Global system for mobile communications (GSM) and general packet radio service (GPRS) use encryption and security protocols to protect the privacy and integrity of the data they transmit. In this paper, new methods for attacking this encryption and security are presented. The described attacks are easy to apply, and do not require knowledge of the conversation. Moreover, they can even break into GSM networks that use “unbreakable” ciphers.
The paper is organized into ten sections. In Section 2, a short description of the A5/2 encryption algorithm is given, along with a description of the way it is used.
After a detailed description of the Goldberg, Wagner, and Green (GWG) known-plaintext attack, Section 3 presents a known-plaintext attack on A5/2, an improved variant of the GWG attack. Namely, given a keystream divided into frames and the respective frame numbers, the attack recovers the session key. The last subsection is dedicated to an optimized implementation of this attack. It uses precomputed tables stored in computer memory, and requires slightly more data than the previous attack. Here, however, the 64-bit session key is found in a few milliseconds of central processing unit (CPU) time. This attack is improved in Section 4 to a ciphertext-only attack on A5/2. This improved method supports enhancing the GWG known-plaintext attack and the Petrović and Fúster-Sabater attack (see http://eprint.iacr.org) to a ciphertext-only attack.
Section 5 discusses the problem of withstanding errors in reception. After a short introduction on how radio reception errors can be corrected, a method to apply the optimized attack in the presence of erasures is developed.
A passive ciphertext-only attack on A5/1 is described in Section 6, as a generalization of the attack defined in Section 4. Both can be adapted to other ciphers, as long as the network performs error correction before encryption. Implementations of this ciphertext-only passive attack on A5/1 under various GSM channels and various parameters of the time-memory-data tradeoff are discussed and compared.
Section 7 is dedicated to several attacks based on flaws in the GSM call-establishment protocol. Through these flaws, an attacker can compromise any GSM encrypted communication based on his or her ability to break one weak cipher in the GSM family. The time complexity of these attacks is the same as that of breaking the weak cipher. After a listing of the protocol flaws used by the attacks, four types of attacks are proposed: the class-mark attack (7.1), recovering the session key of past or future conversations (7.2), the man-in-the-middle attack (7.3), and attacks on GPRS (7.4).
The implications of the attacks are discussed in Section 8 under four attack scenarios: call wiretapping, call hijacking, altering of data messages (short message service (SMS)), and call theft (dynamic cloning). Finally, several ways of identifying and isolating a specific victim are described in Section 9.
Section 10 summarizes the paper. Appendix A presents the enhancement of GWG’s attack to a ciphertext-only attack. Appendix B provides a technical background on GSM.
The authors’ opinion is that the ciphertext-only attacks presented in this paper are possible because the error-correction codes are employed before the encryption; in the case of GSM, this order reduces the security of the system. As a result of the initial publication of the attacks depicted in this paper, the GSM-association security group, together with the GSM-security working group, are working to remove the A5/2 algorithm from handsets.
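The ordering problem named above can be seen in a small added example, which is not code from the paper or from this review. It assumes a toy Hamming(7,4) code in place of GSM's real channel coding and random bits in place of cipher keystream: with coding before encryption, the parity checks of the transmitted bits equal the parity checks of the keystream whatever the plaintext is, while the reverse order exposes nothing about the keystream.

```python
import secrets

# Hamming(7,4) over GF(2), systematic form: G = [I | P], H = [P^T | I].
# Toy stand-in for the channel code (assumption); not GSM's real coding.
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
H = [[1, 1, 0, 1, 1, 0, 0],
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def encode(msg):
    """4 data bits -> 7-bit codeword (msg * G mod 2)."""
    return [sum(m & g for m, g in zip(msg, col)) % 2 for col in zip(*G)]

def syndrome(word):
    """H * word mod 2; all-zero exactly when word is a codeword."""
    return [sum(h & w for h, w in zip(row, word)) % 2 for row in H]

def code_then_encrypt(msg, ks7):
    """Order the review attributes to GSM: encode, then XOR keystream."""
    return xor(encode(msg), ks7)

def encrypt_then_code(msg, ks4):
    """Reversed order: XOR keystream first, then encode."""
    return encode(xor(msg, ks4))

def leaked_relations(on_air):
    """What a passive listener can compute from the transmitted bits alone."""
    return syndrome(on_air)

if __name__ == "__main__":
    ks7 = [secrets.randbits(1) for _ in range(7)]      # constructed keystream
    ks4 = ks7[:4]
    for msg in ([0, 0, 0, 0], [1, 0, 1, 1], [1, 1, 1, 1]):  # constructed plaintexts
        a = leaked_relations(code_then_encrypt(msg, ks7))
        b = leaked_relations(encrypt_then_code(msg, ks4))
        # a equals H*keystream whatever msg is; b is always [0, 0, 0]
        print(msg, "code->encrypt:", a, "== H*ks:", a == syndrome(ks7),
              "| encrypt->code:", b)
```

Each leaked syndrome bit is a linear equation on keystream bits obtained without any known plaintext, which is the design lesson: apply error correction after encryption, not before.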