GSM security: fact and fiction (Fabian van den Broek)
- $600 billion a year industry
- SMS is the biggest cash cow of GSM providers
- 90% of the population has coverage (more than has access to clean water)
- 4.1 billion mobile users
BTS -> BSC -> MSC -> GMSC
Even if 2 cellphones are on the same BTS, calls are routed all the way up to the MSC and back down. This is due to billing and legal wiretaps.
Providers are obviously more interested in strong authentication than strong encryption.
The initial version of COMP128 was leaked and found to be vulnerable, and it is used on a majority of SIM cards. Newer versions of COMP128 haven’t yet been tested/broken. Many providers are now implementing their own authentication.
- A5/0 (unencrypted)
- A5/1 (export grade)
A5/1 and A5/2 are stream ciphers with information only released under NDA. Information about the ciphers has been leaked, and they are thought to be totally broken.
A5/3 is a block cipher with information publicly released. A few theoretical attacks have been proposed, but most require large amounts of known text, making them unrealistic.
When a handset joins the provider’s network it sends its IMSI through to the GMSC, which creates a number of keys and other random values (RAND, SRES, Kc) and sends them to the MSC to authenticate the handset using challenge-response. Once the authentication is complete, the MSC uses Kc to create an encrypted tunnel. At no point is anything other than the handset authenticated.
From that point forward calls are encrypted between the BTS and the handset using a session key.
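The challenge-response exchange described above, as an added example that is not from the talk. A3/A8 are replaced by an HMAC-SHA256 stand-in (not COMP128), and the class names, IMSI and Ki are constructed for illustration.

```python
import hashlib
import hmac
import os

def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for A3/A8 (HMAC-SHA256, NOT COMP128): returns (SRES, Kc)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]  # 32-bit SRES, 64-bit Kc

class Sim:
    """Handset side: holds the subscriber key Ki shared with the provider."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def respond(self, rand: bytes) -> bytes:
        # The challenge carries nothing that identifies or proves the sender,
        # so the SIM has no check it could perform before answering.
        sres, self.kc = a3_a8(self._ki, rand)
        return sres

class Provider:
    """Network side: generates (RAND, SRES, Kc) for the MSC."""
    def __init__(self, subscribers: dict[str, bytes]):
        self._subscribers = subscribers

    def triplet(self, imsi: str) -> tuple[bytes, bytes, bytes]:
        rand = os.urandom(16)
        sres, kc = a3_a8(self._subscribers[imsi], rand)
        return rand, sres, kc

def msc_authenticate(provider: Provider, sim: Sim) -> bool:
    """MSC sends RAND, compares the handset's SRES, then both sides use Kc."""
    rand, expected_sres, kc = provider.triplet(sim.imsi)
    sres = sim.respond(rand)
    return hmac.compare_digest(sres, expected_sres) and sim.kc == kc

# Constructed sample values (not real subscriber data).
IMSI = "001010000000001"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
provider = Provider({IMSI: KI})

genuine_ok = msc_authenticate(provider, Sim(IMSI, KI))
wrong_key_ok = msc_authenticate(provider, Sim(IMSI, bytes(16)))
# One-way property: a RAND that never came from the provider is answered too.
unsolicited_sres = Sim(IMSI, KI).respond(bytes(16))

if __name__ == "__main__":
    print("genuine SIM accepted:", genuine_ok)
    print("wrong-Ki SIM accepted:", wrong_key_ok)
    print("SIM answered unverified challenge:", unsolicited_sres.hex())
```

The network rejects a handset with the wrong Ki, but the handset side has no equivalent check, which is the gap that mutual authentication in later standards closes.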
- Capture Bursts
- Decrypt captured bursts
- Capture a burst
- “Guess contents”
- Compute keystream
- Look-up corresponding session key
Capturing the GSM communications has always been the hard part. Equipment to achieve this was always very costly. Software defined radio (USRP) has changed this however.
USRP + GNU Radio + Airprobe
Frequency hopping was implemented not as a security feature, but to ensure quality of calls (prevent users from being stuck on a single frequency with a bad signal). Depending on when encryption takes place, it could be that the frequency hopping is exposed in the clear. Mostly, however, frequency hopping information is agreed after encryption.
A5/1 was reverse engineered in 1994 and a few theoretical attacks were discussed in academic circles. Since then more time/memory trade-offs have been discussed. Tables were announced at the CCC conference in 2008. These tables were abandoned mid-way through.
Current: Berlin set & Kraken
- GSMDecode (Airprobe)
- OpenBTS / OpenBSC
2) MITM Attack
The attacker sits in the middle claiming to be the BTS of a specific provider. The numbers required for this advertising are openly known. As soon as a handset detects a stronger signal it will shift to the attacker’s GSM.
An attacker can then sit in the middle of the Start Ciphering process to gather the required information to crack the keys.
- BTS: OpenBTS / OpenBSC
- Phone: OsmocomBB
- Hopping problem
- Time window
- Detectable (if people are looking!)
Other possible ways to MITM!
OpenBTS to Asterisk (as demoed in Las Vegas at Defcon)
This cuts out the need to forward on communications to the real provider. However, only useful for outgoing calls. No way for the attacker to track incoming calls as the user is no longer on the real GSM network.
Plus points: It already works and has been proven
Hybrid attack between MITM and Eavesdropping
- Capture challenge
- Capture conversation
- Fake BTS attack with challenge
Issue of hopping is still a problem.
3) Other Attacks
- IMSI Catcher
- Attack on other parts of the network
- Nokia 1100 (fake?)
- Locations revealed (GPS, needs more research)
- DoS Attacks
IMSI catching is often used by police to track phones used by drug dealers. By doing this they can detect the IMSI of every phone used for interception.
GSM will still be around for the next 20 years. 3G is still not broken, although research is ongoing. However, 4G is already rumored to be based on AES-based encryption.
GSM is broken, with many attack possibilities. However, attackers aren’t normally going after these problems. The weakest link is probably your phone.