GSM Cloning

History: On April 13, 1998, the Smartcard Developer Association and the ISAAC security research group announced a flaw in the authentication codes found in digital GSM cellphones. This allows an attacker with physical access to a target phone to make an exact duplicate (a ``clone'') and to make fraudulent calls billed to the target user's account.

At the time of the announcement, we published an overview of our results, including some detailed technical information. (Note that some of this information, specifically regarding the possibility of over-the-air cloning, is now outdated. See below for more discussion.)

Press coverage: The Los Angeles Times [local copy]; The New York Times; The Associated Press; The Wall Street Journal; USA Today; Wired News; Time daily; Time magazine; The Netly News; CNN; ABC News; Wireless Daily News [local copy]; The Daily Californian.

Readers of the scard mailing list have pointed out that, in Europe, one can anonymously rent GSM cellphones quite cheaply. The prospect of those phones getting cloned is a bit worrisome.

Three years later: Indications are that the GSM industry is taking steps to repair the security weaknesses in the GSM cryptographic algorithms. A patched version of COMP128 is now available (called COMP128-2), although it remains unpublished.

Most importantly, the GSM industry appears to have at least partially learned the important lesson here: `security through obscurity doesn't work'. The next-generation replacement for GSM, called 3GPP, will use algorithms developed based on principles from the research literature. The 3GPP cryptographic algorithms have been published for scientists to study, which gives the research community a chance to give early warning of any potential weaknesses and also to gain confidence in the 3GPP ciphers. I am strongly supportive of this effort.

Note that the other major players in this arena moved some time ago to open design processes. This includes the next-generation AES standard process being shepherded by the US government, as well as the US cellular industry. The US cellular industry is an interesting case study: initially they used closed design, but after several of their cryptographic algorithms were rapidly broken by cryptographers in the open research community, to their credit they quickly moved to an open design process. I am glad that the GSM/3GPP industry has recognized the benefits of this approach.

I also understand that the GSM Association has agreed to develop a new, stronger voice encryption cipher called A5/3, apparently based on Kasumi (a block cipher which was developed based on principles from the research literature). It will apparently become mandatory to support A5/3 at some point in the future. I strongly support the GSM Association's efforts to repair the ailing series of voice privacy algorithms and provide robust voice privacy protection for the future.

Further information on cryptographic algorithms in GSM and 3GPP may be found at several web pages:

Over-the-air cloning: In our original announcement, we noted that we could not rule out the possibility of over-the-air attacks, but we emphasized that we had not demonstrated such an attack. At that time, we did not provide any further analysis on the resources required to mount an over-the-air attack. There was, for obvious reasons, considerable interest in the possibility of over-the-air attacks, and we had reason to suspect they might be possible, but we wanted to be extremely conservative in reporting only what we knew for certain was exploitable. That viewpoint is probably now best regarded as outdated.

Since then, extensive conversations with many knowledgeable GSM engineers has caused us to conclude that over-the-air attacks must be considered available to the sophisticated attacker in practice. We still have not attempted to build a laboratory demonstration (it would apparently be illegal to do this type of research under US law), but the GSM experts we've spoken with have confirmed that it should be possible and practical to do so. They have reported that a number of aspects of the GSM protocols combine to make it possible to mount the mathematical chosen-input attack on COMP128, if one can build a fake base station. Such a fake base station does not need to support the full GSM protocol, and it may be possible to build one with an investment of approximately $10k.

Some technical expertise is probably required to pull off the over-the-air cloning attack, and the attack requires over-the-air access to the target handset for a relatively long period of time. Therefore, this may be considered a lower level of risk than that found in old US analog systems with no authentication at all. Nonetheless, please note that it would be a mistake to underestimate the technical sophistication or the financial resources of some of today's attackers: some of them are surprisingly well-positioned to mount even relatively sophisticated and costly attacks. Therefore, we feel that the new information provides evidence that over-the-air cloning must be considered a very real threat which should not be ignored.

Primary sources: For the mathematicians and cryptographers: It seems that the COMP128 algorithm has leaked abroad to this web site (see also, e.g., here). (I was emailed this information just a day after the announcement of our results. It wasn't me; I didn't leak or export the information.) And the leaked GSM document specifying COMP128 is also available on the net, thanks to John Young.

For reference, the press release we sent out is available here. To contact the SDA, call 925-798-4042, or email Marc Briceno; to contact the ISAAC group, email David Wagner or Ian Goldberg.

The Cellular Telecommunications Industry Association (a US cellphone industry consortium) has issued a press release [local copy] on the subject. And the GSM industry released a press release [local copy] of their own which is also worth reading.

Also, Crossbar Security, Inc. has issued a press release where they report independent verification of our technical results. (We are not affiliated with Crossbar Security.)

Web page maintained by David Wagner on behalf of the SDA and ISAAC.