Abstract:
In this presentation we describe a very practical ciphertext-only
cryptanalysis of GSM encrypted communication, and various active attacks
on the GSM protocols. These attacks can even break into GSM networks
that use "unbreakable" ciphers. We describe a ciphertext-only attack
on A5/2 that requires a few dozen milliseconds of encrypted off-the-air
cellular conversation and finds the correct key in less than a second on
a personal computer. We then extend this attack to a (more complex)
ciphertext-only attack on A5/1. We describe new attacks on the protocols
of networks that use A5/1, A5/3, or even GPRS. These attacks are based
on security flaws of the GSM protocols, and work whenever the mobile
phone supports A5/2. We emphasize that these attacks are on the
protocols, and are thus applicable whenever the cellular phone supports
a weak cipher; for instance, they are also applicable using the
cryptanalysis of A5/1. Unlike previous attacks on GSM that require
unrealistic information, like long known plaintext periods, our attacks
are very practical and do not require any knowledge of the content of
the conversation. These attacks allow attackers to tap conversations and
decrypt them either in real time or at any later time. We also show
active attacks, such as call hijacking, altering of data messages and
call theft.
Joint work with Elad Barkan and Nathan Keller