Phreaking: The GSM technology
The last click Issue 1
The first cell phones were born at the beginning of the 80's in Japan. Later they arrived in Scandinavia and in the USA. They were analog radiotelephones and the phones and the subscriptions were expensive.
In France, the first phones on the market were France Telecom with RADIOCOM 2000, then SFR in 1987.
The analog network had a weak capacity and a low quality and was soon replaced by a digital standard. This digital technology allowed a reduction in the size of the devices, a good sound quality and a confidentiality without precedent.
It is at the beginning of the 90s that France and Germany adopted the GSM standard. Today, most of the countries in Europe use this standard which tends to be globalized.
The analog network worked on the FM band, and worked like an improved CB (very improved anyway :) ). The phreak was therefore easily achievable, and the listening only required an FM scanner.
The GSM network, on the contrary, converts the information in binary (10001000110101...) and encrypts it using several algorithms... So it's not necessary to tell you that it's already more complex to phreak...
The number of people using cellular telephony is constantly increasing, the hertzian space allocated to this type of telephony would have been quickly insufficient if we had used the same technology as for the radio, the CB,... To avoid this problem, the cellular technology has been developed: It consists in dividing the hertzian space (VHF for cells) into sub-spaces, or cells (we will not go into detail about the cells for now). Basically, a cells correspond to a geographical area covered by a relay (Station). The relays, seen on a map form a kind of grid "honeycomb". Each device is under the control of a centralized station controller, itself connected to the telephone network.
Cellular phones are constantly receiving signals from the stations, which allows the localization of the device. During a call, the phone is connected to the nearest station. If this station is saturated, the phone will be connected to the second nearest, ... To allow the mobility of the user, the stations communicate with each other. This process is called H O (Hand Over).
In France, we have 3 networks (FT, SFR and Bouygues Telecom). There are also sub-operators (Motorola Telco, Hutchinson,...) but it's not a problem. Bouygues is a bit different because it's newer, but that's not the problem today.
Well, now that you know the story, I must inform you that it's a bit more complicated than the PBX phreak, etc...
It is about reprogramming a chip (it is the only way I know).
Required equipment:
- A phone without subscription
- A blank EPROM
- An EPROM reader
- An EPROM write program
- An I/O program for the chip
- A Special Code generator program (optional)
- A soldering iron
- A lot of patience
Well now, we can go...
As you must know, mobile phones and Bouygues use a unique identification card (the SIM card). It contains information on the type of subscription, options, numbers in memory, ... Obviously, this great system is there to piss off the phreakers. Thank you FT, it is successful ...
The GSM tech is different from the analog tech and it's much harder to phreak. The only sensible way to phreak a GSM is the cloning of the SIM card. But before attacking that, we must already understand how it works.
The GSM uses digital technology for encryption and sending data. Unlike analog cells, a scanner is not enough to trace a conversation or information. It uses several complicated encryption algorithms that make the conversation quite secure. Unfortunately, the data of the phone and the subscription are also encrypted during transmission. Some people have attacked the algorithms and have made good progress, well done guys. Me, I will not go that far. Cloning a SIM is already quite annoying.
So here it is... When you call with a mobile phone, you are identified by a number: the IMSI (International Mobile Subscriber Identity). This number is linked to an authentication key, called Ki. These numbers are not directly interceptable. The vocal data are also encrypted with a random key, the Kc.
When the mobile device is connected but not online, it is identified at the level of the central by the TMSI or Temporary Mobile Subscriber Identity, also random. The Ki is generated by the algorithm A3, and the Kc by the algorithm A8. These algorithms, as well as the PIN code (locking the phone) are contained in the SIM. The voice data encryption algorithm (A5) is contained in the phone's own memory, so there are three algorithms that make phreaking difficult. Upon arrival at the station, the IMSI and TMSI must be added to the voice data.
However, the A5 algorithm does not have to be modified, and it remains only to make changes to the SIM. It may be difficult, but not insurmountable. It is just that the information of the SIM and GSM are consistent.
To enter in communication, the station sends a number of 128 bits (RAND) to the GSM which establishes an answer adapted to the RAND using the information of the SIM. This is the SRES, number of 32 bits based on the Ki. The station calculates in its turn the SRES and compares it with that received to authenticate or not the mobile. For the sending of the vocal data, the Kc (64 bits) is generated by the A8 algorithm with the Ki. It is also based on the RAND, but be careful! This encryption key is active (not constant and regularly changed). The data are then encrypted by A5 on the basis of Kc, and routed by hertzian way to the central station. Ki and Kc never leave the phone.
The last security mechanism is based on the TMSI sent by the central office. This number is temporary and directly dependent on the call area, it changes at each change of station... Too bad for the clones.
Well, you already know a little more about the GSM, theoretically, the SIM cloning should work perfectly. I'm now working on the hardware part.
I'll tell you all about it in the next issue...
-= Shin =-
