Shmoocon Feb08 Gsm

7/31/2019 Shmoocon Feb08 Gsm

1/21

Intercepting GSM TrafficIntercepting GSM Traffic

David Hultonh1kari

http://wiki.thc.org/gsm

http://www.openciphers.orghttp://www.picocomputing.comhttp://www.toorcon.org
mailto:[email protected]://wiki.thc.org/gsmhttp://www.openciphers.org/http://www.picocomputing.com/http://www.toorcon.org/http://www.toorcon.org/http://www.picocomputing.com/http://www.openciphers.org/http://wiki.thc.org/gsmmailto:[email protected]


2/21

February 15th, 2008February 15th, 2008 ShmooCon 4ShmooCon 4

AgendaAgenda

Intro GSM

Receiving GSM signals

Cracking A5/1


3/21


Intro to GSMIntro to GSM

Widely deployed AT&T

T-Mobile

Most other country's carriers Security

Authentication (A3/A8)

Encryption (A5)


4/21


Intercepting TrafficIntercepting Traffic

Intercepting Traffic Nokia 3310 / Ericsson / TSM

USRP (gssm Project)

TI's OMAP dev kit Commercial Interceptors


5/21


What now?What now?

Various hardware will capture traffic Turns out that many basestations send SMSs

unencrypted

What about capturing conversations? Some countries don't use any encryption (A5/0)

or weak encryption (A5/2)

The US and most countries use A5/1


6/21


A5/1 CrackingA5/1 Cracking

A8(Ki) A8(Ki)Authenticate

A5(Kc) A5(Kc)Conversation

Kc Kc


7/21February 15th, 2008February 15th, 2008 ShmooCon 4ShmooCon 4


Frame Frame

Plain-text Plain-text

A5(Kc,Frame) A5(Kc,Frame)+ +




Clock in 64-bit Kc and 22-bit frame number Clock for 100 cycles Clock for 114 times to generate 114-bits




Other attacks are academic BS. 3-4 Frames. Fully passive.

Combination of Rainbow Table attack and

others.



Sliding WindowSliding Window

[0|1|1|0|1|0..........|1|0|1|1]

[ 64 bit Cipherstream 0 .][ 64 bit Cipherstream 1 ......]

[ 64 bit Cipherstream 2 ...]

.

[ 64 bit Cipherstream 50 ...]



Sliding WindowSliding Window

Total of 4 frames with 114-bits 114 64 + 1 = 51 keystreams per frame

51 x 4 frames = 204 keystreams total



Rainbow TableRainbow Table

64-bits keystream

Password Lanman Hash




Build a table that maps 64-bits of keystreamback to 64-bits of internal A5/1 state

204 data points means we only need 1/64th ofthe whole keyspace

258 = 288,230,376,151,711,744

About 120,000 times larger than the largestLanman Rainbow Table



How do we do this??How do we do this??

1 PC 550,000 A5/1's per second

33,235 years

Currently using 68 Pico E-16 FPGAs 72,533,333,333 A5/1's per second

3 months

Building new hardware to speed this up



HardwareHardware




Cheap Attack (~30 min) 6 350GB Hard Drives (2TB)

1 FPGA (or a botnet)

Optimal Attack (~30 sec) 16 128GB Flash Hard Drives (2TB)

32 FPGAs

Can speed it up with more FPGAs



Reverse ClockingReverse Clocking

Load A5/1 internal state Reverse clock with known keystream back to after Kc

was clocked in Will resolve to multiple possible A5/1 states



Reverse ClockingReverse Clocking

Reverse all 3 A5/1 internal states The common state will be the correct one

Use the internal state and clock forward to

decrypt or encrypt any packet Can solve linear equations to derive key

But isn't really necessary



ConclusionsConclusions

Tables will be finished in March Commercial version in Q2/08

Will be scalable to whatever decryption time

period is required



Threats & FutureThreats & Future

GSM security has to become secure. Data/Identity theft, Tracking

Unlawful interception

Attacks on GSM Infrastructure Receiving and cracking GSM will become

cheaper and easier


21/21February 15th 2008February 15th 2008 ShmooCon 4ShmooCon 4

Thank You! Questions?Thank You! Questions?

David Hulton http://www.picocomputing.com

http://www.openciphers.org

ToorCon Seattle http://seattle.toorcon.org

Seattle - April 18th-20th, 2008

ToorCon 10

http://www.toorcon.org San Diego - Sept 24th-28th, 2008

ToorCamp!

Near Seattle - Spring, 2009

Shmoocon Feb08 Gsm

Documents

Transcript of Shmoocon Feb08 Gsm