Scribd Logo
Carica

Benvenuto in Scribd!

  • 1783 101228.27C3.GSM-Sniffing - Nohl Munaut

    Caricato da

    Huzaifah Mubbashir
    494 visualizzazioni23 pagine
    GSM networks are victim and source of attacks on user privacy. SS7 Phone Attack vectors GUI attacks, phishing Malware Base station Weak encryption No network authentication. This talk introduces cheap tools for capturing, decrypting and analyzing GSM calls and SMS.

    Descrizione originale:

    Titolo originale

    1783_101228.27C3.GSM-Sniffing.Nohl_Munaut

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Formati disponibili

    PDF, TXT o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    GSM networks are victim and source of attacks on user privacy. SS7 Phone Attack vectors GUI attacks, phishing Malware Base station Weak encryption No network authentication. This talk introduces cheap tools for capturing, decrypting and analyzing GSM calls and SMS.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    494 visualizzazioni23 pagine

    1783 101228.27C3.GSM-Sniffing - Nohl Munaut

    Caricato da

    Huzaifah Mubbashir
    GSM networks are victim and source of attacks on user privacy. SS7 Phone Attack vectors GUI attacks, phishing Malware Base station Weak encryption No network authentication. This talk introduces cheap tools for capturing, decrypting and analyzing GSM calls and SMS.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    di 23

    GSM Sniffing

    Karsten Nohl, nohl@srlabs.de


    Sylvain Munaut, 246tnt@gmail.com
    GSM networks are victim and source of
    attacks on user privacy

    SS7

    GSM backend User data-


    Phone Base station network base (HLR)

    Attack  GUI attacks,  Weak encryption  Over-the-air  Access to


    vectors phishing  No network software private user
     Malware authentication installation data
    (security is
    optional)
    Focus of this talk
    GSM intercept is an engineering challenge

    “… the GSM call has to be identified and recorded from


    the radio interface. *…+ we strongly suspect the team
    developing the intercept approach has underestimated
    its practical complexity.
    A hacker would need a radio receiver system and the
    signal processing software necessary to process the raw
    radio data.” – GSMA, Aug.‘09

    This talk introduces cheap tools for capturing,


    decrypting and analyzing GSM calls and SMS

    Source: GSMA press statement


    We will demonstrate how to find phones and
    decrypt their calls

    OsmocomBB
    phones
    Outputs:
    Attack input: Rainbow 1. Target location
    Phone tables 2. Decrypted
    number
    Silent SMS calls and SMS

    HLR lookups
    Agenda

     Locating a phone

     Sniffing air traffic

     Cracking A5/1
    Telcos do not authenticate each other but
    leak private user data
    The global SS7 network

    “Send SMS to your subscriber x”


    Telco Telco

    “Where in the world is your subscriber y” “HLR query”


    can be abused
    Telco
    Telco

     All telcos trust each other on the global SS7 network


     SS7 is abused for security and privacy attacks; currently for SMS spam
    Information leaked through SS7 network
    disclose user location
    Query Accessible to Location granularity

    HLR query  Anybody on  General region (rural)


    the Internet to city part (urban)
    Anytime  Network  Cell ID: precise
    interrogation operators location

    -location granularity accessible from the Internet-


    Our target phone is currently in Berlin
    Starting point: Target phone number

    1 Find city and IMSI through HLR

    2 Find LAC and TMSI: Probe each location area Demo


    through silent (or broken) SMSs

    3 Find cell: Probe each cell in location area through


    SMSs
    Agenda

     Locating a phone

     Sniffing air traffic

     Cracking A5/1
    GSM calls are transmitted encrypted over
    unpredictable frequencies Down-
    link
    Beacon Phone, Ok,
    Uplink
    channel are you switch
    here? channel
    Yes, Encrypted
    I am

    Control Start You are Switch to


    channel encryp- being hopping
    tion called channels

    OK OK

    Traffic Unpredictable
    channel Voice Voice hopping

    Voice Voice

    Voice Voice

    Voice Voice
    GSM spectrum is divided by operators and cells
    GSM 900 Operator One cell Channels of
    brand allocation allocation one call
    960 MHz

    Downlink
    Cell allocations
    and hopping
    925 MHz sequences should
    be spread over
    915 MHz the available
    spectrum for
    noise resistance
    Uplink and increased
    sniffing costs

    880 MHz
    GSM debugging tools have vastly different
    sepctrum coverage Frequency
    coverage
    GSM debugging tools [sniffing bandwidth]
    GSM 900 Channels of OsmocomBB USRP-1 USRP-2 Commercial
    band one call [200 kHz] [8MHz] [20MHz] FPGA board
    [50 MHz]

    Downlink

    Uplink

    Focus of this talk


    Even reprogrammed cheap phones can
    intercept hopping calls
    Start with a EUR 10 You get:
    phone from 2006

    Upgrade to an open Debugger for your


    source firmware own calls

    Patch DSP code to Single timeslot


    ignore encryption sniffer
    Demo
    Multi timeslot
    Add faster USB cable sniffer

    Uplink + downlink
    Remove uplink filter
    sniffer
    Agenda

     Locating a phone

     Sniffing air traffic

     Cracking A5/1
    GSM uses symmetric A5/1 session keys for
    call privacy
    Operator and Random nonce
    phone share a Hash Session key
    master key to de- Master key function
    rive session keys

    Random
    Random nonce
    nonce and
    session key
    Communi-
    cation A5/1-
    encrypted
    Operator Home Base station with sess- Cell phone
    Location Register ion key

    We extract this
    session keys
    A5/1’s 64-bit keys are vulnerable to time-
    memory trade-off attacks
    Start 1 2-5 6 7 End
     A5/1 keys can be
    cracked with
    rainbow tables in
    seconds on a PC
    (details: 26C3’s
    talk “GSM SRLY?”)
     Second generation
    rainbow tables is
    available through
    Bittorrent

    Distinguished points:
    Last 12 bits are zero
    15
    GSM packets are expanded and spread over
    four frames
    23 byte message

    Forward error correction

    57 byte redundant user data

    114 bit burst 114 bit burst 114 bit burst 114 bit burst

    encryption encryption encryption encryption


    Lots of GSM traffic is predictable providing
    known key stream
    Known Unknown
    Channel Channel
    Assignment
    Timing known
    Frame with known or guessable plaintext Very early Early Late through

    1. Empty Ack after ‘Assignment complete’


    2. Empty Ack after ‘Alerting’
    Mobile “Stealing
    termi- 3. ‘Connect Acknowledge’ bits”
    nated 4. Idle filling on SDCCH (multiple frames)
    calls
    5. System Information 5+6 (~1/sec)
    6. LAPDm traffic Counting

    1. Empty Ack after ‘Cipher mode complete’ Counting


    2. ‘Call proceeding’ frames
    Network 3. ‘Alerting’
    termi-
    4. Idle filling (multiple frames) “Stealing
    nated
    calls 5. ‘Connect’ bits”
    6. System Information 5+6 (~1/sec)
    7. LAPDm Counting

    17
    Source:GSM standards
    Two phones are enough for targeted Demo
    intercept
    Plaintext
    SI msg.
    Kraken Encryption
    Encrypted
    A5/1 key Kc
    SI msg.
    cracker

    Phone 1 records Phone 2 hops on the


    control messages same frequencies
    for target TMSI(s) as target phone,
    records voice calls
    Randomized padding makes control
    messages unpredictable to mitigate attacks
    SDCCH trace
    238530 03 20 0d 06 35 11 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
    238581 03 42 45 13 05 1e 02 ea 81 5c 08 11 80 94 03 98 93 92 69 81 2b 2b 2b
    238613 00 00 03 03 49 06 1d 9f 6d 18 10 80 00 00 00 00 00 00 00 00 00 00 00
    238632 01 61 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
    238683 01 81 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
    238715 00 00 03 03 49 06 06 70 00 00 00 00 00 04 15 50 10 00 00 00 00 0a a8
    238734 03 84 21 06 2e 0d 02 d5 00 63 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
    238785 03 03 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b

    Every byte of Randomization was specified in 2008


    Padding in GSM (TS44.006) and should be
    randomized padding
    has traditionally implemented with high priority
    increasing attack cost
    been predictable
    by two orders of Additionally needed: randomization
    (2B)
    magnitude! of system information messages

    19
    GSM network wish list
    1. SMS home routing
    2. Randomized padding
    3. Rekeying before
    each call and SMS
    4. Frequent TMSI
    changes
    5. Frequency hopping
    GSM should currently be used as an
    untrusted network, just like the Internet
    Threat Investment Scope Mitigation

    Low Local Mutual


    Fake base station authenti-
    Cell phone
    cation &
    networks do
    Passive intercept of Low Local trust
    not provide
    voice + SMS anchor
    state-of-the art
    security.
    Passive intercept of Currently not
    data possible Protection
    must be
    Phone virus / Medium to Large embedded in
    malware high Trust the phones and
    anchor locked away
    High Large from malware.
    Phishing
    Questions? GSM project supported by

    Rainbow tables, Airprobe, Kraken srlabs.de


    OsmocomBB firmware osmocom.org
    Karsten Nohl nohl@srlabs.de
    Sylvain Munaut 246tnt@gmail.com

    Potrebbero piacerti anche