IP: GSM Interception

[Dave Farber <farber () cis upenn edu>]

> Date: Wed, 23 Jun 1999 14:32:49 -0700
> From: Babu Mengelepouti <dialtone () vcn bc ca>
>
>
>
> Well, it is only a matter of time before any system gets cracked.  And
> the first one to sell a device gets the biggest markup!
>
>
>   Subject: GSM Cellular Phones Increasingly Unreliable   
>   From Intelligence Newsletter, 06/10/99
>
> Over the past six months a roaring trade has sprung up on back-street
> markets for equipment to intercept cellular telephone calls that had
> once been reserved for government intelligence and law enforcement
> agencies. The risk that GSM networks are being broken into for
> espionage purposes with widely-available equipment and modest skills
> is now very real.
>
> Intelligence Newsletter has been able to identify web sites that sell
> interception equipment by mail-order. Elsewhere, components required
> to manufacture such devices are to be found in many electronics stores
> in Europe and the United States. The industry itself has pointed the
> way. We have obtained a leaflet from the British company G-Com Tech
> which provides a detailed rundown of the GSTA-1400 system. The firm
> describes the system, reserved for governments, as one of the best
> "official" devices to record GSM communications at a cost of between
> $245,000 and $327,000 depending on the model.
>
> Systems sold on the black market run along the same lines as such
> products, and sometimes simply copy them. The system consists
> invariably of a portable computer equipped with deciphering software
> connected to a GSM or fixed 2Mbits/second telephone. Tracking the
> target line with a clone of its SIM (Subscriber Identification
> Module), the system can usually decipher the signal in just 2.5
> minutes.  The breakthrough came in April, 1998 when two researchers
> from the University of Berkley in California demonstrated it was
> possible to clone a SIM card. David Wagner and Ian Goldberg, who both
> belong to the Internet Security Applications Authentification and
> Cryptography Group (ISAAC), carried out a successful series of attacks
> against the Comp128 algorithm.
>
> The latter forms the basis of algorithms created by the manufacturers
> of GSM, the A3 and A8, which encrypt information contained inside a
> SIM card. According to the American Smartcard Developers Association
> (SDA) the system developed by Wagner and Goldberg can turn out cloned
> cards that GSM operators can't distinguish from real ones. At the same
> time, the SDA identified a partial flaw in the symmetric-type A5
> algorithm which protects data transmission between the operator and
> user. According to SDA director Marc Briceno, although A5 has a 64 bit
> key only 54 are actually used, probably to facilitate eavesdropping by
> an intelligence agency.
>
> Late last December in Berlin an experimental system devised by
> "private researchers" was presented to a conference of hackers
> belonging to the Chaos Computer Club (CCC). It took advantage of flaws
> in the A3,A5 and A8 algorithms to conduct interceptions. Since then a
> number of make-shift versions have made their way to the public,
> mainly through the Internet. According to a military intelligence
> specialist, the system aims initially to intercept a call by
> electromagnetic wave to record the authentification information each
> cellular phone sends to its operator when switched on. Next, the
> deciphering software allows the user to read the targeted line's SIM
> card. Subsequently a clone is made with a Smartcard Reader Writer, a
> smart-card manufacturing machine sold on the open market.
>
> Some illicit cloning systems even use special Smartcartd Reader
> Writers that can reproduce the 30 smart card standards that exist in
> the world and are used, for instance, to make bank cards.  Once the
> SIM card has been cloned the system detects and monitors communications
> in real time without -- theoretically -- the operator or user knowing
> about it. The fact that encryption used in GSM is relatively easy to
> crack has obviously contributed to the upsurge in cloning. But
> electronics stores that sell devices that read and reproduce cards
> have also played a part in the rise of such systems. Some companies
> have sized up the danger that cloning represents to the market and are
> preparing new products. For one, the Schlumberger group's R&D division
> is currently working on making a more tamper-proof SIM card.