protocols such as SSL and SET having their holes found
and
fixed. However, the global deployment of GSM ensured that many people
would
be cleared to know the design, most of which can be got anyway by
observing
traffic or by reverse engineering unprotected equipment. So public
scrutiny
was inevitable - but only after billions of dollars' worth of equipment
had
been deployed and the system could not changed. So the GSM
security-by-obscurity strategy gave them the worst of all possible
worlds. The consumer electronics industry should take note.
The specific RISK for Deutsche Telekom: responding to cynicism about GSM
security claims by putting up a reckless challenge and thus motivating
an
attack.
The RISK for GSM users: that crooks running a call-sell operation will
book
a very expensive phone call on your account. An established modus
operandi
is to set up a conference call which their clients and counterparties
join
in succession. As the bill isn't forwarded to the service provider until
the
phone goes on-hook, you can end up with a five-figure bill for a call
that
lasted several days and involved hundreds of overseas telephone
numbers. Some GSM operators (such as Vodafone) limit this exposure by
terminating all calls after six hours; but your IMSI can be used on a
network that doesn't do this.
And of course, as with `phantom withdrawals' from cash machines, the use
of
cryptography will `prove' that you're liable for the bill.
Ross Anderson, Cambridge University Computer Laboratory
<www.cl.cam.ac.uk/users/rja14>
Acknowledgement: our research students Stefan Hild, Abida Khattak,
Markus
Kuhn and Frank Stajano contributed in various ways to researching and
planning this attack. An academic paper on the subject will appear in
due
course.
+==============================================
Return to December 1997
Return to “Stewart_William_C@bns.att.com”
1997-12-06 (Sat, 6 Dec 1997 11:50:38 +0800) - FW: GSM hack – operator flunks the challenge - Stewart_William_C@bns.att.com