Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!


[BruCON] GSM security: fact and fiction

GSM security: fact and fiction (Fabian van den Broek)

  • $600 billion a year industry
  • SMS is the biggest cash cow of GSM providers
  • 90% of the population has coverage (more than has access to clean water)
  • 4.1 billion mobile users

BTS –> BSC –> MSC –> GMSC

Even if 2 cellphones are on the same BTS, calls are routed all the way up to the MSC and back down. This is due to billing and legal wiretaps.

Authentication

Providers are obviously more interested in strong authentication than strong encryption.

  • A3
  • A8
  • COMP128

The initial version of COMP128 was leaked and found to be vulnerable, yet it is still used on a majority of SIM cards. Newer versions of COMP128 haven’t yet been tested/broken. Many providers are now implementing their own authentication.

Encryption

  • A5/0 (unencrypted)
  • A5/1 (export grade)
  • A5/2
  • A5/3

A5/1 and A5/2 are stream ciphers with information only released under NDA. Information about the ciphers has been leaked, and they are thought to be totally broken.

A5/3 is a block cipher with information publicly released. A few theoretical attacks have been proposed, but most require large amounts of known text making them unrealistic.

Process

When a handset joins the provider's network it sends its IMSI through to the GMSC, which creates a number of keys and other random values (RAND, SRES, Kc) and sends them to the MSC to authenticate the handset using challenge-response. Once authentication is complete, the MSC uses Kc to create an encrypted tunnel. At no point is anything other than the handset authenticated.

From that point forward calls are encrypted between the BTS and the handset using a session key.
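
The challenge-response flow described above, as an added example that is not part of the original post: HMAC-SHA256 stands in for A3/A8 (COMP128 is not implemented), the `Network` class merges the GMSC and MSC roles, and all class and function names are assumptions. `Handset.respond` shows why only the handset is authenticated: the challenge carries nothing the handset could verify.

```python
import hashlib
import hmac
import secrets

def a3_a8(ki, rand):
    """Stand-in for the SIM's A3/A8 step (assumption: HMAC-SHA256, not COMP128).
    Returns (SRES, Kc) with the GSM output sizes: 32 and 64 bits."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class Network:
    """Provider side: knows Ki per IMSI, issues RAND, checks SRES."""
    def __init__(self, subscribers):
        self.subscribers = subscribers      # IMSI -> Ki
        self.pending = {}                   # IMSI -> (expected SRES, Kc)

    def challenge(self, imsi):
        rand = secrets.token_bytes(16)      # 128-bit random challenge
        self.pending[imsi] = a3_a8(self.subscribers[imsi], rand)
        return rand

    def verify(self, imsi, sres):
        expected, kc = self.pending.pop(imsi)
        # Kc is released for ciphering only if the response matches
        return kc if hmac.compare_digest(expected, sres) else None

class Handset:
    def __init__(self, imsi, ki):
        self.imsi, self.ki, self.kc = imsi, ki, None

    def respond(self, rand):
        # The handset receives RAND and nothing else: there is no value
        # here that proves the challenge came from the real provider.
        sres, self.kc = a3_a8(self.ki, rand)
        return sres

def run_demo():
    imsi = "001010000000001"                # constructed IMSI
    ki = bytes(range(16))                   # constructed 128-bit Ki
    net = Network({imsi: ki})
    phone = Handset(imsi, ki)
    kc = net.verify(imsi, phone.respond(net.challenge(imsi)))
    # A SIM with the wrong Ki fails the same exchange
    wrong = Handset(imsi, bytes(16))
    rejected = net.verify(imsi, wrong.respond(net.challenge(imsi)))
    return kc == phone.kc, rejected is None

if __name__ == "__main__":
    print(run_demo())
```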

Attacks

1) Eavesdropping

  • Capture Bursts
  • Decrypt captured bursts
  • Interpret

Capture

  • Capture a burst
  • “Guess contents”
  • Compute keystream
  • Look-up corresponding session key

Capturing the GSM communications has always been the hard part. Equipment to achieve this was always very costly. Software defined radio (USRP) has changed this however.

USRP + GNU Radio + Airprobe

Frequency hopping was implemented not as a security feature, but to ensure quality of calls (prevent users from being stuck on a single frequency with a bad signal). Depending on when encryption takes place, it could be that the frequency hopping is exposed in the clear. Mostly, however, frequency hopping information is agreed after encryption.

Decrypt

A5/1 was reverse engineered in 1994 and a few theoretical attacks were discussed in academic circles. Since then more time/memory trade-offs have been discussed. Tables were announced at the CCC conference in 2008. These tables were abandoned mid-way through.

Current: Berlin set & Kraken

Interpret

  • GSMDecode (Airprobe)
  • Wireshark
  • OpenBTS / OpenBSC

2) MITM Attack

The attacker sits in the middle claiming to be the BTS of a specific provider. The numbers required for this advertising are openly known. As soon as a handset detects a stronger signal it will shift to the attacker's GSM cell.

An attacker can then sit in the middle of the Start Ciphering process to gather the required information to crack the keys.

Ingredients

  • BTS: OpenBTS / OpenBSC
  • Phone: OsmocomBB

Problems

  • Hopping problem
  • Time window
  • Detectable (if people are looking!)

Other possible ways to MITM!

OpenBTS to Asterisk (as demoed in Las Vegas at Defcon)

This cuts out the need to forward on communications to the real provider. However, only useful for outgoing calls. No way for the attacker to track incoming calls as the user is no longer on the real GSM network.

Plus points: It already works and has been proven

Hybrid attack between MITM and Eavesdropping

  • Capture challenge
  • Capture conversation
  • Fake BTS attack with challenge

Issue of hopping is still a problem.

3) Other Attacks

  • IMSI Catcher
  • Attack on other parts of the network
  • Nokia 1100 (fake?)
  • Locations revealed (GPS, needs more research)
  • DoS Attacks

IMSI catching is often used by police to track phones used by drug dealers. By doing this they can detect the IMSI of every phone used for interception.

Improvements

GSM will still be around for the next 20 years. 3G is still not broken, although research is ongoing. 4G is already rumored to be based on AES-based encryption.

Conclusion

GSM is broken, and there are many attack possibilities. However, attackers aren’t normally going after these problems. The weakest link is probably your phone.

26C3: Playing with the GSM RF interface

Doing tricks with a mobile phone

This talk will show what can be done by taking control of the GSM RF part of a mobile phone, for example performing a DoS attack to the GSM network or using the phone as a sniffing device.

If the RF hardware of a mobile phone can be controlled, lots of things are possible, for example:

  • Sending continuous Channel Request which can lead to a huge load for a GSM cell and could be considered as a DoS attack to the GSM network.
  • Use a mobile phone as a cheap GSM receiver for sniffing the air traffic, somewhat similar to what can be done with the USRP.

Motivation for playing with GSM

The GSM network has been in use in Germany since 1992 and hasn’t been well researched until recently. It was always the case that access to GSM equipment was restricted. Now the game has changed. Second-hand GSM equipment is easily available (OpenBTS, OpenBSC, etc.), and the documentation behind GSM is also now public (but is very extensive).

OpenBTS

  • Hardware based on USRP
  • Air Interface (Um) is a software defined radio
  • Does not model classic GSM architecture, but uses a direct Um-to-SIP

OpenBSC

  • Implements the Abis protocol plus MSC/MSC/HLR
  • Supports the Siemens BS11 microBTS
  • Supports ip.access nanoBTS
  • Used to run the 26C3 network using 4 nanoBTS units

The nanoBTS is much smaller and more modern than the 10 year old Siemens BS11 unit.

Airprobe

  • Passively sniff the GSM Air Interface
  • Based on USRP and GNU Radio
  • Analyze protocols with Wireshark

What about an “open” phone

  • Project Blacksphere for Nokia DCT3 phone – No longer active ?
  • TSM30, based on the TI Calypso GSM chipset – source code available on the internet
    • Can be used to sniff the air traffic
    • Could be used to perform DoS on the GSM network
  • Openmoko GTA01/02: GSM modem based on TI Calypso
    • The software is open-source, but the GSM modem is still closed
  • Future plans: Take a GSM RF-Transceiver and Baseband chip, connect it to a DSP/FPGA board
    • Truly open
    • Very long term

TSM30

  • Spanish phone (about 6 years old)
  • GSM, GPRS, WAP
  • TI Calypso chipset – leaked documents can be found
  • Firmware is written in C – no source code for the DSP

Sniffing the air traffic

The TSM30 provides the chance to extract digitally converted traffic; however, getting the data (1 MByte per second) off the phone still needs to be worked out. As there is no fast data transfer, this is currently an issue. Tests with 1 second of audio have been carried out and work as expected.

DoS Attack

  • By sending continuous RACH requests you can use up available channels on the BTS
  • Makes it difficult for phones to access the cell
  • Phones might switch to another cell
  • Useful for specifically targeting a location, but not a general wide-spread DoS
  • No 100% guarantee
  • Theory known for some time, but never demonstrated
  • Even a phone without a SIM can perform the attack
  • Hard to track
  • Protection against the attack would require a complete rewrite of how GSM functions

One use for the attack is to perform a DoS against the cell and set up a rogue point to capture user information when phones attempt to register to another available BTS.

The DoS was demonstrated using the 26C3 conference GSM network (nanoBTS and OpenBTS).

More information can be found on the CCC wiki.