GSM security - Twente Student Conference on IT

<strong>GSM</strong> <strong>security</strong>
Christian Kröger
University of <strong>Twente</strong>
P.O. Box 217, 7500AE Enschede
The Netherlands
christian.kroeger@gmail.com
ABSTRACT
In this paper we will give a general overview over the state
of <strong>GSM</strong> <strong>security</strong> and the practicality of an attack on the
A5/1 algorithm used for encrypting 2G <strong>GSM</strong> communication.
First we give a general introduction to the development
of <strong>GSM</strong>, afterwards we present our research
questions and the current state of the art. Furthermore
we describe the test environment used for our research.
After having had some trouble with the software necessary
for the practical aspect of this paper, we shifted our
focus to discuss the recent state of the art in attacking
<strong>GSM</strong> encryption and what measures should be taken to
make it harder to actually break the encryption in used,
too guarantee more secure communication.
Keywords
<strong>GSM</strong>, 2G, mobile phone, mobile communication, <strong>security</strong>,
A5/1, USRP
1. INTRODUCTION
The ”Group Spéciale Mobile” was created in 1982 to develop
a standard for an European mobile telephone system.
After some development time the first <strong>GSM</strong> network
was established in Finland and ”by the end of 1993, <strong>GSM</strong>
had broken through the 1 million-subscriber barrier with
the next million already on the horizon.”[9] At this time
<strong>GSM</strong> was already operating in 48 countries and it was still
rapidly growing. In the year 2007 there were already 2.5
billion <strong>GSM</strong> users.[8]
Another source states the following as of June 2006:
”While it took just 12 years for the industry to
reach the first billion connections. The second
billion has been achieved in just two and a half
years boosted by the phenomenal take up of
mobile in emerging markets such as China, India,
Africa and Latin America, which accounted
for 82% of the second billion subscribers.”[10]
Research in this area is important, because of this ever
increasing and very wide spread use of mobile phones and
mobile communication including average mobile phones,
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies
are not made or distributed for profit or commercial advantage and that
copies bear this notice and the full citation on the first page. To copy otherwise,
or republish, to post on servers or to redistribute to lists, requires
prior specific permission and/or a fee.
14 th <strong>Twente</strong> <strong>Student</strong> <strong>Conference</strong> on IT January 21 st , 2011, Enschede,
The Netherlands.
Copyright 2011, University of <strong>Twente</strong>, Faculty of Electrical Engineering,
Mathematics and Computer Science.
smart phones etc.. In today’s world it is even possible to
buy your train tickets via your mobile phone or to do online
banking and TAN generation, so there is not just the
money involved you need to pay for your phone calls, but
also for all these different things. Another aspect is, that
in general people value their privacy. As a result of this
a user does not want another person to be able to eavesdrop
on their private conversations and SMS. Therefore
it is obvious, that <strong>security</strong> in cellular networks is a very
important issue, that just becomes even more important.
There are different <strong>security</strong> mechanisms involved, when
dealing with the <strong>security</strong> of mobile phones. First of all,
there is the <strong>security</strong> of the radio communication between
the mobile phone and the base station and a second thing
is the <strong>security</strong>, of the SIM-card itself and the key stored
on it.
<strong>GSM</strong> itself can use different encryption algorithms, of which
several are already broken and therefore not really secure,
as can be seen in the related work part of this paper. The
old A5/2 encryption algorithm has even been discouraged
from being implemented in mobile devices as of the 1 st
July of 2006.
But in this paper we are not going to discuss the topic
and possibilities of copying a SIM-card. Instead of this we
are focusing on the <strong>security</strong> of the radio communication
itself, because it is much easier to passively listen to radio
communication than getting your hands on mobile devices
without getting noticed. The method of listening to the
radio communication instead of cloning SIM-cards is also
more likely to be used in the real world, because it is by
far easier to just listen to a wide variety of phone traffic
than one imagines, as this paper will show.
If someone wants to listen to somebody else’s mobile communication,
there are different ways to achieve that goal.
First of all, one can try to break the encryption used between
the mobile phone and the <strong>GSM</strong> network.
A second possibility is to set up a fake base station. Using
your own base station enables you, once a mobile device
connects to it, to actively choose which encryption is used
while that phone is connected to that specific base station.
1
The main focus of the research in this paper will be the
practicality of the first kind of attack on <strong>GSM</strong>, thus the
decryption of <strong>GSM</strong> traffic.
The paper starts with the research questions we intended
to address, after that it gives a brief overview of the <strong>GSM</strong>
1 The different encryption techniques can be found in the
part on <strong>GSM</strong> <strong>security</strong> architecture.

Figure 1. basic <strong>GSM</strong> architecture, found on
http://www.privateline.com/PCS/<strong>GSM</strong>/tarch6a.gif
architecture. With that knowledge in mind we describe
the current related work and building on top of this new
knowledge we introduce possible attacks on the <strong>GSM</strong> communication,
which allows malevolent people to listen to
the private conversations of others. After that we give a
overview over the tests we tried to do in order to show,
how simple or complex it might be to eavesdrop on <strong>GSM</strong>
communication. Finally we conclude our paper by answering
the research questions and giving a conclusion on the
overall <strong>security</strong> of <strong>GSM</strong>.
2. RESEARCH QUESTIONS
The research questions for this paper are the following:
1. What is the current state of the safety of the <strong>GSM</strong>
algorithms
2. How much effort does it take to break current <strong>GSM</strong>
<strong>security</strong>(and to listen to a phone call or intercept an
SMS for example)
3. Is it possible to decrypt a phone call with the current
commodity hardware and available (open source) software
4. If so, is the decryption taking place in ”real-time” or
something close to it, or does it take several minutes
or even hours
5. Is UMTS equally vulnerable or are the <strong>security</strong> features
and algorithms used better
3. <strong>GSM</strong> SECURITY ARCHITECTURE
The <strong>GSM</strong> architecture can be divided into three parts,
the mobile station, the Base Station Subsystem and the
Network Subsystem.
• The mobile station contains the SIM-card, which is
necessary to identify the user to the network.
• The Base Station Subsystem is in charge of the radio
link with the mobile device and has a lot of rights
from the perspective of the mobile device (more on
this in the part on attacks against <strong>GSM</strong> communication).
• ”The Network Subsystem performs the switching of
calls between mobile users and between mobile and
fixed network”[12] and contains the hardware necessary
to authenticate users in the network.
This architecture can be seen in figure 1.
After a channel between the Base Station Subsystem and
the mobile device is established, the device sends its TIMSI
or IMSI to the network to make its identity know. Preferably
the TIMSI is used for this, because it is enhancing
the privacy of the system. After that the authentication
of the mobile device starts, with the network sending a
random challenge (RAND) to the mobile device.
This RAND is used by the mobile device in conjunction
with the secret key, which is stored on the SIM, to calculate
a result. After calculating the result, it is sent back
to the network. Meanwhile the network has calculated
the response as well, because it also knows the secret key,
which is stored in its AuC. If the response send by the device
matches the one calculated by the network, the device
is successfully authenticated to the network, otherwise the
authentication is rejected and the device can not connect.
In <strong>GSM</strong> there is no authentication in the reverse direction(from
network to mobile device).
There are essentially 4 different algorithms possible to use
to secure <strong>GSM</strong> communication. These are called A5/0 up
to A5/3, of those 4 algorithms one does not offer any encryption
at all, one is discouraged to be used, and therefore
should not be encountered when monitoring <strong>GSM</strong> communication.
The other 2 algorithms are the ones mainly used
today.
Below you will find a short, general and historical overview
over the <strong>GSM</strong> algorithms, their <strong>security</strong> is evaluated in the
part on related work.
3.1 A5/0
When this encryption cipher is chosen, the communication
between BSS and mobile device is not encrypted at all.
3.2 A5/1
This is the most widely used algorithm, and also the main
focus of current research and therefore also the main focus
of this paper. This algorithm is a stream cipher developed
in 1987.
3.3 A5/2
This is a weak encryption algorithm, which has been discouraged
from being used. It took actually quite along
time to phase out of this. The <strong>GSM</strong>A itself stated in a
meeting on the 12 th of September 2006:
”The risk of operators continuing to demand
A5/2 device support stems from the possibility
that some operators may not upgrade their
networks to support stronger algorithms in a
timely manner. The emergence of devices without
A5/2 support will mean that encryption
will not be possible on networks that have not
upgraded their BSS infrastructure to support
A5/1 and/or A5/3. However, because of the
nature of the attack, and the fact that A5/2
does not offer a higher level of protection than
A5/0, it is deemed preferable that these networks
run with no encryption rather than use
the compromised A5/2 protocol.”[2]
This actually shows how weak they themselves deemed the
<strong>security</strong> of this algorithm, which was actually designed to
be weak. The A5/2 algorithm is also a stream cipher,
which was developed a little while after A5/1 as a deliberately
weakened version of it, due to export restrictions
on cryptography.

3.4 A5/3
This is an algorithm called KASUMI, which is a block cipher
instead of a stream cipher. KASUMI has already
been specified in 2002[1], but interestingly enough, the
<strong>GSM</strong>A was still discussing how to test A5/3 in 2009 ”Recent
joint meetings with the Mobile Manufacturers (EICTA)
had discussed forthcoming tests to check A5/3 functions”.
[3] Later that year ”Successful tests were made on A5/3
enabled BTS equipment in Switzerland, with 10 handsets
from 7 manufacturers being tested on a live network.”[4]
So it took them 7 years to test the A5/3 algorithm and
hardware, which is not really fast. We expect that after
these successful test, this algorithm will be more and more
become the standard algorithm, as it is also used in UMTS
and GPRS and because it is a more secure algorithm compared
to A5/1.
Most <strong>GSM</strong> networks also use frequency hopping, which
makes it harder to follow the signal, but if one has a good
enough hardware, it is even possible to monitor the whole
frequency band at the same time, and thus there is no
problem any more.
4. RELATED WORK
In their text ”A Man-in-the-Middle Attack on UMTS”[15]
Ulrike Meyer and Susanne Wetzel describe an attack on
the cellular network, because of the interoperability of
<strong>GSM</strong> and UMTS. Such an attack is possible, because current
mobile phones need to work in both networks, that is
due to the fact that <strong>GSM</strong> is a lot better deployed than the
UMTS network. The phones’ communication can be attacked
when it uses <strong>GSM</strong>, which it will do, if the <strong>GSM</strong> antenna
receives a stronger signal than the UMTS antenna.
This is a problem due to backwards compatibility. This
backwards compatibility exists, because there still is no
UMTS connectivity everywhere, so <strong>GSM</strong> can be used as a
fall back if UMTS is not available.
This reminds of weaknesses in software development, which
appear due to the interoperability of new and old software
and the backwards compatibility of newer software, which
compromises the whole <strong>security</strong> concept of the newer system,
because the old one is still there and attackable.
In [7] Barkan et al. describe A5/2 and give a general
<strong>GSM</strong> <strong>security</strong> background. They also describe an attack
on A5/2 and specify how it is possible to use this attack
to even attack A5/1 and A5/3. This attack can also be
used against A5/1 and A5/3 due to fact that all these encryption
methods use the same key. Therefore an attacker
is able to break A5/3 or can impersonate a cell phone to
a base station, if he manages to get the real phone to use
A5/2. After that he can capture the phone call and use
this data to derive the A5/2 key.
Biryukov et al. describe a possible attack on the A5/1 algorithm
in their paper ”Real Time Cryptanalysis of A5/1
on a PC”[5] presented during the Fast Software Encryption
Workshop in 2000. The attack is based on a reverse
engineered version of the A5/1 algorithm, this stream cipher
is also explained in this paper.
In his presentation during the BlackHat conference in 2010[11],
Karsten Nohl presented the state of the art of cracking
the A5/1 encryption and discussed how his implementation
worked, using rainbow tables to use less storage space
and computing everything using multiple GPUs. The conclusion
of this presentation is, that it is possible to break
A5/1 on commodity hardware, if all the optimizations he
presented are used.
In [13] Dunkelman, Shamir and Keller show that they can
break KASUMI (the A5/3 algorithm), which is a variation
of MISTY, with a related key attack and a PC. Therefore
they conclude that the changes made to move ”from
MISTY to KASUMI resulted in a much weaker cryptosystem.”[13]
They conclude by saying that this attack may
”not be applicable to the specific way in which KASUMI
is used as the A5/3 encryption algorithm”, because ”the
new attack uses both related keys and chosen messages”.
This leads to the conclusion, that cell phones should only
use A5/3 even though it is not completely secure and a
new algorithm should be chosen.
The reason to use A5/3 is, that even if you use A5/1, it is
probably possible to derive the key using Karsten Nohl’s
rainbow tables. Once the key is derived all communication
can be broken, because man-in-the-middle attacks are
possible against all algorithms if one is in possession of the
key. The issue here is is, that all of the encryption algorithms
use the same key. The attacker just has to get
a legitimate key by convincing the phone to use A5/1 or
even better A5/2 for a short amount of time.
Furthermore there is the chance, that even more weaknesses
will be found in KASUMI, due to the changes made
by the <strong>GSM</strong> Association. Another possibility is that a better
way to exploit the current weaknesses of KASUMI may
be found, because it already shows first weaknesses. As a
result of this KASUMI might become breakable, which has
already happened to A5/1 and A5/2.
5. ATTACKS ON <strong>GSM</strong> COMMUNICATION
Based on the related work, we are going to describe possible
attacks in more detail in this part of our paper.
There are different possibilities to decrypt <strong>GSM</strong> communication
if one chooses to do so.
5.1 Cloning the SIM-card
This attack can be characterized as a more active attack,
because the attacker needs to either get his hands on the
mobile device to clone the SIM-card or to get the data
from the AuC servers of the users network operator.
With that data, the users key and IMSI, the attacker is in
state to listen to the users communication, because once
he managed to eavesdrop on the initial connection establishment
between mobile device and BSS he knows the
RAND and can thus calculate the session key, using the
stolen secret key.
Due to the fact that the authentication works based on a
pre-shared key, which is on the SIM-card and a challengeresponse
based on that very key and on a plain-text RAND
challenge, an attacker could even impersonate another person,
if he manages to get that key.
5.2 Passive capturing packets
This attack is a passive way of listening too someone’s call
and was intended to be the main concern of this paper,
but due to the problems we encountered while trying to
set up the hard- and software for our tests, we did not
manage to execute this attack ourself.
As we describe this way of eavesdropping in a more detailed
way in the section Test environment, this will only
be a short overview.
This attack works against A5/1 and A5/2. A5/3 is currently
to strong for this kind of passive attack.

During his talk on the 27C3 2 Karsten Nohl has shown, that
this attack can even be executed using 2 old Motorola mobile
phones. The phone costs were approximately 10 Euro
each, with the need of two phones.
For this to work Karsten Nohl and Sylvain Munaut upgraded
the phones to Open Source firmware using OsmocommBB
software. To demonstrate this technique they
called themselves during the presentation and used these
patched phones to demonstrate a live decryption of their
phone call. 3
5.3 Fake base station
Once someone uses a fake base station, his possibilities to
attack become even more potent.
A fake base station enables the attacker to choose which
cipher is used during the communication and therefore to
choose weaker or none encryption at all. To achieve this
the user needs to connect to the fake station, but this
is easily done, as Chris Paget points out in his talk during
Defcon 18[6]. The reason, that convincing the phone
to connect to the fake station is easy, is: essentially the
phone tries to connect to the strongest signal. This might
in reality be the real base station or the fake one. But
according to Paget the base station can transmit a signal
telling the mobile phone, that the station’s signal is
stronger than it is in reality and the phone believes this
without doubt. 4
So one can convince the phone to use no encryption and
thus go for a man-in-the-middle attack, but this also enables
an attacker to break the strong A5/3 cipher, which
can be seen in figure 2.
This attack works as follows:
1. The eavesdropper captures a A5/3 encrypted call,
including the initial RAND.
2. The attacker uses his fake base station to ask the
users phone to reuse the same RAND with the weak
A5/1 cipher.
3. The attacker uses Nohl’s rainbow-tables, which are
downloadable via bit-torrent, to derive the key and
finally uses that key to decrypt the first call, which
was A5/3 encrypted.
The reason this works is, that it is simple to capture the
RAND and that all the encryption algorithms on a mobile
phone use the same secret key and they always use
the same algorithm to determine what the temporary key
is. And the temporary key is solely based on the secret
key and the RAND. Furthermore the software necessary
to execute this attack is already readily available as Open
Source Software.
The downside of this attack is, that it is an active attack
and as such might be noticed. But on the other hand it
enables the attacker to even break A5/3.
6. TEST ENVIRONMENT
Setting up the hardware for this task proofed significantly
easier than managing to install and run the necessary
hardware drivers and the rest of the software.
2 27 th Chaos Communication Congress
3 the slides can be found via [14] and the videos can be
found via media.ccc.de
4 This has to do with the fact that the network does not
need to identify itself to the mobile devices.
Figure 2. Picture of a way to decipher a A5/3 call,
from Karsten Nohl during 26C3
6.1 Hardware
For the evaluation in this paper we used special hardware,
developed by Ettus Research 5 , which is called USRP (Universal
Software Radio Peripheral). The USRP is a small
device, which is just a little bigger than an average 3,5”
external HDD.
For our research we used a USRP version 1, the device
is equipped with the DBSRX1 daughterboard, which allows
the USRP to receive signals from 800 MHz up to 2.4
GHz. Due to the fact, that <strong>GSM</strong> in Europe uses frequencies
around 900 MHz and 1.8 GHz this should be sufficient
for the tests. The used antenna can receive signals from
900 MHz up to 2.6 GHz.
The USRP1 has to be connected to a computer, which is
simple to do, because it is done via a USB-cable.
After attaching the DBSRX board to the USRP1, closing
the USRP, connecting the antenna to the USRP and
finally connecting the USRP to the computer, the hardware
was already set up.
6.2 Software
The programs used for this research are called Airprobe 6
and GNU Radio 7 , which are completely Open Source.
GNU Radio is a SDR (Software Defined Radio) As with
all software-defined radio systems, reconfigurability is the
key feature. Instead of purchasing multiple expensive radios,
a single more generic radio is purchased, which feeds
into powerful signal processing software (GNU Radio, in
this case). ”As with all software-defined radio systems,
reconfigurability is the key feature. Instead of purchasing
multiple expensive radios, a single more generic radio
is purchased, which feeds into powerful signal processing
software (GNU Radio, in this case).” 8 Due to the computers
we had at hand, we first decided to use this software
on Windows, but during this we encountered a couple of
problems and thus decided to do the rest of the research
using Ubuntu 10.10 (more on the problems can be found
in the problem subsection).
The installation of GNU Radio on Ubuntu was fast and
easy, because there are packages included in the Ubuntu
sources since version 9.04 of Ubuntu 9 . These packages are
easy to install via the standard package managing software
usable in Ubuntu, such as Synaptic or apt-get.
That makes the step of installing GNU Radio a lot easier
5 www.ettus.com
6 www.airprobe.org
7 www.gnuradio.org
8 from http : //en.wikipedia.org/wiki/GNU Radio
9 Version 3.2 of GNU Radio

and a lot faster, because there is no longer the need to
compile everything on your own machine. So all in all the
Hardware was easier to setup than the software to install.
For the purpose of our tests we decided to use the newest
version of GNU Radio, which is version 3.30. On a Windows
system, there are essentially two ways to install GNU
Radio. Both of them are based upon installing a Unix like
environment.
The first program is Cygwin, which failed during the make
process of the software, due to not being able to find some
files.
The second software is MinGw together with the MSYS
shell, which had more initial problems than Cygwin, but
with which it was finally possible to compile GNU Radio
and the USRP drivers for Windows.
Through the combination of these programs, it is possible
to grab the data packages of a phone call and to break the
A5/1 algorithm using the Kraken software and its rainbow
tables. The data passed from Airprobe to the Kraken program
is analysed using rainbow tables to finally derive the
encryption key of the communication. Using this key it
is possible to decrypt the communication itself and thus
listen to the phone call or reading the SMS sent.
6.3 Problems
We encountered different problems during the installation
of the software and first initial tests. On the used operating
systems, we faced diverse problems, some of which we
managed to solve others we could not solve.
This part is split in a sub-part concerning Windows errors
and another concerning problems encountered when using
Ubuntu. At first we used Windows, but after we faced the
problems mentioned bellow we decided to conduct our further
research using Ubuntu, which unfortunately resulted
in a different set of problems we could not solve either.
6.3.1 Windows
During the installation of the software and first initial
tests, we encountered a couple of problems. These problems
did mainly occur on our Windows XP machine, which
we initially used to set up the software.
The compile problems we faced using MinGw with MSYS
could be solved by adding a few ”#include” commands to
different parts of the program code. Furthermore we had
to explicitly add the lpthread library to FFTW 10 while
configuring it, otherwise it would not work and without
this working it was not possible to build the GNU Radio
software itself. For making the USRP Windows driver a
software called SDCC was necessary 11 . At first we just
used the newest version of the software, available from the
software’s homepage, but this resulted in errors, because
the new version used a different naming scheme for the files
installed. This different naming system resulted in GNU
Radio not finding the necessary files to build the USRP
Windows driver. Therefore we used an older version of the
program 12 .
After connecting the USRP to our Windows machine and
successfully installing the Driver, we tried running a few
test Python scripts, which were included in the GNU Radio
software. Sadly these tests failed, with the error message
that the computer is unable to write to the USRP
device. From this we concluded that there might be a
10 ”FFTW is a C subroutine library for computing the discrete
Fourier transform” take from www.fftw.org
11 SDCC (Small Device C Compiler) is a C compiler, which
can build programs for different microprocessors.
12 2.9 instead of 3.0
problem with the driver, even though it compiled without
error messages, or that the USRP itself might have a defect.
This seems to be a problem of the Windows driver as
the USRP seems to work under Ubuntu using GNU Radio.
Despite that problem we tried to install Airprobe on Windows
as well, because GNU Radio compiled. But here we
encountered problems even earlier than during our later
tests using Ubuntu. Some problems occurred due to the
difference in the Windows and Unix linefeed, as well as a
couple of missing header files and again missing ”#include”
commands in the source code.
6.3.2 Ubuntu
Setting up GNU Radio on Ubuntu was an easy task due
to the readily available packages, which just had to be installed.
This was a lot easier and faster installation than
the one on Windows, because we did not even need to
compile our own software.
As for Airprobe, we followed the build instructions, which
do not mention, which packages are necessary to install
the software, but after some testing we found out, that
autoconf, automake, libpcap and a couple of other packages
are necessary to build the software.
Unfortunately we encountered a segmentation fault, when
trying to use Airprobe with sample data provided by the
software’s homepage. This error seems to be related to a
problem using the Python GTK interface. Up until now
there has been no reaction to a post on the mailing-list as
well as a new error report on the projects homepage.
7. DISCUSSION
As the tests with the hardware were more complex than
anticipated, especially those huge software problems were
unexpected, this part is going to focus more on the recent
developments in the related work and on the theoretical
attacks and weaknesses of the <strong>GSM</strong> <strong>security</strong> architecture
and algorithms.
After giving this overview of how <strong>GSM</strong> <strong>security</strong> works,
what the current state of the art is and describing possible
attack scenarios, we are going to explicitly answer the
research questions now.
What is the current state of the safety of the <strong>GSM</strong>
algorithms
The answer to this question has to be divided into two
parts, as there is a difference between active and passive
attacks.
For passive attacks A5/3 is still save and the rest of the
algorithms is broken.
Using active attacks it is even possible to break A5/3 as
can be seen in the section on attacks on <strong>GSM</strong> communication.
How much effort does it take to break current
<strong>GSM</strong> <strong>security</strong>(and to listen to a phone call or intercept
an SMS for example)
Once the attacker manages to really set up the hardware
and software in a working manner, the effort is negligible,
as can be seen by the demonstration of Karsten Nohl and
Sylvain Munaut during the 27C3. As both the call and
the SMS use the same encryption algorithm, there is not
really a difference in the <strong>security</strong> of both.
Is it possible to decrypt a phone call with the
current commodity hardware and available (open
source) software

This is possible as well, as all the software mentioned in
this paper is Open Source Software(Airprobe, GNU Radio,
OsmocommBB, etc.). And it even works on commodity
hardware, because Sylvain Munaut and Karsten Nohl just
used a normal laptop to decrypt their call, so the attacker
does not even need a fast pc.
If so, is the decryption taking place in ”real-time”
or something close to it, or does it take several
minutes or even hours
This has to be split into two parts again, the A5/1 decryption
using Karsten Nohl’s rainbow tables is pretty close
to real-time, because it can calculate the key during or
shortly after the call.
The attack on A5/3 using a fake base station takes longer,
because after the initial call is completed, the mobile device
needs to connect to the fake base station first to do
the authentication procedure using the same RAND but
the weaker A5/1 algorithm.
Is UMTS equally vulnerable or are the <strong>security</strong>
features and algorithms used better
The UMTS <strong>security</strong> is better as it has a longer authentication
key, but more importantly UMTS uses mutual authentication,
thus the network identifies itself to the mobile
user, which does not happen in <strong>GSM</strong> and the user
authenticates himself to the network. But a problem is,
that the user does not have a guaranteed UMTS connection
and there are not a lot of mobile phones, which give
the user the opportunity to choose that he wants to only
connect to UMTS networks. And due to the possibility of
the attacker using a fake base station he can convince the
mobile phone that his signal is stronger, which will eventually
result in the phone connecting to that fake station.
If this fake base station than decides to not use UMTS,
but to use <strong>GSM</strong> instead, most mobile phones will switch to
<strong>GSM</strong> and thus be vulnerable again. The same thing happens
if there are just legitimate <strong>GSM</strong> and UMTS base stations
in the vicinity and the <strong>GSM</strong> signal is stronger than
the UMTS signal, when that happens the mobile phone
will switch to <strong>GSM</strong> even without the need of a fake base
station.
7.1 Possible <strong>security</strong> enhancements
• A more regular change of the session key, which gives
the attacker less known data.
• Randomization of control message padding, which
significantly reduces the known text in these messages.
According to [14], this was already specified
in 2008 and should thus ”be implemented with high
priority”.
• Switching to UMTS so that the network has to authenticate
itself or update <strong>GSM</strong> in such a way that it
can authenticate itself, which both is not very likely,
because it is expensive and time consuming.
• Regular changes of the TMSI, such that it is harder
to follow a specific mobile phone’s communication.
• On modern mobile phones, the user could install
software to additionally encrypt his calls, but this
requires both sides of the call to use that additional
encryption software.
• A system to easily upgrade the encryption algorithm
and other <strong>security</strong> features would also be nice to
have.
8. CONCLUSION
All in all one can say that the current <strong>security</strong> systems
of <strong>GSM</strong> are flawed and need to be changed. It can be
seen that the <strong>GSM</strong>A itself knows about a lot, if not all
of the problems, but the organization is slow to adopt to
the problems at hand, which becomes obvious by the fact
that it took them 7 years to test A5/3, close to 12 years
to address COMP128 problems etc.
In its current state <strong>GSM</strong> should be treated as an insecure
channel, comparable to today’s internet, therefore one
should be careful about which data is sent via <strong>GSM</strong> and
which should not be send or which should just be send
taking additional <strong>security</strong> measures.
9. REFERENCES
[1] 3GPP. Specification of the A5/3 Encryption
Algorithms for <strong>GSM</strong> and ECSD, and the GEA3
Encryption Algorithm for GPRS. Website of the
<strong>GSM</strong>A, 2002.
http://www.gsmworld.com/documents/
design evaluation report.pdf.
[2] 3GPP. Withdrawal of a5/2 from handsets deadline.
Website of 3GPP, 9 2006.
http://www.3gpp.org/ftp/tsg sa/
wg3 <strong>security</strong>/TSGS3 45 Ashburn/Docs/S3-
060751.zip.
[3] 3GPP. Final meeting report for 3gpp wg sa3
meeting: 54. Website of 3GPP, 2009.
http : //www.3gpp.org/ftp/tsg sa/W G3 Security/
TSGS3 54 Florence/Report/
SA354 final meeting report v002.doc.
[4] 3GPP. FINAL Meeting Report for TSG SA WG3
meeting: 57. Website of 3GPP, 11 2009.
http : //www.3gpp.org/ftp/tsg sa/W G3 Security/
T SGS3 57 Dublin/Report/F INALMeetingReport SA3 57.zip.
[5] Alex Biryukov, Adi Shamir and David Wagner. Real
Time Cryptanalysis of A5/1 on a PC. Fast Software
Encryption Workshop, 2000.
[6] Chris Paget. Practical Cellphone Spying. In Defcon
18, 2010.
[7] Elad Barkan, Eli Biham, Nathan Keller. Instant
Ciphertext-Only Cryptanalysis of <strong>GSM</strong> Encrypted
Communication. 2003.
http://cryptome.org/gsm-crack-bbk.pdf.
[8] Elena Balan. 2.5 Billion <strong>GSM</strong> Global Subscribers.
Website, 06 2007. http://news.softpedia.com/news/

2-5-Billion-<strong>GSM</strong>-Global-Subscribers-56848.shtml,
visited 24.09.10.
[9] emory.edu. History and Timeline of <strong>GSM</strong>. Website
of emory.edu, http://www.emory.edu/BUSINESS/
et/P98/gsm/history.html, visited on 24.09.10.
[10] <strong>GSM</strong>A. <strong>GSM</strong> mobile phone technology adds another
billion connections in just 30 months. Website of the
<strong>GSM</strong>A, 06 2006.
http://www.gsmworld.com/newsroom/pressreleases/2047.htm,
visited on
25.09.10.
[11] Karsten Nohl. Attacking phone privacy. In
BlackHat, 2010.
[12] Levent Ertaul, Basar Kasim. <strong>GSM</strong> Security. In
Proceedings of the 2005 International <strong>Conference</strong> on
Wireless Networks, June 2005. via
http://www.mcs.csueastbay.edu/ lertaul/ICW3016.pdf.
[13] Orr Dunkelman and Nathan Keller and Adi Shamir.
A Practical-Time Attack on the A5/3 Cryptosystem
Used in Third Generation <strong>GSM</strong> Telephony.
Cryptology ePrint Archive, Report 2010/013, 2010.
http://eprint.iacr.org/ part of CRYPTO2010.
[14] Sylvain Munaut, Karsten Nohl. Wideband gsm
sniffing. 2010. https://events.ccc.de/congress/2010/
Fahrplan/attachments/1783 101228.27C3.<strong>GSM</strong>-
Sniffing.Nohl Munaut.pdf.
[15] Ulrike Meyer, Susanne Wetzel. A manin-the-Middle
Attack on UMTS. ACM Workshop on
Wireless Security, 2004.
APPENDIX
A. GLOSSARY
• A5/0,1,2,3: the encryption algorithms used for <strong>GSM</strong>
communication
• MS: Mobile Station, the Mobile Station consists of
the mobile equipment (subsequently called mobile device
or mobile phone) and the SIM-card
• BSS: Base Station Subsystem, responsible for handling
traffic between the mobile device and the network
switching subsystem
• IMSI: International Mobile Subscriber Identity used
to uniquely identify a user
• TIMSI: temporary identification used instead of IMSI
for privacy reasons
• SIM: The Subscriber Identity Module contains a unique
key, a microprocessor and an IMSI to generate the
temporary keys used in <strong>GSM</strong> and to authenticate the
user to the network.
• AuC: Stores all the keys of provider
• rainbow-tables: a precomputed lookup table offering
a time-memory tradeoff used (in this case)to recover
the session key