GSM Security: Security Most-wanted

Voice&Data Bureau

GSM is by far the most widely used standard for mobile communication, both in
India and globally. It is the fastest growing communication technology of all
time. The current global subscriber base of GSM has exceeded 1 billion and the
number is increasing.

In this vast and emerging market, we need to know whether the technology itself
is secure. Recently we have heard of instances of SIM cloning happening in India.
Such occurrences would inhibit the growth of this technology and would
also result in revenue leaks for the operators.

The security in GSM can be better understood if it is subdivided into the
following categories:

  • Subscriber Identity Authentication: The MSC (Mobile Switching Center)
    sends a 128-bit random challenge, RAND, to the mobile phone (MS), which
    generates a 32-bit signed response, SRES, using the 128-bit secret key Ki
    pre-shared between the MS and the MSC. The algorithm used for this
    authentication is A3. The MSC carries out the same computation. If the
    SRES returned by the MS matches the SRES computed at the MSC, the user is
    authenticated.
  • Over-the-air Privacy: The MS uses the random number (RAND) and the
    key (Ki) to generate a session key Kc (64 bit) using the A8 algorithm, to
    encrypt the frames over the air. The algorithm used for voice encryption is
    A5. Each GSM frame is then encrypted using this Kc.
  • Subscriber Identity Confidentiality: This allows mobile subscribers
    to originate calls, update their location, etc., without revealing their
    International Mobile Subscriber Identity (IMSI), which refers to the
    identity of the subscriber, to an eavesdropper over the air. The mechanism
    used to provide this service is based on the use of a Temporary Mobile
    Subscriber Identity (TMSI), which is updated after each successful access to
    the system.

The TMSI updating mechanism functions in the following manner. For simplicity,
assume the MS has been allocated a TMSI, denoted by TMSIo, and the network knows
the association between TMSIo and the subscriber's IMSI. The MS identifies
itself to the network by sending TMSIo. Immediately after authentication (if
this takes place), the network generates a new TMSI, denoted TMSIn, and sends
this to the MS encrypted under the key Kc. Upon receipt of the message, the MS
deciphers it and replaces TMSIo with TMSIn.
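The challenge-response, session-key and TMSI update steps described above can be traced in a short simulation. This is an added example, not code from the article: HMAC-SHA256 and a SHA-256 keystream are stand-ins for A3/A8 and A5 (which are not reproduced here), the class and function names are hypothetical, and only the field sizes and message flow follow the text.

```python
import hashlib
import hmac
import secrets

# Stand-ins (assumptions): HMAC-SHA256 replaces A3/A8 and a SHA-256 keystream
# replaces A5. Only the field sizes and the message flow follow the article.
def a3_a8(ki: bytes, rand: bytes):
    """Ki (128 bit) + RAND (128 bit) -> (SRES 32 bit, Kc 64 bit)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

def a5(kc: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from Kc (the same call decrypts)."""
    stream = hashlib.sha256(kc).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

class Network:
    def __init__(self):
        self.ki_by_imsi = {}    # subscriber database: IMSI -> Ki
        self.imsi_by_tmsi = {}  # current TMSI -> IMSI
        self.pending = {}       # TMSI -> RAND awaiting a response

    def challenge(self, tmsi: bytes) -> bytes:
        """The MS identified itself with TMSIo; issue a fresh RAND."""
        self.pending[tmsi] = secrets.token_bytes(16)
        return self.pending[tmsi]

    def verify(self, tmsi: bytes, sres: bytes):
        """Check SRES; on success return TMSIn encrypted under Kc, else None."""
        rand = self.pending.pop(tmsi)           # each RAND is single use
        imsi = self.imsi_by_tmsi[tmsi]
        expected, kc = a3_a8(self.ki_by_imsi[imsi], rand)
        if not hmac.compare_digest(sres, expected):
            return None
        tmsi_new = secrets.token_bytes(4)       # TMSI is four octets
        del self.imsi_by_tmsi[tmsi]             # TMSIo is retired
        self.imsi_by_tmsi[tmsi_new] = imsi
        return a5(kc, tmsi_new)

class MobileStation:
    def __init__(self, ki: bytes, tmsi: bytes):
        self.ki, self.tmsi, self.kc = ki, tmsi, None

    def respond(self, rand: bytes) -> bytes:
        sres, self.kc = a3_a8(self.ki, rand)    # SIM computes SRES and Kc
        return sres

    def accept_tmsi(self, ciphertext: bytes):
        self.tmsi = a5(self.kc, ciphertext)     # decipher TMSIn, replace TMSIo
```

Neither Ki nor the IMSI crosses the air interface in this flow; only TMSIo, RAND, SRES and the enciphered TMSIn do.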

The Secret 'Ki'

The security of the whole GSM model is based on the secret Ki. If this key
is compromised, the whole account is compromised. Once the attacker is able to
retrieve the Ki, he can not only listen to the subscriber's calls, but also place
calls billed to the original subscriber's account, because he can now
impersonate the legitimate subscriber.

  • Security of the SIM card: This is achieved by
    authenticating the user credentials through the SIM inside the handset.
    However, it has become easy to "clone" a SIM card, and we have
    had recent reports of such incidents rising in India as well. Cloning is
    achieved by copying the contents of the SIM, such as the IMSI number and the
    secret key Ki. This can be done either with physical access to the
    target SIM or through over-the-air attacks. Software is available
    that can help "clone" a SIM. This is possible because of a
    specific vulnerability in the A3/A8 algorithm of GSM. If a SIM is subjected
    to chosen challenges (RAND), differential cryptanalysis of the responses
    (SRES) that the SIM returns reveals information about the Ki.
    The attack requires about eight hours to give the desired results.

This vulnerability is also applicable in a social engineering
scenario. One can assume that a corrupt GSM dealer would clone SIM cards in this
way and then sell the cloned cards to third parties who wish to remain anonymous
and do not want to buy legitimate SIM cards. One could also try to sell a cloned
SIM to a certain person in order to be able to eavesdrop on his calls later.
These are all very realistic scenarios in which the vulnerability found in the
algorithm compromises the whole security model of the GSM system, thus leaving
the subscribers in the open with no security at all.

  • Security of the communication in the air-interface:
    Over-the-air privacy is ensured by encrypting the communication using the
    secret key Kc. The over-the-air attack is based on the fact that the MS is
    required to respond to every challenge made by the GSM network. If the
    signal of the legitimate BTS (the GSM towers that we normally see on top of
    buildings) is overpowered by a rogue BTS of the attacker, the attacker can
    bombard the target MS with challenges and reconstruct the secret key from
    these responses. Again, the MS has to be available to the attacker over the
    air for the whole time it takes to conduct the attack. It is not known how
    long the attack would take when conducted over the air. Estimates vary from
    eight to thirteen hours. The attack can also be performed in parts: instead
    of performing an eight-hour attack, the attacker could tease the phone for
    twenty minutes every day. Once the SIM is cloned, the SIM clone is usable
    until the subscriber gets a new SIM, which in practice does not happen very
    often. The next time your cell phone battery drains very fast without much
    use of the phone, beware: your phone might just be answering the
    challenges thrown by the attacker.

  • Security on the GSM fixed network: This is
    achieved by securing access to the vital databases at the AuC
    (Authentication Center) at the MSC within the GSM network. The same attack
    used to retrieve the Ki from a SIM card can be used to retrieve the Ki
    from the AuC. The AuC has to answer requests made by the GSM network and
    return valid data to be used in MS authentication. The procedure is
    basically identical to the procedure used in the MS to access the SIM card.
    The difference is that the AuC is a lot faster in processing requests than a
    SIM card is, because it needs to process a lot more requests than one
    SIM card. The security of the AuC plays a big role in whether this attack is
    possible or not. Also, data within the GSM fixed network travels without any
    encryption. Hence eavesdropping could be possible.
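The chosen-challenge attack described above needs hours of challenges, whether delivered in one sitting or in short daily sessions, so a defensive check has to count challenges per SIM over both a short and a long window. This is an added example, not from the article; the log format, SIM identifiers and both thresholds are constructed assumptions.

```python
from collections import defaultdict

# Assumed limits for illustration; not taken from the article or a standard.
MAX_PER_HOUR = 30     # burst limit on challenges answered in one hour
MAX_PER_WEEK = 150    # cumulative limit, catches short daily sessions
HOUR, DAY, WEEK = 3600, 86400, 604800

def constructed_log():
    """Constructed events: '<epoch_seconds> <sim_id> AUTH_CHALLENGE'."""
    lines = []
    for day in range(7):
        # Ordinary subscriber: three challenges a day.
        lines += [f"{day * DAY + n * 8 * HOUR} sim-normal AUTH_CHALLENGE"
                  for n in range(3)]
        # Throttled session: 25 challenges inside 20 minutes, every day.
        lines += [f"{day * DAY + 20 * HOUR + n * 48} sim-slow AUTH_CHALLENGE"
                  for n in range(25)]
    # Single sustained burst: 100 challenges in under 20 minutes.
    lines += [f"{1000 + n * 10} sim-burst AUTH_CHALLENGE" for n in range(100)]
    return lines

def flag_sims(lines):
    """Return {sim_id: set of reasons} for SIMs that exceed either limit."""
    per_hour = defaultdict(int)
    per_week = defaultdict(int)
    alerts = defaultdict(set)
    for line in lines:
        ts, sim_id, event = line.split()
        if event != "AUTH_CHALLENGE":
            continue
        hour_key = (sim_id, int(ts) // HOUR)
        week_key = (sim_id, int(ts) // WEEK)
        per_hour[hour_key] += 1
        per_week[week_key] += 1
        if per_hour[hour_key] > MAX_PER_HOUR:
            alerts[sim_id].add("burst")
        if per_week[week_key] > MAX_PER_WEEK:
            alerts[sim_id].add("cumulative")
    return dict(alerts)
```

The throttled SIM never trips the hourly limit, which is why the weekly budget is needed alongside it.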

Now, with the advent of GPRS and its interface with the public
Internet, the GSM system has become all the more vulnerable. Innocent subscribers
could just become victims of serious vulnerabilities inherent in the GSM system.

The Business Impact

  • Revenue loss: The revenue leakage could be as high
    as 15% of the total revenue of the operator.

  • Customer churn: Improper billing resulting
    from a customer's SIM card having been cloned and used by an attacker
    can not only frustrate a customer but also result in bill reconciliation and
    subsequently customer churn.

  • Impact on the brand: The last thing any cellco
    would want is damage to its brand image owing to such threats.

The Security Cordon

Security could be improved in some areas with relatively simple measures.
The operator could use an alternative, cryptographically secure algorithm for A3.
This would require issuing new SIM cards to all subscribers and updating the HLR
software. This would effectively prevent the attacker from cloning SIM cards.
This would also be the easiest of the improvements introduced here, because the
network operator can make the changes itself and does not need the support of
hardware or software manufacturers or the GSM Consortium.

Another solution would be to employ a new A5 implementation with strong
encryption so that a brute-force attack is not feasible in any case. This would
prevent the attacker from recording transmitted frames and cracking them in his
spare time. This improvement would require the cooperation of the GSM
Consortium. The hardware and software manufacturers would have to release new
versions of their software and hardware that comply with the new A5
algorithm.

Soumyadeep Mondal, Ernst & Young, India

The views expressed in the article are those of the author, and Ernst & Young
does not endorse the same.