Shmoocon Feb08 Gsm

    Date posted: 05-Apr-2018

Transcript of Shmoocon Feb08 Gsm

  • 7/31/2019 Shmoocon Feb08 Gsm

    1/21

    Intercepting GSM Traffic

    David Hulton (h1kari)

    http://wiki.thc.org/gsm

    http://www.openciphers.org
    http://www.picocomputing.com
    http://www.toorcon.org
    mailto:0x31337@gmail.com

    February 15th, 2008 ShmooCon 4

    Agenda

    Intro GSM

    Receiving GSM signals

    Cracking A5/1


    Intro to GSM

    Widely deployed: AT&T, T-Mobile, most other countries' carriers

    Security: Authentication (A3/A8), Encryption (A5)


    Intercepting Traffic

    Nokia 3310 / Ericsson / TSM

    USRP (gssm project)

    TI's OMAP dev kit

    Commercial interceptors


    What now?

    Various hardware will capture traffic

    Turns out that many basestations send SMSs unencrypted

    What about capturing conversations?

    Some countries don't use any encryption (A5/0) or weak encryption (A5/2)

    The US and most countries use A5/1


    A5/1 Cracking

    [Diagram: handset and network each run A8(Ki) during authentication and each obtain Kc; the conversation is then encrypted on both sides with A5(Kc)]


    A5/1 Cracking

    [Diagram: on each side, Kc and the Frame number feed A5(Kc, Frame), and its output is XORed (+) with the plain-text]


    A5/1 Cracking

    Clock in 64-bit Kc and 22-bit frame number

    Clock for 100 cycles

    Clock 114 times to generate 114 bits


    A5/1 Cracking

    Other attacks are academic BS.

    3-4 frames. Fully passive.

    Combination of Rainbow Table attack and others.


    Sliding Window

    [0|1|1|0|1|0..........|1|0|1|1]

    [ 64 bit Cipherstream 0 .][ 64 bit Cipherstream 1 ......]

    [ 64 bit Cipherstream 2 ...]

    .

    [ 64 bit Cipherstream 50 ...]


    Sliding Window

    Total of 4 frames with 114 bits each

    114 - 64 + 1 = 51 keystreams per frame

    51 x 4 frames = 204 keystreams total
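Added example, not the speaker's code: a Python transcription of the published A5/1 description that walks through the three A5/1 slides above (Kc and frame number clocked in, 100 discarded clocks, a 114-bit burst, ciphertext as plain-text XOR keystream) and the sliding-window count on this slide. Register sizes, taps and clocking bits come from the public cipher description; the class and function names are this example's own.

```python
# Added example (not the speaker's code): a Python transcription of the
# published A5/1 description; register sizes, taps and clock bits are from it.
MASK = (0x07FFFF, 0x3FFFFF, 0x7FFFFF)  # 19-, 22-, 23-bit registers R1..R3
TAPS = (0x072000, 0x300000, 0x700080)  # feedback taps of each register
MID = (0x000100, 0x000400, 0x000400)   # majority-clocking bit of each register

def _step(reg, mask, taps):
    """Shift one register left, feeding the parity of its tap bits into bit 0."""
    return ((reg << 1) & mask) | (bin(reg & taps).count("1") & 1)

class A51:
    def __init__(self, kc: bytes, frame: int):
        assert len(kc) == 8 and 0 <= frame < (1 << 22)
        self.r = [0, 0, 0]
        # Clock in the 64 Kc bits (LSB of each byte first), then the 22 frame
        # bits: all three registers step together and the bit lands in bit 0.
        bits = [(kc[i // 8] >> (i & 7)) & 1 for i in range(64)]
        bits += [(frame >> i) & 1 for i in range(22)]
        for b in bits:
            self.r = [_step(x, m, t) ^ b for x, m, t in zip(self.r, MASK, TAPS)]
        for _ in range(100):  # 100 mixing clocks, output thrown away
            self._clock()

    def _clock(self):
        """Majority rule: a register steps only if its middle bit matches the majority."""
        mids = [bool(x & m) for x, m in zip(self.r, MID)]
        maj = sum(mids) >= 2
        self.r = [_step(x, m, t) if c == maj else x
                  for x, m, t, c in zip(self.r, MASK, TAPS, mids)]

    def burst(self) -> bytes:
        """Clock 114 times; return the 114-bit burst MSB first (15 bytes, 6 pad bits)."""
        out = bytearray(15)
        for i in range(114):
            self._clock()
            bit = (self.r[0] >> 18) ^ (self.r[1] >> 21) ^ (self.r[2] >> 22)
            out[i // 8] |= (bit & 1) << (7 - (i & 7))
        return bytes(out)

def xor_burst(data: bytes, burst: bytes) -> bytes:
    """Ciphertext = plain-text XOR A5(Kc, Frame); calling it again decrypts."""
    return bytes(a ^ b for a, b in zip(data, burst))

def sliding_windows(burst: bytes, nbits: int = 114, width: int = 64):
    """All 64-bit windows of one 114-bit burst: 114 - 64 + 1 = 51 table lookups."""
    v = int.from_bytes(burst, "big") >> (8 * len(burst) - nbits)
    return [(v >> (nbits - width - i)) & ((1 << width) - 1) for i in range(nbits - width + 1)]
```

Calling `burst()` twice on one `A51` object yields the downlink and then the uplink burst for that frame, which is why four captured frames give 4 x 51 = 204 windows.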


    Rainbow Table

    [Diagram: the 64-bit keystream plays the role that the Lanman hash plays in a password rainbow table, with the A5/1 internal state in the role of the password]


    Rainbow Table

    Build a table that maps 64 bits of keystream back to 64 bits of internal A5/1 state

    204 data points means we only need 1/64th of the whole keyspace

    2^58 = 288,230,376,151,711,744

    About 120,000 times larger than the largest Lanman Rainbow Table


    How do we do this??

    1 PC: 550,000 A5/1's per second -> 33,235 years

    Currently using 68 Pico E-16 FPGAs: 72,533,333,333 A5/1's per second -> 3 months

    Building new hardware to speed this up


    Hardware


    Rainbow Table

    Cheap attack (~30 min): 6 x 350GB hard drives (2TB), 1 FPGA (or a botnet)

    Optimal attack (~30 sec): 16 x 128GB flash hard drives (2TB), 32 FPGAs

    Can speed it up with more FPGAs


    Reverse Clocking

    Load A5/1 internal state

    Reverse clock with known keystream back to after Kc was clocked in

    Will resolve to multiple possible A5/1 states


    Reverse Clocking

    Reverse all 3 A5/1 internal states

    The common state will be the correct one

    Use the internal state and clock forward to decrypt or encrypt any packet

    Can solve linear equations to derive the key, but it isn't really necessary


    Conclusions

    Tables will be finished in March

    Commercial version in Q2/08

    Will be scalable to whatever decryption time period is required


    Threats & Future

    GSM security has to improve.

    Data/identity theft, tracking

    Unlawful interception

    Attacks on GSM infrastructure

    Receiving and cracking GSM will become cheaper and easier


    Thank You! Questions?

    David Hulton
    http://www.picocomputing.com
    http://www.openciphers.org

    ToorCon Seattle: http://seattle.toorcon.org
    Seattle, April 18th-20th, 2008

    ToorCon 10: http://www.toorcon.org
    San Diego, Sept 24th-28th, 2008

    ToorCamp!
    Near Seattle, Spring 2009