Cellphone Security David Wagner U.C. Berkeley

Cellular Systems Overview
• Cellphone standards from around the world:
  North America, Analog: AMPS
  North America, Digital: CDMA, TDMA, N-AMPS
  Europe, Digital: GSM

Cellular Crypto Algorithms
(columns: Confidentiality | Authentication | Keying)
US Analog: None
US Digital: XOR mask & CMEA (ORYX) | CAVE
GSM: A5/0, A5/2, or A5/1 (soon: A5/3) | COMP128 (COMP128-2, 3DES-CBC-MAC) | COMP128 (same)

Part I: North American Analog Systems

Overview of US Analog Protocol
• Everything goes in the clear:
[Diagram labels: MIN, ESN; voice; PSTN; home agent]

Vulnerabilities: Early Frauds
• At first, billing was done offline when roaming
  – Then criminals discovered one could pick a random MIN/ESN pair and make free calls
• So, providers added blacklists to base stations
  – But the first use of any MIN/ESN pair was unauthenticated, so criminals made very long calls
  – Later, tumbling: use a new MIN/ESN pair each time
• Countermeasure: realtime positive authentication
  – But cloning attacks became deadly: eavesdrop on MIN/ESN pair from a legitimate user, replay them later
  – Tumbling + cloning makes fraud hard to detect, black boxes widely available

Impacts of Fraud
• Fraud a big problem in analog system
  – 5% of calls were fraudulent (~ 1995) (In Oakland on Friday night, reportedly 60-70%)
  – US losses: $650 million/year (2% of revenue)
• Attackers got organized & sophisticated
  – And early weaknesses gave criminals the capital and training to break future systems

Vulnerabilities: Privacy
• Anyone can eavesdrop on voice calls
• Scanners (were) widely available
  –  million scanners sold on US mass market
  – 50 million users of US analog cellphones
It seems plausible that the majority of US analog cellphone users may have had one of their calls intercepted at some point.

Summary on Analog Cellphones
• Everything that could go wrong, has
  – Threat models changed
  – Security architecture didn’t scale up with deployment
  – We trained & funded a criminal underground
Analog cellphones are totally insecure.

Part II: North American Digital Systems

Overview of US Digital Protocol
• Crypto is used on the air link:
  (SRES, k) = CAVE(AK, RAND)
[Diagram labels: MIN, ESN; RAND; SRES; k + voice; AK; PSTN; home agent]

Cryptanalysis
• Voice privacy is XOR with 520-bit mask
  – Breakable in realtime via ciphertext-only attack [Bar92]; also, first frame is often silence (“all zeros”)
• Control channel uses CMEA, a variable-width block cipher with 2 rounds
  – Breakable in hours with 80 known texts [WSK97]
• ORYX, a LFSR-based stream cipher, was proposed for data traffic
  – Breakable in realtime via ciphertext-only attack [WSDKMS98]
• CAVE is a dedicated hash with 64-bit key
  – Best attack I know needs 2^21 chosen texts [Wag97]

Why the Crypto May Not Matter
• Few base stations support encryption
  – It costs more
• Some handsets have AK = 0
  – Key management considered too expensive
Security of US digital cellphones rests primarily on cost of digital scanners and existence of easier targets. And many digital phones will fall back to analog, in areas of poor coverage.

Part III: GSM

Overview of GSM Protocol
• A review of the crypto:
  (SRES, Kc) = A38(Ki, RAND)
[Diagram labels: IMSI; RAND, n; SRES; A5/n(Kc, voice); RAND, SRES, Kc; SIM; PSTN; home agent]
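The difference between the analog protocol and the challenge-response protocols above, as an added example that is not part of the original slides: a static MIN/ESN pair stays valid when repeated, while a response bound to a fresh RAND does not. HMAC-SHA256 stands in for A38 (it is not COMP128), and the class names, subscriber values and key sizes are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def a38_standin(ki, rand):
    """Stand-in for A38 (assumption: HMAC-SHA256, not COMP128)."""
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    return out[:4], out[4:12]              # 32-bit SRES, 64-bit Kc

class AnalogNetwork:
    """US analog style: the (MIN, ESN) pair sent in the clear is the credential."""
    def __init__(self, subscribers):
        self.subscribers = set(subscribers)

    def accept(self, min_, esn):
        return (min_, esn) in self.subscribers

class GsmNetwork:
    """GSM style: the home agent holds Ki per IMSI; one fresh RAND per attempt."""
    def __init__(self, ki_by_imsi):
        self.ki_by_imsi = dict(ki_by_imsi)
        self.pending = {}

    def challenge(self, imsi):
        rand = secrets.token_bytes(16)
        self.pending[imsi] = rand          # replaces any earlier challenge
        return rand

    def accept(self, imsi, sres):
        rand = self.pending.pop(imsi, None)    # each RAND is usable once
        if rand is None or imsi not in self.ki_by_imsi:
            return False
        expected, _kc = a38_standin(self.ki_by_imsi[imsi], rand)
        return hmac.compare_digest(expected, sres)

def replay_outcomes():
    """Returns (analog replay accepted, GSM first use accepted, GSM replay accepted)."""
    pair = ("MIN-CONSTRUCTED", "ESN-CONSTRUCTED")   # constructed sample values
    analog = AnalogNetwork({pair})
    analog_replay = analog.accept(*pair)   # same bytes as the legitimate call

    imsi, ki = "IMSI-CONSTRUCTED", secrets.token_bytes(16)
    net = GsmNetwork({imsi: ki})
    sres, _kc = a38_standin(ki, net.challenge(imsi))
    first_use = net.accept(imsi, sres)
    net.challenge(imsi)                    # next attempt gets a new RAND
    gsm_replay = net.accept(imsi, sres)    # old SRES no longer matches
    return analog_replay, first_use, gsm_replay
```

The replay resistance shown here holds only as long as the keyed function itself does not leak Ki.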

Cryptanalysis of COMP128
• Is it secure?
  – Well, it has lots of rounds…
  – The keyed map f_k : r ↦ r' is applied 8 times
• But: beware collisions!
  – Attempt #1: flip a bit in r0 and hope for an internal collision
    Doesn’t work: such a collision can never happen
[Figure labels: k0, k1, …, k16; r0, r1, …, r16; r'0, r'1, …, r'16; “repeat 8 times”]

Cryptanalysis of COMP128
• Is it secure?
  – Well, it has lots of rounds…
  – The keyed map f_k : r ↦ r' is applied 8 times
• But: beware collisions!
  – Attempt #2: Modify both r0 and r8, and look for an internal collision [BGW98]
    It works!
[Figure labels: k0, k1, …, k16; r0, r1, …, r8, …, r16; r'0, r'1, …, r'16; “repeat 8 times”]

Cryptanalysis of A5/1
• Fix a 16-bit α; let S = {k : A5(k) = α · any}; define f : {0,1}^48 → S so that f(x) = k with A5(k) = α · x, noting that f can be computed efficiently; define g : {0,1}^48 → {0,1}^48 by α · g(x) = A5(f(x))
• Apply Hellman’s time-space tradeoff to g [BSW00]
  – Breaks A5/1 with 2^24 work per key, 2^36 space, & 2^48 precomputation
[Figure: registers R1, R2, R3; Ri clocks just when Ci = Majority(C1,C2,C3)]

Description of A5/2
• Add a 17-bit LFSR, R4, that is clocked normally
• Clock control of R1, R2, R3 is a non-linear function of R4
• Output is quadratic function of R1, R2, R3
• After key loaded, one bit of each register is forced to be set (!!!)

One Evaluation of A5/2
“The resource budget for the project was man-months … The results of the mathematical analysis did not identify any features of [A5/2] which could be exploited as the basis for a practical eavesdropping attack on the GSM radio path … All members of SAGE stated that they were satisfied that [A5/2] was suitable to protect against eavesdropping on the GSM radio path”
-- ETSI TR 278

Attacking A5/2
• If you can get keystream from two frames 2^11 apart:
  – R4 will be the same for both, due to the clobbered bit (hmm…)
  – Guess R4; then the clocking for R1, R2, R3 is known (double hmm…)
• Now solve for R1, R2, R3
  – Keystream difference is a linear function of R1, R2, R3 difference, so can solve using linear algebra
  – This reveals the key
• Complexity: 2^16 simple dot-products ⇒ realtime!
  – Our code breaks A5/2 in ~ 10 milliseconds [BGW99]

Concluding Thoughts
• Attacks are known on most of the cryptographic algorithms found in today’s cellphones
• Questions?

Attacking A5/2
• Get keystream from two frames 2^11 apart
  – R4 will be the same for both, due to the clobbered bit
  – Guess R4; then the clocking for R1, R2, R3 is known
• Solve for R1, R2, R3
  – Keystream difference is a linear function of R1, R2, R3 difference, so solve using linear algebra
• Complexity: 2^16 simple dot-products ⇒ realtime!

The security risk: RF leakage

The outsider threat
Lesson: build in security from the start

Keeping the outsider at bay
A simple approach: global shared keys
[Figure: network and base station; every node labelled with the same key k]

Global shared keys
• Advantages
  – Simple; reasonable performance
• Limitations
  – No security against insider attacks
  – What if a mote is compromised or stolen?

Part II: Security against insiders
Tolerating compromised motes

Defending against insider attacks
per-mote keying
[Figure: network and base station; labels k1, k2, k3, k4, k5 and “k1, …, k5”]

Per-mote keying
• Advantages
  – Simple; reasonable performance
  – Lost motes don’t reveal rest of network’s keys
• Disadvantages
  – Motes can’t talk to each other without the help of the base station
  – Insiders can still falsify sensor readings

An example
Computing the average temperature
[Figure: network and base station; readings 67°, 64°, 69°, 71°, 68°]
f(67°, …, 68°) where f(x_1, …, x_n) = (x_1 + … + x_n) / n

An example + an attack
Computing the average temperature
[Figure: network and base station; readings 67°, 64°, 69°, 71°, 68°, 1,000°]
f(67°, …, 1,000°) where f(x_1, …, x_n) = (x_1 + … + x_n) / n
result is drastically affected

Resilient aggregation
• Some theory:
  – For f :  n → , a random variable X on  n, and σ = StdDev[f(X)], define Pow(A) = E[(f(A(X)) – f(X))^2]^(1/2) ⁄ σ
  – Say f is (m, α)-resilient if Pow(A) ≤ α for all adversaries A :  n →  n modifying only m of their inputs
  – Example: the “average” is not (m, α)-resilient for any constant α

Relevance of resilience
• Intuition
  – The (m, α)-resilient functions are the ones that can be meaningfully and securely computed in the presence of m malicious insiders.
• Formalism
  – Theorem. If f isn’t (m, α)-resilient, m insiders can bias f(...) by at least ± α σ, on average. If f is (m, α)-resilient, it can be computed centrally with bias at most ± α σ, for m insiders.

Examples
(columns: f… | is (m, α)-resilient, where)
average | α = ∞
average, discarding 5% outliers | α ≈ 1.65 m/n^(1/2) for m 0.05 n
median | α ≈ m/n^(1/2) for m < 0.5 n
max | α = ∞
95th percentile “max” | α ≈ O(m/n^(1/2)) for m < 0.05 n
count | α ≈ m/(p(1–p)n)^(1/2)
(assuming n independent Gaussian/Bernoulli distributions)
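An added simulation, not from the slides, that estimates Pow(A) for the adversary of the earlier temperature example (m insiders all report 1,000°) against the average, the median and a trimmed average. The Gaussian readings, n = 100, m = 5, trimming 5% at each end and every function name are assumptions; because only one adversary is tried, each figure is a lower bound on that aggregate's α.

```python
import random
import statistics

def trimmed_mean(xs, frac=0.05):
    """Average after discarding the lowest and highest `frac` of the readings."""
    k = int(len(xs) * frac)
    s = sorted(xs)
    return statistics.fmean(s[k:len(s) - k])

def falsify(xs, m, value=1000.0):
    """Adversary A: m insider motes report `value` instead of their reading."""
    return [value] * m + xs[m:]

def pow_estimate(f, n=100, m=5, trials=2000, seed=1):
    """Monte Carlo estimate of Pow(A) = E[(f(A(X)) - f(X))^2]^(1/2) / sigma."""
    rng = random.Random(seed)
    honest, sq_err = [], 0.0
    for _ in range(trials):
        # Constructed honest readings: n independent Gaussian temperatures.
        xs = [rng.gauss(68.0, 2.0) for _ in range(n)]
        fx = f(xs)
        honest.append(fx)
        sq_err += (f(falsify(xs, m)) - fx) ** 2
    sigma = statistics.pstdev(honest)      # sigma = StdDev[f(X)]
    return (sq_err / trials) ** 0.5 / sigma

def compare(n=100, m=5):
    """Pow(A) per aggregate, in units of that aggregate's own sigma."""
    aggregates = {
        "average": statistics.fmean,
        "median": statistics.median,
        "trimmed average": trimmed_mean,
    }
    return {name: pow_estimate(f, n, m) for name, f in aggregates.items()}

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:16s} Pow(A) ~ {value:.2f}")
```

Raising `value` in `falsify` scales the figure for the average without limit, while the median and trimmed figures stay where they are.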

Primitives for aggregation (1)
• Computing with histograms
  – Theorem. If f is a (m, α)-resilient, symmetric function with ∑_i |∂f/∂x_i| ≤ β, f can be computed securely using a histogram with buckets of width w. With m insiders, the bias will be at most about α σ + 0.5wβ.

Primitives for aggregation (2)
• Computing with random sampling
  – Idea in progress. If f is a (m, α)-resilient, symmetric function with ∑_i |∂f/∂x_i| ≤ β, perhaps f can be computed securely by sampling the values at k randomly selected motes.

But: An important caveat!
Aggregation in the network introduces new challenges
[Figure: network]

Summary
• Crypto helps, but isn’t a total solution
  – Be aware of the systems tradeoffs
• Seek robustness against insider attack
  – Resilience gives a way to think about insiders
  – The law of large numbers is your friend
• Feedback?