Presentation is loading. Please wait.

Presentation is loading. Please wait.

GSM: SRSLY?. What’s coming up Overview of GSM arch & crypto –Hacking as we go... OpenBootTS-1.0 –GSM Base Station LiveCD Demo BTS is live – feel free.

Published byLila Yelverton Modified over 9 years ago

Similar presentations

Presentation on theme: "GSM: SRSLY?. What’s coming up Overview of GSM arch & crypto –Hacking as we go... OpenBootTS-1.0 –GSM Base Station LiveCD Demo BTS is live – feel free."— Presentation transcript:

1 GSM: SRSLY?

2 What’s coming up Overview of GSM arch & crypto –Hacking as we go... OpenBootTS-1.0 –GSM Base Station LiveCD Demo BTS is live – feel free to connect! –Network name is TestSIM or 001-01 –SMS your 10-digit phone number to 101

3 GSM Identifiers IMEI: –International Mobile Equipment Identifier –Identifies a handset. Easily changed, illegal to do so. IMSI: –International Mobile Subscriber Identifier –Secret? Kind of. –Identifies an account - stored in SIM card. TMSI: –Temporary Mobile Subscriber Identifier –Assigned by network to prevent IMSI transmission. Auth with IMSI, use TMSI from then on –Unless, of course, the BTS asks for it.

4 MCC & MNC: Own the BTS MCC: Mobile Country Code –310 to 316 for USA, 302 for Canada MNC: Mobile Network Code –Country-specific, usually a tuple with MCC –310-260 for T-Mobile US –Full list on Wikipedia Spoof MNC/MCC, phones will connect –If you claim it, they will come. –Strongest signal wins –a.k.a. “IMSI catcher”

5 IMSI catching in practice OpenBTS + USRP + 52MHz clock –Easy to set up, Asterisk is hardest part –On-board 64MHz clock is too unstable Software side is easy –./configure && make –Libraries are the only difficulty Set MCC/MNC to target network Find and use an open channel (ARFCN in GSM-ese) Wait. Don’t forget Wireshark! –Built-in SIP analyser

6 OpenBootTS http://sourceforge.net/projects/openbootts/ Scripts for DebianLive Creates a bootable CD with – GNU Radio + OpenBTS – Asterisk – Build chain Much customization is possible – Preloaded configs – Virtual consoles – Different target image types Demo and future plans

7 The iPhone that wouldn’t quit What if we don’t want to catch IMSIs? –We want a closed network Set MCC/MNC to 001-01 (Test/Test) Phones camp to strongest signal –Remove transmit antenna –Minimize Tx power GSM-900 in.eu overlaps ISM in USA –902-928MHz is not a GSM band in the USA Despite all of this we couldn’t shake a 3G…

8 Fun bugs in OpenBTS Persistent MNO shortnames –Chinese student spoofed local MNO –Classmates connected –Network name of “OpenBTS” Even after BTS was removed & phones hard rebooted! Open / Closed registration –Separate from SIP-level HLR auth –Supposed to send “not authorized” msg –Instead sent “You’ve been stolen” msg –Hard reboot required, maybe more.

9 Attacking Without Crypto Request IMSI to break TMSI secrecy Unintentional DoS Unintentional semi-permanent DoS Spoof 6-digit MCC/MNC for MITM SRSLY?

10 GSM Crypto Primitives Inputs: –Rand: 16-byte challenge from BTS –Ki: 16-byte secret key, stored in SIM Outputs: –Kc: 8-byte session key –SRES: 4-byte authentication response Algorithms: –A3, A5, A8: GSM-specific algorithms A3/A8 are hash functions (usually combined into one) A5 is a cipher

11 Camping Mobile Station (MS) finds BTS, sends TMSI BTS sends RAND to MS –Only source of entropy. MS passes RAND along to the SIM –Usually over a cleartext channel The SIM calculates A3A8(Ki || RAND) MS uses the result as SRES and Kc SRES is sent to BTS as proof of Ki knowledge A5 is used from here, keyed with Kc

12 IMSI catching crypto How can we negotiate crypto? –No knowledge of Ki –No idea of Kc for a given RAND –Can’t decrypt the result? We don’t need to. –BTS: “I’d like to use A5/{0..3}!” A5/0 == plaintext –MS: “Sure! I’d love to!” Who needs crypto anyway?

13 Plaintext? SRSLY? GSM 02.07 Normative Annex B.1.26 –“...whenever a connection is in place, which is, or becomes unenciphered, an indication shall be given to the user.” You’ve never seen this alert because: –“The ciphering indicator feature may be disabled by the home network operator” Every operator disables it.

14 Attacks on A3A8 First version of A3A8 is COMP128-1 –Reverse-engineered and broken in 1998 –Recover Ki (clone the SIM) with ~150k challenges About 8 hours with a smartcard reader –Further work reduces to ~80k challenges –Over-the-air SIM cloning is plausible, given time Obviously deprecated –Still used extensively though Replaced by COMP128-2 and COMP128-3 –Neither has been disclosed or cryptanalysed –Many MNO-specific alternatives

15 A3A8 in practice COMP128 no longer trusted by MNOs –Still used by several major networks v1 attack is well-known –http://users.net.yu/~dejan/http://users.net.yu/~dejan/ –Not open-source - watch for malware! A3A8 can be any algorithm –MNOs can (and do) use anything –Who knows what bugs are lurking?

16 A5 Used to encrypt traffic Three (known) variants: –A5/1: Almost universal for 2G (GSM) Stream cipher –A5/2: Weakened (export) version of A5/1 Stream cipher –A5/3: Used for 3G (UMTS) Block cipher A5 variant negotiated during camping

17 Attacking A5 A5/2: Deliberately weak. – Broken in 1999, key from ciphertext Assuming we own the BTS: – We choose A5 variant – We choose RAND – Sniff a conversation… Frequency hopping? Grab the whole band! – …then demand A5/2 and reuse RAND No forward secrecy in GSM.

18 A5/1 and A5/3 A5/1: 64-bit stream cipher, 54-bit key – Deliberately weakened A5/3: 128-bit block cipher Multiple known attacks on both: – A5/1 has practical attacks Rainbow tables Various time-memory tradeoffs – A5/3 has impractical attacks Too much plaintext required for attacking 3G

19 Attacking With Crypto No client challenge Kc is only 54 (effective) bits SIM vulnerable to MITM NULL crypto is acceptable (encouraged?) COMP128-1 badly broken, still used Secret hash functions A5/1 broken A5/2 badly broken A5/3 academically broken RAND replay over A5/2 No forward secrecy SRSLY?

20 What’s left? There’s a network behind the BTS SS7 is just as broken as GSM What if you combine the two? "We Found Carmen San Diego" Nick DePetrillo and Don Bailey Boston Source - April 21-23

21 Questions? chris@h4rdw4re.com @ChrisPaget

Download ppt "GSM: SRSLY?. What’s coming up Overview of GSM arch & crypto –Hacking as we go... OpenBootTS-1.0 –GSM Base Station LiveCD Demo BTS is live – feel free."

Similar presentations

Christopher Avilla. What is MiTM?Computer MiTMGSM MiTM Tips for Detection of MiTM.

Christopher Avilla. What is MiTM?Computer MiTMGSM MiTM Tips for Detection of MiTM.
Siyang Tian. TOPIC 1.SIM CARD card embedded with subscriber identity module 2. 3G network 3rd generation mobile telecommunications.

Siyang Tian. TOPIC 1.SIM CARD card embedded with subscriber identity module 2. 3G network 3rd generation mobile telecommunications.
An Improvement on Privacy and Authentication in GSM Young Jae Choi, Soon Ja Kim Computer Networks Lab. School of Electrical Engineering and Computer Science,

An Improvement on Privacy and Authentication in GSM Young Jae Choi, Soon Ja Kim Computer Networks Lab. School of Electrical Engineering and Computer Science,
GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.

GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.
GSM Security and Encryption

GSM Security and Encryption
Breaking the A5 Encryption Algorithm for GSM Phones Matthew Flaschen David Gallmeier John Kuipers Rohit Sinha Jeff Wells.

Breaking the A5 Encryption Algorithm for GSM Phones Matthew Flaschen David Gallmeier John Kuipers Rohit Sinha Jeff Wells.
Topics In Information Security Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication Presented by Idan Sheetrit

Topics In Information Security Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication Presented by Idan Sheetrit
CELLULAR TELEPHONE NETWORK SECURITY Ari Vesanen, Department of Information Processing Sciences, University of Oulu.

CELLULAR TELEPHONE NETWORK SECURITY Ari Vesanen, Department of Information Processing Sciences, University of Oulu.
GSM cracking ● Introduction. GSM cracking Scope of this lecture ● A (very) brief tour of GSM ● The Cryptography ● How it's possible to crack it ● What's.

GSM cracking ● Introduction. GSM cracking Scope of this lecture ● A (very) brief tour of GSM ● The Cryptography ● How it's possible to crack it ● What's.
Mario Čagalj University of Split 2013/2014. Security of Cellular Networks: Man-in-the Middle Attacks ‘Security in the GSM system’ by Jeremy Quirke, 2004.

Mario Čagalj University of Split 2013/2014. Security of Cellular Networks: Man-in-the Middle Attacks ‘Security in the GSM system’ by Jeremy Quirke, 2004.
CC4100 Active Cellular Intercept Technologies

CC4100 Active Cellular Intercept Technologies
By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.

By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.
GSM Global System for Mobile Communications

GSM Global System for Mobile Communications
Myagmar, Gupta UIUC 2001 1 3G Security Principles Build on GSM security Correct problems with GSM security Add new security features Source: 3GPP.

Myagmar, Gupta UIUC G Security Principles Build on GSM security Correct problems with GSM security Add new security features Source: 3GPP.
GSM—Global System for Mobile. 2 How does GSM handle multiple users The 1G cellular systems used FDMA. The first cellular standard adopting TDMA was GSM,

GSM—Global System for Mobile. 2 How does GSM handle multiple users The 1G cellular systems used FDMA. The first cellular standard adopting TDMA was GSM,
GSM standard (continued)

GSM standard (continued)
SMUCSE 5349/7349 GSM Security. SMUCSE 5349/7349 GSM Security Provisions Anonymity Authentication Signaling protection User data protection.

SMUCSE 5349/7349 GSM Security. SMUCSE 5349/7349 GSM Security Provisions Anonymity Authentication Signaling protection User data protection.
Modes Mobile Station ( MS )

Modes Mobile Station ( MS )
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)

Similar presentations

Ads by Google