7/14/2012
Research by:  
Security Research Labs

Mobile networks differ widely in security, none protect well in all dimensions

The base technology of most cell phone networks in the world – GSM – has been known to be weak for years. Consequently, standardization bodies and equipment manufacturers have invented and implemented security features to protect cell phone users from simple attacks.

Mobile network operators must now implement these security features. To publicly track the (currently slow) progress of security upgrading is publicly tracked by us to allow users to choose the highest (that is: least bad) protection in their market.

Measuring GSM security

The level of security upgrades and configuration is continuously tracked at gsmmap.org based on data contributions from all over the world (please refer to this tutorial for a simple way to contribute data).

Each network’s protection capabilities are tracked in three dimensions:

  1. Intercept – Can calls and text messages be eavesdropped upon?
  2. Impersonation – Can an attacker hijack a mobile identity; for example to send expensive premium SMS or to access the user’s voice mail?
  3. Tracking – Can the users’ location be found through publicly accessible information?

As of May 2012, a little over 100 networks were mapped on gsmmap.org. Surprisingly few implement protection measures that have been known for years. Three of the many measures tracked would defeat most simple attacks:

  1. A5/3 encryption (seen in 5 of 107 networks) – This “modern” encryption function derives from the AES competition held at the end of the last century. While not perfect, due to its small key size of 64 bits, A5/3 defeats intercept attacks.
  2. Strict authentication (seen in 8 networks) – Networks should generate a fresh encryption key for each call and SMS. Most likely, most networks followed this secure configuration at some point but switched to less secure settings as their user base outgrew the scalability of their key generation infrastructure (Some networks may also have deemed the time of setting up a call so much more important than security that the
  3. Home routing (seen in 12 networks) – Most mobile networks advertise the location of its users to facilitate SMS delivery. The resulting privacy issues have been discussed publicly since a talk in 2008. Ever since, networks are expected to introduce Home as a technique that routes all SMS through the same servers, thereby keeping the phone location away from public sources.

Reference network

The GSM security map compares each network against a reference defined as a network that implements all protection measures that have been seen “in the wild”. The reference is regularly updated to reflect new protection ideas becoming commercially available. Networks, therefore, have to improve continuously to maintain their score, just as hackers are continuously improving their capabilities to circumvent protections.

The main protection features of the reference network 2.0 of June 2012 are: A5/3 encryption, padding randomization, full authentication for outgoing calls and SMS, regular TMSI updates, and Home Routing.

References

  • The network security comparison is found at gsmmap.org.
  • Samples for as-of-yet uncovered countries can easily be contributed following this tutorial.
  • The measurement metric is partly based on our experience of cracking GMS networks using the Kraken cryptanalysis tool.

Explore more

aLL articles
Payment terminals allow for remote PIN capture and card cloning
cryptography
device hacking
7/12/2012
EDRs decrease your enterprise security, unless properly hardened
redteam
8/24/2022
Blue Merle: Reducing your cellular footprint
telco
open source
2/2/2023