GSM: SRSLY?
What’s coming up Overview of GSM arch & crypto –Hacking as we go... OpenBootTS-1.0 –GSM Base Station LiveCD Demo BTS is live – feel free to connect! –Network name is TestSIM or –SMS your 10-digit phone number to 101
GSM Identifiers IMEI: –International Mobile Equipment Identifier –Identifies a handset. Easily changed, illegal to do so. IMSI: –International Mobile Subscriber Identifier –Secret? Kind of. –Identifies an account - stored in SIM card. TMSI: –Temporary Mobile Subscriber Identifier –Assigned by network to prevent IMSI transmission. Auth with IMSI, use TMSI from then on –Unless, of course, the BTS asks for it.
MCC & MNC: Own the BTS MCC: Mobile Country Code –310 to 316 for USA, 302 for Canada MNC: Mobile Network Code –Country-specific, usually a tuple with MCC – for T-Mobile US –Full list on Wikipedia Spoof MNC/MCC, phones will connect –If you claim it, they will come. –Strongest signal wins –a.k.a. “IMSI catcher”
IMSI catching in practice OpenBTS + USRP + 52MHz clock –Easy to set up, Asterisk is hardest part –On-board 64MHz clock is too unstable Software side is easy –./configure && make –Libraries are the only difficulty Set MCC/MNC to target network Find and use an open channel (ARFCN in GSM-ese) Wait. Don’t forget Wireshark! –Built-in SIP analyser
OpenBootTS Scripts for DebianLive Creates a bootable CD with – GNU Radio + OpenBTS – Asterisk – Build chain Much customization is possible – Preloaded configs – Virtual consoles – Different target image types Demo and future plans
The iPhone that wouldn’t quit What if we don’t want to catch IMSIs? –We want a closed network Set MCC/MNC to (Test/Test) Phones camp to strongest signal –Remove transmit antenna –Minimize Tx power GSM-900 in.eu overlaps ISM in USA – MHz is not a GSM band in the USA Despite all of this we couldn’t shake a 3G…
Fun bugs in OpenBTS Persistent MNO shortnames –Chinese student spoofed local MNO –Classmates connected –Network name of “OpenBTS” Even after BTS was removed & phones hard rebooted! Open / Closed registration –Separate from SIP-level HLR auth –Supposed to send “not authorized” msg –Instead sent “You’ve been stolen” msg –Hard reboot required, maybe more.
Attacking Without Crypto Request IMSI to break TMSI secrecy Unintentional DoS Unintentional semi-permanent DoS Spoof 6-digit MCC/MNC for MITM SRSLY?
GSM Crypto Primitives Inputs: –Rand: 16-byte challenge from BTS –Ki: 16-byte secret key, stored in SIM Outputs: –Kc: 8-byte session key –SRES: 4-byte authentication response Algorithms: –A3, A5, A8: GSM-specific algorithms A3/A8 are hash functions (usually combined into one) A5 is a cipher
Camping Mobile Station (MS) finds BTS, sends TMSI BTS sends RAND to MS –Only source of entropy. MS passes RAND along to the SIM –Usually over a cleartext channel The SIM calculates A3A8(Ki || RAND) MS uses the result as SRES and Kc SRES is sent to BTS as proof of Ki knowledge A5 is used from here, keyed with Kc
IMSI catching crypto How can we negotiate crypto? –No knowledge of Ki –No idea of Kc for a given RAND –Can’t decrypt the result? We don’t need to. –BTS: “I’d like to use A5/{0..3}!” A5/0 == plaintext –MS: “Sure! I’d love to!” Who needs crypto anyway?
Plaintext? SRSLY? GSM Normative Annex B.1.26 –“...whenever a connection is in place, which is, or becomes unenciphered, an indication shall be given to the user.” You’ve never seen this alert because: –“The ciphering indicator feature may be disabled by the home network operator” Every operator disables it.
Attacks on A3A8 First version of A3A8 is COMP128-1 –Reverse-engineered and broken in 1998 –Recover Ki (clone the SIM) with ~150k challenges About 8 hours with a smartcard reader –Further work reduces to ~80k challenges –Over-the-air SIM cloning is plausible, given time Obviously deprecated –Still used extensively though Replaced by COMP128-2 and COMP128-3 –Neither has been disclosed or cryptanalysed –Many MNO-specific alternatives
A3A8 in practice COMP128 no longer trusted by MNOs –Still used by several major networks v1 attack is well-known – –Not open-source - watch for malware! A3A8 can be any algorithm –MNOs can (and do) use anything –Who knows what bugs are lurking?
A5 Used to encrypt traffic Three (known) variants: –A5/1: Almost universal for 2G (GSM) Stream cipher –A5/2: Weakened (export) version of A5/1 Stream cipher –A5/3: Used for 3G (UMTS) Block cipher A5 variant negotiated during camping
Attacking A5 A5/2: Deliberately weak. – Broken in 1999, key from ciphertext Assuming we own the BTS: – We choose A5 variant – We choose RAND – Sniff a conversation… Frequency hopping? Grab the whole band! – …then demand A5/2 and reuse RAND No forward secrecy in GSM.
A5/1 and A5/3 A5/1: 64-bit stream cipher, 54-bit key – Deliberately weakened A5/3: 128-bit block cipher Multiple known attacks on both: – A5/1 has practical attacks Rainbow tables Various time-memory tradeoffs – A5/3 has impractical attacks Too much plaintext required for attacking 3G
Attacking With Crypto No client challenge Kc is only 54 (effective) bits SIM vulnerable to MITM NULL crypto is acceptable (encouraged?) COMP128-1 badly broken, still used Secret hash functions A5/1 broken A5/2 badly broken A5/3 academically broken RAND replay over A5/2 No forward secrecy SRSLY?
What’s left? There’s a network behind the BTS SS7 is just as broken as GSM What if you combine the two? "We Found Carmen San Diego" Nick DePetrillo and Don Bailey Boston Source - April 21-23