For release not to precede 1998 April 13, Monday
San Francisco, Monday, 13 April 1998. The Smartcard Developer Association (SDA) and two U.C. Berkeley researchers jointly announced today that digital GSM cellphones are susceptible to cloning, contrary to the belief of even the telecommunication providers that have fielded them. GSM (Groupe Speciale Mobile) is the most widely used cellphone standard in the world, with more than 79 million GSM phones in use worldwide. In contrast, there are about 58 million U.S cellphone users of all kinds both analog and digital, including some GSM.
The SDA became involved with GSM security because GSM phones have a small smartcard inside them which holds the identity of the cellphone. This small smartcard is called a SIM, for Subscriber Identification Module. The SIM must keep the identity inside a secret and uses cryptography to protect it. The SDA has organized and coordinated the activities leading to a breach in the cryptographic protection. The breach allows the extraction of the secret inside the SIM, after which the secret may be inserted into a different SIM. A cellphone with the new SIM has the same identity as the original phone.
The GSM standard was designed by an association of European cellular network operators and equipment manufacturers. The cryptographic protection is but a small part of the 130 volumes and over 6,000 pages which make up the GSM standard. Unfortunately, the cryptography was designed in secret and is still kept secret, provided to individuals at smartcard and cellphone manufacturers on a ``need-to-know'' basis.
``As shown so many times in the past, a design process conducted in secret and without public review will invariably lead to an insecure system,'' says Marc Briceno, Director of the SDA. ``Here we have yet another example of how security by obscurity is no security at all.''
The origin of the breach was when the SDA discovered the cryptographic algorithms used inside the SIM's and cellphones. The SDA first verified that the algorithms were accurate. The exact details of the algorithms were not known to the public but the verified algorithms matched the facts that were publicly known. Next the SDA brought in David Wagner and Ian Goldberg, researchers in the Internet Security, Applications, Authentication and Cryptography (ISAAC) group at the University of California, Berkeley. Within a day, Wagner and Goldberg had found a fatal cryptographic flaw in COMP128, the algorithm used to protect the identity inside the SIM. They created a system to exploit the flaw by repeatedly asking the SIM to identify itself; by processing the responses they were able to extract the secret from inside the SIM.
``There's no way that we would have been able to break the cryptography so quickly if the design had been subjected to public scrutiny,'' says David Wagner. ``Nobody is that much better than the rest of the cryptography research community.'' David Wagner was previously known for his work on the breach of CMEA, a cipher used in digital cellphones. As in this case, the cryptographers who did the work on CMEA blamed the design process for the insecurity of the system.
Almost all GSM network operators are vulnerable to the new breach. There are replacements for COMP128 permitted in the GSM system, but so far the SDA has not found a network which does not use COMP128. The SDA is currently in the process of determining which cellular networks are vulnerable. Nor are U.S. companies immune. Many U.S. networks use GSM standards in their offerings of digital PCS service, Pacific Bell among them. Indeed, it was a SIM signed up to the Pacific Bell PCS service that the ISAAC group successfully attacked.
One of the main advantages touted for the new digital services is that the phones cannot be cloned. A billboard advertisement by Pacific Bell well known in the San Francisco area portrays a sheep, presumably a cloned sheep, and a claim that the digital cellphone is different. Cloned phones are widely used in criminal ``call-sell'' operations, which sell international and long distance service from cloned telephones.
The fraud potential is exacerbated by a blind reliance of equipment engineers on the belief that the cryptography would never be broken. ``Much switching equipment never checks to see if two telephones with the same identity are on-line at the same time,'' says Yobie Benjamin, Chief Knowledge Officer at Cambridge Technology Partners.
The SDA points out that the breach may be correctable, but this cannot be known for certain at the current time. ``We anticipate that this is but the first in a family of related vulnerabilities,'' says Goldberg of the ISAAC group. Remedies cannot be adequately designed until more is known about the potential for other weaknesses. The SDA cautions that no practical over-the-air attack is known yet but that one should not be ruled out. Unlike the current breach, which requires physical possession of a SIM, an over-the-air attack would extract secrets from SIM's nestled inside their phones and without the cooperation of the owner.
Any fix of the system is certain to be expensive. ``At the least, all the SIM's would have to be reissued. A software upgrade for all the authentication centers shouldn't be ruled out'', says Bob Keyes, a consultant with Enterprise Security Services at Cambridge Technology Partners. Changes to each component would not be particularly large, but the changes in total would be extensive, affecting many different pieces of the system.
A secret design process is always fraught with peril, but the situation worsens when government agencies meddle. One of the discoveries that the SDA made about GSM security was a deliberate weakening of the confidentiality cipher used to keep eavesdroppers from listening to a conversation. This cipher, called A5, has a 64 bit key, but only 54 bits of which are used. The other ten bits are simply replaced with zeros. ``The only party who has an interest in weakening voice privacy is a national surveillance agency,'' says Briceno. ``Consumers want privacy, and the manufacturers and network operators incur no cost whatsoever by using a full-size key.''
The U.S. systems may well befall the same fate. The National Security Agency is known to have pressured the analogous U.S. standards body to weaken voice privacy. ``The U.S. systems aren't much better,'' says Phil Karn, an engineer with Qualcomm, a maker of digital CDMA cellphones. Karn has had experience in the standardization process. ``Unless consumers demand better, the situation is unlikely to change,'' he says.
The lessons for electronic commerce are clear. Only standards created in an open environment and subject to public comment are acceptable. Any other process has always led to losses for service providers and consumers alike. ``Every part of a system design requires a publicly accepted justification, without exception,'' says Eric Hughes, Chief Designer at SigNet Assurance, a company building electronic commerce infrastructure. So far the signs are encouraging. Standards such as SET, even though developed in private, are nevertheless available for public review. Companies evaluating systems need to look closely at the design process of their security components. Top management should verify these claims before final procurement. Hughes says, ``I fear that unless we have a culture where anything but open security analysis is ridiculous, we will have some spectacular and unnecessary electronic commerce catastrophes.''