Paik highlights in this paper several scenarios where the weaknesses of the global system for mobile communications (GSM) second-generation (2G) standard can be exploited by an adversary for malicious purposes.
Specifically, he elaborates on three categories of attacks. In a message replay attack, an attacker captures messages in transit and then replays them after a certain period of time. Paik mentions that the GSM 2G standard for encryption (A5/1) is rarely used (especially in developing countries, due to certain existing laws), and therefore the protection of messages through encryption and integrity checks is not implemented all the time. The second type of attack is spoofing, where the subscriber identity module (SIM) card of a GSM handset can be cloned, or spoofed. This is possible due to the absence of a mechanism to verify the authenticity of a SIM card in developing countries such as India, where the Information Technology (IT) Act of 2000 mandates that no encryption be used anywhere in the country. The third type of attack, denial of service (DoS), may be achieved by using a fictitious carrier for the GSM network, with all GSM handsets being associated with it, rather than the actual GSM network.
All of the above-mentioned attacks are based on the assumption that the attackers are well organized and sophisticated enough to possess the hardware and software resources needed to successfully launch the attacks. With the introduction of the GSM third-generation (3G) standard, and with possible enforcement of authentication and encryption laws in third-world countries, mobile applications deemed critical, such as mobile banking, can operate in a more secure environment.
The paper can be thought of as a wake-up call for countries that still rely heavily on the GSM 2G standard. In addition, the enforcement of encryption and authentication, particularly for sensitive applications such as banking and e-commerce, needs to be addressed through laws that can be implemented for such communication standards.