GSM Sniffing. Karsten Nohl, Sylvain Munaut,

Similar documents
Karsten Nohl, Breaking GSM phone privacy

Defending mobile phones. Karsten Nohl, Luca Melette,

Evaluating GSM A5/1 security on hopping channels

Mobile network security report: Poland

Mobile network security report: Greece

GSM security country report: USA

GSM security country report: Germany

Mobile network security report: Belgium

Mobile network security report: Germany

Mobile network security report: Norway

Karsten Nohl, Chris Paget 26C3, Berlin GSM SRSLY?

GSM Research. Chair in Communication Systems Department of Applied Sciences University of Freiburg 2010

Mobile network security report: Netherlands

Mobile network security report: Poland

Security of phone communications

Mobile Security. Practical attacks using cheap equipment. Business France. Presented the 07/06/2016. For. By Sébastien Dudek

GSM Channels. Physical & Logical Channels. Traffic and Control Mutltiframing. Frame Structure

Ch GSM PENN. Magda El Zarki - Tcom Spring 98

SPYTEC 3000 The system for GSM communication monitoring

Wireless Phone GSM tracking. Denis Foo Kune, John Koelndorfer, Nick Hopper, Yongdae Kim

GSM and Similar Architectures Lesson 07 GSM Radio Interface, Data bursts and Interleaving

GSM: PHYSICAL & LOGICAL CHANNELS

Using TEMS Pocket. Johan Montelius

GSM Databases. Virginia Location Area HLR Vienna Cell Virginia BSC. Virginia MSC VLR

Mobile self- defense. Karsten Nohl SRLabs Template v12

The GSM and GPRS network T /301

RADIUS. Brief brochure. Product Purpose

GSM System. Global System for Mobile Communications

GSM Risks and Countermeasures

Appendix C GSM System and Modulation Description

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

CS Cellular and Mobile Network Security: GSM - In Detail

Frequency [MHz] ! " # $ %& &'( " Use top & bottom as additional guard. guard band. Giuseppe Bianchi DOWNLINK BS MS UPLINK MS BS

How To Understand The Gsm And Mts Mobile Network Evolution

Global System for Mobile Communications (GSM)

Introduction to WiFi Security. Frank Sweetser WPI Network Operations and Security

Global System for Mobile Communication (GSM)

GSM - Global System for Mobile Communications

CS263: Wireless Communications and Sensor Networks

MAP/C SEND ROUTING INFO FOR SM. Destination Mobile Number. Obtain the SS7 address of the MSC VLR currently serving the specified Mobile Number

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Chapter 6 Bandwidth Utilization: Multiplexing and Spreading 6.1

INTRODUCTION... 3 FREQUENCY HOPPING SPREAD SPECTRUM... 4 SECURED WIRELESS COMMUNICATION WITH AES ENCRYPTION... 6

Worldwide attacks on SS7 network

2G/3G Mobile Communication Systems

Karsten Nohl University of Virginia. Henryk Plötz HU Berlin

Wireless LAN Security: Securing Your Access Point

Wireless LANs vs. Wireless WANs

GSM Network and Services

Wireless Cellular Networks: 1G and 2G

Verint GI2. Gi2 Features Verint Systems Inc. All rights reserved.

WHITE PAPER. WEP Cloaking for Legacy Encryption Protection

Authentication in WLAN

Mobile Phone Network Security

introduction to femtocells

Lecture overview. History of cellular systems (1G) GSM introduction. Basic architecture of GSM system. Basic radio transmission parameters of GSM

Monitoring mobile communication network, how does it work? How to prevent such thing about that?

Attenuation (amplitude of the wave loses strength thereby the signal power) Refraction Reflection Shadowing Scattering Diffraction

Mobile Communications TCS 455

(U)SimMonitor: A Mobile Application for Security Evaluation of Cellular Networks

How to hack your way out of home detention

Module 5. Broadcast Communication Networks. Version 2 CSE IIT, Kharagpur

UMTS security. Helsinki University of Technology S Security of Communication Protocols

Your Wireless Network has No Clothes

CSE331: Introduction to Networks and Security. Lecture 6 Fall 2006

Security in IEEE WLANs

Theory and Practice. IT-Security: GSM Location System Syslog XP 3.7. Mobile Communication. December 18, GSM Location System Syslog XP 3.

9.1 Introduction. 9.2 Roaming

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Authentication and Security in Mobile Phones

Mobile Phone Security. Hoang Vo Billy Ngo

Chapter 6 CDMA/802.11i

Provides a communication link between MS and MSC; Manages DB for MS location. Controls user connection. Transmission.

Key Hopping A Security Enhancement Scheme for IEEE WEP Standards

3GPP Wireless Standard

SHORT MESSAGE SERVICE SECURITY

GSM BASICS GSM HISTORY:

PwC. Outline. The case for wireless networking. Access points and network cards. Introduction: OSI layers and 802 structure

LoRaWAN. What is it? A technical overview of LoRa and LoRaWAN. Technical Marketing Workgroup 1.0

Content Teaching Academy at James Madison University

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security

Wireless LAN Security Mechanisms

Wireless Tools. Training materials for wireless trainers

Mobile Communications Chapter 4: Wireless Telecommunication Systems slides by Jochen Schiller with modifications by Emmanuel Agu

SSL A discussion of the Secure Socket Layer

Special Topics in Security and Privacy of Medical Information. Reminders. Medical device security. Sujata Garera

Security in cellular-radio access networks

Bluetooth voice and data performance in DS WLAN environment

EPL 657 Wireless Networks

What is LOG Storm and what is it useful for?

Lab 7. Answer. Figure 1

CS Cellular and Mobile Network Security: CDMA/UMTS Air Interface

Reviving smart card analysis

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper

Forensic Identification of GSM Mobile Phones

Attacking Automatic Wireless Network Selection. Dino A. Dai Zovi and Shane A. Macaulay

Network Security - ISA 656 Review

Transcription:

GSM Sniffing Karsten Nohl, nohl@srlabs.de Sylvain Munaut, 246tnt@gmail.com

GSM networks are victim and source of attacks on user privacy SS7 Phone Base station GSM backend network User database (HLR) Attack vectors GUI attacks, phishing Malware Weak encryption No network authentication Over-the-air software installation (security is optional) Access to private user data Focus of this talk

Source: GSMA press statement GSM intercept is an engineering challenge the GSM call has to be identified and recorded from the radio interface. * + we strongly suspect the team developing the intercept approach has underestimated its practical complexity. A hacker would need a radio receiver system and the signal processing software necessary to process the raw radio data. GSMA, Aug. 09 This talk introduces cheap tools for capturing, decrypting and analyzing GSM calls and SMS

We will demonstrate how to find phones and decrypt their calls Attack input: Phone number OsmocomBB phones Silent SMS Rainbow tables HLR lookups Outputs: 1. Target location 2. Decrypted calls and SMS

Agenda Locating a phone Sniffing air traffic Cracking A5/1

Telcos do not authenticate each other but leak private user data The global SS7 network Telco Send SMS to your subscriber x Telco Telco Where in the world is your subscriber y Telco HLR query can be abused All telcos trust each other on the global SS7 network SS7 is abused for security and privacy attacks; currently for SMS spam

Information leaked through SS7 network disclose user location Query Accessible to Location granularity HLR query Anytime interrogation Anybody on the Internet Network operators General region (rural) to city part (urban) Cell ID: precise location -location granularity accessible from the Internet-

Our target phone is currently in Berlin Starting point: Target phone number 1 Find city and IMSI through HLR 2 Find LAC and TMSI: Probe each location area through silent (or broken) SMSs Demo 3 Find cell: Probe each cell in location area through SMSs

Agenda Locating a phone Sniffing air traffic Cracking A5/1

GSM calls are transmitted encrypted over unpredictable frequencies Beacon channel Phone, are you here? Yes, I am Ok, switch channel Downlink Uplink Encrypted Control channel Start encryption You are being called Switch to hopping channels OK OK Traffic channel Voice Voice Unpredictable hopping Voice Voice Voice Voice Voice Voice

GSM spectrum is divided by operators and cells GSM 900 brand Operator allocation One cell allocation Channels of one call 960 MHz 925 MHz 915 MHz Downlink Uplink Cell allocations and hopping sequences should be spread over the available spectrum for noise resistance and increased sniffing costs 880 MHz

GSM debugging tools have vastly different sepctrum coverage GSM 900 band Channels of one call GSM debugging tools [sniffing bandwidth] OsmocomBB [200 khz] USRP-1 [8MHz] USRP-2 [20MHz] Frequency coverage Commercial FPGA board [50 MHz] Downlink Uplink Focus of this talk

Even reprogrammed cheap phones can intercept hopping calls Start with a EUR 10 phone from 2006 You get: Upgrade to an open source firmware Patch DSP code to ignore encryption Add faster USB cable Remove uplink filter Debugger for your own calls Single timeslot sniffer Demo Multi timeslot sniffer Uplink + downlink sniffer

Agenda Locating a phone Sniffing air traffic Cracking A5/1

GSM uses symmetric A5/1 session keys for call privacy Operator and phone share a master key to derive session keys Random nonce Master key Hash function Session key Random nonce and session key Random nonce Communication A5/1- Operator Home Location Register Base station encrypted with session key Cell phone We extract this session keys

A5/1 s 64-bit keys are vulnerable to timememory trade-off attacks Start 1 2-5 6 7 End A5/1 keys can be cracked with rainbow tables in seconds on a PC (details: 26C3 s talk GSM SRLY? ) Second generation rainbow tables is available through Bittorrent Distinguished points: Last 12 bits are zero 15

GSM packets are expanded and spread over four frames 23 byte message Forward error correction 57 byte redundant user data 114 bit burst 114 bit burst 114 bit burst 114 bit burst encryption encryption encryption encryption

Lots of GSM traffic is predictable providing known key stream Assignment Frame with known or guessable plaintext Very early Early Late Known Channel Unknown Channel Timing known through 1. Empty Ack after Assignment complete Mobile terminated calls Network terminated calls 2. Empty Ack after Alerting 3. Connect Acknowledge 4. Idle filling on SDCCH (multiple frames) 5. System Information 5+6 (~1/sec) 6. LAPDm traffic 1. Empty Ack after Cipher mode complete 2. Call proceeding 3. Alerting 4. Idle filling (multiple frames) 5. Connect 6. System Information 5+6 (~1/sec) 7. LAPDm Stealing bits Counting Counting frames Stealing bits Counting Source:GSM standards 17

Two phones are enough for targeted intercept Demo Plaintext SI msg. Encrypted SI msg. Kraken A5/1 cracker Encryption key Kc Phone 1 records control messages for target TMSI(s) Phone 2 hops on the same frequencies as target phone, records voice calls

Randomized padding makes control messages unpredictable to mitigate attacks SDCCH trace 238530 03 20 0d 06 35 11 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 238581 03 42 45 13 05 1e 02 ea 81 5c 08 11 80 94 03 98 93 92 69 81 2b 2b 2b 238613 00 00 03 03 49 06 1d 9f 6d 18 10 80 00 00 00 00 00 00 00 00 00 00 00 238632 01 61 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 238683 01 81 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 238715 00 00 03 03 49 06 06 70 00 00 00 00 00 04 15 50 10 00 00 00 00 0a a8 238734 03 84 21 06 2e 0d 02 d5 00 63 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 238785 03 03 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b Padding in GSM has traditionally been predictable (2B) Every byte of randomized padding increasing attack cost by two orders of magnitude! Randomization was specified in 2008 (TS44.006) and should be implemented with high priority Additionally needed: randomization of system information messages 19

GSM network wish list 1. SMS home routing 2. Randomized padding 3. Rekeying before each call and SMS 4. Frequent TMSI changes 5. Frequency hopping

GSM should currently be used as an untrusted network, just like the Internet Threat Investment Scope Fake base station Passive intercept of voice + SMS Passive intercept of data Phone virus / malware Phishing Low Low Currently not possible Medium to high High Local Local Large Large Mitigation Mutual authentication & trust anchor Trust anchor Cell phone networks do not provide state-of-the art security. Protection must be embedded in the phones and locked away from malware.

Questions? GSM project supported by Rainbow tables, Airprobe, Kraken OsmocomBB firmware Karsten Nohl Sylvain Munaut srlabs.de osmocom.org nohl@srlabs.de 246tnt@gmail.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information