GSM: SRSLY?
What’s coming up
• Overview of GSM arch & crypto
– Hacking as we go...
• OpenBootTS-1.0
– GSM Base Station LiveCD
• Demo BTS is live – feel free to connect!
– Network name is TestSIM or 001-01
– SMS your 10-digit phone number to 101
GSM Identifiers
• IMEI: International Mobile Equipment Identifier
– Identifies a handset. Easily changed, though illegal to do so.
• IMSI: International Mobile Subscriber Identifier
– Secret? Kind of.
– Identifies an account; stored in the SIM card.
• TMSI: Temporary Mobile Subscriber Identifier
– Assigned by the network so the IMSI need not be transmitted.
• Authenticate with the IMSI, use the TMSI from then on
– Unless, of course, the BTS asks for it.
MCC & MNC: Own the BTS
• MCC: Mobile Country Code
– 310 to 316 for the USA, 302 for Canada
• MNC: Mobile Network Code
– Country-specific, usually paired with the MCC
– 310-260 for T-Mobile US
– Full list on Wikipedia
• Spoof the MCC/MNC and phones will connect
– If you claim it, they will come.
– Strongest signal wins
– a.k.a. “IMSI catcher”
IMSI catching in practice
• OpenBTS + USRP + 52MHz clock
– Easy to set up; Asterisk is the hardest part
– The on-board 64MHz clock is too unstable
• Software side is easy
– ./configure && make
– Libraries are the only difficulty
• Set MCC/MNC to the target network
• Find and use an open channel (an ARFCN, in GSM-ese)
• Wait.
• Don’t forget Wireshark!
– Built-in SIP analyser
OpenBootTS
• http://sourceforge.net/projects/openbootts/
• Scripts for DebianLive
• Creates a bootable CD with
– GNU Radio + OpenBTS
– Asterisk
– Build chain
• Much customization is possible
– Preloaded configs
– Virtual consoles
– Different target image types
• Demo and future plans
The iPhone that wouldn’t quit
• What if we don’t want to catch IMSIs?
– We want a closed network
• Set MCC/MNC to 001-01 (Test/Test)
• Phones camp on the strongest signal
– Remove the transmit antenna
– Minimize Tx power
• GSM-900 in .eu overlaps ISM in the USA
– 902-928MHz is not a GSM band in the USA
• Despite all of this we couldn’t shake a 3G…
Fun bugs in OpenBTS
• Persistent MNO shortnames
– A Chinese student spoofed the local MNO
– Classmates connected
– Network name of “OpenBTS”
• Even after the BTS was removed & the phones hard rebooted!
• Open / Closed registration
– Separate from SIP-level HLR auth
– Supposed to send a “not authorized” message
– Instead sent a “You’ve been stolen” message
– Hard reboot required, maybe more.
Attacking Without Crypto
• Request IMSI to break TMSI secrecy
• Unintentional DoS
• Unintentional semi-permanent DoS
• Spoof 6-digit MCC/MNC for MITM
• SRSLY?
GSM Crypto Primitives
• Inputs:
– RAND: 16-byte challenge from the BTS
– Ki: 16-byte secret key, stored in the SIM
• Outputs:
– Kc: 8-byte session key
– SRES: 4-byte authentication response
• Algorithms:
– A3, A5, A8: GSM-specific algorithms
• A3/A8 are hash functions (usually combined into one)
• A5 is a cipher
Camping
• Mobile Station (MS) finds the BTS, sends its TMSI
• BTS sends RAND to the MS
– The only source of entropy.
• MS passes RAND along to the SIM
– Usually over a cleartext channel
• The SIM calculates A3A8(Ki || RAND)
• MS uses the result as SRES and Kc
• SRES is sent to the BTS as proof of knowledge of Ki
• A5 is used from here on, keyed with Kc
IMSI catching crypto
• How can we negotiate crypto?
– No knowledge of Ki
– No idea of Kc for a given RAND
– Can’t decrypt the result?
• We don’t need to.
– BTS: “I’d like to use A5/{0..3}!”
• A5/0 == plaintext
– MS: “Sure! I’d love to!”
• Who needs crypto anyway?
Plaintext? SRSLY?
• GSM 02.07 Normative Annex B.1.26
– “...whenever a connection is in place, which is, or becomes unenciphered, an indication shall be given to the user.”
• You’ve never seen this alert because:
– “The ciphering indicator feature may be disabled by the home network operator”
• Every operator disables it.
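A defender-side decoder for the cipher-mode negotiation on the last two slides, added here as an example and not part of the original deck. The byte layout of the RR Ciphering Mode Command (protocol discriminator 0x06, message type 0x35, Cipher Mode Setting in the low nibble with SC in bit 1 and the algorithm identifier in bits 4-2) is from my reading of 3GPP TS 44.018 and should be checked against a real capture; the sample messages are constructed and assumed to come from one connection.

```python
RR_PROTOCOL_DISCRIMINATOR = 0x06
CIPHERING_MODE_COMMAND = 0x35
WEAK = {"A5/0", "A5/2"}   # plaintext, and the export cipher broken in 1999


def decode_cipher_mode_command(msg):
    """Return the A5 variant a Ciphering Mode Command selects ("A5/0" means
    SC=0, no ciphering). Layout assumed from TS 44.018 9.1.9 / 10.5.2.9:
    octet 3 bit 1 = SC, bits 4-2 = algorithm identifier (000 = A5/1,
    001 = A5/2, 010 = A5/3 ...); the high nibble is the Cipher Response
    (IMEISV request) and is ignored here."""
    if len(msg) < 3 or msg[0] & 0x0F != RR_PROTOCOL_DISCRIMINATOR:
        raise ValueError("not an RR message")
    if msg[1] != CIPHERING_MODE_COMMAND:
        raise ValueError("not a Ciphering Mode Command")
    setting = msg[2] & 0x0F
    if not setting & 0x01:            # SC = 0: "no ciphering"
        return "A5/0"
    return "A5/%d" % (((setting >> 1) & 0x07) + 1)


def ciphering_indicator(algorithm, operator_disabled=True):
    """GSM 02.07 Annex B.1.26: the user shall be told when the connection is
    or becomes unenciphered, unless the home operator disabled the feature
    (which, per the slide, every operator does). True = show the alert."""
    return algorithm == "A5/0" and not operator_disabled


def audit(messages, operator_disabled=True):
    """Walk captured Ciphering Mode Commands of one connection in order and
    report, per message, the selected cipher, whether it is a known-weak one,
    whether the connection "became unenciphered", and whether a ciphering
    indicator would actually have fired on the handset."""
    report = []
    ciphered = False
    for msg in messages:
        alg = decode_cipher_mode_command(msg)
        downgraded = ciphered and alg == "A5/0"
        ciphered = alg != "A5/0"
        report.append({
            "cipher": alg,
            "weak": alg in WEAK,
            "downgraded": downgraded,
            "alert_shown": ciphering_indicator(alg, operator_disabled),
        })
    return report


# Constructed sample: A5/1, then A5/0 (plaintext), then A5/2, then A5/3.
SAMPLE = [bytes.fromhex(h) for h in ("063501", "063500", "063503", "063505")]
```

With the operator default (`operator_disabled=True`) the audit still flags A5/0 and A5/2 as weak, but `alert_shown` stays False for every message, which is the situation the slide describes.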
Attacks on A3A8
• The first version of A3A8 is COMP128-1
– Reverse-engineered and broken in 1998
– Recover Ki (clone the SIM) with ~150k challenges
• About 8 hours with a smartcard reader
– Further work reduces this to ~80k challenges
– Over-the-air SIM cloning is plausible, given time
• Obviously deprecated
– Still used extensively though
• Replaced by COMP128-2 and COMP128-3
– Neither has been disclosed or cryptanalysed
– Many MNO-specific alternatives
A3A8 in practice
• COMP128 no longer trusted by MNOs
– Still used by several major networks
• The v1 attack is well-known
– http://users.net.yu/~dejan/
– Not open-source: watch for malware!
• A3A8 can be any algorithm
– MNOs can (and do) use anything
– Who knows what bugs are lurking?
A5
• Used to encrypt traffic
• Three (known) variants:
– A5/1: Almost universal for 2G (GSM); stream cipher
– A5/2: Weakened (export) version of A5/1; stream cipher
– A5/3: Used for 3G (UMTS); block cipher
• A5 variant negotiated during camping
Attacking A5
• A5/2: Deliberately weak.
– Broken in 1999: key recoverable from ciphertext
• Assuming we own the BTS:
– We choose the A5 variant
– We choose RAND
– Sniff a conversation… (frequency hopping? grab the whole band!)
– …then demand A5/2 and reuse RAND
• No forward secrecy in GSM.
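A worked model of the camping exchange from the Camping slide and of the RAND reuse described here, added as an example and not code from the original deck. It assumes a stand-in A3A8 (HMAC-SHA256, a constructed substitute; COMP128-1 itself is not reproduced) and copies only COMP128-1's forced-zero low 10 bits of Kc; the RAND, Ki, SRES and Kc sizes are those on the GSM Crypto Primitives slide.

```python
import hashlib
import hmac
import os

KI_LEN = RAND_LEN = 16           # bytes, per the GSM Crypto Primitives slide
KC_FORCED_ZERO_BITS = 10         # COMP128-1 zeroes the low 10 bits of Kc

def a3a8(ki, rand):
    """Stand-in for A3A8 (constructed: HMAC-SHA256, NOT COMP128). Same shape
    as the real thing: Ki and RAND in, 4-byte SRES and 8-byte Kc out."""
    if len(ki) != KI_LEN or len(rand) != RAND_LEN:
        raise ValueError("Ki and RAND are 16 bytes each")
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    sres = out[:4]
    kc = int.from_bytes(out[4:12], "big")
    kc &= ~((1 << KC_FORCED_ZERO_BITS) - 1)   # 64-bit Kc, 54 usable bits
    return sres, kc.to_bytes(8, "big")

def hlr_triplet(ki):
    """What the home network hands a genuine BTS: (RAND, SRES, Kc)."""
    rand = os.urandom(RAND_LEN)
    sres, kc = a3a8(ki, rand)
    return rand, sres, kc

def camp(sim_ki, rand):
    """MS side of camping: the BTS sends RAND (the only entropy), the SIM
    runs A3A8, the MS answers with SRES and keeps Kc for A5. The MS
    contributes no challenge or counter of its own."""
    sres, kc = a3a8(sim_ki, rand)
    return {"rand": rand, "sres": sres, "kc": kc}

def bts_accepts(triplet, ms_sres):
    """A genuine BTS only compares SRES; Ki never leaves the SIM or the HLR."""
    return hmac.compare_digest(triplet[1], ms_sres)

def auth_round(hlr_ki, sim_ki):
    """Full round: HLR triplet -> BTS challenge -> SIM answer -> BTS check."""
    triplet = hlr_triplet(hlr_ki)
    return bts_accepts(triplet, camp(sim_ki, triplet[0])["sres"])

def replay_reuses_kc(sim_ki, rand):
    """A replayed RAND yields the very same Kc: nothing on the MS side
    changes between runs, so a session key learned once stays valid for
    every other session that used that RAND (no forward secrecy)."""
    return camp(sim_ki, rand)["kc"] == camp(sim_ki, rand)["kc"]
```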
A5/1 and A5/3
• A5/1: 64-bit stream cipher, 54-bit key
– Deliberately weakened
• A5/3: 128-bit block cipher
• Multiple known attacks on both:
– A5/1 has practical attacks: rainbow tables and various time-memory tradeoffs
– A5/3 has impractical attacks: too much plaintext required for attacking 3G
Attacking With Crypto
• No client challenge
• Kc is only 54 (effective) bits
• SIM vulnerable to MITM
• NULL crypto is acceptable (encouraged?)
• COMP128-1 badly broken, still used
• Secret hash functions
• A5/1 broken
• A5/2 badly broken
• A5/3 academically broken
• RAND replay over A5/2
• No forward secrecy
• SRSLY?
What’s left?
• There’s a network behind the BTS
• SS7 is just as broken as GSM
• What if you combine the two?
• "We Found Carmen San Diego"
• Nick DePetrillo and Don Bailey
• Boston Source - April 21-23