GSM - SRSLY (Shmoocon)

GSM: SRSLY?
What’s coming up
• Overview of GSM arch & crypto
– Hacking as we go...
• OpenBootTS-1.0
– GSM Base Station LiveCD
• Demo BTS is live – feel free to connect!
– Network name is TestSIM or 001-01
– SMS your 10-digit phone number to 101
GSM Identifiers
• IMEI:
– International Mobile Equipment Identifier
– Identifies a handset. Easily changed, illegal to do so.
• IMSI:
– International Mobile Subscriber Identifier
– Secret? Kind of.
– Identifies an account - stored in SIM card.
• TMSI:
– Temporary Mobile Subscriber Identifier
– Assigned by network to prevent IMSI transmission.
• Auth with IMSI, use TMSI from then on
– Unless, of course, the BTS asks for it.
MCC & MNC: Own the BTS
• MCC: Mobile Country Code
– 310 to 316 for USA, 302 for Canada
• MNC: Mobile Network Code
– Country-specific, usually a tuple with MCC
– 310-260 for T-Mobile US
– Full list on Wikipedia
• Spoof MNC/MCC, phones will connect
– If you claim it, they will come.
– Strongest signal wins
– a.k.a. “IMSI catcher”
IMSI catching in practice
• OpenBTS + USRP + 52MHz clock
– Easy to set up, Asterisk is hardest part
– On-board 64MHz clock is too unstable
• Software side is easy
– ./configure && make
– Libraries are the only difficulty
• Set MCC/MNC to target network
• Find and use an open channel (ARFCN in GSM-ese)
• Wait.
• Don’t forget Wireshark!
– Built-in SIP analyser
OpenBootTS
• http://sourceforge.net/projects/openbootts/
• Scripts for DebianLive
• Creates a bootable CD with
– GNU Radio + OpenBTS
– Asterisk
– Build chain
• Much customization is possible
– Preloaded configs
– Virtual consoles
– Different target image types
• Demo and future plans
The iPhone that wouldn’t quit
• What if we don’t want to catch IMSIs?
– We want a closed network
• Set MCC/MNC to 001-01 (Test/Test)
• Phones camp to strongest signal
– Remove transmit antenna
– Minimize Tx power
• GSM-900 in .eu overlaps ISM in USA
– 902-928MHz is not a GSM band in the USA
• Despite all of this we couldn’t shake a 3G…
Fun bugs in OpenBTS
• Persistent MNO shortnames
– Chinese student spoofed local MNO
– Classmates connected
– Network name of “OpenBTS”
• Even after BTS was removed & phones hard rebooted!
• Open / Closed registration
– Separate from SIP-level HLR auth
– Supposed to send “not authorized” msg
– Instead sent “You’ve been stolen” msg
– Hard reboot required, maybe more.
Attacking Without Crypto
• Request IMSI to break TMSI secrecy
• Unintentional DoS
• Unintentional semi-permanent DoS
• Spoof 6-digit MCC/MNC for MITM
• SRSLY?
GSM Crypto Primitives
• Inputs:
– Rand: 16-byte challenge from BTS
– Ki: 16-byte secret key, stored in SIM
• Outputs:
– Kc: 8-byte session key
– SRES: 4-byte authentication response
• Algorithms:
– A3, A5, A8: GSM-specific algorithms
• A3/A8 are hash functions (usually combined into one)
• A5 is a cipher
Camping
• Mobile Station (MS) finds BTS, sends TMSI
• BTS sends RAND to MS
– Only source of entropy.
• MS passes RAND along to the SIM
– Usually over a cleartext channel
• The SIM calculates A3A8(Ki || RAND)
• MS uses the result as SRES and Kc
• SRES is sent to BTS as proof of Ki knowledge
• A5 is used from here, keyed with Kc
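
The camping exchange above as a runnable model (an added example, not code from the talk or from OpenBTS). HMAC-SHA256 is an assumed stand-in for the operator's A3A8, and the `Network`, `Handset` and `run_session` names are hypothetical. It shows that Kc depends only on Ki and RAND, so a repeated RAND reproduces the same session key.

```python
import hashlib
import hmac
import os

def a3a8(ki, rand):
    """Stand-in for the SIM's combined A3/A8; returns (SRES, Kc).
    ASSUMPTION: HMAC-SHA256 replaces the operator's real algorithm. Only the
    sizes follow the slides: 16-byte Ki and RAND in, 4-byte SRES, 8-byte Kc out.
    """
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND must each be 16 bytes")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class Network:
    """Network side: holds Ki and checks the SRES it gets back."""
    def __init__(self, ki):
        self.ki = ki

    def verify(self, rand, sres):
        expected, kc = a3a8(self.ki, rand)
        return hmac.compare_digest(expected, sres), kc

class Handset:
    """MS + SIM: answers any RAND it is handed and contributes no nonce."""
    def __init__(self, ki):
        self.ki = ki

    def respond(self, rand):
        return a3a8(self.ki, rand)

def run_session(network, handset, rand=None):
    """One camping exchange; returns (authenticated, rand, kc_ms, kc_net)."""
    rand = os.urandom(16) if rand is None else rand
    sres, kc_ms = handset.respond(rand)
    ok, kc_net = network.verify(rand, sres)
    return ok, rand, kc_ms, kc_net

if __name__ == "__main__":
    ki = bytes(range(16))  # constructed sample key
    net, ms = Network(ki), Handset(ki)
    _, rand, kc1, _ = run_session(net, ms)
    _, _, kc2, _ = run_session(net, ms, rand)  # same RAND a second time
    print("same Kc for repeated RAND:", kc1 == kc2)
```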
IMSI catching crypto
• How can we negotiate crypto?
– No knowledge of Ki
– No idea of Kc for a given RAND
– Can’t decrypt the result?
• We don’t need to.
– BTS: “I’d like to use A5/{0..3}!”
• A5/0 == plaintext
– MS: “Sure! I’d love to!”
• Who needs crypto anyway?
Plaintext? SRSLY?
• GSM 02.07 Normative Annex B.1.26
– “...whenever a connection is in place, which is, or becomes unenciphered, an indication shall be given to the user.”
• You’ve never seen this alert because:
– “The ciphering indicator feature may be disabled by the home network operator”
• Every operator disables it.
Attacks on A3A8
• First version of A3A8 is COMP128-1
– Reverse-engineered and broken in 1998
– Recover Ki (clone the SIM) with ~150k challenges
• About 8 hours with a smartcard reader
– Further work reduces to ~80k challenges
– Over-the-air SIM cloning is plausible, given time
• Obviously deprecated
– Still used extensively though
• Replaced by COMP128-2 and COMP128-3
– Neither has been disclosed or cryptanalysed
– Many MNO-specific alternatives
A3A8 in practice
• COMP128 no longer trusted by MNOs
– Still used by several major networks
• v1 attack is well-known
– http://users.net.yu/~dejan/
– Not open-source - watch for malware!
• A3A8 can be any algorithm
– MNOs can (and do) use anything
– Who knows what bugs are lurking?
A5
• Used to encrypt traffic
• Three (known) variants:
– A5/1: Almost universal for 2G (GSM)
• Stream cipher
– A5/2: Weakened (export) version of A5/1
• Stream cipher
– A5/3: Used for 3G (UMTS)
• Block cipher
• A5 variant negotiated during camping
Attacking A5
• A5/2: Deliberately weak.
– Broken in 1999, key from ciphertext
• Assuming we own the BTS:
– We choose A5 variant
– We choose RAND
– Sniff a conversation…
• Frequency hopping? Grab the whole band!
– …then demand A5/2 and reuse RAND
• No forward secrecy in GSM.
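
A handset-side audit of the signalling weaknesses covered so far, including the case the GSM 02.07 B.1.26 ciphering indicator exists for (an added example, not from the talk). The event format and finding names are hypothetical, and the sample events are constructed.

```python
# Constructed handset-side signalling events; field names are hypothetical.
SAMPLE_EVENTS = [
    {"t": 1, "cell": "310-260", "msg": "auth_request", "rand": "a1" * 16},
    {"t": 2, "cell": "310-260", "msg": "cipher_mode", "alg": "A5/1"},
    {"t": 3, "cell": "310-260", "msg": "tmsi_assigned"},
    {"t": 4, "cell": "310-260", "msg": "identity_request", "id_type": "IMSI"},
    {"t": 5, "cell": "310-260", "msg": "auth_request", "rand": "a1" * 16},
    {"t": 6, "cell": "310-260", "msg": "cipher_mode", "alg": "A5/2"},
    {"t": 7, "cell": "001-01", "msg": "cipher_mode", "alg": "A5/0"},
]

# Relative strength as the slides describe the variants (A5/0 is plaintext).
RANK = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3}


def audit(events):
    """Return (t, finding) pairs for one handset's event stream."""
    findings, seen_rand = [], set()
    have_tmsi, strongest = False, -1
    for ev in events:
        msg = ev["msg"]
        if msg == "auth_request":
            if ev["rand"] in seen_rand:  # same RAND means same Kc
                findings.append((ev["t"], "RAND_REUSED"))
            seen_rand.add(ev["rand"])
        elif msg == "tmsi_assigned":
            have_tmsi = True
        elif msg == "identity_request":
            if ev["id_type"] == "IMSI" and have_tmsi:
                findings.append((ev["t"], "IMSI_REQUESTED_AFTER_TMSI"))
        elif msg == "cipher_mode":
            rank = RANK[ev["alg"]]
            if rank == 0:  # unenciphered: what the indicator should report
                findings.append((ev["t"], "UNENCIPHERED"))
            elif rank < strongest:  # weaker than a variant used earlier
                findings.append((ev["t"], "CIPHER_DOWNGRADE"))
            strongest = max(strongest, rank)
    return findings


if __name__ == "__main__":
    for t, finding in audit(SAMPLE_EVENTS):
        print(t, finding)
```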
A5/1 and A5/3
• A5/1: 64-bit stream cipher, 54-bit key
– Deliberately weakened
• A5/3: 128-bit block cipher
• Multiple known attacks on both:
– A5/1 has practical attacks
• Rainbow tables
• Various time-memory tradeoffs
– A5/3 has impractical attacks
• Too much plaintext required for attacking 3G
Attacking With Crypto
• No client challenge
• Kc is only 54 (effective) bits
• SIM vulnerable to MITM
• NULL crypto is acceptable (encouraged?)
• COMP128-1 badly broken, still used
• Secret hash functions
• A5/1 broken
• A5/2 badly broken
• A5/3 academically broken
• RAND replay over A5/2
• No forward secrecy
• SRSLY?
What’s left?
• There’s a network behind the BTS
• SS7 is just as broken as GSM
• What if you combine the two?
• "We Found Carmen San Diego"
• Nick DePetrillo and Don Bailey
• Boston Source - April 21-23
Questions?
[email protected]
@ChrisPaget