YORKTOWN HEIGHTS, N.Y., May 7, 2002 -- IBM Research has discovered a new vulnerability in Subscriber Identification Module (SIM) cards, used in Global System for Mobile Communications (GSM) digital cell phones, and has developed technologies to protect them from hacker attacks. SIM cards typically store secret cryptographic keys which are used to identify users and protect their communications and transactions. Hackers who can learn the keys in your cell phone's SIM card can "become you" and make phone calls and do business transactions on your behalf.
The IBM Research team is the first one to illustrate a new class of side-channel attacks, called partitioning attacks, which extract secret key information from SIM cards by monitoring side-channels, such as power consumption and electromagnetic (EM) emanations. The attack can get the key information within minutes. This is much easier than either breaking the cryptographic algorithms used by the card or using intrusive attacks to extract the key from the microchip. The team has also developed a new technique to protect SIM cards from such attacks.
“This is a significant development for secure mobile commerce and preventing loss of business revenue or money for companies and individuals,” says Charles Palmer, department group manager of Security, Privacy and Cryptography at IBM Research. “Currently GSM phones are being augmented and deployed with SIM application toolkits that enable applications such as phone banking and stock transactions. In all these situations, the personalization information is saved on the SIM card. If these toolkits are not designed carefully to protect against attacks, including partitioning attacks, then it is possible for a hacker to duplicate the information on the card and essentially be you.”
According to the GSM Association as of the end of 2001, more than 646 million people -- one of every eight people in the world -- use GSM digital cell phones. GSM accounts for approximately 70 percent of the total worldwide digital wireless market today.
Partitioning attacks of SIM cards
Scientists have known for some time that by looking at side channels such as the power consumption and EM emanations of a computing device, one can derive some information about its internal workings. Many chip cards which perform cryptographic algorithms are designed to resist such information leakage. SIM cards deployed in many GSM networks use the COMP128 cryptographic algorithm or its derivatives for user identification and for achieving communications and transaction security.
The IBM Research team discovered a new way to quickly extract the COMP128 keys in SIM cards using side channels in spite of existing protections. The COMP128 algorithm requires the lookup of large tables. On simple devices such as SIM cards, these lookups can only be achieved in a complicated way, which leaks a lot of sensitive information into the side channels. The attack can be easily accomplished by making the card perform the algorithm just seven times with the unknown key. A hacker who has possession of a SIM card for a minute can easily extract the full 128-bit key. The previously best technique to attack GSM SIM cards was to employ a cryptanalytic attack on the COMP128 algorithm with 150,000 invocations, which required access to a SIM card for a minimum of eight hours.
Technique to protect against side channel attacks
IBM Research has developed a new technique to protect table lookup operations from side channel attacks. Table lookup operations are an integral part of most cryptographic algorithms used in practice. A table lookup operation consults a table in computer memory to retrieve a value stored in a particular location. The researchers designed a technique to replace a single table lookup operation, leaking information on the retrieved value in the side channel, with a sequence of table lookups at completely random locations, which leaks no information. This replacement is achieved by using a small randomly generated ancillary table. The side channel information is substantially degraded and is of no use to a hacker. Since the proposed technique uses little RAM for the ancillary table, it can be easily applied to protect a variety of memory constrained devices, including cell phones, against such side-channel attacks.
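The general idea can be sketched as a textbook masked table lookup. This is an added illustration, not code from IBM or from the paper, and not necessarily the exact construction the researchers use. The 16-entry table, the xorshift generator standing in for a hardware RNG, and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#define N 16 /* entries in the table (4-bit index) */

/* Stand-in public table in ROM (constructed sample, not a COMP128 table). */
static const uint8_t ROM_TABLE[N] = {
    0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
    0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2
};

typedef struct {
    uint8_t r;    /* random index mask, fresh per run */
    uint8_t s;    /* random output mask, fresh per run */
    uint8_t t[N]; /* ancillary RAM table: t[i ^ r] = ROM_TABLE[i] ^ s */
} masked_table;

/* xorshift32, a placeholder for the card's hardware RNG (assumption). */
static uint32_t prng(uint32_t *st) {
    *st ^= *st << 13; *st ^= *st >> 17; *st ^= *st << 5;
    return *st;
}

/* Build the ancillary table from public data and fresh randomness only. */
void masked_table_init(masked_table *m, uint32_t seed) {
    uint32_t st = seed ? seed : 1;
    m->r = prng(&st) & (N - 1);
    m->s = prng(&st) & 0xF;
    for (unsigned i = 0; i < N; i++)
        m->t[i ^ m->r] = ROM_TABLE[i] ^ m->s;
}

/* Secret-dependent step: address is x ^ r, value is T[x] ^ s (both masked). */
uint8_t masked_lookup(const masked_table *m, uint8_t x_masked) {
    return m->t[x_masked & (N - 1)];
}

/* Returns 1 if unmasking the result gives ROM_TABLE[x] for every input x. */
int roundtrip_ok(uint32_t seed) {
    masked_table m;
    masked_table_init(&m, seed);
    for (unsigned x = 0; x < N; x++)
        if ((masked_lookup(&m, (uint8_t)(x ^ m.r)) ^ m.s) != ROM_TABLE[x])
            return 0;
    return 1;
}

int main(void) {
    printf("round trip %s\n", roundtrip_ok(2002) ? "ok" : "FAILED");
}
```

The masks have to be regenerated for every execution of the algorithm; with fixed masks the accessed location is again a fixed function of the secret value.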
Cell phone users can also protect themselves against such attacks by taking precautions such as not lending their phones to strangers or leaving them unattended.
The technical paper on this work, “Partitioning Attacks: Or how to rapidly clone some GSM cards” by Josyula R Rao, Pankaj Rohatgi, Helmut Scherzer and Stefan Tinguely, will be presented during the IEEE Symposium on Security and Privacy, which will be held in Oakland, California on May 12-15.