IP: GSM Interception

[Dave Farber <farber@cis.upenn.edu>]

>Date: Wed, 23 Jun 1999 14:32:49 -0700
>From: Babu Mengelepouti <dialtone@vcn.bc.ca>
>
>
>
>Well, it is only a matter of time before any system gets cracked.  And
>the first one to sell a device gets the biggest markup!
>
>
>   Subject: GSM Cellular Phones Increasingly Unreliable   
>   From Intelligence Newsletter, 06/10/99
>
>Over the past six months a roaring trade has sprung up on back-street
>markets for equipment to intercept cellular telephone calls that had
>once been reserved for government intelligence and law enforcement
>agencies. The risk that GSM networks are being broken into for
>espionage purposes with widely-available equipment and modest skills
>is now very real.
>
>Intelligence Newsletter has been able to identify web sites that sell
>interception equipment by mail-order. Elsewhere, components required
>to manufacture such devices are to be found in many electronics stores
>in Europe and the United States. The industry itself has pointed the
>way. We have obtained a leaflet from the British company G-Com Tech
>which provides a detailed rundown of the GSTA-1400 system. The firm
>describes the system, reserved for governments, as one of the best
>"official" devices to record GSM communications at a cost of between
>$245,000 and $327,000 depending on the model.
>
>Systems sold on the black market run along the same lines as such
>products, and sometimes simply copy them. The system consists
>invariably of a portable computer equipped with deciphering software
>connected to a GSM or fixed 2Mbits/second telephone. Tracking the
>target line with a clone of its SIM (Subscriber Identification
>Module), the system can usually decipher the signal in just 2.5
>minutes.  The breakthrough came in April, 1998 when two researchers
>from the University of Berkley in California demonstrated it was
>possible to clone a SIM card. David Wagner and Ian Goldberg, who both
>belong to the Internet Security Applications Authentification and
>Cryptography Group (ISAAC), carried out a successful series of attacks
>against the Comp128 algorithm.
>
>The latter forms the basis of algorithms created by the manufacturers
>of GSM, the A3 and A8, which encrypt information contained inside a
>SIM card. According to the American Smartcard Developers Association
>(SDA) the system developed by Wagner and Goldberg can turn out cloned
>cards that GSM operators can't distinguish from real ones. At the same
>time, the SDA identified a partial flaw in the symmetric-type A5
>algorithm which protects data transmission between the operator and
>user. According to SDA director Marc Briceno, although A5 has a 64 bit
>key only 54 are actually used, probably to facilitate eavesdropping by
>an intelligence agency.
>
>Late last December in Berlin an experimental system devised by
>"private researchers" was presented to a conference of hackers
>belonging to the Chaos Computer Club (CCC). It took advantage of flaws
>in the A3,A5 and A8 algorithms to conduct interceptions. Since then a
>number of make-shift versions have made their way to the public,
>mainly through the Internet. According to a military intelligence
>specialist, the system aims initially to intercept a call by
>electromagnetic wave to record the authentification information each
>cellular phone sends to its operator when switched on. Next, the
>deciphering software allows the user to read the targeted line's SIM
>card. Subsequently a clone is made with a Smartcard Reader Writer, a
>smart-card manufacturing machine sold on the open market.
>
>Some illicit cloning systems even use special Smartcartd Reader
>Writers that can reproduce the 30 smart card standards that exist in
>the world and are used, for instance, to make bank cards.  Once the
>SIM card has been cloned the system detects and monitors communications
>in real time without -- theoretically -- the operator or user knowing
>about it. The fact that encryption used in GSM is relatively easy to
>crack has obviously contributed to the upsurge in cloning. But
>electronics stores that sell devices that read and reproduce cards
>have also played a part in the rise of such systems. Some companies
>have sized up the danger that cloning represents to the market and are
>preparing new products. For one, the Schlumberger group's R&D division
>is currently working on making a more tamper-proof SIM card.