Cloning Phones



Smartcard Developer Association Clones Digital GSM Cellphones

San Francisco, Monday, 13 April 1998. The Smartcard Developer
Association (SDA) and two U.C. Berkeley researchers jointly announced
today that digital GSM cellphones are susceptible to cloning, contrary
to the belief of even the telecommunication providers that have
fielded them. GSM (Groupe Spéciale Mobile) is the most widely used
cellphone standard in the world, with more than 79 million GSM phones
in use worldwide. In contrast, there are about 58 million U.S.
cellphone users of all kinds, both analog and digital, including some
GSM.

The SDA became involved with GSM security because GSM phones have a
small smartcard inside them which holds the identity of the cellphone.
This small smartcard is called a SIM, for Subscriber Identification
Module. The SIM must keep the identity inside a secret and uses
cryptography to protect it. The SDA has organized and coordinated the
activities leading to a breach in the cryptographic protection. The
breach allows the extraction of the secret inside the SIM, after which
the secret may be inserted into a different SIM. A cellphone with the
new SIM has the same identity as the original phone.

The GSM standard was designed by an association of European cellular
network operators and equipment manufacturers. The cryptographic
protection is but a small part of the 130 volumes and over 6,000 pages
which make up the GSM standard. Unfortunately, the cryptography was
designed in secret and is still kept secret, provided to individuals
at smartcard and cellphone manufacturers on a ``need-to-know'' basis.

``As shown so many times in the past, a design process conducted in
secret and without public review will invariably lead to an insecure
system,'' says Marc Briceno, Director of the SDA. ``Here we have yet
another example of how security by obscurity is no security at all.''

The breach began when the SDA obtained the cryptographic algorithms
used inside SIMs and cellphones. The SDA first verified that the
algorithms were genuine: their exact details had never been made
public, but the algorithms matched the facts that were publicly
known. Next the SDA brought in
David Wagner and Ian Goldberg, researchers in the Internet Security,
Applications, Authentication and Cryptography (ISAAC) group at the
University of California, Berkeley. Within a day, Wagner and Goldberg
had found a fatal cryptographic flaw in COMP128, the algorithm used to
protect the identity inside the SIM. They created a system to exploit
the flaw by repeatedly asking the SIM to identify itself; by
processing the responses they were able to extract the secret from
inside the SIM.

``There's no way that we would have been able to break the
cryptography so quickly if the design had been subjected to public
scrutiny,'' says David Wagner. ``Nobody is that much better than the
rest of the cryptography research community.'' David Wagner was
previously known for his work on the breach of CMEA, a cipher used in
digital cellphones. As in this case, the cryptographers who did the
work on CMEA blamed the design process for the insecurity of the
system.

Serious Implications, Possible Remedies

Almost all GSM network operators are vulnerable to the new breach.
There are replacements for COMP128 permitted in the GSM system, but so
far the SDA has not found a network which does not use COMP128. The
SDA is currently in the process of determining which cellular networks
are vulnerable. Nor are U.S. companies immune. Many U.S. networks use
GSM standards in their offerings of digital PCS service, Pacific Bell
among them. Indeed, it was a SIM signed up to the Pacific Bell PCS
service that the ISAAC group successfully attacked.

One of the main advantages touted for the new digital services is that
the phones cannot be cloned. A billboard advertisement by Pacific Bell
well known in the San Francisco area portrays a sheep, presumably a
cloned sheep, and a claim that the digital cellphone is different.
Cloned phones are widely used in criminal ``call-sell'' operations,
which sell international and long distance service from cloned
telephones.

The fraud potential is exacerbated by a blind reliance of equipment
engineers on the belief that the cryptography would never be broken.
``Much switching equipment never checks to see if two telephones with
the same identity are on-line at the same time,'' says Yobie Benjamin,
Chief Knowledge Officer at Cambridge Technology Partners.
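The check that Benjamin says much switching equipment omits is, in its simplest form, a correlation of concurrent activity per subscriber identity. The following is an added example, not code from the press release or from the SDA or ISAAC group: it scans constructed call records and flags an IMSI that starts a call while one of its calls is still in progress, something a single handset cannot do. The record format, field names and sample values are assumptions made for this illustration.

```python
"""Flag one subscriber identity carrying two calls at once.

Added example, not part of the SDA press release: a cloned SIM has the same
identity (IMSI) as the original, so a switch that never correlates
simultaneous activity per identity cannot notice the clone. This scans
constructed call records and reports an IMSI that starts a call while one of
its calls is already in progress. The record format, field names and sample
values are all assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime


# Constructed sample records: "<ISO timestamp> <IMSI> <cell> <call id> <start|end>"
SAMPLE_LOG = """\
1998-04-13T09:00:00 262011234567890 cell-0101 c1 start
1998-04-13T09:05:00 262019876543210 cell-0102 c2 start
1998-04-13T09:07:00 262011234567890 cell-0450 c3 start
1998-04-13T09:30:00 262019876543210 cell-0102 c2 end
1998-04-13T09:40:00 262011234567890 cell-0101 c1 end
1998-04-13T09:45:00 262011234567890 cell-0450 c3 end
1998-04-13T12:00:00 262011234567890 cell-0102 c4 start
1998-04-13T12:10:00 262011234567890 cell-0102 c4 end
"""


def parse_records(text):
    """Parse log lines into (timestamp, imsi, cell, call_id, event) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, imsi, cell, call_id, event = line.split()
        records.append((datetime.fromisoformat(ts), imsi, cell, call_id, event))
    return records


def find_concurrent_calls(records):
    """Return one alert per call that starts while the same IMSI already has a call open.

    Each alert names the IMSI, the call that was already in progress (id, cell,
    start time), the new call (id, cell) and the time the overlap was seen.
    """
    open_calls = defaultdict(dict)  # imsi -> {call_id: (cell, start_time)}
    alerts = []
    for ts, imsi, cell, call_id, event in sorted(records):
        if event == "start":
            for other_id, (other_cell, since) in open_calls[imsi].items():
                alerts.append({
                    "imsi": imsi,
                    "existing_call": other_id,
                    "existing_cell": other_cell,
                    "existing_since": since,
                    "new_call": call_id,
                    "new_cell": cell,
                    "observed_at": ts,
                })
            open_calls[imsi][call_id] = (cell, ts)
        elif event == "end":
            open_calls[imsi].pop(call_id, None)
    return alerts


def suspected_clones(records):
    """Set of IMSIs that appear in at least one concurrency alert."""
    return {alert["imsi"] for alert in find_concurrent_calls(records)}


if __name__ == "__main__":
    for alert in find_concurrent_calls(parse_records(SAMPLE_LOG)):
        print(f"{alert['observed_at']} IMSI {alert['imsi']}: call {alert['new_call']} "
              f"in {alert['new_cell']} started while call {alert['existing_call']} "
              f"in {alert['existing_cell']} was still up")
```

On the constructed sample the only alert is for IMSI 262011234567890, whose second call in cell-0450 begins while its call in cell-0101 is still up; the later call at 12:00 is not flagged because nothing else was open. A real deployment would key on whatever the switch logs as the call identifier, and would treat an overlap as a signal to investigate rather than as proof, since an incomplete "end" record produces the same pattern.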

The SDA points out that the breach may be correctable, but this cannot
be known for certain at the current time. ``We anticipate that this is
but the first in a family of related vulnerabilities,'' says Goldberg
of the ISAAC group. Remedies cannot be adequately designed until more
is known about the potential for other weaknesses. The SDA cautions
that no practical over-the-air attack is known yet but that one should
not be ruled out. Unlike the current breach, which requires physical
possession of a SIM, an over-the-air attack would extract secrets from
SIMs nestled inside their phones, without the cooperation of the
owner.

Any fix of the system is certain to be expensive. ``At the least, all
the SIMs would have to be reissued. A software upgrade for all the
authentication centers shouldn't be ruled out,'' says Bob Keyes, a
consultant with Enterprise Security Services at Cambridge Technology
Partners. Changes to each component would not be particularly large,
but the changes in total would be extensive, affecting many different
pieces of the system.

Indications of Government Interference

A secret design process is always fraught with peril, but the
situation worsens when government agencies meddle. One of the
discoveries that the SDA made about GSM security was a deliberate
weakening of the confidentiality cipher used to keep eavesdroppers
from listening to a conversation. This cipher, called A5, has a 64-bit
key, of which only 54 bits are used. The other ten bits are simply
replaced with zeros. ``The only party who has an interest in weakening
voice privacy is a national surveillance agency,'' says Briceno.
``Consumers want privacy, and the manufacturers and network operators
incur no cost whatsoever by using a full-size key.''
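A weakening of the kind described above, ten bits of a 64-bit key fixed to zero, can be measured empirically by anyone holding a batch of session keys: a bit position that is zero in every key contributes nothing to the search space. The following is an added example and not code from the press release or from any GSM implementation; its sample keys are constructed (random 54-bit values padded with ten zero bits), and the choice of which ten positions are zeroed is an assumption of the example, not a statement about A5.

```python
"""Measure how many bits of a session key actually vary.

Added example, not part of the SDA press release: the release states that A5
is given a 64-bit key of which only 54 bits are used, the remaining ten being
replaced with zeros. An operator holding a batch of its own session keys (Kc)
can detect such a weakening empirically, because a bit position that is zero
in every key contributes nothing to the search space. The sample keys are
constructed here (random 54-bit values padded with ten zero bits); which ten
positions are zeroed is an assumption of this example, not a claim about GSM.
"""
import random

KEY_BITS = 64          # nominal A5 key length stated in the release
ZEROED_BITS = 10       # bits the release says are replaced with zeros


def make_sample_keys(count, zeroed=ZEROED_BITS, seed=1998):
    """Constructed Kc values: random (64 - zeroed)-bit numbers with `zeroed` low bits cleared."""
    rng = random.Random(seed)  # deterministic so the example is reproducible
    keys = []
    for _ in range(count):
        value = rng.getrandbits(KEY_BITS - zeroed) << zeroed
        keys.append(value.to_bytes(KEY_BITS // 8, "big"))
    return keys


def constant_zero_bits(keys, min_samples=64):
    """Bit positions (0 = least significant) that are zero in every key.

    With too few keys, some bits are zero in all of them by chance (each
    unconstrained bit is all-zero across n keys with probability 2**-n), so
    the check refuses to judge a batch smaller than `min_samples`.
    """
    if len(keys) < min_samples:
        raise ValueError(f"need at least {min_samples} keys, got {len(keys)}")
    union = 0
    for key in keys:
        union |= int.from_bytes(key, "big")
    return {i for i in range(KEY_BITS) if not (union >> i) & 1}


def effective_key_bits(keys):
    """Number of key bits that carry entropy in this batch."""
    return KEY_BITS - len(constant_zero_bits(keys))


def search_space_reduction(keys):
    """Factor by which exhaustive key search shrinks relative to a full 64-bit key."""
    return 2 ** (KEY_BITS - effective_key_bits(keys))


if __name__ == "__main__":
    weakened = make_sample_keys(1000)
    print("constant-zero positions:", sorted(constant_zero_bits(weakened)))
    print("effective key bits:", effective_key_bits(weakened))
    print("brute-force work reduced by a factor of", search_space_reduction(weakened))
```

Run against the weakened batch the check reports 54 effective bits and a 1024-fold (2^10) shrinkage of exhaustive search, which is exactly what the release's description implies; run against keys with all 64 bits random it reports 64 and a factor of 1. The minimum-sample guard matters in practice: judged from a handful of keys, a full-strength generator would look weakened too.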

The U.S. systems may well suffer the same fate. The National Security
Agency is known to have pressured the analogous U.S. standards body to
weaken voice privacy. ``The U.S. systems aren't much better,'' says
Phil Karn, an engineer with Qualcomm, a maker of digital CDMA
cellphones. Karn has had experience in the standardization process.
``Unless consumers demand better, the situation is unlikely to
change,'' he says.

The lessons for electronic commerce are clear. Only standards created
in an open environment and subject to public comment are acceptable.
Any other process has always led to losses for service providers and
consumers alike. ``Every part of a system design requires a publicly
accepted justification, without exception,'' says Eric Hughes, Chief
Designer at SigNet Assurance, a company building electronic commerce
infrastructure. So far the signs are encouraging. Standards such as
SET, even though developed in private, are nevertheless available for
public review. Companies evaluating systems need to look closely at
the design process of their security components. Top management should
verify these claims before final procurement. Hughes says, ``I fear
that unless we have a culture where anything but open security
analysis is ridiculous, we will have some spectacular and unnecessary
electronic commerce catastrophes.''

Press Contacts

Smartcard Developer Association

Marc Briceno
Voice: +1 925-798-4042
Email: marc@scard.org

ISAAC Research Group

David Wagner and Ian Goldberg
Voice: +1 510-643-9435
Email: daw@cs.berkeley.edu, iang@cs.berkeley.edu
See: http://www.scard.org/press/19980413-01/

Last Update was 19 April 1998