International Association
for Cryptologic Research

This paper introduces a practical TMTO-based attack against GSM (A5/3) and GPRS (GEA-3), which are both technologies used in 2G mobile networks. Although designed in the 80s, such networks are still quite active today, especially for embedded systems. While active attacks against 2G networks with a fake base station were already known for a while, the attack introduced in this paper relies on a passive attacker. We explain in the paper how to find material in GPRS and GSM communications to perform a TMTO attack and we experimented this step with off-the-shelf devices operated in real-life networks. We provide the success probability of the attack and its performances for several real-life scenarios. We optimized the implementation of KASUMI with AVX2 instructions, and we designed a specific TMTO implementation to get around the SSD access latency. For example, an attacker passively eavesdropping a GSM communication between a target and a base station can decrypt any 2-hour call with probability 0.43, in 14 min.

We describe in this paper how to perform a padding oracle attack against the GlobalPlatform SCP02 protocol. SCP02 is implemented in smart cards and used by transport companies, in the banking world and by mobile network operators (UICC/SIM cards). The attack allows an adversary to efficiently retrieve plaintext bytes from an encrypted data field. We provide results of our experiments done with 10 smart cards from six different card manufacturers, and show that, in our experimental setting, the attack is fully practical. Given that billions SIM cards are produced every year, the number of affected cards, although difficult to estimate, is potentially high. To the best of our knowledge, this is the first successful attack against SCP02.