LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What are the main security weaknesses of the COMP128/GSM authentication architecture?

COMP128 relied on security-by-obscurity (partly leaked 1994, fully reverse-engineered 1999 by Marc Briceno), poorly diffuses input changes enabling a collision attack that extracts Ki in 7–12 hours, supports only one-sided authentication (enabling IMSI catchers), and allows easy downgrade attacks.

The catalogue of weaknesses:

  • Security-by-obscurity: the originally confidential COMP128 was partly leaked in 1994 and fully revealed in 1999 (reverse-engineered by Marc Briceno) — secrecy was its only protection
  • Weak diffusion → collision attack: small input changes aren't sufficiently spread, enabling a collision attack that recovers the secret Ki. In 1998 this took 7–12 hours — slow only because the SIM answers ~6.5 queries/second, and ~165,000 queries are needed
  • NSA capability: per published internal documents, the NSA can routinely decrypt A5/1 traffic
  • One-sided authentication: only the phone authenticates, not the base station → enables the IMSI catcher (a device to locate and eavesdrop on subscribers)
  • Downgrade attacks: trivially possible — instruct the phone to use weak (or no) encryption

The recurring theme: GSM security was designed in the 1980s with secrecy as a crutch, weak key sizes, and asymmetric (one-sided) trust. Almost every later attack traces back to one of these original sins.

Go deeper:

From Quiz: MOBINFSEC / GSM & LTE Security Infrastructure | Updated: Jul 05, 2026