Cloning of a GSM mobile phone
Author: Niels Jørgensen.
The top of my webpage here at Roskilde University.
Last update to the present page: May 20th, 2018.
This web page describes my research into the
attack conducted in 1998 by members of the German hacker group,
Chaos Computer Club,
on GSM's authentication algorithm, the infamous COMP128.
The successful attack enabled the CCC members
to "clone" a GSM mobile phone.
The Chaos Computer Club's attack, taking place in April 1998,
had been described in theory by three Californian cryptologists
(Briceno, Wagner and Goldberg)
earlier in the same month.
The cloning attack obtains the secret key of the phone's SIM-card.
One can then copy the key onto another SIM-card,
and make phone calls
with the identity of the owner of the first SIM-card.
In particular, that owner will get billed for the calls.
The CCC members cloned a SIM-card held
by a Spiegel journalist who subsequently wrote about the attack
in the magazine on April 27.
I would like to know the answers to questions such as:
- The attack is non-trivial - how did the attackers actually make it work?
For instance, how did the hackers acquire the
cryptological and engineering competencies to write the key-guessing program?
How did they know that the program worked (or worked most of the time)?
- What was the political context - to what extent was the hack a local (German) endeavour,
versus part of the global "crypto wars" of the 90s?
For instance, how much did the German hackers cooperate
with the Californian cryptologists?
- What motivated the CCC's hackers -
the club's political goal of open design processes that allow for public scrutiny?
The goal of unrestricted, strong encryption?
Or did they simply enjoy working with mobile phone technology?
As the outcome of the research, I plan to
write an academic paper about the hack, which I hope can
answer some of the above questions as well as other questions that arise in the course of the work.
For comparison, please see a paper I wrote several years ago
about the development process in the FreeBSD
open source project,
"Putting it all in the trunk:
incremental software development in the FreeBSD open source project".
My interest in these questions is rooted in my general interest
in the crypto wars. I would like to see more literature
about European developments, to supplement
the literature about the cryptological developments in the US,
such as Susan Landau's work on US export controls and AES/Rijndael
(Under the Radar: NSA's Efforts to Secure Private-Sector Telecommunications Infrastructure,
Journal of National Security Law & Policy, 2014)
and the Electronic Frontier Foundation's work on the
DES cracker machine
(Cracking DES, EFF, 1998).
In order to understand the attack on GSM's COMP128 algorithm,
I have implemented the attack. This allows me to collect
experimental data, including data about the cases where the attack fails.