Hacking Gsm - Secret Keys Revealed

Karsten Nohl, Chris Paget – 26C3, Berlin

GSM – SRSLY?

Summary:
GSM Encryption needs to be shown insecure
GSM is constantly under attack:
A5/1 cipher shown insecure
repeatedly  To rectify the perception of
Lack of network authentication allow GSM‟s security, we demon-
MITM intercept (IMSI Catcher) strate its weakness

 The community has
Security expec- computed the cryptographic
tations divert base for a public
from reality demonstration of cracking
GSM
However, GSM is used in a growing
number of sensitive applications:  This presentation details
Voice calls, obviously motives, approach and next
steps of the “A5/1 Cracking
SMS for banking Project”
Seeding RFID/NFC secure elements
for access control, payment and
authentication
Source: H4RDW4RE Karsten Nohl - A5/1 Cracking 1

GSM is global, omnipresent and insecure

80% of GSM
mobile encryption
phone introduced
market in 1987 …

200+ … then
countries disclosed
and
shown
4 billion insecure
users! in 1994

Source: Wikipedia, GSMA Karsten Nohl - A5/1 Cracking 2

We need to publicly demonstrate that GSM
uses insufficient encryption
Public break attempts
A5/1 shown academically broken
A5/1 shown more …
… and more …
… and more broken.
Broken with massive computation
Rainbow table computation
'97 '00 '03 '05 '06 '03/'08

Tables never released
Too expensive
Not enough known data in GSM packets
… that didn't work.


GSM encryption is constantly being broken, just not
publicly
All public break attempts of
A5/1 have failed so far
 Academic breaks of A5/1  15 years of of A5/1
cipher are not practical research have not
[EC1997, FSE2000, produced a single PoC
Crypto2003, SAC2005]
 (until today)
 Cracking tables computed
in 2008 but never released
Meanwhile … … A5/1 is constantly
being circumvented
by intelligence, law
enforcement, and
criminals


Active and passive intercept is common
as attack devices are readily available
Two flavors of attack devices
Active intercept:
Phones connect through
A fake base station
Easily spottable (but
nobody is looking)

Passive key cracking:
Technically challenging
B –Non-trivial RF setup
–Heavy pre-computation
Allows hidden operation
This talk demonstrates that GSM intercept
is practical to raise awareness
Source: H4RDW4RE, DeepSec GSM training Karsten Nohl - A5/1 Cracking

IMSI catching

Advertise base station on beacon channel

IMSI: Subscriber Identity (~= username)
 Sort-of secret (replaced by TMSI ASAP)

MCC*: Mobile Country Code
 262 for .de, 310-316 for USA
MNC*: Mobile Network Code
 Country-specific, usually a tuple with MCC
 262-01 for T-Mobile Germany

Phones will connect to any base station with spoofed MNC/MCC
 If you claim it, they will come.
 Strongest signal wins
 IMSI catching is detectable from phone, but no detect apps exists!
 Crypto is completely optional and set by the base station !!
* Full list of MNC/MCCs available on Wikipedia
Source: H4RDW4RE

IMSI catcher could even be built from open source
components
A Setup
OpenBTS + USRP + 52MHz clock
–Easy to set up, Asterisk is hardest part
–On-board 64MHz clock is too unstable
Software side is easy
–./configure && make
–Libraries are the only difficulty

B Configure
Set MCC/MNC to target network
Find and use an open channel (ARFCN in GSM-ese)
C Collect, Decode
Wireshark has a Built-in SIP analyzer
Or: capture data on air with Airprobe and decode GSM packets

Source: H4RDW4RE

The iPhone that wouldn‟t quit
What if we want to test and not catch IMSIs?

Set MCC/MNC to 001-01 (Test/Test)
Phones camp to strongest signal
– Remove transmit antenna
– Minimize Tx power
GSM-900 in .eu overlaps ISM in USA
– 902-928MHz is not a GSM band in the USA

Despite all of this we could not shake an
iPhone 3G*…
* Other iPhones would not connect at all.
Source: H4RDW4RE

Fun bugs exposed by OpenBTS
During testing, we saw bugs in OpenBTS and phones:
Persistent MNO shortnames
–Chinese student spoofed local MNO
–Classmates connected
–Network name of “OpenBTS”, even after BTS was
removed & phones hard rebooted!
Open / Closed registration
–Separate from SIP-level HLR auth
–Supposed to send “not authorized” message
–Instead sent “You‟ve been stolen” message
–Hard reboot required, maybe more.

Still many bugs in GSM stacks
They are being found thanks to open source

Source: H4RDW4RE

Active and passive intercept is common
as attack devices are readily available
Two flavors of attack devices
Active intercept:
Phones connect through
A fake base station
Easily spottable (but
nobody is looking)

Passive key cracking:
Technically challenging
B –Non-trivial RF setup
–Heavy pre-computation
Allows hidden operation

Source: H4RDW4RE, DeepSec GSM training Karsten Nohl - A5/1 Cracking

A5/1 is vulnerable to generic pre-computation
attacks
Code book attacks
 For ciphers with small keys,  Code book provides a
code books allow decryption mapping from known output to
secret state
Secret state Output
 An A5/1 code book is 128
A52F8C02 52E91001 Petabyte and takes 100,000+
years to be computed on a PC
62B9320A 52E91002

C309ED0A 52E91003

This talk revisits techniques for computing and storing a
A5/1 code book efficiently


Groundwork for table generation is complete and
released as open source

GSM
High-speed Table Para- Table
decrypt
A5/1 engine meterization Generation*
PoC

Status

Source and doc available: Tables seen
reflextor.com/trac/a51 on Bittorrent

* Community provided: fast graphics cards (NVidia
or ATI) and Cell processors (Playstation)


Key requirement of code book generation is a fast
A5/1 engine
Time on single threaded CPU:
100,000+ years

A Parallelization
 GPUs*: hundreds of threads
 FPGA: thousands of engines

B Algorithmic tweaks
 GPUs*: compute 4 bits at once
 FPGA: minimize critical path

C Implementation tweaks Latest speeds [chains/sec]
 GPUs*: bitslicing
 Nvidia GTX280 – 500
 ATI HD5870 – 500
3 months on 40 CUDA nodes  PS3 Cell – 120

* NVidia CUDA and ATI Brook GPUs are supported

Cracking to be demonstrated on Wednesday
The first tables started showing up on the congress FTPs
and Bittorrents;
–check reflextor.com/trac/a51 for up-to-date details
We want more!
–Please sort your tables before uploading
(tutorial on reflextor.com/trac/a51)
–After the congress, keep sharing through Bittorrent

We continue to collect tables until Tuesday evening
Current state to be demonstrated in workshop
–Wednesday Dec 30, 13:00, Large workshop room (A03)
–Bring encrypted GSM sniffs you want to decrypt

Karsten Nohl - A5/1 Cracking 14

Pre-computation tables store the code book
condensed

collision

Longer chains := a) less storage, b) longer attack time

Source: H4RDW4RE, c't Karsten Nohl - A5/1 Cracking 15

Distinguished point tables save hard disk lookups

44B2
collision
44B2

Hard disk access only needed at distinguished points


Rainbow tables mitigate collisions

44B2
collisio
n
44B2

Rainbow tables have no mergers, but an exponentially higher attack time


The combination of both table optimizations is
optimal

Assumptions
 2 TB total storage
 99% success rate when collec-
ting all available keystream*
 50% success rate when only
obvious keystream is used
 Near real-time decryption with
distributed cracking network

The most resource efficient
table for A5/1 is:
 32 DP segments of length 215
 Merged into one rainbow
 380 such tables with height
228.5 needed
* Collecting all available key stream requires data from a registered phone

GSM discloses more known keystream than
assumed in previous crack attempts
Known Unknown
Channel Channel

Assignment Timing known
Frame with known or guessable plaintext Very early Early Late through

Mobile 1. Empty Ack after „Assignment complete‟
termi- 2. Empty Ack after „Alerting‟
nated “Stealing
3. „Connect Acknowledge‟
calls
4. Idle filling on SDCCH (multiple frames) bits”
5. System Information 5+6 (~1/sec)

Network 1. Empty Ack after „Cipher mode complete‟ Counting
termi- 2. „Call proceeding‟ frames
nated
3. „Alerting‟
calls
4. Idle filling (multiple frames)
“Stealing
5. „Connect‟
bits”
6. System Information 5+6 (~1/sec)

Source: GSM Standards 19

Industry responds by creating a
new challenge
“… the GSM call has to be identified and
recorded from the radio interface. […] we
strongly suspect the team developing the
intercept approach has underestimated its
practical complexity.
A hacker would need a radio receiver system
and the signal processing software necessary
to process the raw radio data.” – GSMA, Aug.„09
These remaining components of an interceptor
could be repurposed from open source projects
Source: GSMA press statement Karsten Nohl - A5/1 Cracking 20

Hypothetically, an interceptor can be built
from open source components
Compo- “Radio receiver system” “Signal processing software”
nent

OpenBTS
– USRP2 –
Current  Capture 25 MHz of GSM spectrum  Decode and record one GSM
capabi- – Typically enough for one operator channel
lities – Need separate boards for  Interpret control channel data
up- and down-link

Needed  Decrease data rate (from 40MB/s)  Decrypt A5/1 packets given the
Improve- – Ability to detect active channels correct key (v.3.0?)
ments (energy detector)  Decode several channels (v.3.0)
– Execute steps of decode chain in
FPGA (Tune and Decimate)
Bottleneck: USRP programming


GSM‟s security must be overhauled

Upgrading GSM‟s encryption function should be a
mandatory security patch

A5/1 A5/?

However, replacing A5/1 with A5/3 may not be enough:
A The A5/3 cipher Kasumi is academically broken
B The same keys are used for A5/1 and A5/3
(weakest link security)


A Dunkelman, Keller, Shamir. Asiacrypt Rump session. Dec. 2009
Summary of the Attack on Kasumi:
 Data complexity: 226 plaintexts/ciphertexts

 Space complexity: 230 bytes (one gigabyte)

 Time complexity: 232 (hardest part: ex search)

 Completely practical complexities

 Attack verified by actual software simulation

B A5/3 can be cracked in a semi-active attack

1 3
Intercept an encrypted call Decrypt data
start_cipher(A5/3, rand) Decrypt call
or SMS with
Encrypted call data key cracked
from A5/1
Same rand trans-actions
=> same key!
2 GSM cracker
Ask phone to reuse key done
start_cipher(A5/1, rand) (but not
passive and
Encrypted IDLE frames* Fake BTS not realtime)

* IDLE frames contain known plaintext
Source: H4RDW4RE Karsten Nohl - A5/1 Cracking

B All tools needed for the semi-active attack are
openly available

Intercept an encrypted call Decrypt data
Crack key
from A5/1-
Record encrypted call data encrypted
IDLE frames
Airprobe
A5/1 rainbow
OpenBSC tables

Ask phone to reuse key
start_cipher(A5/1, rand)
Fake BTS Decrypt calls
Record encrypted frames Airprobe
OpenBTS/
Airprobe OpenBSC

* IDLE frames contain known plaintext
Source: H4RDW4RE Karsten Nohl - A5/1 Cracking

A5/1 cracking is just the first step …

 Pre-computation framework build to be generic
– Any cipher with small key space
– Flexible table layout
– Various back ends: CPU, CUDA, ATI, FPGA
 All tools released open source

 Please get involved
– Port table generator to cipher in your projects
– Find data to be decrypted (i.e., through
programming the USRP‟s FPGA)


Questions?
Documentation, reflextor.com/trac/a51
Source
Mailing list tinyurl.com/a51list
c‟t article tinyurl.com/ct-rainbows

Karsten Nohl <nohl@virginia.edu>
Chris Paget <chris@h4rdw4re.com>

Many thanks to Sascha Krißler, Frank A. Stevenson and
David Burgess!

27

Hacking Gsm - Secret Keys Revealed

More Related Content

What's hot (20)

Similar to Hacking Gsm - Secret Keys Revealed (20)

Hacking Gsm - Secret Keys Revealed