
Breaking GSM Security With a $15 Phone [Security]

Whatever assurances you have been given about the security of GSM cellphone calls, disregard them now.

Speaking at the Chaos Computer Club (CCC) Congress here today, a pair of researchers demonstrated a start-to-finish process for eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network "sniffers," a PC and a variety of open source software.

While such capabilities have long been available to law enforcement agencies with the resources to buy a high-end network sniffing device for more than $50,000 (remember The Wire?), the pieced-together hack takes advantage of security flaws and short-cuts in the GSM network operators' technology and operations to put the capability within reach of virtually any motivated, tech-savvy programmer.

"GSM is insecure, the more so as more is known about GSM," said Security Research Labs researcher Karsten Nohl. "It's pretty much like computers on the net in the 1990s, when people didn't understand security well."

Several of the individual pieces of this GSM hack have been shown before. The ability to decrypt GSM's 64-bit A5/1 encryption was demonstrated last year at this same event, for instance. However, network operators then responded that the difficulty of finding a specific phone, and of picking the correct encrypted radio signal out of the air, made the theoretical decryption threat minimal at best.

Naturally, this sounded like a challenge.

Walking the audience through each step of the process, Nohl and OsmocomBB project programmer Sylvain Munaut demonstrated how the way GSM networks exchange subscriber location data, in order to route phone calls and SMSs correctly, allows anyone to determine a subscriber's current location with a simple Internet query, down to the level of a city or general rural area.

Once a phone is narrowed down to a specific city, a potential attacker can drive through the area, sending the target phone "silent" or "broken" SMS messages that do not show up on the phone. By sniffing each base station's traffic, listening for the delivery of the message and the response of the target phone at the expected time, the location of the target phone can be identified more precisely.

To create a network sniffer, the researchers replaced the firmware of a simple Motorola GSM phone with their own alternative, which allowed them to retain the raw data received from the cell network and to examine more of the cellphone network space than a single phone ordinarily monitors. Upgrading the USB connection allowed this data to be sent in real time to a computer.

By sniffing the network while sending a target phone an SMS, they were able to determine precisely which random network ID number belonged to the target. This gave them the ability to identify which of the myriad streams of data they wanted to record from the network.

All that was left was decrypting the data. Not a trivial problem, but one made possible by the way operator networks exchange system information with their phones.

As part of this background communication, GSM networks send out strings of identifying information, as well as essentially empty "Are you there?" messages. Empty space in these messages is filled with buffer bytes. Although a newer GSM standard was put in place several years ago to turn these buffers into random bytes, they in fact remain largely identical today, under a far older standard.

This allows the researchers to predict with a high degree of probability the plaintext content of these encrypted system messages. This known plaintext, combined with a two-terabyte table of precomputed encryption keys (a so-called rainbow table), allows a cracking program to find the secret key for the session's encryption in about 20 seconds.

This is very useful, the researchers said, because many if not most GSM operators reuse these session keys for several successive communications, allowing a key extracted from a test SMS to be used again to record a subsequent telephone call.

"There is one key used for communication between the operators and the SIM card that is very well protected, because that protects their monetary interest," Nohl said. "The other key is less well protected, because it only protects your private data."

The researchers demonstrated this process, using their software to sniff the headers being used by a phone, extract and crack a session encryption key, and then use this to decrypt and record a live GSM call between two phones in no more than a few minutes.

Much of this vulnerability could be addressed relatively easily, Nohl said. Operators could ensure their network routing information was not so readily available over the Internet. They could implement the randomization of padding bytes in the system information exchange, making the encryption harder to break. They could certainly avoid recycling encryption keys between successive calls and SMSs.
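To make the padding and key-reuse weaknesses described above concrete, and to show why the two mitigations Nohl names work, here is an added toy simulation (not code from the talk or from OsmocomBB): a SHA-256-based keystream with 16-bit keys stands in for A5/1, an exhaustive search stands in for the rainbow table, and the frame length, fill byte and sample payloads are constructed assumptions. Constant padding leaks keystream from which the session key is recovered, that key decrypts a later call only if the operator recycles it, and randomized padding defeats the first step entirely.

```python
import hashlib
import os

FRAME_LEN = 23    # constructed frame size in bytes (an assumption, not GSM's exact layout)
FILL_BYTE = 0x2B  # assumed constant fill byte used when padding is not randomized

def keystream(key: int, frame_no: int, n: int) -> bytes:
    """Toy stand-in for A5/1: keystream depends on the session key and the frame number."""
    seed = key.to_bytes(2, "big") + frame_no.to_bytes(4, "big")
    return hashlib.sha256(seed).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def build_frame(payload: bytes, randomize_padding: bool) -> bytes:
    """Pad a short system-information payload to a full frame, either with the constant
    fill byte (the behaviour the talk describes) or with random bytes (the mitigation)."""
    pad_len = FRAME_LEN - len(payload)
    pad = os.urandom(pad_len) if randomize_padding else bytes([FILL_BYTE]) * pad_len
    return payload + pad

def encrypt(key: int, frame_no: int, frame: bytes) -> bytes:
    return xor(frame, keystream(key, frame_no, len(frame)))

def recover_key(ciphertext: bytes, frame_no: int, payload_len: int):
    """Known-plaintext step: assume the padding is the constant fill byte, derive the
    keystream for those positions and search the 16-bit key space (the role the rainbow
    table plays for real A5/1). Returns None when no key reproduces the guessed keystream,
    which is what happens once the padding is randomized."""
    pad_len = FRAME_LEN - payload_len
    guessed_ks = xor(ciphertext[payload_len:], bytes([FILL_BYTE]) * pad_len)
    for k in range(1 << 16):
        if keystream(k, frame_no, FRAME_LEN)[payload_len:] == guessed_ks:
            return k
    return None

def demo(randomize_padding: bool, reuse_key: bool):
    """Returns (key_recovered, later_call_decrypted) for one operator configuration."""
    session_key = int.from_bytes(os.urandom(2), "big")
    payload = b"\x06\x1b\x00\x01"                      # constructed "are you there?" payload
    ct_sysinfo = encrypt(session_key, 100, build_frame(payload, randomize_padding))
    found = recover_key(ct_sysinfo, 100, len(payload))
    # A later call on the same frame number: same key only if the operator recycles keys.
    call_key = session_key if reuse_key else (session_key + 1) & 0xFFFF
    call = b"voice frame bytes".ljust(FRAME_LEN, b"\x00")  # constructed call content
    ct_call = encrypt(call_key, 100, call)
    decrypted = xor(ct_call, keystream(found, 100, FRAME_LEN)) if found is not None else None
    return found is not None, decrypted == call
```

Running `demo(False, True)` reproduces the chain the talk describes, while `demo(False, False)` shows that fresh keys alone stop the call from being read and `demo(True, True)` shows that randomized padding stops key recovery in the first place.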

Nor is it enough to assume that modern phones, using 3G networks, are protected from these problems. Many operators reserve much of their 3G bandwidth for Internet traffic, while shunting voice and SMS off to the older GSM network.

Nohl drew laughter from the audience of hackers when he called the reprogrammed network-sniffing phones "GSM debugging devices." But he was serious, he said.

"It's all a 20-year-old infrastructure, with a lot of private data and not a lot of security," he said. "We want you to help phones go through the same kind of evolutionary steps that computers did in the 1990s."


Source: Wired.com