Defending mobile phones. Karsten Nohl, nohl@srlabs.de Luca Melette, luca@srlabs.de



Similar documents
Mobile network security report: Poland

GSM security country report: Germany

GSM security country report: USA

Mobile network security report: Germany

Mobile network security report: Belgium

Mobile network security report: Netherlands

Mobile network security report: Poland

Mobile network security report: Greece

Mobile network security report: Norway

GSM Research. Chair in Communication Systems Department of Applied Sciences University of Freiburg 2010

Mobile self- defense. Karsten Nohl SRLabs Template v12

GSM Risks and Countermeasures

Karsten Nohl, Breaking GSM phone privacy

Monitoring mobile communication network, how does it work? How to prevent such thing about that?

Security of phone communications

(U)SimMonitor: A Mobile Application for Security Evaluation of Cellular Networks

Wireless Phone GSM tracking. Denis Foo Kune, John Koelndorfer, Nick Hopper, Yongdae Kim

Reviving smart card analysis

GSM and UMTS security

RADIUS. Brief brochure. Product Purpose

Security in cellular-radio access networks

UMTS security. Helsinki University of Technology S Security of Communication Protocols

SPYTEC 3000 The system for GSM communication monitoring

Karsten Nohl University of Virginia. Henryk Plötz HU Berlin

Security in the GSM Network

How to hack your way out of home detention

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Cellular Analysis for Legal Professionals Larry E. Daniel Digital Forensic Examiner and Cellular Analyst EnCE, DFCP, BCE, ACE, CTNS, AME

Karsten Nohl, Chris Paget 26C3, Berlin GSM SRSLY?

(U)SimMonitor: A New Malware that Compromises the Security of Cellular Technology and Allows Security Evaluation

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

Security of mobile TAN on smartphones

SS7 & LTE Stack Attack

Ch GSM PENN. Magda El Zarki - Tcom Spring 98

IAIK. Motivation 2. Advanced Computer Networks 2015/2016. Johannes Feichtner IAIK

GSM Databases. Virginia Location Area HLR Vienna Cell Virginia BSC. Virginia MSC VLR

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

LTE security and protocol exploits

Worldwide attacks on SS7 network

10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection. September 2011

An Example of Mobile Forensics

XYPRO Technology Brief: Stronger User Security with Device-centric Authentication

Business Phone Security. Threats to VoIP and What to do about Them

2 System introduction

Mobile Security. Practical attacks using cheap equipment. Business France. Presented the 07/06/2016. For. By Sébastien Dudek

Mobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords. Mika Devonshire Associate Product Manager

IMSI Catcher. Daehyun Strobel. 13.Juli Seminararbeit Ruhr-Universität Bochum. Chair for Communication Security Prof. Dr.-Ing.

Mobile Phone Network Security

Achieving Truly Secure Cloud Communications. How to navigate evolving security threats

Information Security. Be Aware, Secure, and Vigilant. Be vigilant about information security and enjoy using the internet

Evaluating GSM A5/1 security on hopping channels

LTE and IMSI catcher myths

Theory and Practice. IT-Security: GSM Location System Syslog XP 3.7. Mobile Communication. December 18, GSM Location System Syslog XP 3.

TELE 301 Network Management. Lecture 16: Remote Terminal Services

SS7: Locate. Track. Manipulate.

IDRBT Working Paper No. 11 Authentication factors for Internet banking

Mobile Communications

9.1 Introduction. 9.2 Roaming

WHITE PAPER Security in M2M Communication What is secure enough?

Secure Your Mobile Workplace

Wireless Security: Token, WEP, Cellular

Where every interaction matters.

Distributed Denial of Service Attack Tools

House intercoms attacks

Attacking Automatic Wireless Network Selection. Dino A. Dai Zovi and Shane A. Macaulay

Dirty use of USSD codes in cellular networks

Global System for Mobile Communications (GSM)

How To Protect A Wireless Lan From A Rogue Access Point

GSM Security Claude Castelluccia INRIA

A Security Survey of Strong Authentication Technologies

introduction to femtocells

Locking down a Hitachi ID Suite server

WIRELESS NETWORK SECURITY

Using TEMS Pocket. Johan Montelius

COSC 472 Network Security

How CA Arcot Solutions Protect Against Internet Threats

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Key Hopping A Security Enhancement Scheme for IEEE WEP Standards

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Encrypted SMS, an analysis of the theoretical necessities and implementation possibilities

PICKPOCKETING MWALLETS. A guide to looting mobile financial services

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

GSM BASICS GSM HISTORY:

GSM Channels. Physical & Logical Channels. Traffic and Control Mutltiframing. Frame Structure

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

Michael Seltzer COMP 116: Security Final Paper. Client Side Encryption in the Web Browser Mentor: Ming Chow

Two-Factor Authentication and Swivel

Loophole+ with Ethical Hacking and Penetration Testing

Security Issues with the Military Use of Cellular Technology Brad Long, Director of Engineering, IFONE, Inc.

SecureCom Mobile s mission is to help people keep their private communication private.

Rational AppScan & Ounce Products

iscsi Security (Insecure SCSI) Presenter: Himanshu Dwivedi

Transcription:

Defending mobile phones Karsten Nohl, nohl@srlabs.de Luca Melette, luca@srlabs.de

GSM networks provide the base for various attacks SS7 Phone Base station GSM backend network User database (HLR) Vulnerability -> attack vector User naiveté -> Phishing OS bugs -> Malware Lack of network authentication -> Fake base stations Weak encryption, predictable plaintext -> Intercept Irregular authentication -> Mobile impersonation HLR leaks -> User tracking Covered in this lecture 1

Agenda HAR2009 / 26C3 Mobile impersonation GSM network defenses GSM self-defense GSM encryption can be cracked with GPUs

Premium number/sms fraud is on the rising

Fraud can happen through mobile impersonation Legitimate transactions authenticated with TMSI, KC Illegitimate transaction Send premium SMS Access voice mail Circumvent caller-id-based authentication Phone knows: 1. TMSI ( temporary user name) 2. KC ( temporary password) Osmocom phone sniffs legitimate transaction Attacker breaks KC within seconds Decrypting the transaction with KC reveals the current TMSI Phone programmed with authenticators emulates target phone Intercept attack Impersonation attack 4

Agenda 27C3 Mobile impersonation GSM network defenses GSM self-defense GSM network wish list 1.SMS home routing 2.Randomized padding 3.Rekeying before each call and SMS 4.Frequent TMSI changes 5.Frequency hopping 5

Cracking GSM requires both a weak cipher and predictable transactions A5/1 cracking A5/1 key steam Plaintext 1 GSM weakness: Plaintext is often predictable A5/1 key steam 2 GSM weakness: Encryption is breakable This weakness could quickly disappear, putting GSM crackers out of business

Some network defenses can be deployed within weeks GSM weakness Mitigations Measures Cost Deployment time GSM crackers rely on 2 GSM weaknesses 1 Predictable plaintext 2 Stream cipher with small state 3 Padding randomization SI randomization A5/3 A5/4 Software update (free to a few millions $) New base station controllers (tens to hundreds of millions $) Weeks 1-2 years Statistical weaknesses

GSM transaction are often highly predictable SDCCH trace 238530 03 20 0d 06 35 11 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 238581 03 42 45 13 05 1e 02 ea 81 5c 08 11 80 94 03 98 93 92 69 81 2b 2b 2b 238613 00 00 03 03 49 06 1d 9f 6d 18 10 80 00 00 00 00 00 00 00 00 00 00 00 238632 01 61 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 238683 01 81 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 238715 00 00 03 03 49 06 06 70 00 00 00 00 00 04 15 50 10 00 00 00 00 0a a8 238734 03 84 21 06 2e 0d 02 d5 00 63 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 238785 03 03 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b Mitigations Padding randomization was standardized in 2008 (TS44.006) SI5/SI6 randomization standardized in 2011 (TS 44.018) Do not encrypt predictable control messages being standardized, however not backward-compatible with existing phones (GP-111234 and GP-111333) 8

Randomizing control messages can win the arms race against A5/1 crackers GSM security upgrades 1. Basic network randomization 2. Full network randomization 3a. A5/3 encryption OR 3b. Uplink randomiz. Effect Current A5/1 black boxes drop to < 30% success rate Current black boxes drop to < 5% for long-range (passive) sniffing Current black boxes are defeated, even in short-range and active operations Popularity Patches available Standardization finalized Select networks plan A5/3 upgrades Roll-outs in some networks Select operators test proprietary ideas A5/3 available on new phones (but buggy on at least one!) Randomization available on latest chips, seen on 1 phone 9

Network operators greatly differ in protection, none implements all available security Select European networks ordered by their protection against impersonation* Example best-inclass networks Example weak networks... Authenticated Randomization calls, % Padding SI 38 99 100 100 2 0 0 1 HLR blocking** No network currently implements all available protection measures * Based on the SRLabs GSM security metric v0.6, ** Parameter not relevant for mobile impersonation 10

The GSM security metric quantifies the protection against 3 attacks relative to best practices Relevant attacks Impersonation Example security parameters Encryption Authentication frequency Reference network 2011 A5/1 100% Intercept Padding randomization SI randomization Tracking HLR blocking TMSI change 100% Reference will be updated yearly to reflect ongoing technology evolution

Help us create transparency around networks defense abilities gsmmap.org network comparison Please help in collecting data for the rest of the world and in keeping the map up to date All you need is an Osmoconcapable phone

Agenda Mobile impersonation GSM network defenses 26C3 GSM self-defense Fake BTS

IMSI catcher attacks can be detected Fake base stations ( IMSI catchers ) are used towards three illegitimate purposes 1 Phone inventory Phone and SIM card identifier (IMEI, IMSI) are harvested to build location profiles Fake base stations leave suspicious traces Evidence on phone Location rejects Evidence in network Unusual location update queries 2 Pinpointing The phone is forced into a silent call that is tracked as a radio token Silent call at highest send power 3 Man-in-themiddle Calls and SMS are routed through the fake base station and intercepted Unencrypted transactions Authentication delays (for encrypting attacks) The CatcherCatcher project detects this evidence on Osmocom phones 14

Questions? GSM map, Osmocom patches CatcherCatcher project Mailing lists (gsmmap, CatcherCatcher) gsmmap.org opensource.srlabs.de lists.srlabs.de Karsten Nohl Luca Melette nohl@srlabs.de luca@srlabs.de

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information