Security of phone communications

Transcription

1 Security of phone communications Authentication, identification and mobile security Matej Kovačič (CC) 2015 This work is published under Creative Commons licence: AttributionNonCommercial-ShareAlike 2.5 Slovenia. Full legal text of the licence is available on a website: < Pictures: (CC) OpenClipArt.org, Matej Kovačič, Jaka Hudoklin (personal archive) and quoted authors (C).

2 Authentication and identification Authentication: a proof that message originated from holder of some given secret. Identification: a nontransferable proof that the other pa rty knows some given secret (wit hout revealing secret) Identification requires that the verifier check the info rmation presented against all th e entities it knows about. Authen tication requires that the inform ation be checked for a single, pr eviously identified entity.

3 Spoofing the identity of SMS sender

4 Sending of SMS from arbitrary number < username=xxxxxxxx&password=xxxxxxxxx&from=phrea ker&to= &text=sending%20of%20sms %20from%20number%20which%20is%20not%20a %20number.> EAS Y AS PIE!

5 Sending of SMS from arbitrary number

6 Spoofing the identity of a caller

7 Calling with arbitrary caller ID 1: setting-up the infrastructure phone network internet VPN

8 Calling with arbitrary caller ID 2: look into the virtual PBX

9 Calling with arbitrary caller ID 3: result on a phone [video]

10 Calling with arbitrary caller ID 4: traffic data recorded by the mobile provider

11 Practical»use«:-)

12 What does it means for the data retention measures and eavesdropping?

13 Courts tend to regard computer-generated materials as inherently trustworthy evidence. This has consequences for court procedure. In a court witnesses are sworn in and crossexamined to expose biases and conflicts. But what about software as a witness? Sergey Bratus, Ashlyn Lembree in Anna Shubina Software on the Witness Stand: What Should It Take for Us to Trust It?

14 Mobile identity spoofing

15 Mobile identity spoofing in GSM network (without possession of mobile phone and/or SIM card) [Vulrenabilities were fixed in most of Slovenian GSM networks, procedure is not working anymore. However, similar attacks could be possible via SS7 abuse...]

16 Mobile phone with Calypso chipset...

17 ...USRP, HackRF and HackRF clones Rad10 - HackRF clone.

18 RTL-SDR DVB-T with Elonics 4000 chipset.

19 GSM analysis with RTL-SDR Airprobe RTL-SDR

20 Use of weak encryption (A5/1)

21 Locating of user in mobile network We start sending silent SMS'es to a mobile number. During this we observe which TMSI number is receiving (encrypted) data. GSM network TMSI Mobile phone user does not detect reception of silent SMS. silent SMS Osmocom

22 Capture and cryptanalysis of A5/1 5. A3 GSM network 16 BE AF encrypted data C3 D C C8 C8 C3 29 2B 2B 2B 2B 2B CONTENT OF DATA BURST IN GSM 72 FE BC C4 2B Kraken From the air we passively capture encrypted data packets. With the help of guessing the contents of the GSM burst (guessing the padding bits) we calculate one-time encryption key. We use cryptanalysis to reconstruct session key Kc. In the process we need no access to the SIM card, mobile phone or mobile network! Kc

23 Cracking A5/1 session key Kc in a practice Cracking (cryptanalysis) with Kraken and predictions we are using in our gsmcrack.py...

24 Cracking A5/1 session key Kc in a practice and decrypted SMS message (received through 2G network). Application gsmcrack.py automatically identifies the TMSI number from the phone number (by sending silent SMS's). When we have TMSI of the target, our application is able to automatically follow the phone to an assigned dedicated channel and record encrypted message.

25 Mobile identity in mobile network Users in the mobile network does not identify themselves by the phone number, but with the IMSI and TMSI number. Important parameters are also the encryption key Kc and the Key sequence number. GSM network IMSI, TMSI, Kc, Key sequence number

26 Mobile identity spoofing If Kc does not change by every transaction, mobile identity can be easily spoofed. First, we have to identify IMSI number of our target HLR lookup HLR lookup is done through web service we get IMSI number.

27 SIM spoof Mobile identity spoofing with sim spoof command. For spoofing we need IMSI number (SS7 lookup), TMSI number (from the network), session key (we chack it) and key sequence number (from the network). In networks with A5/0 we need only TMSI and key sequence number no cryptanalysis needed!

28 Mobile identity spoofing Two SMS messages sent by spoofed mobile identity. Similarly it is possible to spoof voice calls too. [video]

29 SS7 attacks

30 Attacks on mobile networks through SS7 Signaling System 7 (SS7) is an architecture for performing out-of-band signaling in support of the call-establishment, billing, routing, and information-exchange functions of the public switched telephone network. Support for mobile telephony (roaming, SMS, data) has been added in 1990's and 2000's. Through SS7 it is possible to access Home Location Register, Visitor Location Register and Mobile Switching Center...

31 Attacks on mobile networks through SS7 With abuse of CAMEL protocol (Customised Applications for Mobile networks Enhanced Logic) it is possible to intercept outgoing calls: legitimate use: user who uses roaming in foreign country wants to call local number. MSC asks gsmscf (GSM Service Control Function) in his home network what to do with number in local format. gsmscf rewrites number in international format and forwards this number to MSC to call. attack: all calls are routed to the attacker with false gsmscf address rewrite. Attacker intercept the call and target it to its final destination.

32 Attacks on mobile networks through SS MSC, gsmscf

33 Attacks on mobile networks through SS7 Incoming calls interception is also possible: attacker pretends that user is roaming in his network. This is possible because SS7 updatelocation command is not authenticated attacker can send updatelocation command with his global title to user's HLR. All calls and SMS messages are now routed to the attacker. Consequences for two-factor authentication systems (mtan,...)?

34 Attack on mobile networks through SS7 TMSI deanonimisation and encryption key stealing: attacker intercepts TMSI number (for instance with OsmocomBB or RTL-SDR equipment)... attacker asks MSC for IMSI number og a giver TMSI number... with updatelocation command attacker can get phone number of user (MSISDN)... when attacker sends sendidentification SS7 request, MSC returns even session encrpyption key (Kc) of the user! Result: passive eavesdropping of mobile communications is possible and also mobile identity spoofing.

35 But there's an old saying inside the NSA: "Attacks always get better; they never get worse." --Bruce Schneier

36 ! D E T S U B Questions? Ilustracija: (CC) DeviantArt