COMMAND

    GSM (Cell phone security)

SYSTEMS AFFECTED

    GSM System

PROBLEM

    Ross Anderson posted the following about GSM security.  For those
    who don't know, GSM is the dominant cellular telephone standard in
    Europe, and it is also used by some companies in the United States.
    He and his team found a way to hack it.  All you need to know is
    the target's IMSI (international mobile subscriber identity).

    How does our attack work?  Well, when a GSM phone is turned on, its
    identity (the IMSI) is relayed to the authentication centre of the
    company that issued it, and this centre sends back to the base
    station a set of five `triples'.  Each triple consists of a random
    challenge, a response that the handset must return to authenticate
    itself, and a content key for encrypting subsequent traffic between
    the mobile and the base station.  The base station then relays the
    random challenge to the handset.  The SIM card which personalises
    the handset holds a secret issued by the authentication centre, and
    it computes both the response and the content key from the random
    challenge using this secret.

    The vulnerability they planned to exploit is that, although there is
    provision in the standard for encrypting the traffic between the
    base station and the authentication centre, in practice operators
    leave the transmissions in clear.  This is supposedly `for
    simplicity' (but see below).
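    The exchange described above, modelled as an added Python example
    (not part of the original post or of Anderson's work): the real A3/A8
    algorithms are replaced by an HMAC-SHA256 derivation, and the IMSI and
    Ki used in it are constructed values.  It shows that the subscriber
    secret Ki never leaves the SIM or the authentication centre, while the
    triple, which by itself suffices to pass the challenge, does cross the
    base-station link; that is why leaving that link in clear matters.

```python
import hmac, hashlib, os
from dataclasses import dataclass

@dataclass(frozen=True)
class Triple:
    """One authentication triple, sent from the AuC to the base station."""
    rand: bytes  # random challenge, relayed to the handset
    sres: bytes  # response the handset must return
    kc: bytes    # content key for the subsequent traffic

def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for the SIM's A3/A8 (assumption: HMAC-SHA256); returns (SRES, Kc)."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]  # GSM sizes: 32-bit SRES, 64-bit Kc

class AuthCentre:
    """Holds each subscriber's secret Ki, indexed by IMSI (constructed data)."""
    def __init__(self, subscribers: dict[str, bytes]):
        self.subscribers = subscribers
    def triples(self, imsi: str, n: int = 5, rng=os.urandom) -> list[Triple]:
        ki = self.subscribers[imsi]
        out = []
        for _ in range(n):
            rand = rng(16)
            sres, kc = a3_a8(ki, rand)
            out.append(Triple(rand, sres, kc))
        return out

class Sim:
    """The SIM card: knows Ki, answers challenges, never discloses Ki."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki
    def respond(self, rand: bytes) -> tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)

def base_station_check(triple: Triple, sres: bytes) -> bool:
    """The base station only compares against the triple; it never sees Ki."""
    return hmac.compare_digest(triple.sres, sres)

def attach(auc: AuthCentre, sim: Sim, rng=os.urandom) -> tuple[bool, bool]:
    """One phone attach: (handset authenticated?, both sides agree on Kc?)."""
    triple = auc.triples(sim.imsi, n=1, rng=rng)[0]  # crosses the backhaul link
    sres, kc = sim.respond(triple.rand)              # crosses the air interface
    return base_station_check(triple, sres), hmac.compare_digest(triple.kc, kc)

def ki_on_link(triples: list[Triple], ki: bytes) -> bool:
    """Does Ki itself appear on the backhaul?  No: only the triples do."""
    return any(ki in t.rand + t.sres + t.kc for t in triples)
```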

    To break GSM, they transmit the target IMSI from a handset and
    intercept the five triples as they come back on the microwave link
    to the base station.  Now you can give the correct response to the
    authentication challenge, and encrypt the traffic with the correct
    key.  You can do this online with a smartcard emulator hooked up
    through a PC to a microwave protocol analyser; in a less
    sophisticated implementation, you could load the handset offline
    with the responses and content keys corresponding to challenges 2
    through 5, which will be used on the next four occasions that you
    call.

    The necessary microwave test set costs about $20,000 to buy, but
    could be home built: it's more than an undergraduate project but
    much less than a PhD, and any 23cm radio ham should be able to put
    one together.  The testing team would have borrowed one, and
    reckoned on at most 3 person-months for SIM-handset protocol
    implementation, system integration, debugging and operational
    testing.  Given such an apparatus, you can charge calls to
    essentially any GSM phone whose IMSI you know.  IMSIs can be
    harvested by eavesdropping, both passive and active;
    `IMSI-catchers' are commercially available.

    Credit goes to Ross Anderson of the Cambridge University Computer
    Laboratory; research students Stefan Hild, Abida Khattak, Markus
    Kuhn and Frank Stajano contributed in various ways to researching
    and planning this attack.  An academic paper on the subject will
    appear in due course.

SOLUTION

    The fix for this attack is to turn on traffic encryption between the
    GSM base stations.  But that will not be politically acceptable,
    since the spooks listen to GSM traffic by monitoring the microwave
    links between base stations: these links contain not only clear keys
    but also clear telephony traffic.  Such monitoring was reported in
    the UK press last year, and now the necessary equipment is
    advertised openly on the net.  See for example:

        http://www.gcomtech.com/