GSM: SRSLY?

What’s coming up

• Overview of GSM arch & crypto– Hacking as we go...

• OpenBootTS-1.0– GSM Base Station LiveCD

• Demo BTS is live – feel free to connect!– Network name is TestSIM or 001-01– SMS your 10-digit phone number to 101

GSM Identifiers

• IMEI: – International Mobile Equipment Identifier– Identifies a handset. Easily changed, illegal to do so.

• IMSI: – International Mobile Subscriber Identifier– Secret? Kind of.– Identifies an account - stored in SIM card.

• TMSI: – Temporary Mobile Subscriber Identifier– Assigned by network to prevent IMSI transmission.

• Auth with IMSI, use TMSI from then on– Unless, of course, the BTS asks for it.

MCC & MNC: Own the BTS

• MCC: Mobile Country Code– 310 to 316 for USA, 302 for Canada

• MNC: Mobile Network Code– Country-specific, usually a tuple with MCC– 310-260 for T-Mobile US– Full list on Wikipedia

• Spoof MNC/MCC, phones will connect– If you claim it, they will come.– Strongest signal wins– a.k.a. “IMSI catcher”

IMSI catching in practice

• OpenBTS + USRP + 52MHz clock– Easy to set up, Asterisk is hardest part– On-board 64MHz clock is too unstable

• Software side is easy– ./configure && make– Libraries are the only difficulty

• Set MCC/MNC to target network• Find and use an open channel (ARFCN in GSM-ese)• Wait.

• Don’t forget Wireshark!– Built-in SIP analyser

OpenBootTS

• http://sourceforge.net/projects/openbootts/• Scripts for DebianLive• Creates a bootable CD with

– GNU Radio + OpenBTS– Asterisk– Build chain

• Much customization is possible– Preloaded configs– Virtual consoles– Different target image types

• Demo and future plans

The iPhone that wouldn’t quit

• What if we don’t want to catch IMSIs?– We want a closed network

• Set MCC/MNC to 001-01 (Test/Test)• Phones camp to strongest signal

– Remove transmit antenna– Minimize Tx power

• GSM-900 in .eu overlaps ISM in USA– 902-928MHz is not a GSM band in the USA

• Despite all of this we couldn’t shake a 3G…

Fun bugs in OpenBTS

• Persistent MNO shortnames– Chinese student spoofed local MNO– Classmates connected– Network name of “OpenBTS”

• Even after BTS was removed & phones hard rebooted!

• Open / Closed registration– Separate from SIP-level HLR auth– Supposed to send “not authorized” msg– Instead sent “You’ve been stolen” msg– Hard reboot required, maybe more.

Attacking Without Crypto

• Request IMSI to break TMSI secrecy

• Unintentional DoS

• Unintentional semi-permanent DoS

• Spoof 6-digit MCC/MNC for MITM

• SRSLY?

GSM Crypto Primitives

• Inputs:– Rand: 16-byte challenge from BTS– Ki: 16-byte secret key, stored in SIM

• Outputs:– Kc: 8-byte session key– SRES: 4-byte authentication response

• Algorithms:– A3, A5, A8: GSM-specific algorithms

• A3/A8 are hash functions (usually combined into one)• A5 is a cipher

Camping

• Mobile Station (MS) finds BTS, sends TMSI

• BTS sends RAND to MS– Only source of entropy.

• MS passes RAND along to the SIM– Usually over a cleartext channel

• The SIM calculates A3A8(Ki || RAND)

• MS uses the result as SRES and Kc

• SRES is sent to BTS as proof of Ki knowledge

• A5 is used from here, keyed with Kc

IMSI catching crypto

• How can we negotiate crypto?– No knowledge of Ki– No idea of Kc for a given RAND– Can’t decrypt the result?

• We don’t need to.– BTS: “I’d like to use A5/{0..3}!”

• A5/0 == plaintext

– MS: “Sure! I’d love to!”

• Who needs crypto anyway?

Plaintext? SRSLY?

• GSM 02.07 Normative Annex B.1.26

– “...whenever a connection is in place, which is, or becomes unenciphered, an indication shall be given to the user.”

• You’ve never seen this alert because:

– “The ciphering indicator feature may be disabled by the home network operator”

• Every operator disables it.

Attacks on A3A8

• First version of A3A8 is COMP128-1– Reverse-engineered and broken in 1998– Recover Ki (clone the SIM) with ~150k challenges

• About 8 hours with a smartcard reader– Further work reduces to ~80k challenges– Over-the-air SIM cloning is plausible, given time

• Obviously deprecated– Still used extensively though

• Replaced by COMP128-2 and COMP128-3– Neither has been disclosed or cryptanalysed– Many MNO-specific alternatives

A3A8 in practice

• COMP128 no longer trusted by MNOs– Still used by several major networks

• v1 attack is well-known– http://users.net.yu/~dejan/ – Not open-source - watch for malware!

• A3A8 can be any algorithm– MNOs can (and do) use anything– Who knows what bugs are lurking?

A5

• Used to encrypt traffic• Three (known) variants:

– A5/1: Almost universal for 2G (GSM)• Stream cipher

– A5/2: Weakened (export) version of A5/1• Stream cipher

– A5/3: Used for 3G (UMTS)• Block cipher

• A5 variant negotiated during camping

Attacking A5

• A5/2: Deliberately weak.– Broken in 1999, key from ciphertext

• Assuming we own the BTS:– We choose A5 variant– We choose RAND– Sniff a conversation…• Frequency hopping? Grab the whole band!

– …then demand A5/2 and reuse RAND

• No forward secrecy in GSM.

A5/1 and A5/3

• A5/1: 64-bit stream cipher, 54-bit key– Deliberately weakened

• A5/3: 128-bit block cipher

• Multiple known attacks on both:– A5/1 has practical attacks

• Rainbow tables• Various time-memory tradeoffs

– A5/3 has impractical attacks• Too much plaintext required for attacking 3G

Attacking With Crypto• No client challenge• Kc is only 54 (effective) bits• SIM vulnerable to MITM• NULL crypto is acceptable (encouraged?)• COMP128-1 badly broken, still used• Secret hash functions• A5/1 broken• A5/2 badly broken• A5/3 academically broken• RAND replay over A5/2• No forward secrecy

• SRSLY?

What’s left?

• There’s a network behind the BTS• SS7 is just as broken as GSM• What if you combine the two?

• "We Found Carmen San Diego"• Nick DePetrillo and Don Bailey• Boston Source - April 21-23

Questions?

chris@h4rdw4re.com

@ChrisPaget