Sei sulla pagina 1di 9

Evaluating GSM A5/1 security on hopping channels

Bogdan Diaconescu
v1.2
This paper is a practical approach on evaluating A5/1 stream cipher on a GSM hopping network air interface
called Um. The end goal is to evaluate how eas is to !reak A5/1 with "#TS hardware and open source
software.
$hat this paper is %#T a!out& a full description of GSM standard and A5/1 stream cipher.
About GSM hopping channels.
This work is !ased on the previous work that resulted in Airpro!e !eing a!le to decode the GSM logical
channels when a capture of '( data is provided for a specific A)*"%. $e modified Airpro!e to support hopping
channels ! taking '( data samples from files corresponding to each A)*"% of interest.
GSM slow fre+uenc hopping is intended to reduce the ad,acent cells interference ! switching !etween a set of
A)*"%s that are orthogonal to the set used ! own cell. The whole set of A)*"%s used ! the cell is !roadcast
! -TS on -"". channel in S' Tpe 1 message and the hopping parameters are sent from -TS to MS in an ))
'mmediate assignment message.
Method used for freuency hopping!
1. "apture spectrum so that all the needed A)*"%s for hopping will !e included into the !andwidth.
/. "hanneli0e and downsample the spectrum in order to o!tain a data stream for each needed A)*"%. A
1*- 21oliphase *ilter -ank3 is used for that.
4. 'dentif our call and in turn identif the hopping parameters.
5. *eed the modified gsm6receiver from airpro!e with the hopping parameters.
5. )un the same steps as in the case of non hopping cell. *or traffic channel there could !e a different set of
hopping parameters.
"rereuisites! Use US)1 %/17 or US)1/ from 8ttus. *or this work US)1 %/17 has !een used. 't can ac+uire
/5Mh0 !andwidth from the spectrum without an *1GA changes or other software changes on 1".
Step 1: Capture the data on the main ARFCN
The main A)*"% for the cell would !e the one with them ma9imum signal strength and this can !e determined
with kal tool :)ef 5;
sudo kal 6s GSM<77
kal& Scanning for GSM6<77 !ase stations.
chan& 44 2<51.=M.0 > /45.03 power& 17?<1.</

Therefore ' have m main cell phsical channel on A)*"% 44 and in turn the parameters for the engine needs to
!e set in capture_decode_channelize2.sh&
"#%*'GU)AT'#%@A7-A
"A@A44A
"7@A44A
MA@A71A B This needs to !e less or e+ual than the num!er of channels in "A
1age 1
./capture_decode_channelize2.sh > out.txt will produce the data streams for channel 44 and output of decoded
messages in $ireshark.
Step 2: Get all CA channels and determine cell hopping parameters for the call
Cetermine "ell Allocation2"A3 from Sstem 'nformation Tpe 1& 1/ // 44 5/ 5< 55
Then ne9t step is to determine SC"". channel Timeslot and hopping parameters from 'mmediate Assignment
message& channel Timeslot@1D Su!channel@7D MA'#@7D .S%@/D MA@7?
%ow run again the script in order to o!tain all channels&
"#%*'GU)AT'#%@A7-A B Timeslot 1
"A@A1/ // 44 5/ 5< 55A B "ell Allocation in increasing order
"7@A44A B "7 A)*"%
MA@A7?A B Mo!ile Allocation E A)*"%s used for this channel
1age /
MA'#@7 B Mo!ile Allocation 'nde9 #ffset
.S%@/ B .opping Se+uence %um!er
F8G@A77 77 77 77 77 77 77 77A
./capture_decode_channelize2.sh > out.txt
Step : !ecode the S!CC" channel
"#%*'GU)AT'#%@A1SA B Timeslot 1
"A@A1/ // 44 5/ 5< 55A B "ell Allocation in increasing order
"7@A44A B "7 A)*"%
MA@A7?A B Mo!ile Allocation E A)*"%s used for this channel
MA'#@7 B Mo!ile Allocation 'nde9 #ffset
.S%@/ B .opping Se+uence %um!er
F8G@A77 77 77 77 77 77 77 77A B F" E 0ero for now
1age 4
./capture_decode_channelize2.sh > out.txt
will produce $ireshark data for the frames that can !e decoded and the rest of the data in out.t9t.
Note: gsm6receiver will produce output for all the su!6slots currentl on the SC"". so it will !e useful to filter
the messages in $ireshark !ased on the known su!6slot from the 'mmediate Assignment command. 'n our case
the su!6slot value is 7.
The )) "iphering Mode "ommand is the last message sent in clear te9t !efore the encrption is ena!led. The
encrpted !ursts are to !e found in out.t9t in the form
"9 5HH145 ?557<7&
71117771177711711177711177711177711777111777171177711177111177771717711117171717171...
19 5HH145 ?557<7&
71117771177711711177711177711177711777111777171177711177111177771717711117171717171...
S9 5HH145 ?557<7&
1age 5
777777777777777777777777777777777777777777777777777777777777777777777777777777777...
where "9 is the cipher te9t !itsI 19 is the plain te9t !its and S9 is cipher stream. 'f 9@@1 then the !urst in
+uestion is the first !urst from the 5 ones that make up a frame.
Step #: Finding $c
The procedure used to find Fc !ased on rain!ow ta!les can !e found here :)ef 5;. The general idea is to know a
plain te9t together with itJs position inside cipher te9t stream. 'n our case it can !e Sstem 'nformation Tpe 5I
Sstem 'nformation Tpe 5TerI Sstem 'nformation Tpe = or an other known messages.
These messages are usuall sent at fi9ed intervals and !ased on this information one can guess the frame
num!ers where message supposed to !e in the crpted stream.
Suppose ou have the known plain6te9t at frame num!er =51175I it actuall is all over four frames& =5117/I
=51174I =51175I =51175&
'f ou know what is the plain6te9t message there then use gsmframecoder to generate the four !ursts that make
up the message&
./gsmframecoder message K !urst1 !urst / !urst 4 !urst5
Then use 9or.p to generate the cipher stream&
9or.p "1 !urst1 K results rs1
9or.p "7 !urst/ K results rs/
9or.p "7 !urst4 K results rs4
9or.p "7 !urst7 K results rs5
Then use the result from the 9or operations as input to crack tool&
crack rs1
crack rs/
crack rs4
crack rs5
'n m specific case ' get something on third !urst& *ound ccc=de=!=e4d4!!7 L // B? 2ta!le&/573
Then use findMkc to actuall determine the Fc&
./findMkc ccc=de=!=e4d4!!7 // ?55?=5
BBBB *ound potential ke 2!its& //3BBBB
/51f?15H5a4?e/af 6N /51f?15H5a4?e/af
*ramecount is ?55?=5
F"273& /f ce 45 dc 4e 7< /7 4c mismatch
...
F"2473& 5< !/ <7 =c <H 5f ce /! mismatch
F"2413& HH 7! H5 cd Hf /5 ?5 77 mismatch
'f there is another frame known then findMkc can match the e9act Fc from the list a!ove&
./findMkc ccc=de=!=e4d4!!7 // ?55?=5 ?55?<H
1age 5
1777171171717777717177117711717117717711777177717771111177171777771711111117177717717177711
17117177177771777711771
BBBB *ound potential ke 2!its& //3BBBB
/51f?15H5a4?e/af 6N /51f?15H5a4?e/af
*ramecount is ?55?=5
F"273& /f ce 45 dc 4e 7< /7 4c mismatch
...
F"2473& 5< !/ <7 =c <H 5f ce /! mismatch
F"2413& HH 7! H5 cd Hf /5 ?5 77 OOO MAT".8C OOO
%ow changing the F8G@A77 77 77 77 77 77 77 77A to F8G@AHH 7! H5 cd Hf /5 ?5 77A and running again
./capture_decode_channelize2.sh > out.txt will reveal the messages on SC"". after the ciphering started&
*rom the decrpted SC"". channel it is eas to o!serve the Assignment "ommand that is sent ! the -TS to
MS in order to assign the traffic channel. The important parameters are traffic channel Timeslot and hopping
parameters for the traffic channel.
1age =
Note: the traffic channel can have different hopping parameters than SC"". channel. Although the MA in this
case is the sameI it can !e +uite different than the MA used in the SC"". channel.
Step : !ecode the traffic channel
The saga continues with another run of ./capture_decode_channelize2.sh > out.txt. This is necessar to decode
the traffic channel and o!tain the audio stream and the configuration is presented !elow. #ne could also see in
$ireshark the S' messages sent on the *A"". channel that share the same Timeslot with T"..
"#%*'GU)AT'#%@A?TA B Timeslot ? for traffic
"A@A1/ // 44 5/ 5< 55A B "ell Allocation in increasing order
"7@A44A B "7 A)*"%
MA@A7?A B Mo!ile Allocation
MA'#@/ B Mo!ile Allocation 'nde9 #ffset
.S%@/ B .opping Se+uence %um!er
F8G@AHH 7! H5 cd Hf /5 ?5 77A B F"
1age ?
At this moment the voice stream will !e found in speech.au.gsm file that can !e listen with the following&
untoast speech.au.gsm
mplaer speech.au B or other plaer
#onclusion!
1. The securit of the GSM hopping channels is at the same level with the securit of the non hopping
channelsI the onl difference an attacker will encounter !eing the computing and storage resources
needed to channeli0e and produce the data for each A)*"%.
/. $e o!served a ver rapid degrading of the a!ilit of Airpro!e to correctl decode the GSM messages
when the overall S%) degrades under 6=7d- for "7 channelI making necessar for a !etter demodulator.
4. The P1 header of the known plainte9t 2S' message3 could change in !oth MS power level when *1" is
in use and Timing Advance when MS is moving. Therefore some prediction is necessar to !e used in
1age H
order to correctl guess the known plain te9t.
$eferences!
1. Airpro%e git! git&//git.gnumonks.org/airpro!e.git
2. &opping channels description GSM '5.'2 chapter (
). https!//srla%s.de/decrypting*gs+/
,. -al tool git! git&//githu!.com/ttsou/kali!rate6uhd.git
5. https!//lists.srla%s.de/piper+ail/a51/2'1'./uly/'''(00.ht+l
(. Airpro%e.hopping.git! https!//githu%.co+/BogdanD1A/airpro%e.hopping
1age <