GSM Sniffing - The Truth
GSM Sniffing
Karsten Nohl, [email protected]
Sylvain Munaut, [email protected]
GSM networks are victim and source of attacks on user privacy

Attack vectors along the path from the phone through the base station into the GSM backend network (SS7) and the user database (HLR):
- Phone: GUI attacks, phishing; malware; over-the-air software installation (security is optional)
- Radio interface: weak encryption; no network authentication
- Backend network and HLR: access to private user data (focus of this talk)
GSM intercept is an engineering challenge

"GSM intercept is an engineering challenge: the GSM call has to be identified and recorded from the radio interface. We strongly suspect the team developing the intercept approach has underestimated its practical complexity. A hacker would need a radio receiver system and the signal processing software necessary to process the raw radio data." (Source: GSMA press statement, Aug. 2009)

This talk introduces cheap tools for capturing, decrypting and analyzing GSM calls and SMS.
We will demonstrate how to find phones and decrypt their calls

Attack input: phone number
Outputs:
1. Target location
2. Decrypted calls and SMS
Tools: OsmocomBB phones, silent SMS, HLR lookups, rainbow tables
Agenda
- Locating a phone
- Cracking A5/1
Telcos do not authenticate each other but leak private user data

The global SS7 network connects all telcos, and all telcos trust each other on it. Any telco can ask another one "Send SMS to your subscriber x" or "Where in the world is your subscriber y?" The HLR query behind the second request can be abused. SS7 is already abused for security and privacy attacks, currently mostly for SMS spam.
Information leaked through the SS7 network discloses user location

Query                  | Accessible to            | Location granularity
HLR query              | Anybody on the Internet  | General region (rural) to city part (urban)
Anytime interrogation  | Network operators        | Cell ID: precise location

Location granularity accessible from the Internet: that of the HLR query.

Our target phone is currently in Berlin

Starting point: target phone number
1. Find city and IMSI through an HLR query
2. Find LAC and TMSI: probe each location area through silent (or broken) SMSs
3. Find cell: probe each cell in the location area through SMSs
Demo
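Step 2 of this procedure in code, as an added example that is not the authors' tooling: while a silent SMS is sent to the target, a phone camped in each candidate location area logs which TMSIs the network pages, and the TMSI that is paged shortly after every probe in exactly one location area is the target's. The paging logs, probe times, TMSIs, LACs and the 4 second window are values constructed for the example.

```python
"""Correlate silent-SMS probe times with paging-channel logs to find the
target's location area (LAC) and TMSI.  Sample data and window are
constructed for this example; this is not the authors' tool."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# How long after a probe a paging is still attributed to it (assumed value).
PAGING_WINDOW_S = 4.0

# Constructed sample: per LAC, (seconds since capture start, paged TMSI),
# as an OsmocomBB phone camped in that LAC would log them.
PAGING_LOG: Dict[int, List[Tuple[float, int]]] = {
    0x0B11: [(3.0, 0x1111AAAA), (101.0, 0x2222BBBB), (150.5, 0x1111AAAA),
             (203.5, 0x3333CCCC), (288.0, 0x2222BBBB)],
    0x0B12: [(12.0, 0x4444DDDD), (101.5, 0x7A3B1C2D), (102.0, 0x4444DDDD),
             (160.0, 0x5555EEEE), (202.0, 0x7A3B1C2D), (250.0, 0x4444DDDD),
             (301.2, 0x7A3B1C2D), (303.0, 0x6666FFFF)],
    0x0B13: [(50.0, 0x77770000), (100.8, 0x88881111), (201.1, 0x88881111),
             (320.0, 0x99992222)],
}

# Times at which the silent SMSs were sent (same clock as the paging logs).
PROBE_TIMES = [100.0, 200.0, 300.0]


def correlate(paging_log, probe_times, window=PAGING_WINDOW_S) -> Dict[Tuple[int, int], int]:
    """Count, per (LAC, TMSI), how many probes were followed by a paging of that TMSI."""
    hits: Dict[Tuple[int, int], int] = defaultdict(int)
    for lac, events in paging_log.items():
        for t_probe in probe_times:
            # A TMSI paged twice inside one window still counts as a single hit.
            paged = {tmsi for t, tmsi in events if t_probe <= t <= t_probe + window}
            for tmsi in paged:
                hits[(lac, tmsi)] += 1
    return dict(hits)


def locate(paging_log, probe_times, window=PAGING_WINDOW_S) -> Optional[Tuple[int, int]]:
    """Return (LAC, TMSI) of the single candidate paged after every probe, else None."""
    hits = correlate(paging_log, probe_times, window)
    full = [key for key, n in hits.items() if n == len(probe_times)]
    if len(full) != 1:   # no candidate matched every probe, or the match is ambiguous
        return None
    return full[0]


if __name__ == "__main__":
    ranked = sorted(correlate(PAGING_LOG, PROBE_TIMES).items(), key=lambda kv: -kv[1])
    for (lac, tmsi), n in ranked:
        print(f"LAC 0x{lac:04X}  TMSI 0x{tmsi:08X}  {n}/{len(PROBE_TIMES)} probes")
    print("target:", locate(PAGING_LOG, PROBE_TIMES))
```

Three probes are used rather than one because bystanders get paged too: with only the first two probes, the TMSI 0x88881111 in LAC 0x0B13 is paged after both just as the target is, and `locate` refuses to answer instead of guessing.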
GSM calls are transmitted encrypted over unpredictable frequencies

Beacon channel (downlink):
  Network -> Phone: Phone, are you here?
  Phone -> Network: Yes, I am
  Network -> Phone: OK, switch channel
Control channel:
  Network -> Phone: You are being called
  Network -> Phone: Start encryption
  Phone -> Network: OK
  Network -> Phone: Switch to hopping channels
  Phone -> Network: OK
Traffic channel (encrypted, unpredictable hopping, downlink and uplink):
  Voice, Voice, Voice, ...
GSM spectrum is divided by operators and cells

Cell allocations and hopping sequences should be spread over the available spectrum for noise resistance and increased sniffing costs.

GSM 900 band: downlink 925 to 960 MHz, uplink 880 to 915 MHz. Within a band, an operator allocation contains one cell's allocation, which contains the channels of one call.
GSM debugging tools have vastly different spectrum coverage

Sniffing bandwidth per tool, measured against the GSM 900 band in which the channels of one call are spread over downlink and uplink:
- Commercial FPGA board: 50 MHz
- USRP-2: 20 MHz
- USRP-1: 8 MHz
- OsmocomBB: 200 kHz (focus of this talk)
Even reprogrammed cheap phones can intercept hopping calls

Start with a EUR 10 phone from 2006 and upgrade it to an open source firmware. You get:
- Debugger for your own calls
- Single timeslot sniffer (patch the DSP code to ignore encryption)
- Multi timeslot sniffer (add a faster USB cable)
- Uplink + downlink sniffer (remove the uplink filter)
Demo
GSM uses symmetric A5/1 session keys for call privacy

Operator (Home Location Register) and phone share a master key (Ki in GSM terms) from which session keys are derived: session key = hash function(random nonce, master key). The operator sends the random nonce and the session key to the base station; the base station forwards only the random nonce to the cell phone, which derives the same session key. Communication between base station and phone is then encrypted with A5/1 under the session key. We extract this session key.
A5/1's 64-bit keys are vulnerable to time-memory trade-off attacks

(Diagram: precomputed chains run from a start point through successive steps to an end point; chains end at distinguished points, states whose last 12 bits are zero.)

A5/1 keys can be cracked with rainbow tables in seconds on a PC (details: 26C3 talk "GSM: SRSLY?").
The second generation of rainbow tables is available through BitTorrent.
GSM packets are expanded and spread over four frames

A 23 byte message is expanded by forward error correction into 57 bytes of redundant user data, which are spread over four 114 bit bursts; each burst is encrypted separately.
Lots of GSM traffic is predictable, providing known key stream

Frames with known or guessable plaintext (source: GSM standards):

Mobile-terminated calls:
1. Empty ack after Assignment complete
2. Empty ack after Alerting
3. Connect acknowledge
4. Idle filling on SDCCH (multiple frames)
5. System Information 5+6 (~1/sec)
6. LAPDm traffic

Network-terminated calls:
1. Empty ack after Cipher mode complete
2. Call proceeding
3. Alerting
4. Idle filling (multiple frames)
5. Connect
6. System Information 5+6 (~1/sec)
7. LAPDm traffic

The table also records how early in the call each frame appears (very early, early, late), whether it lies on a channel already known or still unknown to the sniffer, and how its timing is learned: through the Assignment message, through stealing bits, or by counting frames.
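The cipher behind the three slides above (session key derivation, the time-memory trade-off, and the known-plaintext table), as an added example that is not the Kraken or Airprobe code: a bit-level A5/1 implementation following the published algorithm, plus the step a sniffer performs before any table lookup, XORing a captured burst with its predicted plaintext to obtain the 114 keystream bits for that frame number. The key, frame number and plaintext burst are constructed sample values, and the channel coding that expands a 23 byte frame into four bursts is assumed to have been applied already.

```python
"""A5/1 keystream generation and keystream recovery from known plaintext.
Added example for this page.  Register lengths, taps, clocking bits and the
key/frame loading order follow the published A5/1 description; the sample key,
frame number and plaintext burst are constructed values."""
from typing import List

# Register lengths, feedback taps and clocking taps (bit 0 = least significant).
R1_LEN, R2_LEN, R3_LEN = 19, 22, 23
R1_TAPS, R2_TAPS, R3_TAPS = (13, 16, 17, 18), (20, 21), (7, 20, 21, 22)
R1_CLK, R2_CLK, R3_CLK = 8, 10, 10
BURST_BITS = 114


class A51:
    """A5/1 initialised with a 64 bit session key and a 22 bit frame number."""

    def __init__(self, key: bytes, frame: int):
        assert len(key) == 8 and 0 <= frame < (1 << 22)
        self.r1 = self.r2 = self.r3 = 0
        # Key bits (LSB-first per byte) and then the frame number bits are each
        # shifted into all three registers with regular (non-majority) clocking.
        for i in range(64):
            self._load_bit((key[i // 8] >> (i % 8)) & 1)
        for i in range(22):
            self._load_bit((frame >> i) & 1)
        for _ in range(100):          # 100 mixing clocks whose output is discarded
            self._clock()

    @staticmethod
    def _shift(reg: int, taps, length: int) -> int:
        fb = 0
        for t in taps:
            fb ^= (reg >> t) & 1
        return ((reg << 1) | fb) & ((1 << length) - 1)

    def _load_bit(self, bit: int) -> None:
        self.r1 = self._shift(self.r1, R1_TAPS, R1_LEN) ^ bit
        self.r2 = self._shift(self.r2, R2_TAPS, R2_LEN) ^ bit
        self.r3 = self._shift(self.r3, R3_TAPS, R3_LEN) ^ bit

    def _clock(self) -> None:
        """Irregular clocking: a register moves only if its clock bit agrees with the majority."""
        c1 = (self.r1 >> R1_CLK) & 1
        c2 = (self.r2 >> R2_CLK) & 1
        c3 = (self.r3 >> R3_CLK) & 1
        maj = (c1 & c2) | (c1 & c3) | (c2 & c3)
        if c1 == maj:
            self.r1 = self._shift(self.r1, R1_TAPS, R1_LEN)
        if c2 == maj:
            self.r2 = self._shift(self.r2, R2_TAPS, R2_LEN)
        if c3 == maj:
            self.r3 = self._shift(self.r3, R3_TAPS, R3_LEN)

    def keystream(self, nbits: int = 2 * BURST_BITS) -> List[int]:
        """Output bit = XOR of the three register MSBs; first 114 bits are for the downlink burst, next 114 for the uplink burst."""
        out = []
        for _ in range(nbits):
            self._clock()
            out.append(((self.r1 >> (R1_LEN - 1)) ^ (self.r2 >> (R2_LEN - 1)) ^ (self.r3 >> (R3_LEN - 1))) & 1)
        return out


def burst_keystream(key: bytes, frame: int, uplink: bool = False) -> List[int]:
    ks = A51(key, frame).keystream()
    return ks[BURST_BITS:] if uplink else ks[:BURST_BITS]


def xor_bits(a: List[int], b: List[int]) -> List[int]:
    assert len(a) == len(b)
    return [x ^ y for x, y in zip(a, b)]


def recover_keystream(cipher_burst: List[int], known_plain_burst: List[int]) -> List[int]:
    """The sniffer's step: captured burst XOR predicted plaintext = keystream for this frame number (the input to a table lookup)."""
    return xor_bits(cipher_burst, known_plain_burst)


# Constructed sample values (not a real session key or capture).
SAMPLE_KEY = bytes.fromhex("0123456789abcdef")
SAMPLE_FRAME = 0x12345
# A burst whose plaintext the sniffer can predict (already channel-coded; pattern chosen arbitrarily).
KNOWN_PLAIN = [int(c) for c in ("0010101101" * 12)[:BURST_BITS]]


def demo() -> bool:
    """Encrypt the known burst as the network would, then recover the keystream as a sniffer would."""
    ks_dl = burst_keystream(SAMPLE_KEY, SAMPLE_FRAME)
    cipher = xor_bits(KNOWN_PLAIN, ks_dl)                # what goes over the air
    recovered = recover_keystream(cipher, KNOWN_PLAIN)   # what the sniffer computes
    return recovered == ks_dl


if __name__ == "__main__":
    print("keystream recovered from known plaintext:", demo())
```

The recovered 114 bits are exactly what a table lookup needs: the tables map keystream to the cipher's internal state, from which the session key is run back, and the session key then decrypts every other burst of the call for which the frame number is known.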
Randomized padding makes control messages unpredictable to mitigate attacks

SDCCH trace (frame number followed by the 23 byte frame):
238530 03 20 0d 06 35 11 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
238581 03 42 45 13 05 1e 02 ea 81 5c 08 11 80 94 03 98 93 92 69 81 2b 2b 2b
238613 00 00 03 03 49 06 1d 9f 6d 18 10 80 00 00 00 00 00 00 00 00 00 00 00
238632 01 61 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
238683 01 81 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
238715 00 00 03 03 49 06 06 70 00 00 00 00 00 04 15 50 10 00 00 00 00 0a a8
238734 03 84 21 06 2e 0d 02 d5 00 63 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
238785 03 03 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b

Padding in GSM has traditionally been predictable (the fill octet 0x2B). Every byte of randomized padding increases the attack cost by two orders of magnitude! Randomization was specified in 2008 (TS 44.006) and should be implemented with high priority. Additionally needed: randomization of system information messages.
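The SDCCH trace above decoded frame by frame, as an added example for this page (the bytes are the slide's, the parser is not the authors' tooling): the LAPDm address, control and length fields identify which frames are fill frames, empty acks and System Information 5/6, and how many 0x2B fill octets the remaining frames still leak. The SACCH detection heuristic (a leading octet without the LAPDm EA bit is a two octet L1 header) and the small message-name table are assumptions of the example.

```python
"""Decode the slide's SDCCH trace and label what a sniffer knows about each
frame before decryption.  Added example for this page; the trace bytes are from
the slide, the parser and labels are not the authors' tooling."""
from dataclasses import dataclass
from typing import List, Optional

FILL_OCTET = 0x2B   # GSM 04.06 fill octet; TS 44.006 (2008) allows random fill instead

# Message types that occur in this trace: (protocol discriminator, message type).
MSG_NAMES = {
    (0x06, 0x35): "Ciphering Mode Command",
    (0x06, 0x2E): "Assignment Command",
    (0x06, 0x1D): "System Information 5",
    (0x06, 0x06): "System Information 6",
    (0x03, 0x05): "Setup",
}

TRACE = """\
238530 03 20 0d 06 35 11 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
238581 03 42 45 13 05 1e 02 ea 81 5c 08 11 80 94 03 98 93 92 69 81 2b 2b 2b
238613 00 00 03 03 49 06 1d 9f 6d 18 10 80 00 00 00 00 00 00 00 00 00 00 00
238632 01 61 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
238683 01 81 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
238715 00 00 03 03 49 06 06 70 00 00 00 00 00 04 15 50 10 00 00 00 00 0a a8
238734 03 84 21 06 2e 0d 02 d5 00 63 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
238785 03 03 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
"""


@dataclass
class Frame:
    fn: int
    channel: str            # "SDCCH" or "SACCH" (heuristic, see parse_frame)
    kind: str               # "I", "RR", "RNR", "REJ", "UI" or "U"
    sapi: int
    ns: Optional[int]
    nr: Optional[int]
    info: bytes
    pad_bytes: int          # trailing octets equal to the fixed 0x2B fill
    label: str              # what the sniffer knows about this frame in advance


def parse_frame(fn: int, raw: bytes) -> Frame:
    channel, body = "SDCCH", raw
    if not raw[0] & 0x01:   # heuristic: a LAPDm address has EA=1, so 0x00 is a SACCH L1 header
        channel, body = "SACCH", raw[2:]
    addr, ctrl, li = body[0], body[1], body[2]
    sapi = (addr >> 2) & 0x07
    length = li >> 2        # length indicator: bit 1 = EL, bit 2 = M, bits 3-8 = length
    info = bytes(body[3:3 + length])
    pad = sum(1 for b in body[3 + length:] if b == FILL_OCTET)
    ns = nr = None
    if ctrl & 0x01 == 0:                      # I frame: N(S) in bits 2-4, N(R) in bits 6-8
        kind, ns, nr = "I", (ctrl >> 1) & 7, (ctrl >> 5) & 7
    elif ctrl & 0x03 == 0x01:                 # S frame: supervisory function in bits 3-4
        kind = {0: "RR", 1: "RNR", 2: "REJ"}.get((ctrl >> 2) & 3, "S?")
        nr = (ctrl >> 5) & 7
    else:                                     # U frame: UI has all modifier bits zero
        kind = "UI" if ctrl & 0xEC == 0 else "U"
    name = MSG_NAMES.get((info[0] & 0x0F, info[1]), "") if len(info) >= 2 else ""
    if kind == "UI" and length == 0:
        label = "fill frame: all 23 octets known in advance"
    elif kind in ("RR", "RNR", "REJ") and length == 0:
        label = f"empty ack: known except N(R)={nr}, which follows from counting frames"
    elif name.startswith("System Information"):
        label = f"{name}: repeats about once per second, known after one observation"
    else:
        label = f"{name or 'unknown message'}: {pad} fill octets known, {length} payload octets unknown"
    return Frame(fn, channel, kind, sapi, ns, nr, info, pad, label)


def parse_trace(text: str) -> List[Frame]:
    frames = []
    for line in text.strip().splitlines():
        fn, *octets = line.split()
        frames.append(parse_frame(int(fn), bytes(int(o, 16) for o in octets)))
    return frames


def known_octets(frames: List[Frame]) -> int:
    """Octets a sniffer can predict: whole fill frames, plus the fill tail of every other frame."""
    return sum(23 if f.label.startswith("fill") else f.pad_bytes for f in frames)


if __name__ == "__main__":
    frames = parse_trace(TRACE)
    for f in frames:
        print(f"{f.fn} {f.channel:5} {f.kind:2} SAPI{f.sapi} info={f.info.hex()} {f.label}")
    print("predictable octets in this trace:", known_octets(frames))
```

Of the 8 x 23 octets in this trace, 95 are the fixed fill value or a complete fill frame before the System Information repeats and the guessable N(R) counters are even considered; with the randomized fill of TS 44.006, only the fill frames' headers and the actual payloads would remain predictable.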
GSM network wish list
1. SMS home routing
2. Randomized padding
3. Rekeying before each call and SMS
4. Frequent TMSI changes
5. Frequency hopping
GSM should currently be used as an untrusted network, just like the Internet

Threat                            | Investment             | Scope
Fake base station                 | Low                    | Local
Passive intercept of voice + SMS  | Low                    | Local
Passive intercept of data         | Currently not possible |
Phone virus / malware             | Medium to high         | Large
Phishing                          | High                   | Large

Mitigation: mutual authentication and a trust anchor against the radio-side threats; a trust anchor in the phone against malware and phishing.

Cell phone networks do not provide state-of-the-art security. Protection must be embedded in the phones and locked away from malware.
Questions?
Karsten Nohl, [email protected]
Sylvain Munaut, [email protected]

Rainbow tables, Airprobe, Kraken: srlabs.de
OsmocomBB firmware: osmocom.org
GSM project supported by