Cloned Cell Phones
Authentication, generation of session keys, and exchange of encrypted data
together represent a rather complex cryptographic protocol. Is it secure? Up
to April 13, 1998, the answer was generally 'yes'. On that day, a spectacularly
successful attack against the GSM authentication was published jointly by
Marc Briceno, Director of SDA (Smartcard Developer Association) and the
two Berkeley graduate students, Ian Goldberg and David Wagner. (The same
Goldberg and Wagner who discovered the weak key generation in Netscape,
as you will recall from Section 5.1.4.)
As usual, the standard versions of the secret A3 and A8 algorithms had somehow
'escaped' in a way that cannot be reconstructed. The two algorithms together are
sometimes also called COMP128. Goldberg and Wagner discovered a flaw in COMP128
that could be exploited by a so-called chosen-challenge attack: a SIM card is
'fed' with many chosen SRAND values and its replies are then studied. After a
sufficient number of trials, the secret value Ki can be computed, and with it
both the response, SRES, and the session key, Kc, for any request, SRAND. Now,
if an intruder stealthily analyzes somebody
else's SIM card, he can use a regular computer (that knows Ki and has A3
and A8 implemented) to simulate the SIM card without the mobile network
provider noticing it. In other words, the intruder can make phone calls at another
customer's expense. You can find details on our Web site in the txt/gsm directory
(in addition, algor/A5/a3a8.c contains the COMP128 implementation in C).
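To make the protocol just described concrete, here is a toy model of GSM authentication that I have added; it is not code from the book and does not reproduce COMP128 (the book's own implementation is the a3a8.c mentioned above). HMAC-SHA256 stands in for A3/A8, which is an assumption: what the protocol relies on is only that SRES and Kc depend on both Ki and SRAND. The IMSI and Ki values are constructed samples. The three runs at the end show the point of the text: the network sees nothing but SRAND and SRES, so any device that knows Ki, card or computer, is accepted.

```python
"""Toy model of GSM SIM authentication (added example; not code from the book).

The network challenges the SIM with a random value RAND; the SIM answers with
SRES = A3(Ki, RAND) and derives the session key Kc = A8(Ki, RAND). Ki never
travels over the air, so the protocol is only as strong as the secrecy of Ki.

Assumption: the real COMP128 (A3/A8) is replaced by HMAC-SHA256. Sizes follow
GSM: Ki and RAND 128 bits, SRES 32 bits, Kc 64 bits.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def a3_a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for COMP128: return (SRES, Kc) for this Ki and challenge."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND are 128-bit values")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]          # SRES: 4 bytes, Kc: 8 bytes


class SimCard:
    """Holds Ki and answers challenges; Ki itself is never handed out."""

    def __init__(self, ki: bytes) -> None:
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)


class AuthenticationCentre:
    """Network side: stores each subscriber's Ki and verifies the SRES it gets back."""

    def __init__(self) -> None:
        self._ki_by_imsi: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def authenticate(self, imsi: str, card: SimCard,
                     rand: Optional[bytes] = None) -> Tuple[bool, Optional[bytes]]:
        """Challenge `card`; return (accepted, Kc). Kc is None on failure."""
        if rand is None:
            rand = secrets.token_bytes(16)
        expected_sres, kc = a3_a8(self._ki_by_imsi[imsi], rand)
        sres, _ = card.run_gsm_algorithm(rand)
        # Constant-time compare: SRES is only 32 bits, so do not leak a prefix match.
        if hmac.compare_digest(sres, expected_sres):
            return True, kc
        return False, None


def demo() -> Dict[str, bool]:
    """Three authentications; the outcomes are what the book's argument rests on."""
    imsi = "262020000000001"                                  # constructed sample
    ki = bytes.fromhex("0123456789abcdef0123456789abcdef")   # constructed sample
    auc = AuthenticationCentre()
    auc.provision(imsi, ki)

    genuine = SimCard(ki)
    wrong_key = SimCard(secrets.token_bytes(16))
    # A plain computer that has learned Ki is indistinguishable from the card:
    # the network only ever sees RAND and SRES, never the device behind them.
    software_clone = SimCard(ki)

    return {
        "genuine": auc.authenticate(imsi, genuine)[0],
        "wrong_key": auc.authenticate(imsi, wrong_key)[0],
        "clone": auc.authenticate(imsi, software_clone)[0],
    }


if __name__ == "__main__":
    print(demo())   # {'genuine': True, 'wrong_key': False, 'clone': True}
```

The model also shows where a defence has to live: since the protocol itself cannot tell a card from a copy of its Ki, protection comes from keeping Ki inside tamper-resistant hardware and from the operator's side (for instance, the same IMSI appearing in two places at once), not from the challenge-response exchange.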
The attack mentioned above is real. It was demonstrated by Chaos Computer
Club (CCC) in Hamburg, Germany, using a D2 card (see [SpiegClon]). But
let's not panic just yet. The attack is not that simple in practice. Computing
Ki requires roughly 150 000 SRAND requests, and since a SIM card is no
supercomputer, it will take about 8 hours. This is the time somebody needs to
have your cell phone and card without you noticing it. Only then would they
be able to run up your account. If you notice earlier that your phone is gone
and have your card and/or phone blocked, nothing can actually happen.
That's not all. The SIM card is protected by a four-digit to eight-digit PIN,
as we know. The handset normally locks after three faulty PIN entries, and to
regain access to the network you then have to enter your eight-digit super-PIN.
You can try this number ten times at most. If all of these attempts fail, all
you can do is visit your phone dealer, taking all your documents along. So it's
really useless to steal a GSM cell phone!
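As an added illustration of the lockout just described (my own code, not the book's), here is a small state machine for the PIN and super-PIN counters. The limits are the ones given in the text: a 4- to 8-digit PIN with three attempts, then an 8-digit super-PIN with ten attempts, after which the card is blocked for good. The state names and the rule that a correct super-PIN sets a new PIN are my assumptions about how the card behaves.

```python
"""Toy model of SIM PIN / super-PIN lockout (added example; not code from the book)."""
import hmac

PIN_ATTEMPTS = 3    # wrong PINs before the super-PIN is demanded (from the text)
PUK_ATTEMPTS = 10   # wrong super-PINs before the card is blocked (from the text)


def _valid_pin(pin: str) -> bool:
    return pin.isdigit() and 4 <= len(pin) <= 8


class SimLock:
    """States: 'pin_required' -> 'unlocked', or -> 'puk_required' -> 'blocked'."""

    def __init__(self, pin: str, puk: str) -> None:
        if not _valid_pin(pin):
            raise ValueError("PIN must be 4 to 8 digits")
        if not (puk.isdigit() and len(puk) == 8):
            raise ValueError("super-PIN must be 8 digits")
        self._pin = pin
        self._puk = puk
        self.pin_tries_left = PIN_ATTEMPTS
        self.puk_tries_left = PUK_ATTEMPTS
        self.state = "pin_required"

    @staticmethod
    def _match(given: str, secret: str) -> bool:
        # Constant-time comparison: timing must not reveal how many digits matched.
        return hmac.compare_digest(given.encode(), secret.encode())

    def enter_pin(self, attempt: str) -> str:
        """Try a PIN; returns the new state. Ignored unless a PIN is being asked for."""
        if self.state != "pin_required":
            return self.state
        if self._match(attempt, self._pin):
            self.pin_tries_left = PIN_ATTEMPTS      # counter resets on success
            self.state = "unlocked"
        else:
            self.pin_tries_left -= 1
            if self.pin_tries_left == 0:
                self.state = "puk_required"         # three strikes: PIN is dead
        return self.state

    def enter_puk(self, attempt: str, new_pin: str) -> str:
        """Try the super-PIN; on success the card takes `new_pin` as its PIN."""
        if self.state != "puk_required":
            return self.state
        if not _valid_pin(new_pin):
            raise ValueError("new PIN must be 4 to 8 digits")
        if self._match(attempt, self._puk):
            self._pin = new_pin
            self.pin_tries_left = PIN_ATTEMPTS
            self.state = "unlocked"
        else:
            self.puk_tries_left -= 1
            if self.puk_tries_left == 0:
                self.state = "blocked"              # only the dealer can help now
        return self.state

    def lock(self) -> None:
        """Power cycle or explicit lock: the PIN is required again unless blocked."""
        if self.state == "unlocked":
            self.state = "pin_required"


if __name__ == "__main__":
    sim = SimLock("1234", "12345678")              # constructed sample secrets
    for guess in ("0000", "1111", "2222"):
        print(sim.enter_pin(guess))                 # third wrong PIN -> puk_required
    print(sim.enter_pin("1234"))                    # correct PIN no longer helps
    print(sim.enter_puk("12345678", "4321"))        # super-PIN unlocks, sets new PIN
```

The useful reading of the model is the budget it fixes: whoever holds a stolen card gets at most three PIN guesses and ten super-PIN guesses before the card is worthless, and neither counter can be reset from the handset.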