Defending mobile phones. Karsten Nohl, Luca Melette,

Transcription

1 Defending mobile phones Karsten Nohl, Luca Melette,

2 GSM networks provide the base for various attacks SS7 Phone Base station GSM backend network User database (HLR) Vulnerability -> attack vector User naiveté -> Phishing OS bugs -> Malware Lack of network authentication -> Fake base stations Weak encryption, predictable plaintext -> Intercept Irregular authentication -> Mobile impersonation HLR leaks -> User tracking Covered in this lecture 1

3 Agenda HAR2009 / 26C3 Mobile impersonation GSM network defenses GSM self-defense GSM encryption can be cracked with GPUs

4 Premium number/sms fraud is on the rising

5 Fraud can happen through mobile impersonation Legitimate transactions authenticated with TMSI, KC Illegitimate transaction Send premium SMS Access voice mail Circumvent caller-id-based authentication Phone knows: 1. TMSI ( temporary user name) 2. KC ( temporary password) Osmocom phone sniffs legitimate transaction Attacker breaks KC within seconds Decrypting the transaction with KC reveals the current TMSI Phone programmed with authenticators emulates target phone Intercept attack Impersonation attack 4

6 Agenda 27C3 Mobile impersonation GSM network defenses GSM self-defense GSM network wish list 1.SMS home routing 2.Randomized padding 3.Rekeying before each call and SMS 4.Frequent TMSI changes 5.Frequency hopping 5

7 Cracking GSM requires both a weak cipher and predictable transactions A5/1 cracking A5/1 key steam Plaintext 1 GSM weakness: Plaintext is often predictable A5/1 key steam 2 GSM weakness: Encryption is breakable This weakness could quickly disappear, putting GSM crackers out of business

8 Some network defenses can be deployed within weeks GSM weakness Mitigations Measures Cost Deployment time GSM crackers rely on 2 GSM weaknesses 1 Predictable plaintext 2 Stream cipher with small state 3 Padding randomization SI randomization A5/3 A5/4 Software update (free to a few millions $) New base station controllers (tens to hundreds of millions $) Weeks 1-2 years Statistical weaknesses

9 GSM transaction are often highly predictable SDCCH trace d b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b e 02 ea 81 5c b 2b 2b d 9f 6d b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b a a e 0d 02 d b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b Mitigations Padding randomization was standardized in 2008 (TS44.006) SI5/SI6 randomization standardized in 2011 (TS ) Do not encrypt predictable control messages being standardized, however not backward-compatible with existing phones (GP and GP ) 8

10 Randomizing control messages can win the arms race against A5/1 crackers GSM security upgrades 1. Basic network randomization 2. Full network randomization 3a. A5/3 encryption OR 3b. Uplink randomiz. Effect Current A5/1 black boxes drop to < 30% success rate Current black boxes drop to < 5% for long-range (passive) sniffing Current black boxes are defeated, even in short-range and active operations Popularity Patches available Standardization finalized Select networks plan A5/3 upgrades Roll-outs in some networks Select operators test proprietary ideas A5/3 available on new phones (but buggy on at least one!) Randomization available on latest chips, seen on 1 phone 9

11 Network operators greatly differ in protection, none implements all available security Select European networks ordered by their protection against impersonation* Example best-inclass networks Example weak networks... Authenticated Randomization calls, % Padding SI HLR blocking** No network currently implements all available protection measures * Based on the SRLabs GSM security metric v0.6, ** Parameter not relevant for mobile impersonation 10

12 The GSM security metric quantifies the protection against 3 attacks relative to best practices Relevant attacks Impersonation Example security parameters Encryption Authentication frequency Reference network 2011 A5/1 100% Intercept Padding randomization SI randomization Tracking HLR blocking TMSI change 100% Reference will be updated yearly to reflect ongoing technology evolution

13 Help us create transparency around networks defense abilities gsmmap.org network comparison Please help in collecting data for the rest of the world and in keeping the map up to date All you need is an Osmoconcapable phone

14 Agenda Mobile impersonation GSM network defenses 26C3 GSM self-defense Fake BTS

15 IMSI catcher attacks can be detected Fake base stations ( IMSI catchers ) are used towards three illegitimate purposes 1 Phone inventory Phone and SIM card identifier (IMEI, IMSI) are harvested to build location profiles Fake base stations leave suspicious traces Evidence on phone Location rejects Evidence in network Unusual location update queries 2 Pinpointing The phone is forced into a silent call that is tracked as a radio token Silent call at highest send power 3 Man-in-themiddle Calls and SMS are routed through the fake base station and intercepted Unencrypted transactions Authentication delays (for encrypting attacks) The CatcherCatcher project detects this evidence on Osmocom phones 14

16 Questions? GSM map, Osmocom patches CatcherCatcher project Mailing lists (gsmmap, CatcherCatcher) gsmmap.org opensource.srlabs.de lists.srlabs.de Karsten Nohl Luca Melette