Scribd Logo
Upload

Welcome to Scribd!

  • 1783 101228.27C3.GSM-Sniffing - Nohl Munaut

    Uploaded by

    simbanga
    10 views23 pages
    GSM Sniffing Tips & Trick

    Original Title

    1783 101228.27C3.GSM-Sniffing.nohl Munaut

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    GSM Sniffing Tips & Trick

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    10 views23 pages

    1783 101228.27C3.GSM-Sniffing - Nohl Munaut

    Uploaded by

    simbanga
    GSM Sniffing Tips & Trick

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 23

    GSM Sniffing

    Karsten Nohl, nohl@srlabs.de


    Sylvain Munaut, 246tnt@gmail.com
    GSM networks are victim and source of
    attacks on user privacy
    Phone
    User data-
    base (HLR) Base station
    SS7
    GUI attacks,
    phishing
    Malware
    Over-the-air
    software
    installation
    (security is
    optional)
    Weak encryption
    No network
    authentication
    GSM backend
    network
    Attack
    vectors
    Access to
    private user
    data
    Focus of this talk
    GSM intercept is an engineering challenge
    the GSM call has to be identified and recorded from
    the radio interface. *+ we strongly suspect the team
    developing the intercept approach has underestimated
    its practical complexity.
    A hacker would need a radio receiver system and the
    signal processing software necessary to process the raw
    radio data.
    GSMA, Aug.09
    This talk introduces cheap tools for capturing,
    decrypting and analyzing GSM calls and SMS
    Source: GSMA press statement
    We will demonstrate how to find phones and
    decrypt their calls
    Attack input:
    Phone
    number
    Outputs:
    1. Target location
    2. Decrypted
    calls and SMS
    OsmocomBB
    phones
    Silent SMS
    HLR lookups
    Rainbow
    tables
    Agenda
    Locating a phone
    Sniffing air traffic
    Cracking A5/1
    Telcos do not authenticate each other but
    leak private user data
    The global SS7 network
    Telco
    Telco
    Telco
    Telco
    Send SMS to your subscriber x
    Where in the world is your subscriber y
    HLR query
    can be abused
    All telcos trust each other on the global SS7 network
    SS7 is abused for security and privacy attacks; currently for SMS spam
    Information leaked through SS7 network
    disclose user location
    Query Accessible to Location granularity
    HLR query
    Anybody on
    the Internet
    General region (rural)
    to city part (urban)
    Anytime
    interrogation
    Network
    operators
    Cell ID: precise
    location
    -location granularity accessible from the Internet-
    Our target phone is currently in Berlin
    1 Find city and IMSI through HLR
    2 Find LAC and TMSI: Probe each location area
    through silent (or broken) SMSs
    3 Find cell: Probe each cell in location area through
    SMSs
    Starting point: Target phone number
    Demo
    Agenda
    Locating a phone
    Sniffing air traffic
    Cracking A5/1
    GSM calls are transmitted encrypted over
    unpredictable frequencies
    Beacon
    channel
    Phone,
    are you
    here?
    Ok,
    switch
    channel
    Yes,
    I am
    Control
    channel
    You are
    being
    called
    Start
    encryp-
    tion
    OK
    Switch to
    hopping
    channels
    OK
    Voice
    Voice
    Voice
    Voice
    Voice
    Voice
    Voice
    Voice
    Traffic
    channel
    Encrypted
    Unpredictable
    hopping
    Down-
    link
    Uplink
    GSM spectrum is divided by operators and cells
    Cell allocations
    and hopping
    sequences should
    be spread over
    the available
    spectrum for
    noise resistance
    and increased
    sniffing costs
    960 MHz
    925 MHz
    Downlink
    GSM 900
    brand
    Operator
    allocation
    One cell
    allocation
    Channels of
    one call
    Uplink
    915 MHz
    880 MHz
    GSM debugging tools have vastly different
    sepctrum coverage
    GSM 900
    band
    Channels of
    one call
    GSM debugging tools [sniffing bandwidth]
    Commercial
    FPGA board
    [50 MHz]
    USRP-2
    [20MHz]
    USRP-1
    [8MHz]
    OsmocomBB
    [200 kHz]
    Focus of this talk
    Downlink
    Uplink
    Frequency
    coverage
    Remove uplink filter
    Add faster USB cable
    Patch DSP code to
    ignore encryption
    Even reprogrammed cheap phones can
    intercept hopping calls
    Start with a EUR 10
    phone from 2006
    Upgrade to an open
    source firmware
    Single timeslot
    sniffer
    You get:
    Debugger for your
    own calls
    Multi timeslot
    sniffer
    Uplink + downlink
    sniffer
    Demo
    Agenda
    Locating a phone
    Sniffing air traffic
    Cracking A5/1
    GSM uses symmetric A5/1 session keys for
    call privacy
    Operator Home
    Location Register
    Base station Cell phone
    Random
    nonce and
    session key
    Random
    nonce
    encrypted
    with sess-
    ion key
    Communi-
    cation A5/1-
    We extract this
    session keys
    Operator and
    phone share a
    master key to de-
    rive session keys
    Hash
    function
    Random nonce
    Master key
    Session key
    A5/1s 64-bit keys are vulnerable to time-
    memory trade-off attacks
    Start 1 2 - 5 6 7 End
    Distinguished points:
    Last 12 bits are zero
    15
    A5/1 keys can be
    cracked with
    rainbow tables in
    seconds on a PC
    (details: 26C3s
    talk GSM SRLY?)
    Second generation
    rainbow tables is
    available through
    Bittorrent
    GSM packets are expanded and spread over
    four frames
    23 byte message
    Forward error correction
    57 byte redundant user data
    114 bit burst 114 bit burst 114 bit burst 114 bit burst
    encryption encryption encryption encryption
    Lots of GSM traffic is predictable providing
    known key stream
    Known
    Channel
    Unknown
    Channel
    1. Empty Ack after Assignment complete
    2. Empty Ack after Alerting
    3. Connect Acknowledge
    4. Idle filling on SDCCH (multiple frames)
    5. System Information 5+6 (~1/sec)
    6. LAPDm traffic
    1. Empty Ack after Cipher mode complete
    2. Call proceeding
    3. Alerting
    4. Idle filling (multiple frames)
    5. Connect
    6. System Information 5+6 (~1/sec)
    7. LAPDm
    Stealing
    bits
    Counting
    frames
    Stealing
    bits
    Mobile
    termi-
    nated
    calls
    Network
    termi-
    nated
    calls
    Frame with known or guessable plaintext Very early Early Late
    Timing known
    through
    Assignment
    Source:GSM standards
    Counting
    Counting
    17
    Two phones are enough for targeted
    intercept
    Phone 1 records
    control messages
    for target TMSI(s)
    Phone 2 hops on the
    same frequencies
    as target phone,
    records voice calls
    Kraken
    A5/1
    cracker
    Plaintext
    SI msg.
    Encrypted
    SI msg.
    Encryption
    key Kc
    Demo
    Randomized padding makes control
    messages unpredictable to mitigate attacks
    SDCCH trace
    238530 03 20 0d 06 35 11 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
    238581 03 42 45 13 05 1e 02 ea 81 5c 08 11 80 94 03 98 93 92 69 81 2b 2b 2b
    238613 00 00 03 03 49 06 1d 9f 6d 18 10 80 00 00 00 00 00 00 00 00 00 00 00
    238632 01 61 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
    238683 01 81 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
    238715 00 00 03 03 49 06 06 70 00 00 00 00 00 04 15 50 10 00 00 00 00 0a a8
    238734 03 84 21 06 2e 0d 02 d5 00 63 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
    238785 03 03 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
    Padding in GSM
    has traditionally
    been predictable
    (2B)
    Every byte of
    randomized padding
    increasing attack cost
    by two orders of
    magnitude!
    Randomization was specified in 2008
    (TS44.006) and should be
    implemented with high priority
    Additionally needed: randomization
    of system information messages
    19
    GSM network wish list
    1. SMS home routing
    2. Randomized padding
    3. Rekeying before
    each call and SMS
    4. Frequent TMSI
    changes
    5. Frequency hopping
    GSM should currently be used as an
    untrusted network, just like the Internet
    Fake base station
    Passive intercept of
    voice + SMS
    Passive intercept of
    data
    Phone virus /
    malware
    Phishing
    Threat Investment Scope
    Low
    Low
    Currently not
    possible
    Medium to
    high
    High
    Local
    Local
    Large
    Large
    Mitigation
    Mutual
    authenti-
    cation &
    trust
    anchor
    Trust
    anchor
    Cell phone
    networks do
    not provide
    state-of-the art
    security.

    Protection
    must be
    embedded in
    the phones and
    locked away
    from malware.

    Questions?
    Karsten Nohl nohl@srlabs.de
    Sylvain Munaut 246tnt@gmail.com
    Rainbow tables, Airprobe, Kraken srlabs.de
    OsmocomBB firmware osmocom.org
    GSM project supported by

    You might also like