220 likes | 452 Views
GSM: SRSLY?. What’s coming up. Overview of GSM arch & crypto Hacking as we go... OpenBootTS-1.0 GSM Base Station LiveCD Demo BTS is live – feel free to connect! Network name is TestSIM or 001-01 SMS your 10-digit phone number to 101. GSM Identifiers. IMEI:
E N D
What’s coming up • Overview of GSM arch & crypto • Hacking as we go... • OpenBootTS-1.0 • GSM Base Station LiveCD • Demo BTS is live – feel free to connect! • Network name is TestSIM or 001-01 • SMS your 10-digit phone number to 101
GSM Identifiers • IMEI: • International Mobile Equipment Identifier • Identifies a handset. Easily changed, illegal to do so. • IMSI: • International Mobile Subscriber Identifier • Secret? Kind of. • Identifies an account - stored in SIM card. • TMSI: • Temporary Mobile Subscriber Identifier • Assigned by network to prevent IMSI transmission. • Auth with IMSI, use TMSI from then on • Unless, of course, the BTS asks for it.
MCC & MNC: Own the BTS • MCC: Mobile Country Code • 310 to 316 for USA, 302 for Canada • MNC: Mobile Network Code • Country-specific, usually a tuple with MCC • 310-260 for T-Mobile US • Full list on Wikipedia • Spoof MNC/MCC, phones will connect • If you claim it, they will come. • Strongest signal wins • a.k.a. “IMSI catcher”
IMSI catching in practice • OpenBTS + USRP + 52MHz clock • Easy to set up, Asterisk is hardest part • On-board 64MHz clock is too unstable • Software side is easy • ./configure && make • Libraries are the only difficulty • Set MCC/MNC to target network • Find and use an open channel (ARFCN in GSM-ese) • Wait. • Don’t forget Wireshark! • Built-in SIP analyser
OpenBootTS • http://sourceforge.net/projects/openbootts/ • Scripts for DebianLive • Creates a bootable CD with • GNU Radio + OpenBTS • Asterisk • Build chain • Much customization is possible • Preloaded configs • Virtual consoles • Different target image types • Demo and future plans
The iPhone that wouldn’t quit • What if we don’t want to catch IMSIs? • We want a closed network • Set MCC/MNC to 001-01 (Test/Test) • Phones camp to strongest signal • Remove transmit antenna • Minimize Tx power • GSM-900 in .eu overlaps ISM in USA • 902-928MHz is not a GSM band in the USA • Despite all of this we couldn’t shake a 3G…
Fun bugs in OpenBTS • Persistent MNO shortnames • Chinese student spoofed local MNO • Classmates connected • Network name of “OpenBTS” • Even after BTS was removed & phones hard rebooted! • Open / Closed registration • Separate from SIP-level HLR auth • Supposed to send “not authorized” msg • Instead sent “You’ve been stolen” msg • Hard reboot required, maybe more.
Attacking Without Crypto • Request IMSI to break TMSI secrecy • Unintentional DoS • Unintentional semi-permanent DoS • Spoof 6-digit MCC/MNC for MITM • SRSLY?
GSM Crypto Primitives • Inputs: • Rand: 16-byte challenge from BTS • Ki: 16-byte secret key, stored in SIM • Outputs: • Kc: 8-byte session key • SRES: 4-byte authentication response • Algorithms: • A3, A5, A8: GSM-specific algorithms • A3/A8 are hash functions (usually combined into one) • A5 is a cipher
Camping • Mobile Station (MS) finds BTS, sends TMSI • BTS sends RAND to MS • Only source of entropy. • MS passes RAND along to the SIM • Usually over a cleartext channel • The SIM calculates A3A8(Ki || RAND) • MS uses the result as SRES and Kc • SRES is sent to BTS as proof of Ki knowledge • A5 is used from here, keyed with Kc
IMSI catching crypto • How can we negotiate crypto? • No knowledge of Ki • No idea of Kc for a given RAND • Can’t decrypt the result? • We don’t need to. • BTS: “I’d like to use A5/{0..3}!” • A5/0 == plaintext • MS: “Sure! I’d love to!” • Who needs crypto anyway?
Plaintext? SRSLY? • GSM 02.07 Normative Annex B.1.26 • “...whenever a connection is in place, which is, or becomes unenciphered, an indication shall be given to the user.” • You’ve never seen this alert because: • “The ciphering indicator feature may be disabled by the home network operator” • Every operator disables it.
Attacks on A3A8 • First version of A3A8 is COMP128-1 • Reverse-engineered and broken in 1998 • Recover Ki (clone the SIM) with ~150k challenges • About 8 hours with a smartcard reader • Further work reduces to ~80k challenges • Over-the-air SIM cloning is plausible, given time • Obviously deprecated • Still used extensively though • Replaced by COMP128-2 and COMP128-3 • Neither has been disclosed or cryptanalysed • Many MNO-specific alternatives
A3A8 in practice • COMP128 no longer trusted by MNOs • Still used by several major networks • v1 attack is well-known • http://users.net.yu/~dejan/ • Not open-source - watch for malware! • A3A8 can be any algorithm • MNOs can (and do) use anything • Who knows what bugs are lurking?
A5 • Used to encrypt traffic • Three (known) variants: • A5/1: Almost universal for 2G (GSM) • Stream cipher • A5/2: Weakened (export) version of A5/1 • Stream cipher • A5/3: Used for 3G (UMTS) • Block cipher • A5 variant negotiated during camping
Attacking A5 • A5/2: Deliberately weak. • Broken in 1999, key from ciphertext • Assuming we own the BTS: • We choose A5 variant • We choose RAND • Sniff a conversation… • Frequency hopping? Grab the whole band! • …then demand A5/2 and reuse RAND • No forward secrecy in GSM.
A5/1 and A5/3 • A5/1: 64-bit stream cipher, 54-bit key • Deliberately weakened • A5/3: 128-bit block cipher • Multiple known attacks on both: • A5/1 has practical attacks • Rainbow tables • Various time-memory tradeoffs • A5/3 has impractical attacks • Too much plaintext required for attacking 3G
Attacking With Crypto • No client challenge • Kc is only 54 (effective) bits • SIM vulnerable to MITM • NULL crypto is acceptable (encouraged?) • COMP128-1 badly broken, still used • Secret hash functions • A5/1 broken • A5/2 badly broken • A5/3 academically broken • RAND replay over A5/2 • No forward secrecy • SRSLY?
What’s left? • There’s a network behind the BTS • SS7 is just as broken as GSM • What if you combine the two? • "We Found Carmen San Diego" • Nick DePetrillo and Don Bailey • Boston Source - April 21-23
Questions? • chris@h4rdw4re.com • @ChrisPaget