Mechanism
GSM confidentiality is supplied by the A5 family of ciphers, applied to the radio link after the network sends a Cipher Mode Command naming the algorithm to use. The algorithm in force is therefore readable on the air from that L3 signalling message — it is the single most decisive fact about the link. A5/0 is no ciphering at all; A5/1 is a 64-bit stream cipher; A5/2 is an export-weakened variant; A5/3 and A5/4 use the KASUMI block cipher and are far stronger [welte2010a52]. The negotiated algorithm matters more than its mere presence because the weaker options are publicly broken.
A5/2 falls to a ciphertext-only attack: Barkan, Biham and Keller showed that a few dozen milliseconds of A5/2 ciphertext yield the session key in under a second on a PC, and — crucially — because A5/1 and A5/2 derive the session key Kc the same way, an active man-in-the-middle can issue a Cipher Mode Command that forces a handset down to A5/2, recover Kc, and use it to decrypt traffic that was actually recorded under A5/1 [barkan2003instant]. This shared-key-generation downgrade is why A5/2 was eventually withdrawn from handsets entirely, a process Welte documents [welte2010a52]. A5/1 itself was moved from theory to off-the-shelf capability by the Berlin A5/1 Security Project: precomputed rainbow tables (~1.6–2 TB), published as “GSM SRSLY?” at 26C3, recover the 64-bit Kc from a known-keystream slice, after which the rest of the captured A5/1 call or SMS decrypts [nohl2009gsm]. None of this touches A5/3 (KASUMI), so confirming an A5/3 cell is a materially stronger result than confirming A5/1.
The second axis is identity. The permanent subscriber identity (IMSI) is meant to be hidden behind a network-assigned temporary identity (TMSI); the IMSI is only supposed to appear on the air during attach or location update when no valid TMSI is held. The network can, however, compel disclosure: the Identification procedure of the L3 mobility-management protocol lets the network send an Identity Request for the IMSI or IMEI, which the handset answers [3gpp24008]. Because GSM authentication is one-way — the handset authenticates to the network, but the network never proves itself to the handset — a passive observer that sees the cell paging by IMSI, or sees an IMSI in an Identity Response, has both a privacy finding (the subscriber is trackable) and the on-air signature that an active IMSI catcher exploits by impersonating the cell and demanding the IMSI plus weak or absent ciphering [dabrowski2014imsi]. This control measures the passive exposure; the active rogue-cell technique is authorised-testing-only and belongs to the GSM AT-layer control.
Procedure
All steps are passive reception of what the network already broadcasts, on equipment you own or are authorised to test. Step 6 (key recovery) decrypts traffic and is authorised-testing-only: a licensed lab or RF-shielded enclosure with explicit permission and your own test SIMs — recovering keys from live traffic you are not authorised to intercept is illegal in most jurisdictions.
1. Find a live cell and its ARFCN. Sweep the regional band with kalibrate to list carriers with a live BTS, their power, and the radio’s clock error:

       kal -s GSM900 -g 40

   Expected: a table of channels, e.g. "chan: 12 (944.4MHz ...) power: 159873.12". Pick the strongest channel, then read its exact ppm offset so the receiver locks cleanly:

       kal -c 12 -g 40

   Expected: an "average absolute error: <N> ppm" line — note that ppm for the next step. (Use a HackRF/UHD kalibrate fork instead of kal (kalibrate-rtl) for those radios; PCS-1900 needs a HackRF/bladeRF/USRP.)

2. Demodulate and decode the downlink. Tune the found ARFCN’s downlink frequency with gr-gsm, applying the ppm correction:

       grgsm_livemon_headless -f 944.4M -g 40 --ppm <N>

   It demodulates the GMSK bursts, decodes the BCCH/CCCH/SDCCH control channels, and forwards each frame as GSMTAP over UDP to localhost port 4729.

3. Read the signalling in Wireshark. Capture the GSMTAP stream on loopback:

       sudo wireshark -k -i lo -f 'udp port 4729' -Y 'gsmtap'

   Confirm System Information, paging and assignment frames are scrolling — this proves the decode chain is working before you assess crypto or identity.

4. Determine the negotiated A5 algorithm. In Wireshark, filter for the cipher-mode signalling:

       gsm_a.dtap.msg_rr_type == 0x35

   Open the Cipher Mode Command and read the Cipher Mode Setting / algorithm identifier: it states A5/0 (no ciphering), A5/1, A5/2, or A5/3. This is the control’s primary verdict. A cell that sets A5/0 or A5/2 is a finding on its own [barkan2003instant]; A5/1 is breakable with the rainbow tables [nohl2009gsm]; A5/3 is the hardened case.

5. Assess identity exposure. Two checks:

   - In Wireshark, inspect Paging Request messages — filter gsm_a.dtap and look at the mobile-identity IE: if the cell pages by IMSI (rather than TMSI), or you see an Identity Request for the IMSI followed by an Identity Response carrying it, the permanent identity is exposed [3gpp24008].
   - Cross-check passively with the Oros42 IMSI-catcher, which consumes the same GSMTAP stream and prints harvested identities:

         python3 simple_IMSI-catcher.py --sniff

     Expected: lines pairing TMSI/IMSI with country/operator for handsets the cell pages — concrete evidence of on-air identity exposure with no transmission [dabrowski2014imsi].

6. (Authorised lab only) Recover the A5/1 key. Where the cell runs A5/1 and you are authorised to decrypt, isolate a burst with a recoverable known-keystream segment from the capture and feed it to Kraken against the rainbow tables to recover Kc, which then decrypts the rest of the captured A5/1 session [nohl2009gsm]:

       ./kraken indexes crack 001110001100... (114-bit known keystream)

   Expected: Kraken searches the tables and, on success, prints the recovered internal state / Kc. No effect on A5/3.
Field case
Worked from a public sample capture rather than a live target: gr-gsm ships the SRLabs “Airprobe How-To” capture vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile (ptrkrysik/test_data; the README records its SRLabs origin), and the gr-gsm “Usage: Decoding How-To” wiki plus the project’s CI decode fixtures replay it end to end [grgsmtestdata]. Decoding it with grgsm_decode -c vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile -s $((100000000/174)) -a 725 -m BCCH -t 0 (decimation 174, so a 100e6/174 sample rate) confirms the carrier on ARFCN 725 (E-GSM-900 downlink), and re-running on the SDCCH8 with the recovered key (-m SDCCH8 -t 1 -e 1 -k 0x1E,0xF0,0x0B,0xAB,0x3B,0xAC,0x70,0x02) decrypts the session. In the decrypted SDCCH8 fixture the RR Cipher Mode Command carries a Cipher Mode Setting whose start-ciphering bit is set with algorithm identifier 000, i.e. A5/1; the recovered 64-bit A5/1 session key is Kc = 1E F0 0B AB 3B AC 70 02. The identity exchanged on the air is TMSI only — the paging / identity IEs carry P-TMSI values (e.g. 0x014faf9a, 0x015c5703); no IMSI is exposed in the documented decode [grgsmtestdata]. Findings for this public sample:
- ARFCN / downlink: ARFCN 725 (E-GSM-900 downlink), decoded at sample rate 100e6/174 (decimation 174) [grgsmtestdata]
- Cipher Mode Command algorithm: A5/1 (Cipher Mode Setting byte 0x11 — start-ciphering bit set, algorithm identifier 000 = A5/1); recovered session key Kc = 1E F0 0B AB 3B AC 70 02 [grgsmtestdata]
- Identity seen on the air: TMSI only — P-TMSI values such as 0x014faf9a and 0x015c5703; no IMSI exposed in the documented decode [grgsmtestdata]
- Verdict: A5/1 in force — a publicly broken cipher whose 64-bit Kc is recoverable from the captured keystream (here 1E F0 0B AB 3B AC 70 02), so a confidentiality finding; identity handling is sound for this sample (TMSI only, no IMSI on the air) [grgsmtestdata]
This is a documented public example, not a live interception: the capture, the decode commands, the negotiated A5/1, the recovered Kc and the TMSI-only identity behaviour are all taken from the gr-gsm sample capture and its wiki / CI fixtures [grgsmtestdata]. Against your own authorised target, substitute the ARFCN, A5 algorithm and identity finding you actually measure; no claim is made about any production network.
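The cipher and identity reads from steps 4 and 5 can be reproduced outside Wireshark by decoding the two information elements directly. The following is an added example, not code from gr-gsm or the original page: the function names are hypothetical, the input is assumed to be the L3 message starting at the protocol discriminator (or the Mobile Identity value after its length octet), and the sample bytes are constructed around the 0x11 setting octet and P-TMSI value quoted above.

```python
# Added example: helper names are hypothetical, sample bytes are constructed.
A5_BY_ID = {0: "A5/1", 1: "A5/2", 2: "A5/3", 3: "A5/4",
            4: "A5/5", 5: "A5/6", 6: "A5/7"}   # TS 44.018 Cipher Mode Setting
VERDICT = {"A5/0": "finding on its own: no ciphering",   # wording follows step 4
           "A5/2": "finding on its own: A5/2",
           "A5/1": "finding: breakable with rainbow tables",
           "A5/3": "hardened case"}
ID_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI/P-TMSI"}  # TS 24.008

def parse_cipher_mode_command(l3: bytes) -> dict:
    """Decode an RR Cipher Mode Command, starting at the protocol discriminator."""
    if len(l3) < 3 or l3[0] & 0x0F != 0x06 or l3[1] != 0x35:
        raise ValueError("not an RR Cipher Mode Command")
    setting = l3[2] & 0x0F            # low nibble: Cipher Mode Setting
    start = bool(setting & 0x01)      # SC bit, 1 = start ciphering
    alg_id = setting >> 1             # algorithm identifier, ignored if SC = 0
    algo = A5_BY_ID.get(alg_id, "reserved") if start else "A5/0"
    return {"start_ciphering": start, "algorithm": algo,
            "verdict": VERDICT.get(algo, "not classified by this procedure")}

def parse_mobile_identity(value: bytes) -> dict:
    """Decode the value part of a Mobile Identity IE (after the length octet)."""
    if not value:
        raise ValueError("empty Mobile Identity")
    kind = ID_TYPES.get(value[0] & 0x07, "none")
    if kind == "TMSI/P-TMSI":
        ident = value[1:5].hex()      # four opaque octets
    else:
        # BCD: digit 1 in the high nibble of octet 1, then low/high nibble pairs;
        # the 0xF filler that pads an even digit count is dropped.
        nibbles = [value[0] >> 4] + [n for b in value[1:] for n in (b & 0x0F, b >> 4)]
        ident = "".join(str(n) for n in nibbles if n <= 9)
    return {"type": kind, "identity": ident, "imsi_exposed": kind == "IMSI"}

if __name__ == "__main__":
    # Constructed L3 bytes; 0x11 is the setting octet quoted in the field case.
    for name, raw in {"A5/1": "063511", "A5/3": "063505", "none": "063500"}.items():
        print(name, parse_cipher_mode_command(bytes.fromhex(raw)))
    # P-TMSI value from the field case, then an IMSI in the 001/01 test PLMN.
    for raw in ("f4014faf9a", "0910101032547698"):
        print(parse_mobile_identity(bytes.fromhex(raw)))
```

The upper nibble of the setting octet belongs to the separate Cipher Response element, which is why the decoder masks it off before reading the algorithm identifier.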
Remediation
Developer (handset / modem vendors). Reject A5/2 outright and refuse to fall back to A5/0 or A5/1 once a stronger algorithm has been used in the area, closing the shared-key-generation downgrade that lets a forced A5/2 session expose previously-recorded A5/1 traffic [barkan2003instant] [welte2010a52]. Surface the negotiated cipher to the user/operator where possible, and prefer A5/3 (KASUMI) where the network offers it.
Integrator (device OEMs / IoT product owners). For new designs, do not ship 2G-only radios for anything carrying sensitive data; where 2G is a fallback, treat the GSM link as unauthenticated and unconfidential by default and add end-to-end application-layer encryption and authentication above it, so an exposed IMSI or a recovered Kc does not yield plaintext. Disable 2G entirely on devices that do not need it, removing the downgrade target.
Operator (network / defenders / assessors). Run A5/3 and disable A5/1 and A5/2 on the radio network; A5/2 was withdrawn from handsets precisely because of the downgrade-to-A5/2 break [welte2010a52]. Minimise IMSI exposure by reallocating TMSIs promptly and avoiding IMSI paging, since frequent IMSI exposure is both a privacy weakness and the signature of an active IMSI catcher [dabrowski2014imsi] [3gpp24008]. For assessors: the cipher-and-identity read in steps 1–5 is fully passive and safe to run on equipment you are authorised to monitor; the key-recovery step 6 and any active rogue-cell work are authorised-testing-only (own equipment, test SIMs, RF shielding, explicit permission). There is no BSAM cellular control to defer to — this is RFSAM’s domain.