Forwarded From: Aleph One <aleph1@dfw.net>
[Aleph1: Here is the real story behind the hack. BTW, you can download
the secret GSM algorithm, COMP128, from
http://www.scard.org/gsm/a3a8.txt]
http://www.wired.com/news/news/technology/story/11630.html
Cell-Phone Security Far From Airtight
by Annaliza Savage
9:59am 13.Apr.98.PDT
A group of California-based computer experts claims to have
compromised the cryptographic security behind the world's most popular
digital cell-phone system, making it possible to clone any phone using
the GSM standard.
The Smartcard Developer Association says it cracked the algorithm
used as the basis for the Global System for Mobile Communications
(GSM) -- a digital cellular phone system that is used in about 80
million cell phones, primarily in Europe and Asia. Many US networks
are starting to implement GSM standards, too, and this attack was
launched against a card issued by Pacific Bell. If the group's
claims are true, it could lead to a recall or reissue of the smart
cards used in GSM-based phones.
"GSM is likely to face fraud problems of the same magnitude as analog
systems have had," said Marc Briceno, a member of the SDA who said
that analog systems have lost billions of dollars because of cellular
phone cloning.
GSM-based cell phones work with a small card containing an electronic
chip, called a Subscriber Identity Module (SIM) card. The SIM card
inserts into the back of the cellular phone and contains information
that is used to identify subscribers and their account information to
the GSM network. The SIM card must be inserted into a GSM Mobile
handset to obtain access to the network, and one of the primary
benefits of the technology is that cell phones have access to GSM
networks worldwide.
However, to clone a SIM card, a would-be cracker would have to have
physical possession of one. Unlike the cloning used in analog systems,
the crack does not yet include being able to listen in on people's
phone calls or obtain a SIM ID via the airwaves, although the SDA has
stated that an "over-the-air attack should not be ruled out."
The SIM uses encryption to keep the identity of the phone secret, and
the encryption algorithm used on most of the GSM network is called
COMP128. The SDA was able to obtain the secret ciphers used by the GSM
network. After verifying authenticity, the group turned them over to
UC Berkeley researchers David Wagner and Ian Goldberg, who were able
to crack the COMP128 algorithm within a day. In 1995, Wagner and
Goldberg succeeded in another high-profile hack when they compromised
the crypto code used in Netscape's Navigator browser, which was
supposed to secure credit-card transactions.
"Within hours they discovered a fatal flaw," said Briceno. "The attack
that we have done is based on sending a large number of challenges to
the authorization module in the phone. The key can be deduced and
recovered in about 10 hours."
A group of hackers gathered with security and crypto experts Friday
evening at a San Francisco hacker club called New Hack City, for a
demonstration of the hack, but it never came off. Eric Hughes, a
member of the SDA and founder of the Cypherpunks cryptography group,
discussed the technical aspects of the hack, but had to give up the
planned demonstration after threats of legal action from Pac Bell and
other telephone company executives. It is illegal in the United States
to possess cellular phone cloning equipment, although legitimate
businesses are exempted. The telephone companies dispute SDA's claims
to legitimacy.
Wagner blames the ease of the crack on the secrecy with which the
ciphers were kept.
"There is no way that we would have been able to break the
cryptography so quickly if the design had been subjected to public
scrutiny," said Wagner.
The GSM standard was developed and designed by the European
Telecommunications Standard Institute, an organization that has about
500 members from 33 countries, representing administrations, network
operators, manufacturers, service providers, and users.
"There's going to be an orgy of finger pointing," said Hughes,
referring to all the engineers and other people associated with the
design of the GSM network.
The SDA says that it was able to crack the GSM network algorithm due
to weak encryption in the original design. When the system was being
designed, several European government agencies were successful in
their demands to weaken encryption standards for government
surveillance purposes.
The SDA also claimed that A5, the GSM cipher that keeps eavesdroppers
from listening to a conversation, was also made deliberately weaker.
The A5 cipher uses a 64-bit key, but only 54 of
the bits are actually in use -- 10 of the bits have been replaced with
zeroes. The SDA's Briceno blames government interference.
"The only party who has an interest in weakening voice privacy is the
National Security Agency," he said.
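The two technical points in the article, the SIM challenge-response that the "large number of challenges" attack targets and the A5 session key with 10 of its 64 bits zeroed, modelled as an added example that is not part of the article or of the SDA's release. The A3/A8 function below is an HMAC-SHA256 stand-in, not COMP128, and the per-SIM challenge budget is a hypothetical defensive counter, not a feature of the cards discussed.

```python
import hmac
import hashlib
import secrets

KC_ZEROED_BITS = 10            # article: 10 of A5's 64 key bits are replaced with zeroes
SIM_CHALLENGE_LIMIT = 50_000   # hypothetical lifetime cap on challenges a SIM will answer

def a3a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for the SIM's A3/A8 (NOT COMP128): 128-bit Ki and 128-bit RAND in,
    32-bit SRES (authentication response) and 64-bit Kc (A5 session key) out."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

def weaken_kc(kc: bytes, zeroed_bits: int = KC_ZEROED_BITS) -> bytes:
    """Clear the low `zeroed_bits` bits of Kc, leaving the 54-bit effective key the article describes."""
    value = int.from_bytes(kc, "big") & ~((1 << zeroed_bits) - 1)
    return value.to_bytes(8, "big")

def effective_key_bits(zeroed_bits: int = KC_ZEROED_BITS) -> int:
    return 64 - zeroed_bits  # 54 for the A5 key as deployed

class Sim:
    """SIM side: holds Ki, answers challenges, and refuses once its challenge budget is spent
    (a defensive counter that bounds how many chosen challenges an attacker with the card can collect)."""
    def __init__(self, ki: bytes, limit: int = SIM_CHALLENGE_LIMIT):
        self._ki, self.limit, self.challenges_seen = ki, limit, 0

    def run_gsm_algorithm(self, rand: bytes) -> tuple[bytes, bytes]:
        if self.challenges_seen >= self.limit:
            raise PermissionError("SIM challenge budget exhausted; card locked")
        self.challenges_seen += 1
        sres, kc = a3a8(self._ki, rand)
        return sres, weaken_kc(kc)

class AuthCentre:
    """Network side: shares Ki with the SIM, issues a fresh RAND, checks the returned SRES."""
    def __init__(self, ki: bytes):
        self._ki = ki

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, rand: bytes, sres: bytes) -> tuple[bool, bytes]:
        expected_sres, kc = a3a8(self._ki, rand)
        return hmac.compare_digest(expected_sres, sres), weaken_kc(kc)

def authenticate(auc: AuthCentre, sim: Sim) -> tuple[bool, bytes]:
    """One GSM authentication round trip: RAND down, SRES up, Kc derived on both sides."""
    rand = auc.challenge()
    sres, sim_kc = sim.run_gsm_algorithm(rand)
    ok, net_kc = auc.verify(rand, sres)
    return ok and sim_kc == net_kc, net_kc
```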
The SDA said that a proper demo will be taking place soon from
somewhere outside the United States. The group has also released the
source code for COMP128 and A5 for further testing.
Received on Tue Apr 14 13:14:36 1998