==GSM security==

GSM was intended to be a secure wireless system. It was designed with user authentication using a [[pre-shared key]] and [[challenge–response authentication|challenge–response]], and with over-the-air encryption. However, GSM is vulnerable to different types of attack, each of them aimed at a different part of the network.<ref>[https://ieeexplore.ieee.org/document/4756489/;jsessionid=6953541B386CDDB70C29C041DC4189B1?arnumber=4756489 Solutions to the GSM Security Weaknesses], Proceedings of the 2nd IEEE International Conference on Next Generation Mobile Applications, Services, and Technologies (NGMAST2008), pp.576–581, Cardiff, UK, September 2008, {{arxiv|1002.3175}}</ref>

Research findings indicate that GSM is susceptible to hacking by [[Script kiddie|script kiddies]], a term referring to inexperienced individuals using readily available hardware and software. The vulnerability arises from the accessibility of tools such as a DVB-T TV tuner, posing a threat to both mobile and network users. Despite the term "script kiddies" implying a lack of sophisticated skills, the consequences of their attacks on GSM can be severe, impacting the functionality of [[Cellular network|cellular networks]].
Given that GSM continues to be the main source of cellular technology in numerous countries, its susceptibility to malicious attacks needs to be addressed.<ref>{{Citation |last1=Ntantogian |first1=Christoforos |title=Attacking GSM Networks as a Script Kiddie Using Commodity Hardware and Software |date=2015 |url=https://link.springer.com/10.1007/978-3-319-22906-5_6 |work=Trust, Privacy and Security in Digital Business |volume=9264 |pages=73–86 |editor-last=Fischer-Hübner |editor-first=Simone |access-date=2023-12-14 |place=Cham |publisher=Springer International Publishing |language=en |doi=10.1007/978-3-319-22906-5_6 |isbn=978-3-319-22905-8 |last2=Valtas |first2=Grigoris |last3=Kapetanakis |first3=Nikos |last4=Lalagiannis |first4=Faidon |last5=Karopoulos |first5=Georgios |last6=Xenakis |first6=Christos |editor2-last=Lambrinoudakis |editor2-first=Costas |editor3-last=López |editor3-first=Javier}}</ref>

The development of [[Universal Mobile Telecommunications System|UMTS]] introduced an optional [[Universal Subscriber Identity Module]] (USIM), which uses a longer authentication key to give greater security, as well as mutually authenticating the network and the user, whereas GSM only authenticates the user to the network (and not vice versa). The security model therefore offers confidentiality and authentication, but limited authorization capabilities, and no [[non-repudiation]].

GSM uses several cryptographic algorithms for security. The [[A5/1]], [[A5/2]], and [[A5/3]] [[stream cipher]]s are used for ensuring over-the-air voice privacy. A5/1 was developed first and is a stronger algorithm used within Europe and the United States; A5/2 is weaker and used in other countries.
Serious weaknesses have been found in both algorithms: it is possible to break A5/2 in real-time with a [[ciphertext-only attack]], and in January 2007, The Hacker's Choice started the A5/1 cracking project with plans to use [[FPGA]]s that allow A5/1 to be broken with a [[rainbow table]] attack.<ref>{{cite web|author=Steve |url=https://www.scribd.com/doc/7227619/Cracking-a5-THC-Wiki|title=The A5/1 Cracking Project|via=Scribd|accessdate=3 November 2011}}</ref> The system supports multiple algorithms so operators may replace that cipher with a stronger one.

Since 2000, various efforts have been made to crack the A5 encryption algorithms. Both A5/1 and A5/2 algorithms have been broken, and their [[cryptanalysis]] has been revealed in the literature. As an example, [[Karsten Nohl]] developed a number of [[rainbow table]]s (static values which reduce the time needed to carry out an attack) and has found new sources for [[known plaintext attack]]s.<ref>{{cite news|url=https://www.nytimes.com/2009/12/29/technology/29hack.html|title=Cellphone Encryption Code Is Divulged|newspaper=The New York Times|author=Kevin J. O'Brien|date=28 December 2009}}</ref> He said that it is possible to build "a full GSM interceptor{{nbsp}}...
from open-source components" but that they had not done so because of legal concerns.<ref>{{cite web|url=http://reflextor.com/trac/a51 |title=A5/1 Cracking Project |accessdate=30 December 2009 |url-status=dead |archiveurl=https://web.archive.org/web/20091225000805/http://reflextor.com/trac/a51/ |archivedate=25 December 2009 }}</ref> Nohl claimed that he was able to intercept voice and text conversations by impersonating another user to listen to [[voicemail]], make calls, or send text messages using a seven-year-old [[Motorola]] cellphone and decryption software available for free online.<ref>{{cite web |url=http://www.physorg.com/news/2011-12-gsm-unsafe-expert.html |title=GSM phones -- call them unsafe, says security expert |date=27 December 2011 |accessdate=27 December 2011 |archivedate=3 January 2012 |archiveurl=https://web.archive.org/web/20120103184428/http://www.physorg.com/news/2011-12-gsm-unsafe-expert.html |quote=Nohl said that he was able to intercept voice and text conversations by impersonating another user to listen to their voice mails or make calls or send text messages. Even more troubling was that he was able to pull this off using a seven-year-old Motorola cellphone and decryption software available free off the Internet. |author=Owano, Nancy |url-status=dead }}</ref>

GSM uses [[General Packet Radio Service]] (GPRS) for data transmissions like browsing the web. The most commonly deployed GPRS ciphers were publicly broken in 2011.<ref>{{cite news | url=https://www.forbes.com/sites/andygreenberg/2011/08/12/codebreaker-karsten-nohl-why-your-phone-is-insecure-by-design/ | title=Codebreaker Karsten Nohl: Why Your Phone Is Insecure By Design | work=[[Forbes.com]] | date=12 August 2011 | accessdate=13 August 2011 }}</ref> The researchers revealed flaws in the commonly used GEA/1 and GEA/2 (standing for GPRS Encryption Algorithms 1 and 2) ciphers and published the open-source "gprsdecode" software for [[Packet analyzer|sniffing]] GPRS networks.
They also noted that some carriers do not encrypt the data (i.e., using GEA/0) in order to detect the use of traffic or protocols they do not like (e.g., [[Skype]]), leaving customers unprotected. GEA/3 seems to remain relatively hard to break and is said to be in use on some more modern networks. If used with [[Subscriber Identity Module|USIM]] to prevent connections to fake base stations and [[downgrade attack]]s, users will be protected in the medium term, though migration to 128-bit GEA/4 is still recommended.

The first public cryptanalysis of GEA/1 and GEA/2 (also written GEA-1 and GEA-2) was done in 2021. It concluded that although it uses a 64-bit key, the GEA-1 algorithm actually provides only 40 bits of security, due to a relationship between two parts of the algorithm. The researchers found that this relationship was very unlikely to have happened if it was not intentional. This may have been done in order to satisfy European controls on export of cryptographic programs.<ref>{{Cite web|title=Bombshell Report Finds Phone Network Encryption Was Deliberately Weakened|url=https://www.vice.com/en/article/bombshell-report-finds-phone-network-encryption-was-deliberately-weakened/|date=Jun 12, 2021|website=Vice.com|author=Lorenzo Franceschi-Bicchierai}}</ref><ref>{{cite book |display-authors=etal|last1=Christof Beierle |title=Advances in Cryptology – EUROCRYPT 2021 |chapter=Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2 |series=Lecture Notes in Computer Science |date=Jun 18, 2021 |volume=12697 |pages=155–183 |doi=10.1007/978-3-030-77886-6_6 |isbn=978-3-030-77885-9 |s2cid=235452714 |url=https://eprint.iacr.org/2021/819.pdf |archive-url=https://web.archive.org/web/20210616151111/https://eprint.iacr.org/2021/819.pdf |archive-date=2021-06-16 |url-status=live}}</ref><ref>{{cite journal |last1=Matthew Sparks |title=Flaw in old mobile phone encryption code could be used for snooping|journal=New Scientist |date=Jun 17, 2021 |url=https://www.newscientist.com/article/2281423-flaw-in-old-mobile-phone-encryption-code-could-be-used-for-snooping/}}</ref>
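
The section above contrasts GSM, which authenticates only the user to the network, with UMTS and a USIM, which authenticate both sides; the following is an added example, not part of the original article, that models the two exchanges side by side. HMAC-SHA256 stands in for the operator algorithms, the token layout is simplified, and the key and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def prf(key, label, *parts):
    # Assumption: HMAC-SHA256 replaces the real operator algorithms.
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

class Network:
    def __init__(self, key):
        self.key, self.sqn = key, 0
    def umts_challenge(self):
        self.sqn += 1
        rand, sqn = os.urandom(16), self.sqn.to_bytes(6, "big")
        return rand, sqn + prf(self.key, b"mac", sqn, rand)[:8]  # RAND, token
    def verify(self, rand, response, n):
        return hmac.compare_digest(response, prf(self.key, b"res", rand)[:n])

def gsm_sim_respond(ki, rand):
    # GSM style: the challenge is only a random number, so the SIM answers
    # every challenge; nothing in it proves who sent it.
    return prf(ki, b"res", rand)[:4]               # 32-bit response

class Usim:
    """UMTS style: checks the network's token before answering."""
    def __init__(self, k):
        self.k, self.last_sqn = k, 0
    def respond(self, rand, autn):
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, prf(self.k, b"mac", sqn, rand)[:8]):
            return None                            # sender does not hold K
        if int.from_bytes(sqn, "big") <= self.last_sqn:
            return None                            # stale or replayed token
        self.last_sqn = int.from_bytes(sqn, "big")
        return prf(self.k, b"res", rand)[:8]

def run_exchange():
    key = bytes(range(16))                         # constructed subscriber key
    home, other = Network(key), Network(os.urandom(16))  # other lacks the key
    usim = Usim(key)
    rand = os.urandom(16)
    rand_u, autn = home.umts_challenge()
    return {
        "gsm_home_accepts_sim": home.verify(rand, gsm_sim_respond(key, rand), 4),
        "gsm_sim_answers_any_rand": len(gsm_sim_respond(key, os.urandom(16))) == 4,
        "umts_home_accepts_usim": home.verify(rand_u, usim.respond(rand_u, autn), 8),
        "umts_usim_rejects_keyless_network": usim.respond(*other.umts_challenge()) is None,
        "umts_usim_rejects_replay": usim.respond(rand_u, autn) is None,
    }
```

The sequence-number check is what makes a recorded token useless on a second presentation, which a bare random challenge cannot provide.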