Solutions To The GSM Security Weaknesses
1. Introduction

Mobile communications have gained great acceptance in human societies. They have influenced and revolutionized different aspects of human life. With a mobile handset, anyone can be reached anywhere. At the beginning of 2007, the worldwide number of mobile users reached 2.83 billion people, of whom 2.28 billion (i.e. 80.5%) were using the Global Service for Mobile communications (GSM) [1]. The GSM system and its building blocks are depicted in Figure 1. The GSM has experienced gradual improvements that led to several versions such as GSM1800, HSCSD (High Speed Circuit Switched Data), EDGE (Enhanced Data rates for GSM Evolution), and GPRS (General Packet Radio Service). The GSM improvements continue into 3G systems such as UMTS. It is believed that the GSM has many inherent security flaws, and some of them are addressed in the upper generations such as UMTS. However, many operators, especially in the developing countries, are still using the traditional GSM network, which succumbs to several security flaws. Although GSM security is considered in some of the literature [2-4], those works did not present a complete security evaluation or even propose solutions. This paper provides a brief and complete review of the

Figure 1. GSM Architecture

2. Security Architecture of the GSM

The security architecture of GSM was originally intended to provide security services such as anonymity, authentication, and confidentiality of user data and signaling information [5]. The security goals of GSM are as follows:
• Authentication of mobile users for the network,
• Confidentiality of user data and signaling information,
• Anonymity of subscriber's identity,
• Using SIM (Subscriber Identity Module) as a security module.
†
Copyright © 2008 IEEE. Reprinted from the Proceedings of the 2nd International Conference on Next Generation Mobile Applications,
Services, and Technologies (NGMAST'08), pp.576-581, University of Glamorgan, Cardiff, UK, Sep. 2008 [DOI 10.1109/NGMAST.2008.88].
This material is posted here with permission of the IEEE. Internal or personal use of this material is permitted. However, permission to
reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution must be
obtained from the IEEE by writing to pubs-permissions@ieee.org.
‡
ResearcherID: A-9528-2009
The Mobile Station (MS) consists of the Mobile Equipment (ME) and the SIM card. The SIM is a cryptographic smart card with the GSM-specific applications loaded onto it. As a smart card, it has some inherent security functions specific to smart cards [6]. Its operating system and chip hardware have several security attributes. The SIM includes all the information necessary to access the subscriber's account. IMSI and Ki are stored on every SIM. IMSI is the International Mobile Subscriber Identity, of at most 15 digits, uniquely assigned to every mobile subscriber in the world. Ki (Individual subscriber authentication Key) is a random 128-bit number that is the root cryptographic key used for generating session keys and authenticating the mobile users to the network. Ki is strictly protected and is stored on the subscriber's SIM and in the AuC. The SIM is itself protected by an optional Personal Identification Number (PIN). Each user is requested to enter the PIN unless this feature is deactivated by the user. After a number of invalid attempts, usually 3, the SIM locks out the PIN, and the PUK (PIN UnlocK) is then requested. If the PUK is also entered incorrectly a number of times, usually 10, the SIM refuses local access to its privileged information and authentication functions, and makes itself useless.

Authentication and confidentiality of user data depend on the secrecy of IMSI and Ki. With disclosure of such numbers, anyone can impersonate a legitimate user. The A3 and A8 algorithms are also implemented on every SIM. This means that each operator can determine and change such algorithms independently of other operators and hardware manufacturers. Therefore, authentication will work when a user is roaming in other countries or on other operators' networks, since the local network will query the HLR of the home network for the results and does not need to know the A3/A8 algorithm of the home network. A3 is mainly used for authenticating users to the network, while A8 is used for generating the session encryption key Kc. The network sends a random challenge to the user so that the SIM produces Kc and SRES. After user authentication, the network can order the phone to start the encryption by using the generated session key Kc.

The cryptographic algorithms are implemented in the hardware of mobile phones. The network can choose from up to 7 different encryption algorithms (or the mode of no ciphering), but it should choose an algorithm that is implemented on the phone. A class-mark message has earlier specified the phone's capabilities to the network. Three algorithms are generally available: A5/1, A5/2, and A5/3. A5/1 and A5/2 are two stream ciphers originally defined by the GSM standards. A5/1 is stronger, but it is subject to export control and can be used by those countries that are members of CEPT. A5/2 is deliberately weakened to be deployed by the other countries. The use of such algorithms is controlled by the GSM Memorandum of Understanding (MoU). A5/3 is a block cipher based on the Kasumi algorithm that was defined by the 3GPP in 2002 and can be supported on dual-mode phones that are capable of working on both 2G and 3G systems. The GSM authentication, session key generation, and encryption processes are depicted in Figure 2.

Figure 2. GSM Authentication, Session key generation, and Ciphering

The anonymity in the GSM is provided by replacing the use of IMSI with a 32-bit Temporary Mobile Subscriber Identity (TMSI). TMSI is typically handled by the VLR, is valid in a particular Location Area (LA), and will be updated at least in every location update procedure. It is also stored on the subscriber's SIM and prevents an eavesdropper from tracking a particular subscriber.

3. Challenges to the GSM Security

The openness of wireless communications makes the communicating parties more vulnerable to security threats. Although GSM tried to make interception harder by using several techniques such as frequency hopping, real-time interception of the exchanged information is completely practical [7]. Currently, there is commercial equipment capable of simultaneously intercepting several collocated subscribers [8]. While GSM was intended to be a secure wireless system and considered user authentication and over-the-air encryption, it is completely vulnerable to several attacks, each of them targeting a part of the network. Hereunder, the most important security flaws of the GSM are briefly listed. Several practical scenarios can also be deployed to misuse such vulnerabilities; they are omitted for the sake of brevity.

1) Unilateral authentication and vulnerability to the man-in-the-middle attack: It is the network that authenticates users. The user does not authenticate
the network, so the attacker can use a false BTS with the same mobile network code as the subscriber's legitimate network to impersonate the network and perform a man-in-the-middle attack. The attacker can then perform several scenarios to modify or fabricate the exchanged data. At the design phase of the GSM protocols, this kind of attack seemed impractical due to the costly equipment required. Currently, this kind of attack is completely applicable due to the decreased costs.

2) Flaws in implementation of A3/A8 algorithms: Although the GSM architecture allows the operator to choose any algorithm for A3 and A8, many operators used COMP128 (or COMP128-1), which was secretly developed by the GSM association. The structure of COMP128 was finally discovered by reverse engineering and some revealed documentation, and many security flaws were subsequently discovered. In addition to the fact that COMP128 makes revealing Ki possible, especially when specific challenges are introduced, it deliberately sets the ten rightmost bits of Kc equal to zero, which makes the deployed cryptographic algorithms 1024 times weaker and more vulnerable, due to the decreased keyspace. Some GSM network operators tried another new algorithm for A3/A8, called COMP128-2. COMP128-2 was also secretly designed and inherited the problem of decreased keyspace. Apart from this important problem, no other problems have been reported so far. However, we can expect newly discovered vulnerabilities in the future, as it was secretly designed. An improved version of COMP128-2, called COMP128-3, has also been proposed that generates 64 bits of session key and resolves the problem of decreased keyspace.

3) SIM card cloning: Another important challenge is the derivation of the root key Ki from the subscriber's SIM. In April 1998, the Smartcard Developer Association (SDA) and the ISAAC research group found an important vulnerability in the COMP128 algorithm that helped them to extract Ki in eight hours by sending many challenges to the SIM. Subsequently, some other schemes were proposed that were based on chosen challenges and were capable of extracting Ki in less time. Ultimately, a side-channel attack, called the partitioning attack, was proposed by IBM researchers that makes an attacker capable of extracting Ki if he can access the subscriber's SIM for just one minute [9]. The attacker can then clone the SIM and use it for fraudulent purposes. The COMP128 algorithm needs large lookup tables that leak some important information via side channels when it is implemented on a small SIM.

4) Over-the-air cracking: It is feasible to misuse the vulnerability of COMP128 for extracting the Ki of the target user without any physical access to the SIM. This can be accomplished by sending several challenges over the air to the SIM and analyzing the responses. However, this approach may take several hours. The attacker can also extract the IMSI using an approach that will be explained later. After finding Ki and IMSI of the target subscriber, the attacker can clone the SIM and make and receive calls and use other services such as SMS in the name of the victim subscriber. However, the attacker will encounter a slight problem. The GSM network allows only one SIM to access the network at any given time, so if the attacker and the victim subscriber try to access it from different locations, the network will detect the existence of duplicated cards and disable the affected account.

5) Flaws in cryptographic algorithms: Both A5/1 and A5/2 algorithms were developed in secret. The output of A5/1 is the XOR of three LFSRs. An efficient attack on A5/1 that can be used for real-time cryptanalysis on a PC includes two kinds of attacks [10]: the former, which requires the first two minutes of eavesdropped encrypted conversation, is capable of extracting the ciphering key in about one second, while the latter needs just two seconds of encrypted conversation to extract the ciphering key in several minutes. A5/2 is the deliberately weakened variant of A5/1. An efficient attack on A5/2 requires less than one second of encrypted conversation to extract the ciphering key in less than one second on a PC [11].

6) Short range of protection: The encryption is only accomplished over the air path between MS and BTS. There is no protection over other parts of the network, and the information is sent in the clear over the fixed parts. This is a major exposure for the GSM, especially when the communication between BTS and BSC is performed over wireless links that have potential vulnerabilities to interception. In some countries, the encryption facility of the air interface is not activated at all. There are also security problems on the GSM backbone. The deployed Signaling System no. 7 (SS7) also has several security vulnerabilities. Messages in the current SS7 system can be modified or even fabricated into the global SS7 system in an uncontrolled manner [12]. SS7 incorporates very limited authentication procedures since it was originally designed for closed telecommunication communities. The interconnection with the Internet can also have its potential vulnerabilities. Additional vulnerabilities arise when SS7 systems are interconnected using the Internet. Remote management of the GSM backbone elements, which can be conducted by connecting them to IP networks, can also introduce additional vulnerabilities. If the
HLR and AuC are physically separated, it can be a new point of vulnerability since the authentication triplets may be obtained from the AuC by masquerading as another system entity, e.g. an HLR. Unauthorized access to HLR, AuC, and MSC will also cause several problems.

7) Lack of user visibility: The ciphering is controlled by the BTS. The user is not alerted when the ciphering mode is deactivated. A false BTS can also deactivate the ciphering mode and force the MS to send data in an unencrypted manner.

8) Leaking the user anonymity: Whenever a subscriber enters a location area for the first time or when the mapping table between the subscriber's TMSI and IMSI is lost, the network requests the subscriber to declare the IMSI in the clear. This can be misused to defeat the user's anonymity and can be accomplished by sending an IDENTITY REQUEST command from a false BTS to the MS of the target user to find the corresponding IMSI.

9) Vulnerability to the DoS attack: A single attacker is capable of disabling an entire GSM cell via a Denial of Service (DoS) attack. The attacker can send the CHANNEL REQUEST message to the BSC several times, but he/she does not complete the protocol and requests another signaling channel. Since the number of signaling channels is limited, this leads to a DoS attack. It is feasible since the call setup protocol performs the resource allocations without adequate authentication. This attack is economical since it does not incur any charge for the attacker. It can also be used in many practical situations such as terrorist attacks [13].

10) Absence of integrity protection: Although the GSM security architecture considers authentication and confidentiality, there is no provision for any integrity protection of information [2]. Therefore, the recipient cannot verify that a certain message was not tampered with.

11) Vulnerability to replay attacks: The attacker can misuse the previously exchanged messages between the subscriber and network in order to perform replay attacks.

12) Increased redundancy due to the coding preference: Forward Error Correction (FEC) is performed prior to ciphering, so there is redundancy that increases the security vulnerabilities of the deployed cryptographic algorithms.

4. Security of Transport Channels

The GSM network has some transport channels: Short Message Service (SMS), Unstructured Supplementary Service Data (USSD), Wireless Application Protocol (WAP), and the voice channel. There are also some newer services such as Enhanced Messaging Service (EMS) and Multimedia Messaging Service (MMS) that have been added in the GSM upgrades. The security flaws described in the previous section are commonly applicable to all the services and transport channels since they target all the exchanged data and signaling information. However, in addition to such common flaws, some GSM transport channels have extra problems and vulnerabilities.

SMS messaging has some extra security vulnerabilities due to its store-and-forward attribute, and the problem of fake SMS that can be conducted via the Internet. When a user is roaming, the SMS content passes through different networks and perhaps the Internet, which exposes it to various vulnerabilities and attacks. Another concern arises when an adversary gets access to the phone and reads the previous unprotected messages. USSD, which is a session-oriented technology, is also vulnerable to attacks since the messages are not encrypted and secured on the GSM backbone.

The WAP allows the ME to connect to the Internet. The WAP Gateway, which resides between the MS and the Web server in the WAP architecture and acts as an interpreter between the Internet protocols (HTTP, SSL/TLS, and UDP/TCP/IP) and the corresponding WAP protocols (WSP/WTP, WTLS, and WDP), introduces an additional security flaw in some implementations that is referred to as the WAP gap. Other concerns arise from security problems of the Internet as a huge uncontrolled network, which contradicts the assumptions of the GSM security architecture, in which the core network is assumed to be a secure and controlled environment. The web servers may also download and execute malicious applets at the client (ME), so the safety of applets and other downloaded programs is another concern.

5. Solutions to the GSM Security Flaws

The GSM specifications have evolved over time. In 2002, several efforts were made to design new cryptographic algorithms for GSM, ECSD, GPRS, and EGPRS that can be implemented on dual-mode phones. Ultimately, A5/3 for GSM and ECSD/EDGE, GEA3 for GPRS, and f8 for UMTS were proposed, all of them having a similar structure. The security mechanisms of the GPRS are similar to those of the GSM. However, instead of using the A5 algorithm, GPRS uses the GPRS Encryption Algorithm (GEA), which currently has three versions: GEA1, GEA2, and GEA3. In the GPRS, the end terminal of encryption is moved towards a deeper point in the
network, i.e. the SGSN. Although the encryption is performed at the physical layer of the GSM, it is accomplished at the Logical Link Control (LLC) layer of the GPRS. The UMTS, in addition to its newly offered applications, has scrutinized the GSM security problems and has resolved most of them. The main reason for GSM security problems was that its security was provided by obscurity, so the UMTS algorithms were openly designed. Consequently, its algorithms have not encountered serious problems. Although some theoretical attacks have been proposed, they are not practically feasible with the current technology. However, there are also some other problems related to the deployed protocols.

Regardless of security improvements in the upper generation networks, it is necessary to provide solutions to improve the security of the currently available 2G systems. Hereunder, some practical solutions are proposed for this purpose.

1) Using secure algorithms for A3/A8 implementations: This can thwart the dangerous SIM card cloning attack. This solution is profitable since the network operators can perform such an improvement themselves, without any need for the software and hardware manufacturers or the GSM consortium. However, this solution requires providing and distributing new SIM cards and modifying the software of the HLR. Currently, both COMP128-2 and COMP128-3 algorithms thwart SIM card cloning and over-the-air cracking of Ki. Since COMP128-3 enhances the effective key length of the session key by a further 10 bits, it allows the deployed cryptographic algorithm to have its nominal security. Although it is too soon to judge the real security of COMP128-2 and COMP128-3, they have apparent advantages over the traditional COMP128-1, for which SIM cloning apparatus is available at very low prices.

2) Using secure ciphering algorithms: Operators can use newer and more secure algorithms such as A5/3 provided that such improvements are allowed by the GSM consortium. The deployed cryptographic algorithms should be implemented on both BTS and mobile phones. Any change to the cryptographic algorithms requires agreement and cooperation of software and hardware manufacturers since they should perform the appropriate changes to their products. Since the cryptographic algorithms should be implemented on the cellular phones, the agreement of mobile phone manufacturers is also required. However, upgrading the deployed cryptographic algorithms alone cannot be very useful. Even if the ciphering algorithms are replaced with the strongest ones, the attacker can simply impersonate the real network and force the MS to deactivate the ciphering mode, so it is also necessary to modify the authentication protocols.

3) Securing the backbone traffic: Encrypting the backbone traffic between the network components can prevent the attacker from eavesdropping on or modifying the transmitted data. Although this solution may be implemented without the blessing of the GSM consortium, the cooperation of hardware manufacturers is still required.

4) End-to-end Security: The best, easiest, and most profitable solution is to deploy end-to-end security or security at the application layer. Most GSM security vulnerabilities (except SIM cloning and DoS attacks) do not target ordinary people, and their targets are usually restricted to special groups, so it is reasonable and economical that such groups make their communications secure by end-to-end security. Since the encryption and security establishment is performed at the end-entities, no change to the GSM hardware will be required. In this way, even if the conversation is eavesdropped by the police or legal organizations, they cannot decrypt the transmitted data without having the true ciphering key, provided that a secure enough cryptographic algorithm is deployed. Therefore, in order to avoid illegal activities, it should be transparent to both GSM operator and service provider. It may also be necessary to find solutions for legal interception or a key escrow scheme. End-to-end security establishment has complete flexibility in the deployed algorithms, so the appropriate upgrades can be easily accomplished when necessary. However, it may be subject to export control. Generally, end-to-end security can be provided in cellular systems by following one or more of the following approaches:

1) Exploiting the processing capabilities of the mobile phone using programming languages such as J2ME (Java 2 Mobile Edition): Supported by the most recent cellular phones and Personal Digital Assistants (PDA) with improved processing capabilities.
2) Exploiting the processing capabilities of the SIM using the SIM Application Toolkit (SAT) [14]: Not supported by all SIM cards; special SIM cards are required; the processing resources are still limited; and operations may be very time-consuming.
3) Exploiting the processing capabilities of an additional smart card, e.g. JavaCard: Not supported by the usual phones; requires costly dual-slot cellular phones.
4) Exploiting the processing capabilities of a portable PC (laptop) connected to the ME: suitable for security mechanisms with huge processing and memory
requirements, e.g. real-time end-to-end secure voice communications over the GSM voice channel [15].
5) Exploiting the processing capabilities of a crypto-processor that is embedded in the ME [16]: It should be accomplished by the mobile manufacturer; cannot be changed or manipulated by the user; and may be subject to export control.

The first four approaches have an inherent advantage due to their capability of being simply manipulated by the end-entities. However, choosing the most profitable approach depends on some parameters such as the required memory and processing resources of the corresponding application. For example, if the voice is to be end-to-end encrypted over the data channel, it can even be implemented by a software application that is installed on an advanced cellular phone. On the other hand, for encryption over the voice channel, which is hard to track and therefore attractive for terrorist and illegal activities, the fourth approach may be suitable [15]. End-to-end security can be established by both symmetric and asymmetric encryption. Asymmetric encryption is usually too slow to be used for real-time applications and may be used for the key establishment of a symmetric encryption algorithm. The public keys are usually joined with the certificates. The private keys and the certificates can be securely stored on either the SIM card, an additional smart card (for the dual-slot phones), or secure hardware on the phone. There are also some proposals for the Wireless Public Key Infrastructure (WPKI).

6. Conclusions

In this paper, the security of the GSM network is evaluated, and a complete and brief review of its security problems is presented. It is proved that the GSM network has many inherent security flaws that can be misused for fraudulent purposes or for deceiving users. Some practical solutions to improve the security of currently available 2G networks are also proposed. Some solutions include the security improvement of the infrastructure while the others tend to provide end-to-end security. It is also deduced that end-to-end security or security at the application layer is the best and most profitable solution for the currently available 2G systems.

Acknowledgment

This work is partially supported by a grant from Iran Telecommunication Research Center (ITRC).

7. References

[1] GSM World News - Statistics: http://www.gsmworld.com/news/statistics/index.shtml. Access: Jan. 23 2008.
[2] P. Chandra, “Bulletproof Wireless Security, GSM, UMTS, 802.11 and Ad hoc Security,” Elsevier, 2005.
[3] S.M. Siddique, and M. Amir, “GSM Security Issues and Challenges,” 7th IEEE International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD'06), pp.413-418, June 2006.
[4] V. Niemi, and K. Nyberg, “UMTS Security,” John Wiley and Sons, 2003.
[5] C-C Lo, and Y-J Chen, “Secure Communication Mechanisms for GSM Networks,” IEEE Transactions on Consumer Electronics, Vol.45, No.4, pp.1074-1080, Nov. 1999.
[6] W. Rankl, and W. Effing, “Smart Card Handbook,” 3rd ed., John Wiley and Sons, 2003.
[7] F.J. Gonzalez-Castano, J. Vales-Alonso, J.M. Pousada-Carballo, F.I. de Vicente, and M.J. Fernandez-Iglesias, “Real-Time Interception Systems for the GSM Protocol,” IEEE Transactions on Vehicular Technology, Vol.51, No.5, pp. 904-914, Sept. 2002.
[8] http://www.alarm.de
[9] J.R. Rao, P. Rohatgi, H. Scherzer, and S. Tinguely, “Partitioning Attacks: Or How to Rapidly Clone Some GSM Cards,” IEEE Symposium on Security and Privacy (S&P'02), pp.31-41, 2002.
[10] A. Biryukov, A. Shamir, and D. Wagner, “Real Time Cryptanalysis of A5/1 on a PC,” pp.1-18, Fast Software Encryption Workshop, April 2000.
[11] E. Barkan, E. Biham, and N. Keller, “Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication,” pp.600-616, CRYPTO 2003.
[12] G. Lorenz, T. Moore, G. Manes, J. Hale, and S. Shenoi, “Securing SS7 Telecommunications Networks,” IEEE Workshop on Information Assurance and Security, pp.273-278, June 2001.
[13] V. Bocan, and V. Cretu, “Mitigating Denial of Service Threats in GSM Networks,” 1st IEEE International Conference on Availability, Reliability and Security (ARES'06), April 2006.
[14] European Telecommunications Standards Institute. Digital cellular Telecommunications system (Phase 2+); Security mechanisms for the SIM Application Toolkit; Stage 1. GSM 02.48 version 6.0.0 Release 97. April 1998.
[15] N.N. Katugampala, K.T. Al-Naimi, S. Villette, and A.M. Kondoz, “Real-time End-to-end Secure Voice Communications Over GSM Voice Channel,” 13th European Signal Processing Conference (EUSIPCO'05), Turkey, Sep. 2005.
[16] A.B. Rekha, B. Umadevi, Y. Solanke, and S.R. Kolli, “End-to-End Security for GSM Users,” IEEE International Conference on Personal Wireless Communications, pp.434-437, Jan. 2005.
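
The challenge-response exchange of Section 2 (triplets issued by the home AuC and checked by a visited network that never sees Ki) and the Kc shortening described in Section 3, item 2, as an added Python example that is not part of the original paper. The A3/A8 function is an HMAC-SHA256 stand-in rather than COMP128, and the class names, the audit helper and the IMSI are constructed for illustration.

```python
import hashlib
import hmac
import secrets

KC_BITS = 64      # length of the session key Kc
ZEROED_BITS = 10  # rightmost Kc bits that COMP128-1 sets to zero (per the paper)


def a3a8_standin(ki, rand, shorten_kc):
    """Assumed stand-in for A3/A8 (HMAC-SHA256, NOT COMP128): returns (SRES, Kc)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    sres = digest[:4]                         # 32-bit signed response
    kc = int.from_bytes(digest[4:12], "big")  # 64-bit session key
    if shorten_kc:
        kc &= ~((1 << ZEROED_BITS) - 1)       # clear the ten rightmost bits
    return sres, kc.to_bytes(KC_BITS // 8, "big")


class AuC:
    """Home authentication centre: the only network element that stores Ki."""
    def __init__(self, shorten_kc):
        self.shorten_kc, self._ki = shorten_kc, {}

    def provision(self, imsi):
        self._ki[imsi] = secrets.token_bytes(16)  # random 128-bit root key Ki
        return SIM(imsi, self._ki[imsi], self.shorten_kc)

    def triplet(self, imsi):
        rand = secrets.token_bytes(16)            # 128-bit random challenge
        sres, kc = a3a8_standin(self._ki[imsi], rand, self.shorten_kc)
        return rand, sres, kc


class SIM:
    def __init__(self, imsi, ki, shorten_kc):
        self.imsi, self._ki, self._shorten_kc = imsi, ki, shorten_kc

    def run_gsm_algorithm(self, rand):
        # Unilateral authentication: RAND carries no proof of origin, so the
        # SIM has nothing to verify and answers whoever sent the challenge.
        return a3a8_standin(self._ki, rand, self._shorten_kc)


class VisitedNetwork:
    """Roaming partner: works from triplets only, never Ki or the home A3/A8."""
    def __init__(self, home_auc):
        self._home = home_auc

    def authenticate(self, sim):
        rand, expected_sres, kc = self._home.triplet(sim.imsi)
        sres, _ = sim.run_gsm_algorithm(rand)
        if not hmac.compare_digest(sres, expected_sres):
            return None  # wrong Ki: access refused
        return kc        # handed to the BTS as the A5 ciphering key


def effective_kc_bits(samples):
    """Count the Kc bit positions that ever change across the observed keys."""
    first = int.from_bytes(samples[0], "big")
    varying = 0
    for kc in samples:
        varying |= first ^ int.from_bytes(kc, "big")
    return bin(varying).count("1")


def audit(shorten_kc, runs=200):
    # Operator-side check: authenticate repeatedly and measure the issued keys.
    auc = AuC(shorten_kc)
    sim = auc.provision("001010123456789")  # constructed 15-digit test IMSI
    roaming = VisitedNetwork(auc)
    keys = [roaming.authenticate(sim) for _ in range(runs)]
    wrong_ki_sim = SIM(sim.imsi, secrets.token_bytes(16), shorten_kc)
    bits = effective_kc_bits(keys)
    return {
        "genuine_accepted": all(k is not None for k in keys),
        "wrong_ki_accepted": roaming.authenticate(wrong_ki_sim) is not None,
        "effective_kc_bits": bits,
        "keyspace_loss_factor": 2 ** (KC_BITS - bits),
    }


if __name__ == "__main__":
    print("COMP128-1 style Kc:", audit(shorten_kc=True))
    print("full 64-bit Kc:    ", audit(shorten_kc=False))
```

Running the same audit against session keys taken from real authentication triplets shows whether an AuC is still issuing shortened keys, which is the property COMP128-3 was introduced to remove.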