GSM security. Christian Kröger. University of Twente P.O. Box 217, 7500AE Enschede The Netherlands


GSM security

Christian Kröger
University of Twente
P.O. Box 217, 7500AE Enschede, The Netherlands
christian.kroeger@gmail.com

ABSTRACT
In this paper we give a general overview of the state of GSM security and the practicality of an attack on the A5/1 algorithm used for encrypting 2G GSM communication. First we give a general introduction to the development of GSM; afterwards we present our research questions and the current state of the art. Furthermore, we describe the test environment used for our research. After having had some trouble with the software necessary for the practical aspect of this paper, we shifted our focus to discussing the recent state of the art in attacking GSM encryption and what measures should be taken to make it harder to actually break the encryption in use, to guarantee more secure communication.

Keywords
GSM, 2G, mobile phone, mobile communication, security, A5/1, USRP

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. 14th Twente Student Conference on IT, January 21st, 2011, Enschede, The Netherlands. Copyright 2011, University of Twente, Faculty of Electrical Engineering, Mathematics and Computer Science.

1. INTRODUCTION
The Groupe Spécial Mobile was created in 1982 to develop a standard for a European mobile telephone system. After some development time the first GSM network was established in Finland, and by the end of 1993 GSM had broken through the 1 million-subscriber barrier with the next million already on the horizon [9]. At this time GSM was already operating in 48 countries and it was still rapidly growing. In the year 2007 there were already 2.5 billion GSM users [8]. Another source states the following as of June 2006: "While it took just 12 years for the industry to reach the first billion connections. The second billion has been achieved in just two and a half years boosted by the phenomenal take up of mobile in emerging markets such as China, India, Africa and Latin America, which accounted for 82% of the second billion subscribers." [10]

Research in this area is important because of this ever increasing and very widespread use of mobile phones and mobile communication, including average mobile phones, smart phones etc. In today's world it is even possible to buy your train tickets via your mobile phone or to do online banking and TAN generation, so it is not just the money you pay for your phone calls that is involved, but also the money for all these different things. Another aspect is that in general people value their privacy. As a result, a user does not want another person to be able to eavesdrop on their private conversations and SMS. Therefore it is obvious that security in cellular networks is a very important issue, and one that keeps becoming more important.

There are different security mechanisms involved when dealing with the security of mobile phones. First of all, there is the security of the radio communication between the mobile phone and the base station; second, there is the security of the SIM-card itself and the key stored on it. GSM itself can use different encryption algorithms, of which several are already broken and therefore not really secure, as can be seen in the related work part of this paper. The old A5/2 encryption algorithm has even been discouraged from being implemented in mobile devices as of the 1st of July 2006.
But in this paper we are not going to discuss the topic and possibilities of copying a SIM-card. Instead we focus on the security of the radio communication itself, because it is much easier to passively listen to radio communication than to get your hands on mobile devices without being noticed. Listening to the radio communication instead of cloning SIM-cards is also more likely to be used in the real world, because it is by far easier to just listen to a wide variety of phone traffic than one imagines, as this paper will show.

If someone wants to listen to somebody else's mobile communication, there are different ways to achieve that goal. First of all, one can try to break the encryption used between the mobile phone and the GSM network. A second possibility is to set up a fake base station. Using your own base station enables you, once a mobile device connects to it, to actively choose which encryption is used while that phone is connected to that specific base station.¹ The main focus of the research in this paper will be the practicality of the first kind of attack on GSM, thus the decryption of GSM traffic.

The paper starts with the research questions we intended to address; after that it gives a brief overview of the GSM architecture. With that knowledge in mind we describe the current related work, and building on top of this we introduce possible attacks on GSM communication, which allow malevolent people to listen to the private conversations of others. After that we give an overview of the tests we tried to do in order to show how simple or complex it might be to eavesdrop on GSM communication. Finally we conclude our paper by answering the research questions and giving a conclusion on the overall security of GSM.

¹ The different encryption techniques can be found in the part on GSM security architecture.

Figure 1. Basic GSM architecture, found on http://www.privateline.com/pcs/gsm/tarch6a.gif

2. RESEARCH QUESTIONS
The research questions for this paper are the following:

1. What is the current state of the safety of the GSM algorithms?
2. How much effort does it take to break current GSM security (and to listen to a phone call or intercept an SMS for example)?
3. Is it possible to decrypt a phone call with the current commodity hardware and available (open source) software?
4. If so, is the decryption taking place in real-time or something close to it, or does it take several minutes or even hours?
5. Is UMTS equally vulnerable or are the security features and algorithms used better?

3. GSM SECURITY ARCHITECTURE
The GSM architecture can be divided into three parts: the mobile station, the Base Station Subsystem and the Network Subsystem. The mobile station contains the SIM-card, which is necessary to identify the user to the network. The Base Station Subsystem is in charge of the radio link with the mobile device and has a lot of rights from the perspective of the mobile device (more on this in the part on attacks against GSM communication). The Network Subsystem performs the switching of calls between mobile users and between mobile and fixed network [12] and contains the hardware necessary to authenticate users in the network. This architecture can be seen in figure 1.
After a channel between the Base Station Subsystem and the mobile device is established, the device sends its TMSI or IMSI to the network to make its identity known. Preferably the TMSI is used for this, because it enhances the privacy of the system. After that the authentication of the mobile device starts, with the network sending a random challenge (RAND) to the mobile device. This RAND is used by the mobile device in conjunction with the secret key, which is stored on the SIM, to calculate a result. After calculating the result, the device sends it back to the network. Meanwhile the network has calculated the response as well, because it also knows the secret key, which is stored in its AuC. If the response sent by the device matches the one calculated by the network, the device is successfully authenticated to the network; otherwise the authentication is rejected and the device cannot connect. In GSM there is no authentication in the reverse direction (from network to mobile device).

There are essentially 4 different algorithms that can be used to secure GSM communication. These are called A5/0 up to A5/3. Of those 4 algorithms, one does not offer any encryption at all and one is discouraged from being used, and therefore should not be encountered when monitoring GSM communication. The other 2 algorithms are the ones mainly used today. Below you will find a short, general and historical overview of the GSM algorithms; their security is evaluated in the part on related work.

3.1 A5/0
When this encryption cipher is chosen, the communication between BSS and mobile device is not encrypted at all.

3.2 A5/1
This is the most widely used algorithm, and also the main focus of current research and therefore also the main focus of this paper. This algorithm is a stream cipher developed in 1987.

3.3 A5/2
This is a weak encryption algorithm, which has been discouraged from being used. It actually took quite a long time to phase it out.
The GSMA itself stated in a meeting on the 12th of September 2006: "The risk of operators continuing to demand A5/2 device support stems from the possibility that some operators may not upgrade their networks to support stronger algorithms in a timely manner. The emergence of devices without A5/2 support will mean that encryption will not be possible on networks that have not upgraded their BSS infrastructure to support A5/1 and/or A5/3. However, because of the nature of the attack, and the fact that A5/2 does not offer a higher level of protection than A5/0, it is deemed preferable that these networks run with no encryption rather than use the compromised A5/2 protocol." [2] This shows how weak they themselves deemed the security of this algorithm, which was actually designed to be weak. The A5/2 algorithm is also a stream cipher, which was developed a little while after A5/1 as a deliberately weakened version of it, due to export restrictions on cryptography.

3.4 A5/3
This is an algorithm called KASUMI, which is a block cipher instead of a stream cipher. KASUMI was already specified in 2002 [1], but interestingly enough, the GSMA was still discussing how to test A5/3 in 2009: "Recent joint meetings with the Mobile Manufacturers (EICTA) had discussed forthcoming tests to check A5/3 functions." [3] Later that year: "Successful tests were made on A5/3 enabled BTS equipment in Switzerland, with 10 handsets from 7 manufacturers being tested on a live network." [4] So it took them 7 years to test the A5/3 algorithm and hardware, which is not really fast. We expect that after these successful tests this algorithm will more and more become the standard algorithm, as it is also used in UMTS and GPRS and because it is a more secure algorithm compared to A5/1.

Most GSM networks also use frequency hopping, which makes it harder to follow the signal, but with good enough hardware it is even possible to monitor the whole frequency band at the same time, and then frequency hopping is no longer an obstacle.

4. RELATED WORK
In their text "A Man-in-the-Middle Attack on UMTS" [15] Ulrike Meyer and Susanne Wetzel describe an attack on the cellular network that exploits the interoperability of GSM and UMTS. Such an attack is possible because current mobile phones need to work in both networks, which is due to the fact that GSM is a lot better deployed than the UMTS network. The phone's communication can be attacked when it uses GSM, which it will do if the GSM antenna receives a stronger signal than the UMTS antenna. This is a problem caused by backwards compatibility. This backwards compatibility exists because there still is no UMTS connectivity everywhere, so GSM can be used as a fallback if UMTS is not available. This is reminiscent of weaknesses in software development that appear due to the interoperability of new and old software and the backwards compatibility of newer software, which compromises the whole security concept of the newer system, because the old one is still there and attackable.

In [7] Barkan et al. describe A5/2 and give a general GSM security background. They also describe an attack on A5/2 and specify how it is possible to use this attack to even attack A5/1 and A5/3. This attack can also be used against A5/1 and A5/3 due to the fact that all these encryption methods use the same key. Therefore an attacker is able to break A5/3 or can impersonate a cell phone to a base station, if he manages to get the real phone to use A5/2. After that he can capture the phone call and use this data to derive the A5/2 key.

Biryukov et al. describe a possible attack on the A5/1 algorithm in their paper "Real Time Cryptanalysis of A5/1 on a PC" [5], presented during the Fast Software Encryption Workshop in 2000. The attack is based on a reverse engineered version of the A5/1 algorithm; this stream cipher is also explained in that paper.

In his presentation during the BlackHat conference in 2010 [11], Karsten Nohl presented the state of the art of cracking the A5/1 encryption and discussed how his implementation worked, using rainbow tables to use less storage space and computing everything using multiple GPUs. The conclusion of this presentation is that it is possible to break A5/1 on commodity hardware, if all the optimizations he presented are used.

In [13] Dunkelman, Shamir and Keller show that they can break KASUMI (the A5/3 algorithm), which is a variation of MISTY, with a related key attack and a PC. Therefore they conclude that the changes made to move from MISTY to KASUMI resulted in a much weaker cryptosystem [13]. They conclude by saying that this attack may not be applicable to the specific way in which KASUMI is used as the A5/3 encryption algorithm, because the new attack uses both related keys and chosen messages.

This leads to the conclusion that cell phones should only use A5/3 even though it is not completely secure, and that a new algorithm should be chosen. The reason to use A5/3 is that if you use A5/1, it is probably possible to derive the key using Karsten Nohl's rainbow tables. Once the key is derived all communication can be broken, because man-in-the-middle attacks are possible against all algorithms if one is in possession of the key. The issue here is that all of the encryption algorithms use the same key. The attacker just has to get a legitimate key by convincing the phone to use A5/1, or even better A5/2, for a short amount of time. Furthermore there is the chance that even more weaknesses will be found in KASUMI, due to the changes made by the GSM Association. Another possibility is that a better way to exploit the current weaknesses of KASUMI may be found, because it already shows first weaknesses. As a result KASUMI might become breakable, which has already happened to A5/1 and A5/2.

5. ATTACKS ON GSM COMMUNICATION
Based on the related work, we describe possible attacks in more detail in this part of our paper. There are different possibilities to decrypt GSM communication if one chooses to do so.

5.1 Cloning the SIM-card
This attack can be characterized as a more active attack, because the attacker needs to either get his hands on the mobile device to clone the SIM-card or get the data from the AuC servers of the user's network operator.
With that data, the user's key and IMSI, the attacker is able to listen to the user's communication: once he has managed to eavesdrop on the initial connection establishment between mobile device and BSS, he knows the RAND and can thus calculate the session key using the stolen secret key. Because the authentication is based on a pre-shared key, which is on the SIM-card, and a challenge-response based on that very key and on a plain-text RAND challenge, an attacker could even impersonate another person if he manages to get that key.

5.2 Passively capturing packets
This attack is a passive way of listening to someone's call and was intended to be the main concern of this paper, but due to the problems we encountered while trying to set up the hardware and software for our tests, we did not manage to execute this attack ourselves. As we describe this way of eavesdropping in more detail in the section Test environment, this will only be a short overview. This attack works against A5/1 and A5/2. A5/3 is currently too strong for this kind of passive attack.

During his talk at the 27C3² Karsten Nohl has shown that this attack can even be executed using 2 old Motorola mobile phones. The phones cost approximately 10 Euro each, and two phones are needed. For this to work Karsten Nohl and Sylvain Munaut upgraded the phones to Open Source firmware using the OsmocomBB software. To demonstrate this technique they called themselves during the presentation and used these patched phones to demonstrate a live decryption of their phone call.³

5.3 Fake base station
Once someone uses a fake base station, his possibilities to attack become even more potent. A fake base station enables the attacker to choose which cipher is used during the communication and therefore to choose weaker encryption or no encryption at all. To achieve this the user needs to connect to the fake station, but this is easily done, as Chris Paget points out in his talk during Defcon 18 [6]. The reason that convincing the phone to connect to the fake station is easy is that the phone essentially tries to connect to the strongest signal. This might in reality be the real base station or the fake one. But according to Paget the base station can transmit a signal telling the mobile phone that the station's signal is stronger than it is in reality, and the phone believes this without doubt.⁴ So one can convince the phone to use no encryption and thus go for a man-in-the-middle attack, but this also enables an attacker to break the strong A5/3 cipher, which can be seen in figure 2. This attack works as follows:

1. The eavesdropper captures an A5/3 encrypted call, including the initial RAND.
2. The attacker uses his fake base station to ask the user's phone to reuse the same RAND with the weak A5/1 cipher.
3. The attacker uses Nohl's rainbow tables, which are downloadable via BitTorrent, to derive the key and finally uses that key to decrypt the first call, which was A5/3 encrypted.
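
As an added illustration (not code from the paper), the sketch below models the challenge-response authentication of section 3 and the property the three steps above depend on: the session key is computed from the secret key and RAND only, so the cipher the network selects does not change it. HMAC-SHA256 stands in for the operator-specific A3/A8 algorithms, the `separate_keys` and `reject_replay` options are hypothetical hardening measures that are not GSM features, and all names and sample values are constructed.

```python
import hashlib
import hmac
import os

RAND_LEN, SRES_LEN, KC_LEN = 16, 4, 8  # 128-bit RAND, 32-bit response, 64-bit session key


class ReplayedChallenge(Exception):
    """Raised by the hardened handset when a RAND is presented a second time."""


def a3a8_standin(ki, rand):
    """Return (response, session key), both derived from the secret key and RAND only.

    Assumption: HMAC-SHA256 stands in for the operator-specific A3/A8 algorithms.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:SRES_LEN], digest[SRES_LEN:SRES_LEN + KC_LEN]


class Network:
    """Network side: the AuC knows the secret key and checks the response."""

    def __init__(self, ki):
        self._ki = ki

    def challenge(self):
        return os.urandom(RAND_LEN)

    def verify(self, rand, response):
        # Returns the session key on success, None when authentication is rejected.
        expected, kc = a3a8_standin(self._ki, rand)
        return kc if hmac.compare_digest(expected, response) else None


class Handset:
    """Mobile side: the SIM holds the secret key, the network chooses the cipher."""

    def __init__(self, ki, separate_keys=False, reject_replay=False):
        self._ki = ki
        self._separate_keys = separate_keys  # hypothetical hardening, not GSM
        self._reject_replay = reject_replay  # hypothetical hardening, not GSM
        self._seen = set()
        self._kc = None

    def authenticate(self, rand):
        if self._reject_replay and rand in self._seen:
            raise ReplayedChallenge("RAND already used in an earlier session")
        self._seen.add(rand)
        response, self._kc = a3a8_standin(self._ki, rand)
        return response

    def cipher_key(self, cipher):
        """Key the handset uses for the cipher selected by the network."""
        if self._kc is None:
            raise RuntimeError("authenticate() must run before a cipher key exists")
        if not self._separate_keys:
            return self._kc  # behaviour described in the paper: one key for every A5/x
        # Hardened variant: bind the cipher name into the key derivation.
        return hmac.new(self._kc, cipher.encode(), hashlib.sha256).digest()[:KC_LEN]


def run_scenario(separate_keys=False, reject_replay=False):
    """Authenticate once with A5/3, then present the same RAND again with A5/1."""
    ki = bytes(range(16))  # constructed sample secret key
    network = Network(ki)
    handset = Handset(ki, separate_keys, reject_replay)
    rand = network.challenge()
    authenticated = network.verify(rand, handset.authenticate(rand)) is not None
    key_first = handset.cipher_key("A5/3")
    try:
        handset.authenticate(rand)  # identical challenge, second session
    except ReplayedChallenge:
        return {"authenticated": authenticated, "replay_rejected": True, "same_key": None}
    key_second = handset.cipher_key("A5/1")
    return {"authenticated": authenticated, "replay_rejected": False,
            "same_key": key_first == key_second}


if __name__ == "__main__":
    for options in ({}, {"separate_keys": True}, {"reject_replay": True}):
        print(options, run_scenario(**options))
```

With both options off, the two sessions share one key, which is why the confidentiality of an A5/3 call rests on the weakest cipher the handset will accept; either option breaks that link in this model.
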
The reason this works is that it is simple to capture the RAND, that all the encryption algorithms on a mobile phone use the same secret key, and that they always use the same algorithm to determine the temporary key. The temporary key is based solely on the secret key and the RAND. Furthermore, the software necessary to execute this attack is already readily available as Open Source Software. The downside of this attack is that it is an active attack and as such might be noticed. On the other hand it enables the attacker to break even A5/3.

6. TEST ENVIRONMENT
Setting up the hardware for this task proved significantly easier than managing to install and run the necessary hardware drivers and the rest of the software.

² 27th Chaos Communication Congress
³ The slides can be found via [14] and the videos can be found via media.ccc.de
⁴ This has to do with the fact that the network does not need to identify itself to the mobile devices.

Figure 2. Picture of a way to decipher an A5/3 call, from Karsten Nohl during 26C3

6.1 Hardware
For the evaluation in this paper we used special hardware developed by Ettus Research⁵, which is called USRP (Universal Software Radio Peripheral). The USRP is a small device, just a little bigger than an average 3,5" external HDD. For our research we used a USRP version 1 equipped with the DBSRX1 daughterboard, which allows the USRP to receive signals from 800 MHz up to 2.4 GHz. Because GSM in Europe uses frequencies around 900 MHz and 1.8 GHz, this should be sufficient for the tests. The antenna used can receive signals from 900 MHz up to 2.6 GHz. The USRP1 has to be connected to a computer, which is simple to do, because it is done via a USB cable. After attaching the DBSRX board to the USRP1, closing the USRP, connecting the antenna to the USRP and finally connecting the USRP to the computer, the hardware was already set up.
6.2 Software
The programs used for this research are called Airprobe⁶ and GNU Radio⁷, which are completely Open Source. GNU Radio is an SDR (Software Defined Radio): "As with all software-defined radio systems, reconfigurability is the key feature. Instead of purchasing multiple expensive radios, a single more generic radio is purchased, which feeds into powerful signal processing software (GNU Radio, in this case)."⁸

Due to the computers we had at hand, we first decided to use this software on Windows, but we encountered a couple of problems and thus decided to do the rest of the research using Ubuntu 10.10 (more on the problems can be found in the problem subsection). The installation of GNU Radio on Ubuntu was fast and easy, because packages have been included in the Ubuntu sources since version 9.04 of Ubuntu⁹. These packages are easy to install via the standard package managing software usable in Ubuntu, such as Synaptic or apt-get. That makes the step of installing GNU Radio a lot easier and a lot faster, because there is no longer the need to compile everything on your own machine. So all in all the hardware was easier to set up than the software was to install.

For the purpose of our tests we decided to use the newest version of GNU Radio, which is version 3.30. On a Windows system, there are essentially two ways to install GNU Radio. Both of them are based upon installing a Unix-like environment. The first program is Cygwin, which failed during the make process of the software because it was not able to find some files. The second is MinGW together with the MSYS shell, which had more initial problems than Cygwin, but with which it was finally possible to compile GNU Radio and the USRP drivers for Windows.

Through the combination of these programs, it is possible to grab the data packets of a phone call and to break the A5/1 algorithm using the Kraken software and its rainbow tables. The data passed from Airprobe to the Kraken program is analysed using rainbow tables to finally derive the encryption key of the communication. Using this key it is possible to decrypt the communication itself and thus listen to the phone call or read the SMS sent.

⁵ www.ettus.com
⁶ www.airprobe.org
⁷ www.gnuradio.org
⁸ From http://en.wikipedia.org/wiki/GNU_Radio
⁹ Version 3.2 of GNU Radio

6.3 Problems
We encountered different problems during the installation of the software and the first initial tests. On the operating systems used we faced diverse problems, some of which we managed to solve and others we could not. This part is split into a sub-part concerning Windows errors and another concerning problems encountered when using Ubuntu. At first we used Windows, but after we faced the problems mentioned below we decided to conduct our further research using Ubuntu, which unfortunately resulted in a different set of problems we could not solve either.

6.3.1 Windows
During the installation of the software and the first initial tests, we encountered a couple of problems. These problems mainly occurred on our Windows XP machine, which we initially used to set up the software.
The compile problems we faced using MinGW with MSYS could be solved by adding a few #include commands to different parts of the program code. Furthermore we had to explicitly add the lpthread library to FFTW¹⁰ while configuring it; otherwise it would not work, and without it working it was not possible to build the GNU Radio software itself. For building the USRP Windows driver a piece of software called SDCC was necessary¹¹. At first we just used the newest version of the software, available from the software's homepage, but this resulted in errors, because the new version used a different naming scheme for the files installed. This different naming scheme resulted in GNU Radio not finding the necessary files to build the USRP Windows driver. Therefore we used an older version of the program¹².

After connecting the USRP to our Windows machine and successfully installing the driver, we tried running a few test Python scripts which were included in the GNU Radio software. Sadly these tests failed, with the error message that the computer is unable to write to the USRP device. From this we concluded that there might be a problem with the driver, even though it compiled without error messages, or that the USRP itself might have a defect. This seems to be a problem of the Windows driver, as the USRP seems to work under Ubuntu using GNU Radio.

Despite that problem we tried to install Airprobe on Windows as well, because GNU Radio compiled. But here we encountered problems even earlier than during our later tests using Ubuntu. Some problems occurred due to the difference between the Windows and Unix linefeed, as well as a couple of missing header files and, again, missing #include commands in the source code.

¹⁰ "FFTW is a C subroutine library for computing the discrete Fourier transform", taken from www.fftw.org
¹¹ SDCC (Small Device C Compiler) is a C compiler which can build programs for different microprocessors.
¹² 2.9 instead of 3.0
6.3.2 Ubuntu

Setting up GNU Radio on Ubuntu was an easy task due to the readily available packages, which just had to be installed. This installation was a lot easier and faster than the one on Windows, because we did not even need to compile our own software. As for Airprobe, we followed the build instructions, which do not mention which packages are necessary to install the software, but after some testing we found out that autoconf, automake, libpcap and a couple of other packages are necessary to build the software. Unfortunately we encountered a segmentation fault when trying to use Airprobe with sample data provided by the software's homepage. This error seems to be related to a problem using the Python GTK interface. Up until now there has been no reaction to a post on the mailing list or to a new error report on the project's homepage.

7. DISCUSSION

As the tests with the hardware were more complex than anticipated, and the extensive software problems in particular were unexpected, this part focuses more on the recent developments in the related work and on the theoretical attacks and weaknesses of the GSM security architecture and algorithms. Having given this overview of how GSM security works and what the current state of the art is, and having described possible attack scenarios, we now explicitly answer the research questions.

What is the current state of the safety of the GSM algorithms?

The answer to this question has to be divided into two parts, as there is a difference between active and passive attacks. For passive attacks A5/3 is still safe and the rest of the algorithms are broken. Using active attacks it is even possible to break A5/3, as can be seen in the section on attacks on GSM communication.

How much effort does it take to break current GSM security (and to listen to a phone call or intercept an SMS, for example)?
Once the attacker manages to really set up the hardware and software in a working manner, the effort is negligible, as can be seen by the demonstration of Karsten Nohl and Sylvain Munaut during the 27C3. As both the call and the SMS use the same encryption algorithm, there is not really a difference in the security of both.

Is it possible to decrypt a phone call with the current commodity hardware and available (open source) software?

This is possible as well, as all the software mentioned in this paper is open source software (Airprobe, GNU Radio, OsmocomBB, etc.). And it even works on commodity hardware, because Sylvain Munaut and Karsten Nohl just used a normal laptop to decrypt their call, so the attacker does not even need a fast PC.

If so, is the decryption taking place in real-time or something close to it, or does it take several minutes or even hours?

This has to be split into two parts again. The A5/1 decryption using Karsten Nohl's rainbow tables is pretty close to real-time, because it can calculate the key during or shortly after the call. The attack on A5/3 using a fake base station takes longer, because after the initial call is completed, the mobile device first needs to connect to the fake base station to do the authentication procedure using the same RAND but the weaker A5/1 algorithm.

Is UMTS equally vulnerable or are the security features and algorithms used better?

The UMTS security is better as it has a longer authentication key, but more importantly UMTS uses mutual authentication: the network identifies itself to the mobile user, which does not happen in GSM, and the user authenticates himself to the network. A problem, however, is that the user does not have a guaranteed UMTS connection, and there are not many mobile phones which let the user choose to connect only to UMTS networks. An attacker using a fake base station can also convince the mobile phone that his signal is stronger, which will eventually result in the phone connecting to that fake station. If this fake base station then decides not to use UMTS, but to use GSM instead, most mobile phones will switch to GSM and thus be vulnerable again.
The same thing happens if there are just legitimate GSM and UMTS base stations in the vicinity and the GSM signal is stronger than the UMTS signal: in that case the mobile phone will switch to GSM even without the need of a fake base station.

7.1 Possible security enhancements

- A more regular change of the session key, which gives the attacker less known data.
- Randomization of control message padding, which significantly reduces the known text in these messages. According to [14], this was already specified in 2008 and should thus be implemented with high priority.
- Switching to UMTS so that the network has to authenticate itself, or updating GSM in such a way that it can authenticate itself. Neither is very likely, because both are expensive and time consuming.
- Regular changes of the TMSI, such that it is harder to follow a specific mobile phone's communication.
- On modern mobile phones, the user could install software to additionally encrypt his calls, but this requires both sides of the call to use that additional encryption software.
- A system to easily upgrade the encryption algorithm and other security features would also be nice to have.

8. CONCLUSION

All in all one can say that the current security systems of GSM are flawed and need to be changed. It can be seen that the GSMA itself knows about a lot, if not all, of the problems, but the organization is slow to adapt to the problems at hand, which becomes obvious by the fact that it took them 7 years to test A5/3, close to 12 years to address COMP128 problems etc. In its current state GSM should be treated as an insecure channel, comparable to today's internet. One should therefore be careful about which data is sent via GSM, which should not be sent at all, and which should be sent only with additional security measures.

9. REFERENCES

[1] 3GPP. Specification of the A5/3 Encryption Algorithms for GSM and ECSD, and the GEA3 Encryption Algorithm for GPRS. Website of the GSMA, 2002. http://www.gsmworld.com/documents/ design evaluation report.pdf.
[2] 3GPP. Withdrawal of a5/2 from handsets deadline. Website of 3GPP, 9 2006. http://www.3gpp.org/ftp/tsg sa/ wg3 security/tsgs3 45 Ashburn/Docs/S3-060751.zip.
[3] 3GPP. Final meeting report for 3gpp wg sa3 meeting: 54. Website of 3GPP, 2009. http://www.3gpp.org/ftp/tsg sa/w G3 Security/ TSGS3 54 Florence/Report/ SA354 final meeting report v002.doc.
[4] 3GPP. FINAL Meeting Report for TSG SA WG3 meeting: 57. Website of 3GPP, 11 2009. http://www.3gpp.org/ftp/tsg sa/w G3 Security/ T SGS3 57 Dublin/Report/F INALMeetingReport SA3 57.zip.
[5] Alex Biryukov, Adi Shamir and David Wagner. Real Time Cryptanalysis of A5/1 on a PC. Fast Software Encryption Workshop, 2000.
[6] Chris Paget. Practical Cellphone Spying. In Defcon 18, 2010.
[7] Elad Barkan, Eli Biham, Nathan Keller. Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication. 2003. http://cryptome.org/gsm-crack-bbk.pdf.
[8] Elena Balan. 2.5 Billion GSM Global Subscribers. Website, 06 2007. http://news.softpedia.com/news/2-5-Billion-GSM-Global-Subscribers-56848.shtml, visited 24.09.10.
[9] emory.edu. History and Timeline of GSM. Website of emory.edu, ?. http://www.emory.edu/business/ et/p98/gsm/history.html, visited on 24.09.10.
[10] GSMA. GSM mobile phone technology adds another billion connections in just 30 months. Website of the GSMA, 06 2006. http://www.gsmworld.com/newsroom/pressreleases/2047.htm, visited on 25.09.10.
[11] Karsten Nohl. Attacking phone privacy. In BlackHat, 2010.
[12] Levent Ertaul, Basar Kasim. GSM Security. In Proceedings of the 2005 International Conference on Wireless Networks, June 2005. via http://www.mcs.csueastbay.edu/ lertaul/icw3016.pdf.
[13] Orr Dunkelman, Nathan Keller and Adi Shamir. A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony. Cryptology ePrint Archive, Report 2010/013, 2010. http://eprint.iacr.org/ part of CRYPTO2010.
[14] Sylvain Munaut, Karsten Nohl. Wideband gsm sniffing. 2010. https://events.ccc.de/congress/2010/ Fahrplan/attachments/1783 101228.27C3.GSM- Sniffing.Nohl Munaut.pdf.
[15] Ulrike Meyer, Susanne Wetzel. A man-in-the-middle Attack on UMTS. ACM Workshop on Wireless Security, 2004.

APPENDIX

A. GLOSSARY

A5/0,1,2,3: the encryption algorithms used for GSM communication
MS: Mobile Station, the Mobile Station consists of the mobile equipment (subsequently called mobile device or mobile phone) and the SIM-card
BSS: Base Station Subsystem, responsible for handling traffic between the mobile device and the network switching subsystem
IMSI: International Mobile Subscriber Identity used to uniquely identify a user
TMSI: temporary identification used instead of IMSI for privacy reasons
SIM: The Subscriber Identity Module contains a unique key, a microprocessor and an IMSI to generate the temporary keys used in GSM and to authenticate the user to the network.
AuC: stores all the keys of the provider
rainbow-tables: a precomputed lookup table offering a time-memory tradeoff used (in this case) to recover the session key
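
Section 7.1 lists randomization of control message padding as a way to reduce the known text in control messages. The following Python sketch is an added example, not code from the paper: it models that effect by counting how many bits of a repeated short message stay predictable with fixed fill versus random fill. It assumes the 23-octet signalling frame and the 0x2B fill octet GSM uses for unused octets; the 3-octet message is constructed, the function names are hypothetical, and the model is simplified rather than a reproduction of the specification's fill rules.

```python
import os
from typing import Sequence, Tuple

FRAME_LEN = 23     # octets in one signalling frame (184 bits)
FILL_OCTET = 0x2B  # fixed fill value for unused octets

# Constructed 3-octet message standing in for a short control message that
# is sent often; these bytes are sample data, not captured traffic.
SAMPLE_MESSAGE = bytes([0x06, 0x3F, 0x00])


def build_frame(message: bytes, randomize: bool) -> bytes:
    """Pad a message to a full frame with fixed or random fill octets."""
    if len(message) > FRAME_LEN:
        raise ValueError("message does not fit into one frame")
    pad_len = FRAME_LEN - len(message)
    if randomize:
        fill = os.urandom(pad_len)            # unpredictable padding
    else:
        fill = bytes([FILL_OCTET]) * pad_len  # identical in every frame
    return message + fill


def known_plaintext_bits(frames: Sequence[bytes]) -> int:
    """Bits at positions whose value is identical in every observed frame.

    An observer who has seen one such frame in the clear can predict these
    bits in every later frame of the same type, even when it is encrypted.
    """
    constant = sum(1 for column in zip(*frames) if len(set(column)) == 1)
    return 8 * constant


def compare(n_frames: int = 16) -> Tuple[int, int]:
    """Return (predictable bits with fixed fill, with random fill)."""
    fixed = [build_frame(SAMPLE_MESSAGE, False) for _ in range(n_frames)]
    randomized = [build_frame(SAMPLE_MESSAGE, True) for _ in range(n_frames)]
    return known_plaintext_bits(fixed), known_plaintext_bits(randomized)


if __name__ == "__main__":
    fixed_bits, random_bits = compare()
    print(f"fixed fill:  {fixed_bits} of {FRAME_LEN * 8} bits predictable")
    print(f"random fill: {random_bits} of {FRAME_LEN * 8} bits predictable")
```

With fixed fill the whole frame is predictable; with random fill only the message octets themselves remain known, which is the reduction in known text the enhancement aims for.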