US 'crack' could leave Optus and Telstra GSM mobile networks open to fraud
The 'cracking' team of David Wagner and Ian Goldberg, researchers from the Internet Security, Applications, Authentication and Cryptography (ISAAC) group at Berkeley, were able to verify the COMP128 cryptographic algorithm that the SDA had pieced together. According to a press release issued by the SDA in San Francisco on Monday 13 April 1998, Wagner and Goldberg created a system to repeatedly ask the SIM to identify itself; by processing the responses they were able to extract "the secret from inside the SIM."
The COMP128 algorithm is an instantiation of A3/A8 and each SIM contains this algorithm, an identity number and an authentication key. The authentication algorithm, A3, protects identity, while A8 is the ciphering key-generating algorithm. A5, the ciphering algorithm, is a third algorithm that resides in the phone and needs only be known by phone manufacturers and base station manufacturers. A key randomly generated from A5, and the identifying information on the SIM ensures over the air privacy of communications.
While the GSM standard allows for and encourages members to install their own security infrastructure, it appears that COMP128 is widely used worldwide.
"We know that Telstra and Optus have been confirmed to use COMP128," claimed Marc Briceno (firstname.lastname@example.org), Director of the Smartcard Developer Association. Telstra has over 1.5 million and Optus over a million GSM subscribers.
Telstra would not confirm or deny if the crack left the Telstra GSM network exposed to SIM card cloning, or if the company used the COMP128 algorithm. "Our security arrangements are confidential," a spokesperson said.
"We have a number of security mechanisms to detect and prevent fraudulent activity on our network," the spokesperson added. "We have stringent procedures around our SIM card management, and customers are always urged to report the loss or theft of their SIM card or mobile phone."
An Optus spokesperson confirmed the company uses the COMP128 algorithm as part of the "standard set by the GSM MoU Association".
"Optus views security of the network very seriously and has systems in place to best protect our network and customers. We recognise there is a very small possibility of a SIM card being cloned, yet every Optus SIM card has data stored on the card which is very difficult, if not impossible, to duplicate."
Vodafone Australia's Technical Director Jonathan Withers confirmed the GSM provider does not use COMP128, but instead relies on a private algorithm. When asked by LAN if the network would have been left exposed had they used COMP128, Withers replied: "It's a case of degree of exposure. The answer is no, but it [security] would not have been as tight as we are. Considerable effort has been made to crack this." Vodafone has over 500 000 GSM subscribers.
According to Briceno, however, just because Vodafone's algorithm is secret does not necessarily mean the network is more secure. It depends on the algorithm used and the implementation.
Need to know
COMP128 is distributed to developers on a need-to-know basis. The SDA claims the secret design of cryptography, as used for the GSM algorithm, '... will invariably lead to an insecure system."
Chris Maltby, Technical Director for Australian software development and computer security consultancy, Softway, agrees on open scrutiny to ensure the resilience of algorithms, saying that the best way to gain assurance is to have it out in the public domain.
"Unless you have it out in the public domain and subject to crypt analysis, you don't have public confidence," agreed Simon Lang, Technical Director for information security provider Zergo Asia Pacific.
Fallout over the crack has already started to occur. George Schmidt, the Vice President of Omnipoint, an eastern US-based digital mobile phone provider operating in New York, New England and Pennsylvania, was reported in the Los Angeles Times last Wednesday claiming the company was going to "personalise OmniPoint's formula". In the same report, US Cellular Telephone Industry Association spokesman Tim Ayers claimed that he "... expects most GSM operators to follow Omnipoint's lead".
The GSM MoU (Memorandum of Understanding) Association said in a media release on April 15 that they do not see a significant breach of security -- as the SIM card must be in the possession of the hacker for a "long process of trial and error". The ISAAC group claim the entire attack can be achieved in less than eight hours.
Charles Brookson, chairman of the GSM MoU Association's Security Group, argued furthermore that "... the GSM algorithm the students are claiming to have broken is the example provided to our members for them to create their own individual version". "Our customers can be assured that GSM remains a secure technology with standards greater than any other mobile public network," he said.
Remedies to the networks could include replacing SIMs in mobile phones and network software. According to a report from ISAAC and SDA: "With 80 million users [worldwide], fixing a flaw in such a widely-fielded system is likely to be quite costly."
Smartcard Developer Association ©
Australian Consolidated Press 1998. All rights reserved.
GSM MoU Association
The European Telecommunications Standards Institute
GSM Security and Encryption
Smartcard Developer Association
© Australian Consolidated Press 1998. All rights reserved.