Re: [ISN] Hackers Copy Mannesmann Mobile Phone Sim Card

From: mea culpa (jerichot_private)
Date: Mon Apr 27 1998 - 18:00:22 PDT

  • Next message: mea culpa: "[ISN] InfoEdge: Information Security in a Networked World"

    From: Felix von Leitner <>
    Date: Tue, 28 Apr 1998 01:36:21 +0200
    Subject: Re: [ISN] Hackers Copy Mannesmann Mobile Phone Sim Card
    > In order to clone a SIM card, the hackers had to have both a copy of the
    > original SIM card for at least 11 hours and know the PIN number. 
    > Scientists at the University of California and the Smartcard Developers
    > Association in the USA already reported weaknesses in smaller mobile
    > telecoms networks at the beginning of April which work on the same GSM
    > standard as the German networks D1, D2 and E-Plus. 
    This is of course bullshit.  If they used the same standard, they would
    all be vulnerable.  As a member of the CCC I can clarify a little here.
    D2 is the only German network using COMP128 right now, which is the GSM
    reference encryption algorithm.  What we did is "simply" implement the
    attack outlined by Ian Goldberg et al from Berkeley.  And we made the
    necessary software available on, and there are blueprints for
    useful hardware.  The PIN is not an issue because evil mobile dealers
    can sell cloned phones now.
    Our GSM guy says that there are only three networks that are known not
    to use COMP128 right now, and two of them are in Germany, obviously.
    For those who speak German, there is a nice round-up on
    and you can download the software there, too.  There are pictures of the
    equipment there, too, that look quite cool ;)
    What we demonstrated was that you can get the pin from the "secure"
    envelope without traces and that you can use the attack from Goldberg to
    get the secret key from the card in about 11 hours without overclocking
    the card or tricks like that.  The URL to Goldberg's method was already
    posted on ISN I believe.  And we showed that the clone and the original
    can check into the D2 GSM network at the same time, they just can't
    place calls simultaneously without error messages.  This all is of
    course still very useful to criminals who need anonymous phones.
    BTW: D2 put out some of the typical press blah like "no real damage",
    "only theoretical attack", "same problem as when you lose your card",
    stuff like that ;)
    What remains to be seen is whether the other German mobile carriers use
    better or just different algorithms.
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Dimensional Communications (

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:51:43 PDT