Comment Re:From SIM to Chip and PIN (Score 1) 155
I have been wondering about Stingrays too. Based on the Stingrays Wikipedia page they would not need access to the SIM card's private key. Instead they force the device to use the weaker A5/2 security protocol and then crack it which allows them to recover the SIM card's private key.
The "GSM Active Key Extraction" performed by the StingRay in step three merits additional explanation. A GSM phone encrypts all communications content using an encryption key stored on its SIM card with a copy stored at the service provider. While simulating the target device during the above explained man-in-the-middle attack, the service provider cell site will ask the StingRay (which it believes to be the target device) to initiate encryption using the key stored on the target device. Therefore, the StingRay needs a method to obtain the target device's stored encryption key else the man-in-the-middle attack will fail.
GSM primarily encrypts communications content using the A5/1 call encryption cypher. In 2008 it was reported that a GSM phone's encryption key can be obtained using $1,000 worth of computer hardware and 30 minutes of cryptanalysis performed on signals encrypted using A5/1. However, GSM also supports an export weakened variant of A5/1 called A5/2. This weaker encryption cypher can be cracked in real-time. While A5/1 and A5/2 use different cypher strengths, they each utilize the same underlying encryption key stored on the SIM card. Therefore, the StingRay performs "GSM Active Key Extraction" during step three of the man-in-the-middle attack as follows: (1) instruct target device to use the weaker A5/2 encryption cypher, (2) collect A5/2 encrypted signals from target device, and (3) perform cryptanalysis of the A5/2 signals to quickly recover the underlying stored encryption key. Once the encryption key is obtained, the StingRay uses it to comply with the encryption request made to it by the service provider during the man-in-the-middle attack.
This perfectly illustrates why allowing protocol variants with weaker security is a bad idea. It also makes Gemalto's security lapse look somewhat irrelevant: cracking the SIM's private key seems pretty trivial anyway.