This story appeared in Hack Watch News - this is a local copy of the article.
For more information about Hack Watch News see details at http://www.hackwatch.com/~kooltek


GSM SIM Emulator Released

Dateline: 0300 Hrs 25 April 1998

Hamburg Computer Chaos Club announced that they had posted the source code and executable for a GSM SIM card emulator. The emulator (gsm_emu) runs on DOS with a SEASON-type interface. The SEASON interface is the most common interface in the world for hobbyist satellite television piracy.

Though the file released contains the source and the executable, it does not include any GSM SIM ID (IMSI) or Ki. It is possible to emulate a GSM SIM with this software provided you have the IMSI and Ki from a legitimate card. The Ki can be extracted from SIMs that use the standard A3/A8 algorithms, using software that is available on the internet. The extraction procedure takes eight to sixteen hours and requires physical access to the card. Over-the-air attacks, though not ruled out, may not be possible using this approach, as the card is challenged roughly six times a second over the eight-hour period.
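As an added illustration (not part of the original article), the Python model below turns the article's figures (six challenges a second for eight to sixteen hours) into the number of RANDs a card would have to answer, and shows a hypothetical SIM-side guard, a lifetime authentication counter plus a rate check, that would cut such a run off long before it completes. The thresholds are constructed assumptions, not values from any real card or operator.

```python
"""Challenge budget implied by the article's figures, plus a hypothetical SIM-side guard."""
from dataclasses import dataclass, field
from typing import List, Tuple

CHALLENGES_PER_SECOND = 6           # rate quoted in the article
ATTACK_HOURS_MIN, ATTACK_HOURS_MAX = 8, 16   # duration quoted in the article


def challenges_needed(hours: float, rate: float = CHALLENGES_PER_SECOND) -> int:
    """Number of RAND challenges a card answers in `hours` at `rate` per second."""
    return int(hours * 3600 * rate)


@dataclass
class SimChallengeGuard:
    """Hypothetical SIM-side guard (illustration only, not any real card's logic):
    a lifetime authentication counter and a sliding-window rate check."""
    lifetime_budget: int = 65535      # constructed: a 16-bit usage counter
    window_seconds: float = 60.0
    max_per_window: int = 30          # constructed: well above normal network use
    total: int = 0
    recent: List[float] = field(default_factory=list)

    def accept(self, now: float) -> bool:
        """Return True if the card should answer a RAND arriving at time `now` (seconds)."""
        self.total += 1
        if self.total > self.lifetime_budget:
            return False              # counter exhausted: card stops answering for good
        # Refused attempts still count as load, so they stay in the window.
        self.recent = [t for t in self.recent if now - t < self.window_seconds]
        self.recent.append(now)
        return len(self.recent) <= self.max_per_window


def simulate(rate: float, seconds: float, guard: SimChallengeGuard) -> Tuple[int, int]:
    """Feed challenges at `rate` per second for `seconds`; return (answered, refused)."""
    answered = refused = 0
    for i in range(int(rate * seconds)):
        if guard.accept(i / rate):
            answered += 1
        else:
            refused += 1
    return answered, refused


if __name__ == "__main__":
    print("RANDs needed:", challenges_needed(ATTACK_HOURS_MIN), "to", challenges_needed(ATTACK_HOURS_MAX))
    print("6/s for 10 minutes against the guard:", simulate(6, 600, SimChallengeGuard()))
    print("one auth every 2 minutes for a day:", simulate(1 / 120, 86400, SimChallengeGuard()))
```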

Some GSM operators have already declared their intent to change from this now compromised set of algorithms. Others have stated that they had not used the algorithms in the form presented and that they had opted for more secure and carefully vetted algorithms. It is believed that Vodafone, one of the leading UK GSM operators, is using 3DES, and a page has been set up that lists the various operators who are known not to be using the compromised versions.

The GSM MoU Association, based strangely in Dublin, came out with the usual tripe that the afflicted seem to exude when their unbreakable systems are compromised.

A press release from the GSM MoU Association on 15-04-98 referred to the "recent, unsubstantiated, reports". Well, the reports turned out to be true, and it looks like the GSM MoU supplied their members with duff code. No amount of blustering is going to remove the fact that A3/A8 has been compromised. Only a replacement of the algorithms and the associated hardware will do that.

According to the chairman of their security group, Charles Brookson, "Our customers can be assured that GSM remains a secure technology with standards of security greater than any other mobile public network." Now this sounds exactly like the rubbish that BSkyB, News Datacom and DirecTV came out with when their systems were compromised. The security of GSM has been weakened in the interests of the Intelligence Community. The compromise of these algorithms is only the cracks in the dam. The floodburst will occur if A5 is shown to be as compromisable. Perhaps A5 may be more secure and a simple magic keyword does not exist. One thing is clear - GSM is not secure!