Tag Archive for 'gsm'

Nov 19

SFR 3G femtocell privacy ?

in Confidentiality, In Internet and Technology. Comments Printable version Printable version

Recently Frank Esser the CIO of SFR one of the major french ISP/cellphones operator has announce that they wish to deploy 3G femtocell in their user home. A 3G femtocell is a small 3G antenna designed to improve the coverage of the 3G network  on a local site.

If someone is ready to introduce a 3G antenna at home, despite the health risk, why not. My concern is more about the uses of such antenna. SFR says that they wish to use it as a relay for all their customers in exchange of the subscription reduction. Giving up the control of GSM/3G antenna is  a huge risk, since the antenna is linked to the Internet router by an ethernet cable their is no way to prevent the owner of the antenna to snoop customer traffic.

You might argue that this is not a problem because the GSM protocol is secure… Well no, it is NOT secure. We know since 1999 that the GSM A5 encryption scheme is broken, and that any communication can be decypted in real time (You might wish to read the Shamir paper on the subject). Here it is even worst, because the attacker will be able not only to decrypt but even alter the communication because he is between the antenna and the SFR network.

Hence unless there is a strong mutual authentification between the SFR network and the antenna, then it will be a real nightmare. There is simply no way to choose which relay you use from your cellphone…  For instance you go to visit your customer to make a deal, somewhere in the midle of the negotiation you decide to call your office to decide what to do. Unfortunalty for you, you use your customer femtocell as a relay: your conversation with your boss is snooped in realtime by your customer which of course will tampers with the issue of the negotiation.

Feb 04

Does Sim Card Still Clonable ?

in Analysis and production, Hardware, Security and side-channel. Comment Printable version Printable version

It has been ten years since the first attack used to clone sim, and five year since the discolure of the last attack in the paper “Partitioning Attacks: Or how to rapidly clone some GSM cards” by J.R. Rao and Al. So in 2008 does sim cloning still possible ?

SIM Cloning the basic

To clone a SIM card you need various information easily dumpable from the SIM and a secret key stored inside a none readable part of the smart card. People often refers to it as KI.  Knowing this key and public data is sufficient to make calls, sms and receive call. The tamper-resistant smartcard is supposed to protect the key from disclosure. To be more precise the KI is used for the initialization of the A3 and A8 GSM algorithms. Theses algorithms are used to “prove” the knowledge of the key to the service provider, thus authorizing a call. They are also used to setup the “privacy” of the call but that is a different story.

The known attack

The vulnerable instantiation of the A3/A8 is called COMP128. In 1998 the ISAAC reseach group from Berkeley shows that using collisions it was possible to guess the KI in few hours. The speed of the attack was improved and the last attack known to recovers the KI is the paper cited in the introduction.

Many softwares implement this attack to extract the KI. For instance simscan can be used to extract KI used in the comp128v1

simscan

Attack Response

To prevents the extraction of the KI with the collision method the algorithm was upgraded to the COMP128V2 version. It appears that since 2003 most of providers have switched to it.

It is not currently possible to extract the comp128v2 KI. Although some sites claim to have sim analyzer based on side channels analysis. I doubt that these readers ars real, they are more likely scam. Even if side channel analysis such as power consumption have been proved efficient in hardware attack making a device that use it automatically is hard to believe (at least for civilians). User posts on forum tends to be consistent with the fact that they are fake.

esrcomplect

As additionnal protection, there is a hard limit implemented in SIM. After 65xxx authentification the sim is burned. That ensure that no brute force attack can be made. It also probably explains why sim card stop working after a couple of years.

The 3G card

3G card are refered as USIM (Universal Subscriber Identity Module). They use a new authentification algorithm based on AES. If there is a doubt about the possibility of extracting the KI from a COMP128V2, there is none about the USIM algorithm. This is a public algorithm so it has been reviewed by the scientific communauty and so far It assumed as solid.

Conclusion

I have tried the Ki extraction on a quite recent SIM card. It appears that in France providers are at least used comp128v2 and that new card are USIM. So as far as I know cloning SIM is a dying field. In few years there will be only comp128v2 and USIM around unless a new vulnerability is found. Note that not be able to clone a SIM does not mean that your conversation are not eavesdropped. Privacy is ensured by the A5 algorithm and this one is broken…