# Global System for Mobile Communications (GSM) - It is a standard used to describe 2G protocols - Uses Subscriber Identity Module (SIM) card - Used by [[Global Mesh Labs]] in [[Build Your Own Mesh Gateway]] ## Wiki https://www.wikiwand.com/en/GSM ### Security GSM was intended to be a secure wireless system. It has considered the user authentication using a [pre-shared key](https://www.wikiwand.com/en/Pre-shared_key "Pre-shared key") and [challenge-response](https://www.wikiwand.com/en/Challenge-response_authentication "Challenge-response authentication"), and over-the-air encryption. However, GSM is vulnerable to different types of attack, each of them aimed at a different part of the network. The development of [UMTS](https://www.wikiwand.com/en/Universal_Mobile_Telecommunications_System "Universal Mobile Telecommunications System") introduced an optional [Universal Subscriber Identity Module](https://www.wikiwand.com/en/Universal_Subscriber_Identity_Module "Universal Subscriber Identity Module") (USIM), that uses a longer authentication key to give greater security, as well as mutually authenticating the network and the user, whereas GSM only authenticates the user to the network (and not vice versa). The security model therefore offers confidentiality and authentication, but limited authorization capabilities, and no [non-repudiation](https://www.wikiwand.com/en/Non-repudiation "Non-repudiation"). GSM uses several cryptographic algorithms for security. The [A5/1](https://www.wikiwand.com/en/A5/1), [A5/2](https://www.wikiwand.com/en/A5/2), and [A5/3](https://www.wikiwand.com/en/A5/3 "A5/3") [stream ciphers](https://www.wikiwand.com/en/Stream_cipher "Stream cipher") are used for ensuring over-the-air voice privacy. A5/1 was developed first and is a stronger algorithm used within Europe and the United States; A5/2 is weaker and used in other countries. Serious weaknesses have been found in both algorithms: it is possible to break A5/2 in real-time with a [ciphertext-only attack](https://www.wikiwand.com/en/Ciphertext-only_attack "Ciphertext-only attack"), and in January 2007, The Hacker's Choice started the A5/1 cracking project with plans to use [FPGAs](https://www.wikiwand.com/en/FPGA) that allow A5/1 to be broken with a [rainbow table](https://www.wikiwand.com/en/Rainbow_table "Rainbow table") attack. The system supports multiple algorithms so operators may replace that cipher with a stronger one. Since 2000 different efforts have been made in order to crack the A5 encryption algorithms. Both A5/1 and A5/2 algorithms have been broken, and their cryptanalysis has been revealed in the literature. As an example, [Karsten Nohl](https://www.wikiwand.com/en/Karsten_Nohl "Karsten Nohl") developed a number of [rainbow tables](https://www.wikiwand.com/en/Rainbow_table "Rainbow table") (static values which reduce the time needed to carry out an attack) and have found new sources for [known plaintext attacks](https://www.wikiwand.com/en/Known_plaintext_attack "Known plaintext attack"). He said that it is possible to build "a full GSM interceptor...from open-source components" but that they had not done so because of legal concerns. Nohl claimed that he was able to intercept voice and text conversations by impersonating another user to listen to [voicemail](https://www.wikiwand.com/en/Voicemail "Voicemail"), make calls, or send text messages using a seven-year-old [Motorola](https://www.wikiwand.com/en/Motorola "Motorola") cellphone and decryption software available for free online. GSM uses [General Packet Radio Service](https://www.wikiwand.com/en/General_Packet_Radio_Service "General Packet Radio Service") (GPRS) for data transmissions like browsing the web. The most commonly deployed GPRS ciphers were publicly broken in 2011. The researchers revealed flaws in the commonly used GEA/1 and GEA/2 (standing for GPRS Encryption Algorithms 1 and 2) ciphers and published the open-source "gprsdecode" software for [sniffing](https://www.wikiwand.com/en/Packet_analyzer "Packet analyzer") GPRS networks. They also noted that some carriers do not encrypt the data (i.e., using GEA/0) in order to detect the use of traffic or protocols they do not like (e.g., [Skype](https://www.wikiwand.com/en/Skype "Skype")), leaving customers unprotected. GEA/3 seems to remain relatively hard to break and is said to be in use on some more modern networks. If used with [USIM](https://www.wikiwand.com/en/Subscriber_Identity_Module) to prevent connections to fake base stations and [downgrade attacks](https://www.wikiwand.com/en/Downgrade_attack "Downgrade attack"), users will be protected in the medium term, though migration to 128-bit GEA/4 is still recommended. The first public cryptanalysis of GEA/1 and GEA/2 (also written GEA-1 and GEA-2) was done in 2021. It concluded that although using a 64-bit key, the GEA-1 algorithm actually provides only 40 bits of security, due to a relationship between two parts of the algorithm. The researchers found that this relationship was very unlikely to have happened if it wasn't intentional. This may have been done in order to satisfy European controls on export of cryptographic programs.