GSM security - Twente Student Conference on IT
GSM security
Christian Kröger
University of Twente
P.O. Box 217, 7500AE Enschede
The Netherlands
christian.kroeger@gmail.com
ABSTRACT
In this paper we give a general overview of the state of GSM security and the practicality of an attack on the A5/1 algorithm used for encrypting 2G GSM communication. First we give a general introduction to the development of GSM; afterwards we present our research questions and the current state of the art. Furthermore, we describe the test environment used for our research. After having had some trouble with the software necessary for the practical aspect of this paper, we shifted our focus to discussing the recent state of the art in attacking GSM encryption and what measures should be taken to make it harder to actually break the encryption in use, to guarantee more secure communication.
Keywords
GSM, 2G, mobile phone, mobile communication, security, A5/1, USRP
1. INTRODUCTION
The "Groupe Spécial Mobile" was created in 1982 to develop a standard for a European mobile telephone system. After some development time the first GSM network was established in Finland and "by the end of 1993, GSM had broken through the 1 million-subscriber barrier with the next million already on the horizon."[9] At this time GSM was already operating in 48 countries and it was still growing rapidly. In the year 2007 there were already 2.5 billion GSM users.[8]
Another source states the following as of June 2006:
"While it took just 12 years for the industry to reach the first billion connections. The second billion has been achieved in just two and a half years boosted by the phenomenal take up of mobile in emerging markets such as China, India, Africa and Latin America, which accounted for 82% of the second billion subscribers."[10]
Research in this area is important because of the ever increasing and very widespread use of mobile phones and mobile communication, including average mobile phones, smart phones etc. In today's world it is even possible to buy your train tickets via your mobile phone or to do online banking and TAN generation, so it is not just the money you pay for your phone calls that is involved, but also the money for all these different things. Another aspect is that people in general value their privacy. As a result, a user does not want another person to be able to eavesdrop on their private conversations and SMS. Therefore it is obvious that security in cellular networks is a very important issue, and one that is only becoming more important.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
14th Twente Student Conference on IT, January 21st, 2011, Enschede, The Netherlands.
Copyright 2011, University of Twente, Faculty of Electrical Engineering, Mathematics and Computer Science.
There are different security mechanisms involved when dealing with the security of mobile phones. First of all, there is the security of the radio communication between the mobile phone and the base station; second, there is the security of the SIM-card itself and the key stored on it.
GSM itself can use different encryption algorithms, of which several are already broken and therefore not really secure, as can be seen in the related work part of this paper. Implementing the old A5/2 encryption algorithm in mobile devices has even been discouraged as of the 1st of July 2006.
But in this paper we are not going to discuss the topic and possibilities of copying a SIM-card. Instead we focus on the security of the radio communication itself, because it is much easier to passively listen to radio communication than to get your hands on mobile devices without being noticed. Listening to the radio communication instead of cloning SIM-cards is also more likely to be used in the real world, because it is far easier to listen to a wide variety of phone traffic than one imagines, as this paper will show.
If someone wants to listen to somebody else's mobile communication, there are different ways to achieve that goal.
First of all, one can try to break the encryption used between the mobile phone and the GSM network.
A second possibility is to set up a fake base station. Using your own base station enables you, once a mobile device connects to it, to actively choose which encryption is used while that phone is connected to that specific base station.¹
The main focus of the research in this paper will be the practicality of the first kind of attack on GSM, thus the decryption of GSM traffic.
The paper starts with the research questions we intended to address; after that it gives a brief overview of the GSM architecture. With that knowledge in mind we describe the current related work and, building on top of this, we introduce possible attacks on GSM communication, which allow malevolent people to listen to the private conversations of others. After that we give an overview of the tests we tried to do in order to show how simple or complex it might be to eavesdrop on GSM communication. Finally we conclude our paper by answering the research questions and giving a conclusion on the overall security of GSM.
¹ The different encryption techniques can be found in the part on GSM security architecture.
Figure 1. Basic GSM architecture, found on http://www.privateline.com/PCS/GSM/tarch6a.gif
2. RESEARCH QUESTIONS
The research questions for this paper are the following:
1. What is the current state of the safety of the GSM algorithms?
2. How much effort does it take to break current GSM security (and to listen to a phone call or intercept an SMS, for example)?
3. Is it possible to decrypt a phone call with current commodity hardware and available (open source) software?
4. If so, does the decryption take place in "real-time" or something close to it, or does it take several minutes or even hours?
5. Is UMTS equally vulnerable, or are the security features and algorithms used better?
3. GSM SECURITY ARCHITECTURE
The GSM architecture can be divided into three parts: the mobile station, the Base Station Subsystem and the Network Subsystem.
• The mobile station contains the SIM-card, which is necessary to identify the user to the network.
• The Base Station Subsystem is in charge of the radio link with the mobile device and has a lot of rights from the perspective of the mobile device (more on this in the part on attacks against GSM communication).
• "The Network Subsystem performs the switching of calls between mobile users and between mobile and fixed network"[12] and contains the hardware necessary to authenticate users in the network.
This architecture can be seen in figure 1.
After a channel between the Base Station Subsystem and the mobile device is established, the device sends its TMSI or IMSI to the network to make its identity known. Preferably the TMSI is used for this, because it enhances the privacy of the system. After that the authentication of the mobile device starts, with the network sending a random challenge (RAND) to the mobile device.
The mobile device uses this RAND in conjunction with the secret key, which is stored on the SIM, to calculate a result. After calculating the result, it sends it back to the network. Meanwhile the network has calculated the response as well, because it also knows the secret key, which is stored in its AuC. If the response sent by the device matches the one calculated by the network, the device is successfully authenticated to the network; otherwise the authentication is rejected and the device cannot connect.
In GSM there is no authentication in the reverse direction (from network to mobile device).
There are essentially 4 different algorithms that can be used to secure GSM communication. These are called A5/0 up to A5/3. Of those 4 algorithms, one does not offer any encryption at all, and one is discouraged from being used and therefore should not be encountered when monitoring GSM communication. The other 2 algorithms are the ones mainly used today.
Below you will find a short, general and historical overview of the GSM algorithms; their security is evaluated in the part on related work.
3.1 A5/0
When this encryption cipher is chosen, the communication between BSS and mobile device is not encrypted at all.
3.2 A5/1
This is the most widely used algorithm, and also the main focus of current research and therefore also the main focus of this paper. This algorithm is a stream cipher developed in 1987.
3.3 A5/2
This is a weak encryption algorithm, which has been discouraged from being used. It actually took quite a long time to phase it out. The GSMA itself stated in a meeting on the 12th of September 2006:
"The risk of operators continuing to demand A5/2 device support stems from the possibility that some operators may not upgrade their networks to support stronger algorithms in a timely manner. The emergence of devices without A5/2 support will mean that encryption will not be possible on networks that have not upgraded their BSS infrastructure to support A5/1 and/or A5/3. However, because of the nature of the attack, and the fact that A5/2 does not offer a higher level of protection than A5/0, it is deemed preferable that these networks run with no encryption rather than use the compromised A5/2 protocol."[2]
This shows how weak they themselves deemed the security of this algorithm, which was actually designed to be weak. The A5/2 algorithm is also a stream cipher, which was developed a little while after A5/1 as a deliberately weakened version of it, due to export restrictions on cryptography.
3.4 A5/3
This is an algorithm called KASUMI, which is a block cipher instead of a stream cipher. KASUMI was already specified in 2002[1], but interestingly enough, the GSMA was still discussing how to test A5/3 in 2009: "Recent joint meetings with the Mobile Manufacturers (EICTA) had discussed forthcoming tests to check A5/3 functions".[3] Later that year "Successful tests were made on A5/3 enabled BTS equipment in Switzerland, with 10 handsets from 7 manufacturers being tested on a live network."[4]
So it took them 7 years to test the A5/3 algorithm and hardware, which is not really fast. We expect that after these successful tests, this algorithm will more and more become the standard algorithm, as it is also used in UMTS and GPRS and because it is a more secure algorithm compared to A5/1.
Most GSM networks also use frequency hopping, which makes it harder to follow the signal, but with good enough hardware it is even possible to monitor the whole frequency band at the same time, in which case frequency hopping is no longer an obstacle.
4. RELATED WORK
In their text "A Man-in-the-Middle Attack on UMTS"[15] Ulrike Meyer and Susanne Wetzel describe an attack on the cellular network that arises from the interoperability of GSM and UMTS. Such an attack is possible because current mobile phones need to work in both networks, since GSM is far more widely deployed than the UMTS network. The phone's communication can be attacked when it uses GSM, which it will do if the GSM antenna receives a stronger signal than the UMTS antenna. This is a problem due to backwards compatibility. This backwards compatibility exists because there still is no UMTS connectivity everywhere, so GSM can be used as a fallback if UMTS is not available.
This is reminiscent of weaknesses in software development that appear due to the interoperability of new and old software and the backwards compatibility of newer software, which compromises the whole security concept of the newer system, because the old one is still there and attackable.
In [7] Barkan et al. describe A5/2 and give a general GSM security background. They also describe an attack on A5/2 and specify how this attack can even be used against A5/1 and A5/3, due to the fact that all these encryption methods use the same key. Therefore an attacker is able to break A5/3, or can impersonate a cell phone to a base station, if he manages to get the real phone to use A5/2. After that he can capture the phone call and use this data to derive the A5/2 key.
Biryukov et al. describe a possible attack on the A5/1 algorithm in their paper "Real Time Cryptanalysis of A5/1 on a PC"[5], presented during the Fast Software Encryption Workshop in 2000. The attack is based on a reverse engineered version of the A5/1 algorithm; this stream cipher is also explained in their paper.
In his presentation during the BlackHat conference in 2010[11], Karsten Nohl presented the state of the art of cracking the A5/1 encryption and discussed how his implementation worked, using rainbow tables to use less storage space and computing everything using multiple GPUs. The conclusion of this presentation is that it is possible to break A5/1 on commodity hardware if all the optimizations he presented are used.
In [13] Dunkelman, Shamir and Keller show that they can break KASUMI (the A5/3 algorithm), which is a variation of MISTY, with a related key attack and a PC. Therefore they conclude that the changes made to move "from MISTY to KASUMI resulted in a much weaker cryptosystem."[13] They conclude by saying that this attack may "not be applicable to the specific way in which KASUMI is used as the A5/3 encryption algorithm", because "the new attack uses both related keys and chosen messages".
This leads to the conclusion that cell phones should only use A5/3, even though it is not completely secure, and that a new algorithm should be chosen.
The reason to use A5/3 is that if you use A5/1, it is probably possible to derive the key using Karsten Nohl's rainbow tables. Once the key is derived all communication can be broken, because man-in-the-middle attacks are possible against all algorithms if one is in possession of the key. The issue here is that all of the encryption algorithms use the same key. The attacker just has to get a legitimate key by convincing the phone to use A5/1 or, even better, A5/2 for a short amount of time.
Furthermore there is the chance that even more weaknesses will be found in KASUMI, due to the changes made by the GSM Association. Another possibility is that a better way to exploit the current weaknesses of KASUMI may be found, because it already shows first weaknesses. As a result KASUMI might become breakable, which has already happened to A5/1 and A5/2.
5. ATTACKS ON GSM COMMUNICATION
Based on the related work, we describe possible attacks in more detail in this part of our paper. There are different possibilities to decrypt GSM communication if one chooses to do so.
5.1 Cloning the SIM-card
This attack can be characterized as a more active attack, because the attacker needs either to get his hands on the mobile device to clone the SIM-card or to get the data from the AuC servers of the user's network operator.
With that data, the user's key and IMSI, the attacker is in a position to listen to the user's communication, because once he has managed to eavesdrop on the initial connection establishment between mobile device and BSS he knows the RAND and can thus calculate the session key using the stolen secret key.
Because the authentication is based on a pre-shared key, which is on the SIM-card, and a challenge-response based on that very key and on a plain-text RAND challenge, an attacker could even impersonate another person if he manages to get that key.
5.2 Passively capturing packets
This attack is a passive way of listening to someone's call and was intended to be the main concern of this paper, but due to the problems we encountered while trying to set up the hard- and software for our tests, we did not manage to execute this attack ourselves.
As we describe this way of eavesdropping in more detail in the section Test environment, this will only be a short overview.
This attack works against A5/1 and A5/2. A5/3 is currently too strong for this kind of passive attack.
During his talk at the 27C3² Karsten Nohl showed that this attack can even be executed using 2 old Motorola mobile phones. The phones cost approximately 10 Euro each, and two phones are needed.
For this to work Karsten Nohl and Sylvain Munaut upgraded the phones to Open Source firmware using OsmocomBB software. To demonstrate this technique they called themselves during the presentation and used these patched phones to demonstrate a live decryption of their phone call.³
5.3 Fake base station
Once someone uses a fake base station, his possibilities to attack become even more potent.
A fake base station enables the attacker to choose which cipher is used during the communication and therefore to choose weaker encryption or none at all. To achieve this the user needs to connect to the fake station, but this is easily done, as Chris Paget points out in his talk during Defcon 18[6]. The reason that convincing the phone to connect to the fake station is easy is that the phone essentially tries to connect to the strongest signal. In reality this might be the real base station or the fake one. But according to Paget the base station can transmit a signal telling the mobile phone that the station's signal is stronger than it is in reality, and the phone believes this without doubt.⁴
So one can convince the phone to use no encryption and thus go for a man-in-the-middle attack, but this also enables an attacker to break the strong A5/3 cipher, which can be seen in figure 2.
This attack works as follows:
1. The eavesdropper captures an A5/3 encrypted call, including the initial RAND.
2. The attacker uses his fake base station to ask the user's phone to reuse the same RAND with the weak A5/1 cipher.
3. The attacker uses Nohl's rainbow-tables, which are downloadable via bit-torrent, to derive the key and finally uses that key to decrypt the first call, which was A5/3 encrypted.
The reason this works is that it is simple to capture the RAND, that all the encryption algorithms on a mobile phone use the same secret key, and that they always use the same algorithm to determine the temporary key. The temporary key is based solely on the secret key and the RAND. Furthermore the software necessary to execute this attack is already readily available as Open Source Software.
The downside of this attack is that it is an active attack and as such might be noticed. On the other hand it enables the attacker to break even A5/3.
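The challenge-response exchange from section 3 and the key reuse that section 5.3 relies on, as a Python model added here (it is not from the paper): a3_a8 is an HMAC-SHA256 stand-in for the real A3/A8 algorithms, the Ki and IMSI are constructed values, and the rand_replayed flag and bound_key are hypothetical defensive measures that GSM does not specify.

```python
"""Toy model of GSM subscriber authentication and session-key derivation.

a3_a8() is an HMAC-SHA256 stand-in for the operator-specific A3/A8 algorithms
on a real SIM. Ki and the IMSI below are constructed test values.
"""
from __future__ import annotations

import hashlib
import hmac
import os

CIPHERS = ("A5/0", "A5/1", "A5/2", "A5/3")


def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Return (response, session key Kc) for secret key Ki and challenge RAND.

    The cipher that will later use Kc is not an input, so every cipher
    gets the same Kc for the same RAND.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]  # 32-bit response, 64-bit Kc


class Network:
    """Network side: the AuC stores a copy of each subscriber's Ki."""

    def __init__(self, auc: dict[str, bytes]) -> None:
        self._auc = auc

    def new_challenge(self) -> bytes:
        return os.urandom(16)  # RAND is sent over the air in plain text

    def verify(self, imsi: str, rand: bytes, response: bytes) -> bytes | None:
        """Return Kc if the response matches, None if authentication fails."""
        expected, kc = a3_a8(self._auc[imsi], rand)
        return kc if hmac.compare_digest(expected, response) else None


class Handset:
    """Mobile device with SIM. It answers any challenge it receives, because
    the network does not authenticate itself to the device."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki
        self._seen_rands: set[bytes] = set()

    def respond(self, rand: bytes, cipher: str) -> dict:
        if cipher not in CIPHERS:
            raise ValueError(f"unknown cipher {cipher!r}")
        response, kc = a3_a8(self._ki, rand)
        # Hypothetical defensive check (not specified by GSM): a fresh random
        # 128-bit RAND should never repeat, so a repeat is worth reporting.
        replayed = rand in self._seen_rands
        self._seen_rands.add(rand)
        return {"response": response, "kc": kc, "cipher": cipher,
                "rand_replayed": replayed}


def bound_key(kc: bytes, cipher: str) -> bytes:
    """Hypothetical key separation (not part of GSM): derive a distinct
    64-bit key per cipher so a key recovered under one does not fit another."""
    return hmac.new(kc, cipher.encode("ascii"), hashlib.sha256).digest()[:8]


def demo() -> dict:
    imsi = "001010123456789"                                # constructed
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    network = Network({imsi: ki})
    phone = Handset(imsi, ki)

    # Normal attach: challenge, response, comparison on the network side.
    rand = network.new_challenge()
    first = phone.respond(rand, "A5/3")
    accepted = network.verify(imsi, rand, first["response"]) == first["kc"]
    wrong = bytes(b ^ 0xFF for b in first["response"])
    rejected = network.verify(imsi, rand, wrong) is None

    # The same RAND presented again with a weaker cipher selected.
    second = phone.respond(rand, "A5/1")
    return {
        "accepted": accepted,
        "rejected": rejected,
        "same_kc_for_both_ciphers": first["kc"] == second["kc"],
        "replay_flags": (first["rand_replayed"], second["rand_replayed"]),
        "bound_keys_differ": bound_key(first["kc"], "A5/3")
                             != bound_key(second["kc"], "A5/1"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The identical Kc returned for A5/3 and A5/1 is the property the fake base station attack depends on; with a per-cipher key such as bound_key, a key recovered under A5/1 would not be the key used for the A5/3 call.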
6. TEST ENVIRONMENT
Setting up the hardware for this task proved significantly easier than managing to install and run the necessary hardware drivers and the rest of the software.
² 27th Chaos Communication Congress
³ The slides can be found via [14] and the videos can be found via media.ccc.de
⁴ This has to do with the fact that the network does not need to identify itself to the mobile devices.
Figure 2. Picture of a way to decipher an A5/3 call, from Karsten Nohl during 26C3
6.1 Hardware
For the evaluation in this paper we used special hardware developed by Ettus Research⁵, which is called USRP (Universal Software Radio Peripheral). The USRP is a small device, just a little bigger than an average 3.5" external HDD.
For our research we used a USRP version 1. The device is equipped with the DBSRX1 daughterboard, which allows the USRP to receive signals from 800 MHz up to 2.4 GHz. Because GSM in Europe uses frequencies around 900 MHz and 1.8 GHz, this should be sufficient for the tests. The antenna used can receive signals from 900 MHz up to 2.6 GHz.
The USRP1 has to be connected to a computer, which is simple to do, because it is done via a USB cable.
After attaching the DBSRX board to the USRP1, closing the USRP, connecting the antenna to the USRP and finally connecting the USRP to the computer, the hardware was set up.

6.2 Software

The programs used for this research are called Airprobe⁶ and GNU Radio⁷, both of which are completely open source. GNU Radio is a software-defined radio (SDR) toolkit. "As with all software-defined radio systems, reconfigurability is the key feature. Instead of purchasing multiple expensive radios, a single more generic radio is purchased, which feeds into powerful signal processing software (GNU Radio, in this case)."⁸ Because of the computers we had at hand, we first decided to use this software on Windows, but we encountered a couple of problems there and thus decided to do the rest of the research using Ubuntu 10.10 (more on the problems can be found in the Problems subsection).

The installation of GNU Radio on Ubuntu was fast and easy, because packages have been included in the Ubuntu sources since version 9.04 of Ubuntu⁹. These packages are easy to install via the standard package management software available in Ubuntu, such as Synaptic or apt-get. That makes the step of installing GNU Radio a lot easier and a lot faster, because there is no longer any need to compile everything on your own machine. So all in all the hardware was easier to set up than the software was to install.

For the purpose of our tests we decided to use the newest version of GNU Radio, which is version 3.30. On a Windows system, there are essentially two ways to install GNU Radio. Both of them are based upon installing a Unix-like environment.

The first is Cygwin, which failed during the make process of the software because it was unable to find some files.

The second is MinGW together with the MSYS shell, which had more initial problems than Cygwin, but with which it was finally possible to compile GNU Radio and the USRP drivers for Windows.

Through the combination of these programs, it is possible to capture the data packets of a phone call and to break the A5/1 algorithm using the Kraken software and its rainbow tables. The data passed from Airprobe to the Kraken program is analysed using rainbow tables to finally derive the encryption key of the communication. Using this key it is possible to decrypt the communication itself and thus listen to the phone call or read the SMS sent.

⁵ www.ettus.com
⁶ www.airprobe.org
⁷ www.gnuradio.org
⁸ From http://en.wikipedia.org/wiki/GNU_Radio
⁹ Version 3.2 of GNU Radio

6.3 Problems

We encountered different problems during the installation of the software and the first initial tests. On both operating systems we faced diverse problems, some of which we managed to solve and others we could not.

This part is split into a sub-part concerning Windows errors and another concerning problems encountered when using Ubuntu. At first we used Windows, but after we faced the problems mentioned below we decided to conduct our further research using Ubuntu, which unfortunately resulted in a different set of problems we could not solve either.

6.3.1 Windows

During the installation of the software and the first initial tests, we encountered a couple of problems. These problems mainly occurred on our Windows XP machine, which we initially used to set up the software.

The compile problems we faced using MinGW with MSYS could be solved by adding a few "#include" directives to different parts of the program code. Furthermore we had to explicitly add the lpthread library to FFTW¹⁰ while configuring it; otherwise it would not work, and without it working it was not possible to build the GNU Radio software itself. Building the USRP Windows driver required a piece of software called SDCC¹¹. At first we just used the newest version of the software, available from the software's homepage, but this resulted in errors, because the new version used a different naming scheme for the installed files. As a result GNU Radio did not find the files necessary to build the USRP Windows driver. Therefore we used an older version of the program¹².

After connecting the USRP to our Windows machine and successfully installing the driver, we tried running a few of the test Python scripts included in the GNU Radio software. Sadly these tests failed, with the error message that the computer was unable to write to the USRP device. From this we concluded that there might be a problem with the driver, even though it compiled without error messages, or that the USRP itself might have a defect. This seems to be a problem of the Windows driver, as the USRP seems to work under Ubuntu using GNU Radio.

Despite that problem we tried to install Airprobe on Windows as well, because GNU Radio compiled. But here we encountered problems even earlier than during our later tests using Ubuntu. Some problems occurred due to the difference between the Windows and Unix line endings, as well as a couple of missing header files and, again, missing "#include" directives in the source code.

¹⁰ "FFTW is a C subroutine library for computing the discrete Fourier transform", taken from www.fftw.org
¹¹ SDCC (Small Device C Compiler) is a C compiler which can build programs for different microprocessors.
¹² 2.9 instead of 3.0

6.3.2 Ubuntu

Setting up GNU Radio on Ubuntu was an easy task due to the readily available packages, which just had to be installed. This installation was a lot easier and faster than the one on Windows, because we did not even need to compile our own software.

As for Airprobe, we followed the build instructions, which do not mention which packages are necessary to install the software, but after some testing we found out that autoconf, automake, libpcap and a couple of other packages are necessary to build the software.

Unfortunately we encountered a segmentation fault when trying to use Airprobe with the sample data provided on the software's homepage. This error seems to be related to a problem using the Python GTK interface. Up until now there has been no reaction to a post on the mailing list or to a new error report on the project's homepage.

7. DISCUSSION

As the tests with the hardware were more complex than anticipated, and the huge software problems in particular were unexpected, this part is going to focus more on the recent developments in the related work and on the theoretical attacks on and weaknesses of the GSM security architecture and algorithms.

After giving this overview of how GSM security works and what the current state of the art is, and describing possible attack scenarios, we are now going to explicitly answer the research questions.

What is the current state of the safety of the GSM algorithms?

The answer to this question has to be divided into two parts, as there is a difference between active and passive attacks.

For passive attacks A5/3 is still safe and the rest of the algorithms are broken.

Using active attacks it is even possible to break A5/3, as can be seen in the section on attacks on GSM communication.

How much effort does it take to break current GSM security (and to listen to a phone call or intercept an SMS, for example)?

Once the attacker manages to really set up the hardware and software in a working manner, the effort is negligible, as can be seen from the demonstration by Karsten Nohl and Sylvain Munaut during the 27C3. As both the call and the SMS use the same encryption algorithm, there is not really a difference in the security of the two.

Is it possible to decrypt a phone call with the current commodity hardware and available (open source) software?

This is possible as well, as all the software mentioned in this paper is open source software (Airprobe, GNU Radio, OsmocomBB, etc.). And it even works on commodity hardware, because Sylvain Munaut and Karsten Nohl just used a normal laptop to decrypt their call, so the attacker does not even need a fast PC.

If so, is the decryption taking place in "real-time" or something close to it, or does it take several minutes or even hours?

This has to be split into two parts again. The A5/1 decryption using Karsten Nohl's rainbow tables is pretty close to real-time, because it can calculate the key during or shortly after the call.

The attack on A5/3 using a fake base station takes longer, because after the initial call is completed, the mobile device first needs to connect to the fake base station to do the authentication procedure using the same RAND but the weaker A5/1 algorithm.

Is UMTS equally vulnerable or are the security features and algorithms used better?

UMTS security is better, as it has a longer authentication key, but more importantly UMTS uses mutual authentication: the network identifies itself to the mobile user, which does not happen in GSM, and the user authenticates himself to the network. A problem, however, is that the user does not have a guaranteed UMTS connection, and there are not many mobile phones which give the user the option to connect only to UMTS networks. And because an attacker can use a fake base station, he can convince the mobile phone that his signal is stronger, which will eventually result in the phone connecting to that fake station. If this fake base station then decides not to use UMTS but to use GSM instead, most mobile phones will switch to GSM and thus be vulnerable again. The same thing happens if there are just legitimate GSM and UMTS base stations in the vicinity and the GSM signal is stronger than the UMTS signal; in that case the mobile phone will switch to GSM even without a fake base station.
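
The difference between one-way and mutual authentication described above can be modelled in a few lines. This is an added example, not code from the paper: HMAC-SHA256 stands in for the operator algorithms (A3/A8 and the UMTS authentication functions), the network token is reduced to a MAC over RAND (a real UMTS token also carries a sequence number), and the names `Sim`, `attach` and `umts_only` are hypothetical.

```python
import hashlib
import hmac
import os


def prf(key, label, data, n):
    # Assumption: HMAC-SHA256 as a stand-in for the real GSM/UMTS algorithms.
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]


class Sim:
    """Subscriber side; holds the shared secret Ki."""

    def __init__(self, ki):
        self._ki = ki

    def gsm_auth(self, rand):
        # GSM: the SIM answers any RAND. Nothing in the challenge proves
        # that the sender knows Ki.
        return prf(self._ki, b"SRES", rand, 4), prf(self._ki, b"Kc", rand, 8)

    def umts_auth(self, rand, autn):
        # UMTS: the SIM first checks the network's MAC over RAND and only
        # then returns a response.
        if not hmac.compare_digest(autn, prf(self._ki, b"MAC", rand, 8)):
            return None
        return prf(self._ki, b"RES", rand, 8)


def attach(sim, station_key, offered, umts_only=False):
    """Run one attach; returns (phone_state, station_verified_subscriber)."""
    rand = os.urandom(16)
    if offered == "GSM":
        if umts_only:
            return ("refused: GSM not allowed", False)
        sres, _kc = sim.gsm_auth(rand)
        verified = hmac.compare_digest(sres, prf(station_key, b"SRES", rand, 4))
        # The phone attaches either way: it never learns whether the
        # station was able to check SRES.
        return ("attached over GSM", verified)
    autn = prf(station_key, b"MAC", rand, 8)
    res = sim.umts_auth(rand, autn)
    if res is None:
        return ("rejected: network MAC invalid", False)
    verified = hmac.compare_digest(res, prf(station_key, b"RES", rand, 8))
    return ("attached over UMTS", verified)


if __name__ == "__main__":
    ki = os.urandom(16)       # constructed subscriber key
    other = os.urandom(16)    # key of a station that does not hold Ki
    sim = Sim(ki)
    cases = [(ki, "UMTS", False), (other, "UMTS", False),
             (ki, "GSM", False), (other, "GSM", False), (other, "GSM", True)]
    for key, rat, only in cases:
        holder = "home network" if key == ki else "unknown station"
        print(f"{holder:15} {rat:4} umts_only={only}: {attach(sim, key, rat, only)}")
```

The last two cases show why the fallback matters: with GSM permitted the phone attaches to a station that never proved knowledge of Ki, while a UMTS-only policy refuses the offer outright.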

7.1 Possible security enhancements

• A more regular change of the session key, which gives the attacker less known data.
• Randomization of control message padding, which significantly reduces the known text in these messages. According to [14], this was already specified in 2008 and should thus "be implemented with high priority".
• Switching to UMTS so that the network has to authenticate itself, or updating GSM in such a way that it can authenticate itself; neither is very likely, because it is expensive and time-consuming.
• Regular changes of the TMSI, such that it is harder to follow a specific mobile phone's communication.
• On modern mobile phones, the user could install software to additionally encrypt his calls, but this requires both sides of the call to use that additional encryption software.
• A system to easily upgrade the encryption algorithm and other security features would also be nice to have.
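
To make the padding item concrete, the following added example (not code from the paper) counts how many keystream octets one short control message exposes under fixed and under randomized padding. The 23-octet frame length and the 0x2B fill octet are assumptions taken from GSM signalling practice rather than from this paper, the keystream is random bytes standing in for cipher output, and the randomization is simplified to "every fill octet is random".

```python
import os

FRAME_LEN = 23   # octets per signalling frame (assumption, not from the paper)
FILL = 0x2B      # fixed fill octet of the classic scheme (assumption)


def pad_frame(payload, randomize):
    """Pad a short control message to a full frame."""
    if len(payload) > FRAME_LEN:
        raise ValueError("payload longer than one frame")
    n = FRAME_LEN - len(payload)
    return payload + (os.urandom(n) if randomize else bytes([FILL]) * n)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def exposed_keystream_octets(ciphertext, keystream, payload_len):
    """Count padded positions where assuming FILL yields the true keystream."""
    fill = bytes([FILL]) * (FRAME_LEN - payload_len)
    guess = xor(ciphertext[payload_len:], fill)
    return sum(g == k for g, k in zip(guess, keystream[payload_len:]))


def compare(payload, keystream):
    """Return (exposed with fixed fill, exposed with random fill)."""
    results = []
    for randomize in (False, True):
        ciphertext = xor(pad_frame(payload, randomize), keystream)
        results.append(
            exposed_keystream_octets(ciphertext, keystream, len(payload)))
    return tuple(results)


if __name__ == "__main__":
    payload = bytes.fromhex("0506011a2b")   # constructed 5-octet message
    keystream = os.urandom(FRAME_LEN)       # stand-in for cipher output
    fixed, rnd = compare(payload, keystream)
    print(f"fixed fill : {fixed} of {FRAME_LEN - len(payload)} padded octets exposed")
    print(f"random fill: {rnd} of {FRAME_LEN - len(payload)} padded octets exposed")
```

With fixed fill every padded octet is known plaintext; with random fill an octet is exposed only when the random value happens to equal the fill value, about one position in 256.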

8. CONCLUSION

All in all one can say that the current security systems of GSM are flawed and need to be changed. It can be seen that the GSMA itself knows about a lot, if not all, of the problems, but the organization is slow to adapt to the problems at hand, which becomes obvious from the fact that it took them 7 years to test A5/3, close to 12 years to address COMP128 problems, etc.

In its current state GSM should be treated as an insecure channel, comparable to today's internet. One should therefore be careful about which data is sent via GSM, which should not be sent at all, and which should only be sent with additional security measures.

9. REFERENCES

[1] 3GPP. Specification of the A5/3 Encryption Algorithms for GSM and ECSD, and the GEA3 Encryption Algorithm for GPRS. Website of the GSMA, 2002. http://www.gsmworld.com/documents/design evaluation report.pdf.
[2] 3GPP. Withdrawal of a5/2 from handsets deadline. Website of 3GPP, 9 2006. http://www.3gpp.org/ftp/tsg sa/wg3 security/TSGS3 45 Ashburn/Docs/S3-060751.zip.
[3] 3GPP. Final meeting report for 3gpp wg sa3 meeting: 54. Website of 3GPP, 2009. http://www.3gpp.org/ftp/tsg sa/WG3 Security/TSGS3 54 Florence/Report/SA354 final meeting report v002.doc.
[4] 3GPP. FINAL Meeting Report for TSG SA WG3 meeting: 57. Website of 3GPP, 11 2009. http://www.3gpp.org/ftp/tsg sa/WG3 Security/TSGS3 57 Dublin/Report/FINALMeetingReport SA3 57.zip.
[5] Alex Biryukov, Adi Shamir and David Wagner. Real Time Cryptanalysis of A5/1 on a PC. Fast Software Encryption Workshop, 2000.
[6] Chris Paget. Practical Cellphone Spying. In Defcon 18, 2010.
[7] Elad Barkan, Eli Biham, Nathan Keller. Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication. 2003. http://cryptome.org/gsm-crack-bbk.pdf.
[8] Elena Balan. 2.5 Billion GSM Global Subscribers. Website, 06 2007. http://news.softpedia.com/news/2-5-Billion-GSM-Global-Subscribers-56848.shtml, visited 24.09.10.
[9] emory.edu. History and Timeline of GSM. Website of emory.edu, http://www.emory.edu/BUSINESS/et/P98/gsm/history.html, visited on 24.09.10.
[10] GSMA. GSM mobile phone technology adds another billion connections in just 30 months. Website of the GSMA, 06 2006. http://www.gsmworld.com/newsroom/pressreleases/2047.htm, visited on 25.09.10.
[11] Karsten Nohl. Attacking phone privacy. In BlackHat, 2010.
[12] Levent Ertaul, Basar Kasim. GSM Security. In Proceedings of the 2005 International Conference on Wireless Networks, June 2005. Via http://www.mcs.csueastbay.edu/ lertaul/ICW3016.pdf.
[13] Orr Dunkelman, Nathan Keller and Adi Shamir. A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony. Cryptology ePrint Archive, Report 2010/013, 2010. http://eprint.iacr.org/ part of CRYPTO2010.
[14] Sylvain Munaut, Karsten Nohl. Wideband gsm sniffing. 2010. https://events.ccc.de/congress/2010/Fahrplan/attachments/1783 101228.27C3.GSM-Sniffing.Nohl Munaut.pdf.
[15] Ulrike Meyer, Susanne Wetzel. A Man-in-the-Middle Attack on UMTS. ACM Workshop on Wireless Security, 2004.

APPENDIX

A. GLOSSARY

• A5/0,1,2,3: the encryption algorithms used for GSM communication
• MS: Mobile Station; the Mobile Station consists of the mobile equipment (subsequently called mobile device or mobile phone) and the SIM card
• BSS: Base Station Subsystem, responsible for handling traffic between the mobile device and the network switching subsystem
• IMSI: International Mobile Subscriber Identity, used to uniquely identify a user
• TMSI: temporary identification used instead of the IMSI for privacy reasons
• SIM: The Subscriber Identity Module contains a unique key, a microprocessor and an IMSI to generate the temporary keys used in GSM and to authenticate the user to the network.
• AuC: stores all the keys of the provider
• rainbow tables: a precomputed lookup table offering a time-memory tradeoff, used (in this case) to recover the session key