GSM Cloning

History: On April 13, 1998, the Smartcard Developer Association and the ISAAC security research group announced a flaw in the authentication codes found in digital GSM cellphones. This allows an attacker with physical access to a target phone to make an exact duplicate (a ``clone'') and to make fraudulent calls billed to the target user's account.

At the time of the announcement, we published an overview of our results, including some detailed technical information. (Note that some of this information, specifically regarding the possibility of over-the-air cloning, is now outdated. See below for more discussion.)

Press coverage: The Los Angeles Times [local copy]; The New York Times; The Associated Press; The Wall Street Journal; USA Today; Wired News; Time daily; Time magazine; The Netly News; CNN; ABC News; Wireless Daily News [local copy]; The Daily Californian.

Readers of the scard mailing list have pointed out that, in Europe, one can anonymously rent GSM cellphones quite cheaply. The prospect of those phones getting cloned is a bit worrisome.

One year later: Sadly, the GSM industry does not seem to have learned the important lesson here: `security through obscurity doesn't work'. The GSM MoU still has not recognized the dangers inherent in a secret design process; they have not opened up the design to public review, and in fact they apparently will be designing the next-generation GSM standard again using this flawed design process. With this decision, we can only expect that further flaws will be discovered in the future. I remain sharply critical of the GSM industry's approach to cryptographic design: it is, in my opinion, irresponsible to consumers and poor scientific practice to boot.

Note that the other major players in this arena have already moved to open design processes. This includes the next-generation AES standard process being shepherded by the US government, as well as the US cellular industry. The US cellular industry is an interesting case study: initially they used closed design, but after several of their cryptographic algorithms were rapidly broken by cryptographers in the open research community, to their credit they quickly moved to an open design process. The GSM industry seems slower to catch on.

Soon after our announcement, the Los Angeles Times reported that Omnipoint will change its authentication codes in response to the break, and they quote a CTIA spokesman as saying that other GSM providers are expected to follow suit. One year later, the "fixed" algorithms still remain unpublished, and I am disappointed to report that the GSM industry continues to ignore us and the rest of the expertise vested in the open scientific community. (If anyone can suggest a conduit into the GSM MoU so that we can work with them if we discover any future flaws, I'd love to hear from you.)

Over-the-air cloning: In our original announcement, we noted that we could not rule out the possibility of over-the-air attacks, but we emphasized that we had not demonstrated such an attack. At that time, we did not provide any further analysis on the resources required to mount an over-the-air attack. There was, for obvious reasons, considerable interest in the possibility of over-the-air attacks, and we had reason to suspect they might be possible, but we wanted to be extremely conservative in reporting only what we knew for certain was exploitable. That viewpoint is probably now best regarded as outdated.

Since then, extensive conversations with many knowledgeable GSM engineers has caused us to conclude that over-the-air attacks must be considered available to the sophisticated attacker in practice. We still have not attempted to build a laboratory demonstration (it would apparently be illegal to do this type of research under US law), but the GSM experts we've spoken with have confirmed that it should be possible and practical to do so. They have reported that a number of aspects of the GSM protocols combine to make it possible to mount the mathematical chosen-input attack on COMP128, if one can build a fake base station. Such a fake base station does not need to support the full GSM protocol, and it may be possible to build one with an investment of approximately $10k.

Some technical expertise is probably required to pull off the over-the-air cloning attack, and the attack requires over-the-air access to the target handset for a relatively long period of time. Therefore, this may be considered a lower level of risk than that found in old US analog systems with no authentication at all. Nonetheless, please note that it would be a mistake to underestimate the technical sophistication or the financial resources of some of today's attackers: some of them are surprisingly well-positioned to mount even relatively sophisticated and costly attacks. Therefore, we feel that the new information provides evidence that over-the-air cloning must be considered a very real threat which should not be ignored.

Primary sources: For the mathematicians and cryptographers: It seems that the COMP128 algorithm has leaked abroad to this web site (see also, e.g., here). (I was emailed this information just a day after the announcement of our results. It wasn't me; I didn't leak or export the information.) And the leaked GSM document specifying COMP128 is also available on the net, thanks to John Young.

For reference, the press release we sent out is available here. To contact the SDA, call 925-798-4042, or email Marc Briceno; to contact the ISAAC group, call 510-643-9435, or email David Wagner or Ian Goldberg.

The Cellular Telecommunications Industry Association (a US cellphone industry consortium) has issued a press release [local copy] on the subject. And the GSM industry released a press release [local copy] of their own which is also worth reading.

Also, Crossbar Security, Inc. has issued a press release where they report independent verification of our technical results. (We are not affiliated with Crossbar Security.)

Web page maintained by David Wagner on behalf of the SDA and ISAAC.