Security breaches
From time to time, people have tried to decode the GSM algorithms. For instance, according to the ISAAC press release (1998), in April 1998 the SDA (Smartcard Developer Association), along with two U.C. Berkeley researchers, alleged that they had cracked the COMP128 algorithm, which is stored on the SIM. They claimed that within several hours they were able to deduce the Ki by sending immense numbers of challenges to the authorization module. They also said that out of 64 bits, Kc uses only 54 bits, with zeros padding out the other 10, which makes the cipher key purposefully weaker. They felt government interference might be the reason behind this, as this would allow the government to monitor conversations. However, they were unable to confirm their assertion since it is illegal to use equipment to carry out such an attack in the US. In reply to this assertion, the GSM alliance stated that since the GSM network allows only one call from any phone number at any one time, it is of no relevant use even if a SIM could be cloned. GSM has the ability to detect and shut down duplicate SIM codes found on multiple phones (Business press release, 1998).
According to Srinivas (2001), one of the other claims was made by the ISAAC security research group. They asserted that a fake base station could be built for around $10,000, which would allow a “man-in-the-middle” attack. As a result of this, the real base station can get deluged, which would compel a mobile station to connect to the fake station. Consequently, the fake base station could eavesdrop on the conversation by informing the phone to use A5/0, which is without encryption.
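From the monitoring side, the forced switch to A5/0 described above shows up as a session whose selected cipher is "no encryption", often on a cell the operator does not own. The following is an added example, not taken from the cited sources; the log format, subscriber labels, cell ids and the known-cell inventory are all constructed assumptions.

```python
# Added example: flag sessions where the network selects A5/0 (no encryption)
# or steps down to a weaker cipher. Log format and all values are constructed.
STRENGTH = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3}

SAMPLE_LOG = """\
2004-10-24T09:58:10 sub=alice cell=1201 cipher=A5/1
2004-10-24T10:02:44 sub=alice cell=9999 cipher=A5/0
2004-10-24T10:03:05 sub=bob cell=1202 cipher=A5/3
2004-10-24T10:07:31 sub=bob cell=1202 cipher=A5/2
2004-10-24T10:09:00 sub=carol cell=1201 cipher=A5/0
malformed line without fields
"""

KNOWN_CELLS = {"1201", "1202"}  # operator's own cell ids (assumed inventory)

def parse(line):
    """Return (timestamp, subscriber, cell, cipher) or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        fields = dict(p.split("=", 1) for p in parts[1:])
        return parts[0], fields["sub"], fields["cell"], fields["cipher"]
    except (ValueError, KeyError):
        return None

def detect(log, known_cells=KNOWN_CELLS):
    """Return alerts as (timestamp, subscriber, cell, severity, reason)."""
    best = {}    # strongest cipher seen so far per subscriber
    alerts = []
    for line in log.splitlines():
        rec = parse(line)
        if rec is None or rec[3] not in STRENGTH:
            continue  # skip malformed lines and unknown cipher names
        ts, sub, cell, cipher = rec
        prev = best.get(sub)
        if cipher == "A5/0":
            # Unencrypted traffic on an unknown cell is the fake-station pattern.
            sev = "high" if cell not in known_cells else "medium"
            alerts.append((ts, sub, cell, sev, "unencrypted session"))
        elif prev is not None and STRENGTH[cipher] < STRENGTH[prev]:
            alerts.append((ts, sub, cell, "low", f"downgrade {prev} -> {cipher}"))
        if prev is None or STRENGTH[cipher] > STRENGTH[prev]:
            best[sub] = cipher
    return alerts
```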
One of the other possible scenarios is that of an insider attack. In the GSM system, communication is encrypted only between the Mobile station and the Base Transceiver station, but within the provider’s network all signals are transmitted in plain text, which could give a hacker a chance to step inside (Li, Chen & Ma).
Measures taken to tackle these flaws
According to Quirke (2004), since the emergence of these attacks, GSM has been revising its standard to add newer technologies to patch up the possible security holes, e.g. GSM1800, HSCSD, GPRS and EDGE. In the last year, two significant patches have been implemented. Firstly, patches in the form of the COMP128-2 and COMP128-3 hash functions have been developed to address the security hole in the COMP128 function. COMP128-3 fixes the issue where the remaining 10 bits of the Session Key (Kc) were replaced by zeroes. Secondly, it has been decided that a new A5/3 algorithm, which was created as part of the 3rd Generation Partnership Project (3GPP), will replace the old and weak A5/2. But this replacement would result in releasing new versions of the software and hardware in order to implement the new algorithm, and it requires the co-operation of the hardware and software manufacturers. GSM is moving away from its “security by obscurity” ideology, which is actually a flaw, by making its 3GPP algorithms available to security researchers and scientists (Srinivas, 2001).
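The zero padding of Kc reported by the researchers, and the fix attributed to COMP128-3, can be checked by auditing a sample of session keys from a SIM. The following is an added example, not taken from the cited sources; it assumes the 10 zero bits are the trailing bits of the 8-byte Kc, and every key value is constructed.

```python
# Added example: audit 64-bit session keys (Kc) for the 10-bit zero padding.
# Assumption: the padding occupies the trailing (least significant) 10 bits.
KC_BITS = 64
PAD_BITS = 10

# Constructed sample keys, not real key material.
WEAK_SIM = [bytes.fromhex(h) for h in
            ("a3f19c0e5d72b400", "17c2e89a04d6fc00", "5be0137f92a80800")]
FIXED_SIM = [bytes.fromhex(h) for h in
             ("a3f19c0e5d72b4c7", "17c2e89a04d6fd00", "5be0137f92a80800")]

def padded(kc, pad_bits=PAD_BITS):
    """True if the trailing pad_bits of an 8-byte Kc are all zero."""
    if len(kc) * 8 != KC_BITS:
        raise ValueError("Kc must be exactly 8 bytes")
    return int.from_bytes(kc, "big") & ((1 << pad_bits) - 1) == 0

def audit(keys):
    """Classify a SIM from a sample of the session keys it produced."""
    if not keys:
        raise ValueError("need at least one Kc sample")
    hits = sum(padded(k) for k in keys)
    all_padded = hits == len(keys)
    return {
        "samples": len(keys),
        "padded": hits,
        # A single unpadded key proves the padding is not systematic.
        "effective_bits": KC_BITS - PAD_BITS if all_padded else KC_BITS,
        # Full-strength random keys show the pattern with probability 2^-10
        # each, so n padded keys in a row have log2 probability -10 * n.
        "log2_chance_if_full_strength": -PAD_BITS * len(keys) if all_padded else None,
        # Factor by which an exhaustive key search shrinks.
        "search_space_reduction": 2 ** PAD_BITS if all_padded else 1,
        "verdict": "weakened (54-bit)" if all_padded else "full 64-bit",
    }
```

A larger sample makes the verdict stronger: each additional padded key lowers the chance of a false "weakened" result by another factor of 1024.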
Conclusion
Providing security for mobile phone traffic is one of the goals described in the GSM 02.09 specification, and GSM has failed to achieve it in the past (Quirke, 2004). Up to a certain point GSM did provide strong subscriber authentication and over-the-air transmission encryption, but different parts of an operator’s network became vulnerable to attacks (Li, Chen, Ma). The reason behind this was the secrecy of the algorithm designs and the use of weakened algorithms like A5/2 and COMP128. Another vulnerability is that of the inside attack. In order to achieve its stated goals, GSM is revising its standards and bringing in new technologies to counteract these security holes. While no human-made technology is perfect, GSM is the most secure, globally accepted, wireless, public standard to date, and it can be made more secure by taking appropriate security measures in certain areas.
Bibliography
Business Wire Press release (1998). GSM Alliance Clarifies False & Misleading Reports of Digital Phone Cloning. Retrieved October 26th, 2004 from Web site: http://jya.com/gsm042098.txt
Brookson (1994). Gsmdoc. Retrieved October 24th, 2004 from gsm Web site: http://www.brookson.com/gsm/gsmdoc.pdf
Chengyuan Peng (2000). GSM and GPRS security. Retrieved October 24th, 2004 from Telecommunications Software and Multimedia Laboratory, Helsinki University of Technology Web site: http://www.tml.hut.fi/Opinnot/Tik-110.501/2000/papers/peng.pdf
Epoker. Retrieved October 27th, 2004 from Department of Mathematics, Boise State University, Mathematics 124, Fall 2004 Web site: http://math.boisestate.edu/~marion/teaching/m124f04/epoker.htm
Huynh & Nguyen (2003). Overview of GSM and GSM security. Retrieved October 25th, 2004 from Oregon State University, project Web site: http://islab.oregonstate.edu/koc/ece478/project/2003RP/huynh_nguyen_gsm.doc
Li, Chen & Ma (n.d.). Security in gsm. Retrieved October 24th, 2004 from gsm-security Web site: http://www.gsm-security.net/papers/securityingsm.pdf
Quirke (2004). Security in the GSM system. Retrieved October 25th, 2004 from Security Web site: http://www.ausmobile.com/downloads/technical/Security in the GSM system 01052004.pdf
Margrave (n.d.). GSM system and Encryption. Retrieved October 25th, 2004 from gsm-secur Web site: http://www.hackcanada.com/blackcrawl/cell/gsm/gsm-secur/gsm-secur.html
Press release (1998). Smartcard Developer Association Clones Digital GSM (1998). Retrieved October 26th, 2004 from ISAAC Web site: http://www.isaac.cs.berkeley.edu/isaac/gsm.html
Srinivas (2001). The GSM Standard (An overview of its security). Retrieved October 25th, 2004 from papers Web site: http://www.sans.org/rr/papers/index.php?id=317
Stallings (2003). Cryptography and Network Security: Principles and practices. USA: Prentice Hall.

A novice trying to create her niche on network of networks