Not long ago I studied the capabilities of HackRF for analyzing GSM network traffic; the device’s synchronizing signal fluctuates somewhat, but in any case the result will be access to various system messages. Next, I assume that you have Linux installed with gnuradio, and you are also a happy owner of hackrf. If not, you can use a live cd, information about which is in the " Software» forum. This is a great option when hackrf works right out of the box.
First we need to determine the frequency of the local GSM station. To do this I used gprx which is included in the live cd. After analyzing the frequencies around 900 MHz you will see something like this:
You can see permanent channels on 952 MHz and 944.2 MHz. In the future, these frequencies will be the starting points.
Now, using the following commands, we must install Airprobe.
git clone git://git.gnumonks.org/airprobe.git
git clone git://git.gnumonks.org/airprobe.git
Cd airprobe/gsmdecode
./bootstrap
./configure
make
CD airprobe/gsm-receiver
./bootstrap
./configure
make
Installation completed. Now we can receive a GSM signal. Let's launch wireshark using the command
Select "lo" as the receiving device and select gsmtap as the filter as shown in the following image:
Now go back to the terminal and enter
cd airprobe/gsm-receiver/src/python
./gsm_receive_rtl.py -s 2e6
A pop-up window will open and you will need to disable automatic collection, and also move the slider to maximum. Next, we enter the GSM frequencies obtained earlier as the average frequency.
We also select the peak and average values in the trace options section, as shown below:
You will see that only the correct sequence signal (blue graph) goes beyond the peak value (green graph) in places, thereby indicating that this is a constant channel. Now you need to start decoding. In the window, click on the middle of this very frequency jump. You may see errors, but that's normal. I started getting data this way:
Now you can notice that gsm data is coming into wireshark. As I mentioned at the beginning of the article, the clock signal floats, so to maintain the set frequency you need to keep clicking on the circuit. However, the program works quite well. As funny as it may sound, wrapping your hack rf in a towel (or something similar) will increase the thermal stability of the clock signal and reduce scatter. On its own, you probably won't find this method very useful, but I think at the very least it shows the great potential of HackRF.
Let's move on to looking at GSM hacking. Articles about vulnerabilities in A5/1 appeared about 15 years ago, but there has still been no public demonstration of hacking A5/1 in real world conditions. Moreover, as can be seen from the description of the network’s operation, one must understand that in addition to breaking the encryption algorithm itself, a number of purely engineering problems must be solved, which are usually always omitted from consideration (including at public demonstrations). Most articles on GSM hacking rely on a 2006 paper by Eli Barkan and research by Karsten Noh. In their article, Barkan et al. showed that since in GSM, error correction occurs before encryption (but it should be the other way around), a certain reduction in the search space for selecting KCs and the implementation of known-ciphertext attacks (with completely passive listening to the airwaves) are possible in an acceptable time using pre-computed data. The authors of the article themselves say that when receiving without interference, hacking within 2 minutes requires 50 terabytes of pre-computed data. The same article (in the section about A5/2) indicates that the signal from the air always comes with interference, which complicates the selection of the key. For A5/2, a modified algorithm is presented that is able to take into account interference, but at the same time requires twice the amount of pre-computed data and, accordingly, the hacking time doubles. For A5/1, the possibility of constructing a similar algorithm is indicated, but the algorithm itself is not given. It can be assumed that in this case it is also necessary to double the amount of precomputed data. The process of selecting the A5/1 key is probabilistic and depends on time, i.e. how takes longer audition, the more likely it is to pick up KC. Thus, the 2 minutes stated in the article are an approximate and not a guaranteed time for selecting KC. Karsten Nohl is developing the most famous project for hacking GSM networks. His firm dealing with problems computer security, was going to post it in the end of 2009 open access rainbow tables of session keys of the A5/1 algorithm, which is used to encrypt speech in GSM networks. Karsten Nohl explains his demarche against A5/1 with the desire to attract public attention to existing problem and force telecom operators to switch to more advanced technologies. For example, UMTS technology involves the use of the 128-bit A5/3 algorithm, the strength of which is such that it cannot be hacked by any means available today. According to Carsten's calculations, the complete A5/1 key table in packaged form will occupy 128 petabytes and be distributed distributedly on many computers on the network. To calculate it, it will take about 80 computers and 2–3 months of work. The use of modern CUDA graphics cards and Xilinx Virtex programmable arrays should significantly reduce computation time. In particular, his speech at 26С3 (Chaos Communication Congress) in December 2009 caused a lot of noise. The essence of the speech can be briefly formulated as follows: soon we can expect the appearance of budget systems for online decoding A5/1. Let's move on to engineering problems. How to get data from the air? To intercept conversations, you need to have a full-fledged scanner, which must be able to figure out which basic ones are broadcasting around, on what frequencies, which operators they belong to, which phones with which TMSI in currently active. The scanner must be able to monitor the conversation from the specified phone, correctly process transitions to other frequencies and base stations. There are offers on the Internet for purchasing a similar scanner without a decoder for 40–50 thousand dollars. This cannot be called a budget device. Thus, to create a device that, after simple manipulations, could begin to listen to a telephone conversation, it is necessary:
a) implement the part that works with ether. In particular, it allows you to specify which TMSI corresponds to the desired phone or, using active attacks, force phones to “discover” their real IMSI and MSISDN;
b) implement a KC selection algorithm for A5/1 that works well on real data (with noise/errors, omissions, etc.);
d) combine all these points into a complete working solution.
Karsten and the rest of the researchers mainly solve point “c”. In particular, he and his colleagues suggest using OpenBTS, airdump and Wireshark to create IMSI interceptor(IMSI catcher). For now, we can say that this device emulates a base station and is embedded between the MS and the real base station. The speakers claim that a SIM card can easily prevent a phone from showing that it is operating in A5/0 encryption mode (i.e., no encryption at all) and that most SIM cards in circulation are exactly like this. It really is possible. In GSM 02.07, it is written (Normative Annex B.1.26) that the SIM card contains a special bit OFM in the Administrative field, which, if the value is equal to one, will lead to the prohibition of the connection encryption indication (in the form of a barn lock). In GSM 11.11, the access rights for this field are as follows: read is always available, and write rights are described as “ADM”. The specific set of rights governing entry into this field is set by the operator at the stage of creating SIM cards. Thus, the presenters hope that most cards are issued with the bit set and their phones really do not show an indication of the lack of encryption. This really makes the work of the IMSI catcher much easier because... the owner of the phone cannot detect the lack of encryption and become suspicious. Interesting detail. Researchers were faced with the fact that phone firmware is tested for compliance with GSM specifications and is not tested for handling emergency situations, therefore, in the case incorrect operation base station (for example, the “dummy” OpenBTS that was used for interception), phones often freeze. The greatest resonance was caused by the statement that for just $1,500 you can assemble a ready-made kit for listening to conversations using USRP, OpenBTS, Asterisk and airprobe. This information was widely distributed on the Internet, only the authors of these news and articles derived from them forgot to mention that the speakers themselves did not provide details, and the demonstration did not take place. In December 2010, Carsten and Munaut again gave a presentation at the 27C3 conference on intercepting conversations in GSM networks. This time they presented a more complete scenario, but there are many "greenhouse" conditions in it. To locate a location, they use Internet services that make it possible to send “send routing info” requests into the SS7 network. SS7 is a network/protocol stack that is used for communication telephone operators(GSM and terrestrial) with each other and for the GSM network components to communicate with each other. Next, the authors make a link to the implementation mobile communications in Germany. There, the RAND obtained as a result of the query correlates well with the region code (area code/zip code). Therefore, such requests there make it possible to determine, down to the city or even part of the city, where this subscriber is located in Germany. But the operator is not obliged to do this. Now researchers know the city. After that, they take a sniffer, go to the previously found city and begin visiting all its LACs. Having arrived at the territory that is part of some LAC, they send an SMS to the victim and listen to whether the victim’s phone is paging (this happens over an unencrypted channel, in all base channels at once). If there is a call, then they receive information about the TMSI that was issued to the subscriber. If not, they go check the next LAC. It should be noted that since IMSI is not transmitted during paging (and researchers do not know it), but only TMSI is transmitted (which they want to know), then a “timing attack” is performed. They send several SMS with pauses in between, and see which TMSIs are being paged, repeating the procedure until there is only one (or none) left in the list of “suspicious” TMSIs. To prevent the victim from noticing such “probing”, an SMS is sent that will not be shown to the subscriber. This is either a specially created flash sms, or an incorrect (broken) SMS, which the phone will process and delete, but nothing will be shown to the user. Having found out the LAC, they begin to visit all cells of this LAC, send SMS and listen for paging responses. If there is an answer, then the victim is in this cell, and you can start hacking her session key (KC) and listening to her conversations. Before this, you need to record the broadcast. Here the researchers suggest the following:
1) there are custom-made FPGA boards that are capable of simultaneously recording all channels or uplink (communication channel from the subscriber (phone or modem) to the base station mobile operator), or downlink (communication channel from the base station to the subscriber) GSM frequencies(890–915 and 935–960 MHz, respectively). As already noted, such equipment costs 40–50 thousand dollars, so the availability of such equipment for a simple security researcher is questionable;
2) you can take less powerful and cheaper equipment and listen to part of the frequencies on each of them. This option costs approximately 3.5 thousand euros with a solution based on USRP2;
3) you can first break the session key, and then decode the traffic “on the fly” and follow the frequency change (frequency hopping) using four phones that have alternative OsmocomBB firmware instead of the native firmware. Telephone roles: 1st telephone is used for paging and control of responses, 2nd telephone is allocated to the subscriber for conversation. In this case, each phone must record both reception and transmission. This is a very important point. Up to this point, OsmocomBB actually did not work, and within a year (from 26С3 to 27С3) OsmocomBB was completed to a usable state, i.e. until the end of 2010 there was no practical working solution. Hacking a session key. Being in the same cell as the victim, they send her an SMS, record the victim’s communication with the base cell, and crack the key, taking advantage of the fact that during session setup, many half-empty packets or with predictable contents are exchanged. Rainbow tables are used to speed up hacking. At the time of 26C3, these tables were not so well filled out and hacking was not done in minutes or even tens of minutes (the authors mention an hour). That is, before 27C3, even Karsten (the main researcher in this area) did not have a solution that allowed him to hack KC in acceptable time(during which, most likely, the session key will not be changed (rekeying)). The researchers then take advantage of the fact that changing the key is rarely done after every call or SMS, and the session key they have learned will not change for some time. Now, knowing the key, they can decode encrypted traffic to/from the victim in real time, and do frequency hopping at the same time as the victim. To capture the air in this case, four re-flashed phones are actually enough, since it is not necessary to write all frequencies and all timeslots. Researchers have demonstrated this technology in action. True, the “victim” sat still and was served by one hundredth. Summing up Subtotal You can answer the question in the affirmative about the possibility of intercepting and decrypting GSM conversations on the fly. In doing so, you need to remember the following:
1) The technology described above does not exist in a form accessible to anyone (including script kiddies). This is not even a construction kit, but a blank for construction kit parts that need to be completed to a usable state. Researchers repeatedly note that they do not have clear plans to publish general access implementation specifics. This means that based on these developments, manufacturers in the Middle East are not mass-producing $100 devices that everyone can listen to.
2) OsmocomBB supports only one chip family (albeit the most common one).
3) The method of determining location by queries to HLR and enumerating LAC works more in theory than in practice. In practice, the attacker either knows where the victim is physically located, or cannot get into the same cell as the victim. If the attacker cannot listen to the same cell in which the victim is located, then the method does not work. Unlike the demonstration, in reality there are thousands of paging messages in an average LA load. Moreover, paging does not work at the moment of sending, but in certain time windows and in batches (by paging groups with their own queues, the number of which is the remainder of dividing the IMSI by the number of channels, which can be different in each cell), which again complicates the implementation .
4) Let's say LA is found. Now you need to “grope” for the subscriber’s response. The telephone transmitter has a power of 1–2 watts. Accordingly, scanning it from a distance of several tens of meters is also a task (not an easy one). It turns out to be a paradox: LA covers, for example, an entire region (city). It has, for example, 50 cells, some of which have a range of up to 30 km. We are trying to catch and decipher radiation using an omnidirectional antenna. To implement this task in this embodiment, a lot of equipment is required. If we proceed from the premise that the victim is in direct visibility, i.e. distance at which interception looks more realistic, a directional microphone is much more effective and simpler. It should be noted that during the demonstration, researchers intercept their phones at a distance of 2 meters.
5) Moving the victim between cells also causes problems, because you also need to move with it.
6) The phones used in the demonstration require hardware modification; you need to remove the filter from the antenna, otherwise the “foreign” uplink phones will not “see”. A filter in the phone is needed in order to “listen” not to all frequencies, but only to “your own”.
7) If the network regularly changes the key (rekeying) or changes TMSI (none of the researchers took this into account), then this method does not work at all or works very poorly (the decryption time may be longer than the conversation time).
8) You won’t be able to listen to the entire network; you need to know the phone number.
Cloning SIM cards
One common problem is SIM card cloning. On the Internet you can often find advertisements about an easy way to clone a card, and there are also many utilities, for example, SIM Card Seizure. The goals of cloning are usually the ability to make free calls at someone else's expense and the ability to listen to conversations of the owner of the cloned SIM card. In the first use case, the owner of the clone will have problems receiving incoming calls, but outgoing calls can be made freely. The main consumers are people who then offer passers-by at the metro a cheap call to any country in the world. As for listening to the subscriber, the next section is devoted to consideration of this issue.
The previous section described the SIM card authentication process (Fig. 120). The basic parameters in this process are IMSI and
KI. In order for a clone to authenticate to AUC, it must know these parameters. Finding out the IMSI is easy; it can be written on the card itself or attached to it. It can be easily read from the SIM card using a smart card reader. But with K I everything is somewhat more complicated.
As you already know, KI is stored in only two places - in the SIM card memory and in the AUC memory. K I is never transmitted in clear text during authentication, i.e. it cannot be intercepted during authentication. Attackers have 4 options for obtaining KI. The first option is an insider in the operating company. This option is preferable because You can get information from several cards at once. The disadvantages of this option are that due to the significance of K I, access to their values is strictly limited and if a massive leak is detected, the insider will quickly be calculated. In addition, AUC often lacks functionality for reading KI for the same security reasons. The second option is based on the theft of KI immediately after receiving a batch of SIM cards from the manufacturer. The problems here are the same as in the previous version: the number of people who have necessary accesses, is calculated in units.
Third option: read K I from the SIM card memory. Let's start with what you need to get physical access to the card (remove it from the victim’s phone under some pretext, know the PIN code). An important drawback: the SIM card does not have an interface through which K I can be directly read or changed.
And finally, the last option: calculate K I. The attacker must have knowledge of the A3 algorithm used by the operator. In this case, you can try to calculate KI by observing the results of the RAND to SRES conversion. To do this, RAND is manually generated, the encryption algorithm is called and the RAND is passed to it. This process is automated by programs such as SimScan and WoronScan.
This is how the first clones of SIM cards were obtained. This was made available because the A3 algorithm, called COMP128, was leaked online. A vulnerability was discovered in the algorithm that made it possible to select KI in an acceptable number of attempts. After the vulnerability was discovered, most operators replaced it with something more robust. There are currently three versions of COMP128. Second and third versions on this moment are considered unopenable. And although there are programs on the network that declare the ability to hack these versions, in reality it always turns out that their goal is to force the user to download a “Trojan”.
If the attacker does not have information about the implementation of A3, then he can try to select K I by brute force. Here another obstacle arises: the number of attempts to select KI is limited. U
SIM cards have a built-in A3 call counter, and if a certain threshold (65535) is exceeded, the card is blocked and stops responding to registration requests (although other functions work, e.g. phone book). Under normal operating conditions, when A3 is called every time a SIM card is registered on the network (when the phone is turned on), such restrictions do not interfere with the subscriber. But to obtain K I it may take more attempts.
If the attacker managed to find K I, then he gets the opportunity to make calls at someone else’s expense. But there are several limiting factors. Firstly, because the money in the account will begin to appear faster than usual, it is very likely that the owner of the SIM card may notice this. A detailed printout will immediately reveal “extra” calls. This also applies to “unlimited” tariffs, because they also have restrictions, in particular when calling abroad. Therefore, attackers strive to speak out the entire available balance and get rid of the clone. Secondly, if both cards are registered on the network, then incoming calls will come to the card that was last authorized, or with which the last one was made outgoing call. Accordingly, a legitimate user may notice that he will no longer receive expected calls. For the purposes of conspiracy, it is generally contraindicated for attackers to pick up the phone. Otherwise, the user’s correspondents will immediately detect the fraud. Third, the operator can calculate SIM cards that register with the network in geographically dispersed locations for a limited time. If there is suspicion of card cloning, the operator will block the card and issue the subscriber a new one.
To summarize, we can say that cloning SIM cards is possible, but quite difficult. If the operator has timely modernized the implementation of A3, and its employees are loyal and incorruptible, then subscribers should not be afraid of the appearance of clones of their SIM cards. In addition, the relevance of such fraud is decreasing, because The demand for cheap calls abroad is compensated by the possibility of calling on Skype, as well as offers from legal operators.
Interception of conversations in the GSM network
Let's move on to looking at GSM hacking. Articles about vulnerabilities in A5/1 appeared about 15 years ago, but there has still been no public demonstration of hacking A5/1 in real world conditions. Moreover, as can be seen from the description of the network’s operation, one must understand that in addition to breaking the encryption algorithm itself, a number of purely engineering problems must be solved, which are usually always omitted from consideration (including at public demonstrations).
Most articles on GSM hacking rely on a 2006 paper by Eli Barkan and research by Karsten Noh.
In their article, Barkan et al. showed that since in GSM, error correction occurs before encryption (but it should be the other way around), a certain reduction in the search space for selecting K C and the implementation of a known-ciphertext attack (with completely passive listening to the air) is possible in an acceptable time using pre-computed data.
The authors of the article themselves say that when receiving without interference, hacking within 2 minutes requires 50 terabytes of pre-computed data. The same article (in the section about A5/2) indicates that the signal from the air always comes with interference, which complicates the selection of the key. For A5/2, a modified algorithm is presented that is able to take into account interference, but at the same time requires twice the amount of pre-computed data and, accordingly, the hacking time doubles. For A5/1, the possibility of constructing a similar algorithm is indicated, but the algorithm itself is not given. It can be assumed that in this case it is also necessary to double the amount of precomputed data.
The process of selecting the A5/1 key is probabilistic and depends on time, i.e. The longer the audition goes on, the more likely it is to pick up K C . Thus, the 2 minutes stated in the article is an approximate and not a guaranteed time for selecting K C .
Karsten Nohl is developing the most famous project for hacking GSM networks. By the end of 2009, his company, which deals with computer security issues, was going to make publicly available rainbow tables of session keys for the A5/1 algorithm, which is used to encrypt speech in GSM networks.
Karsten Nohl explains his demarche against A5/1 with a desire to draw public attention to the existing problem and force telecom operators to switch to more advanced technologies. For example, UMTS technology involves the use of the 128-bit A5/3 algorithm, the strength of which is such that it cannot be hacked by any means available today.
According to Carsten's calculations, the complete A5/1 key table in packaged form will occupy 128 petabytes and be distributed distributedly on many computers on the network. To calculate it, it will take about 80 computers and 2-3 months of work. The use of modern CUDA graphics cards and Xilinx Virtex programmable arrays should significantly reduce computation time. In particular, his speech at 26С3 (Chaos Communication Congress) in December 2009 caused a lot of noise. The essence of the speech can be briefly formulated as follows: soon we can expect the appearance of budget systems for online decoding A5/1.
Let's move on to engineering problems. How to get data from the air? To intercept conversations, you need to have a full-fledged scanner, which must be able to figure out which basic ones are broadcasting around, on what frequencies, which operators they belong to, which phones with which TMSI are currently active. The scanner must be able to monitor the conversation from the specified phone and correctly process transitions to other frequencies and base stations.
There are offers on the Internet for purchasing a similar scanner without a decoder for 40-50 thousand dollars. This cannot be called a budget device.
Thus, to create a device that, after simple manipulations, could begin to listen to a telephone conversation, it is necessary:
a) implement the part that works with ether. In particular, it allows you to specify which TMSI corresponds to the desired phone or, using active attacks, force phones to “discover” their real IMSI and MSISDN;
b) implement an algorithm for selecting K c for A5/1 that works well on real data (with noise/errors, omissions, etc.);
d) combine all these points into a complete working solution.
Karsten and the rest of the researchers mainly solve point “c”. IN
In particular, he and his colleagues suggest using OpenBTS, airdump and Wireshark to create an IMSI catcher. More information about the device and interception of calls with its help is written below in the section “Man-in-the-middle attack in GSM”. For now, we can say that this device emulates a base station and is embedded between the MS and the real base station.
The presenters claim that a SIM card can easily prevent a phone from showing that it is operating in A5/0 encryption mode (i.e., no encryption at all) and that most SIM cards in circulation are like this. It really is possible. In GSM 02.07, it is written (Normative Annex B.1.26) that the SIM card contains a special OFM bit in the Administrative field, which, if the value is equal to one, will lead to the prohibition of the connection encryption indication (in the form of a barn lock). In GSM 11.11, the access rights for this field are as follows: read is always available, and write rights are described as “ADM”. The specific set of rights governing entry into this field is set by the operator at the stage of creating SIM cards. Thus, the presenters hope that most cards are issued with the bit set and their phones really do not show an indication of the lack of encryption. This really makes the work of the IMSI catcher much easier because...
the owner of the phone cannot detect the lack of encryption and become suspicious.
Interesting detail. Researchers were faced with the fact that phone firmware is tested for compliance with GSM specifications and is not tested for handling abnormal situations, therefore, in the event of incorrect operation of the base station (for example, a “dummy” OpenBTS, which was used for interception), the phones often freeze.
The greatest resonance was caused by the statement that for just $1,500 you can assemble a ready-made kit for listening to conversations using USRP, OpenBTS, Asterisk and airprobe. This information was widely distributed on the Internet, only the authors of these news and articles derived from them forgot to mention that the speakers themselves did not provide details, and the demonstration did not take place.
In December 2010, Carsten and Munaut again gave a presentation at the 27C3 conference on intercepting conversations in GSM networks. This time they presented a more complete scenario, but there are many "greenhouse" conditions in it.
To locate a location, they use Internet services that make it possible to send “send routing info” requests into the SS7 network. SSV is a network/protocol stack that is used for telephone operators (GSM and landline) to communicate with each other and for GSM network components to communicate with each other.
Next, the authors make reference to the implementation of mobile communications in Germany. There, the RAND obtained as a result of the query correlates well with the region code (area code/zip code). Therefore, such requests there make it possible to determine, down to the city or even part of the city, where this subscriber is located in Germany. But the operator is not obliged to do this.
Now researchers know the city. After that, they take a sniffer, go to the previously found city and begin visiting all its LACs. Having arrived at the territory that is part of some LAC, they send the victim an SMS and listen to whether the victim’s phone is paging (this happens over an unencrypted channel, in all base channels at once). If there is a call, then they receive information about the TMSI that was issued to the subscriber. If not, go check the next LAC.
It should be noted that since IMSI is not transmitted during paging (and researchers do not know it), but only TMSI is transmitted (which they want to know), then a “timing attack” is performed. They send several SMS with pauses in between, and see which TMSIs are being paged, repeating the procedure until there is only one (or none) left in the list of “suspicious” TMSIs.
To prevent the victim from noticing such “probing”, an SMS is sent that will not be shown to the subscriber. This is either a specially created flash sms, or an incorrect (broken) SMS, which the phone will process and delete, but nothing will be shown to the user.
Having identified the LAC, they begin visiting all cells of that LAC, sending SMS and listening for paging responses. If there is an answer, then the victim is in this cell, and you can start hacking her session key (K C) and listening to her conversations.
Before this, you need to record the broadcast. Here the researchers suggest the following:
1) there are custom-made FPGA boards that are capable of simultaneously recording all channels of either uplink (communication channel from the subscriber (phone or modem) to the base station of the cellular operator) or downlink (communication channel from the base station to the subscriber) of GSM frequencies (890 -915 and 935-960 MHz respectively). As already noted, such equipment costs $4,050 thousand, so the availability of such equipment for a simple security researcher is questionable;
2) you can take less powerful and cheaper equipment and listen to part of the frequencies on each of them. This option costs approximately 3.5 thousand euros with a solution based on USRP2;
3) you can first break the session key, and then decode the traffic “on the fly” and follow the frequency change (frequency hopping) using four phones that have alternative OsmocomBB firmware instead of the native firmware. Telephone roles: 1st telephone is used for paging and control of responses, 2nd telephone is allocated to the subscriber for conversation. In this case, each phone must record both reception and transmission. This is a very important point. Up to this point, OsmocomBB actually did not work, and within a year (from 26С3 to 27С3) OsmocomBB was completed to a usable state, i.e. until the end of 2010 there was no practical working solution.
Hacking a session key. Being in the same cell as the victim, they send her an SMS, record the victim’s communication with the base cell, and crack the key, taking advantage of the fact that during session setup, many half-empty packets or with predictable contents are exchanged. Rainbow tables are used to speed up hacking. At the time of 26C3, these tables were not so well filled out and hacking was not done in minutes or even tens of minutes (the authors mention an hour). That is, before 27C3, even Carsten (the main researcher in this area) did not have a solution that could crack KC in an acceptable time (during which, most likely, the session key would not be changed (rekeying)).
The researchers then take advantage of the fact that changing the key is rarely done after every call or SMS and the session key they have learned will not change for some time. Now, knowing the key, they can decode encrypted traffic to/from the victim in real time, and do frequency hopping at the same time as the victim. To capture the air in this case, four re-flashed phones are actually enough, since it is not necessary to write all frequencies and all timeslots. Researchers have demonstrated this technology in action. True, the “victim” sat still and was served by one hundredth.
To sum up, we can answer affirmatively the question about the possibility of intercepting and decrypting GSM conversations on the fly. In doing so, you need to remember the following:
1) The technology described above does not exist in a form accessible to anyone (including script kiddies). This is not even a construction kit, but a blank for construction kit parts that need to be completed to a usable state. Researchers repeatedly note that they do not have clear plans to make implementation specifics publicly available. This means that based on these developments, manufacturers in the Middle East are not mass-producing $100 devices that everyone can listen to.
2) OsmocomBB supports only one chip family (albeit the most common one).
3) The method of determining location by queries to HLR and enumerating LAC works more in theory than in practice. In practice, the attacker either knows where the victim is physically located, or cannot get into the same cell as the victim. If the attacker cannot listen to the same cell in which the victim is located, then the method does not work.
Unlike the demonstration, in reality there are thousands of paging messages in an average LA load. Moreover, paging does not work at the moment of sending, but in certain time windows and in batches (by paging groups with their own queues, the number of which is the remainder of dividing the IMSI by the number of channels, which can be different in each cell), which again complicates the implementation .
4) Let's say LA is found. Now you need to “grope” for the subscriber’s response. The telephone transmitter has a power of 1-2 watts. Accordingly, scanning it from a distance of several tens of meters is also a task (not an easy one). It turns out to be a paradox: LA covers, for example, an entire region (city). It has, for example, 50 cells, some of which have a range of up to 30 km. We are trying to catch and decipher radiation using an omnidirectional antenna. To implement this task in this embodiment, a lot of equipment is required. If we proceed from the premise that the victim is in direct visibility, i.e. distance at which interception looks more realistic, a directional microphone is much more effective and simpler. It should be noted that in the demonstration, researchers intercept their phones at a distance of 2 meters.
5) Moving the victim between cells also causes problems, because you also need to move with it.
6) The phones used in the demonstration require hardware modification; you need to remove the filter from the antenna, otherwise the “alien” uplink phones will not “see”. A filter in the phone is needed in order to “listen” not to all frequencies, but only to “your own”.
7) If the network regularly changes the key (rekeying) or changes TMSI (none of the researchers took this into account), then this method does not work at all or works very poorly (the decryption time may be longer than the conversation time).
8) You won’t be able to listen to the entire network; you need to know the phone number.
Traffic interception protection
1) Instead of a constant byte, use random values for paging empty GSM messages.
2) Change K C after each call.
3) Change TMSI as often as possible.
Points 2 and 3 can be solved by simply reconfiguring the elements of the provider’s network and do not require updating firmware or equipment.
In addition, there are various modified phones on the market, for example, the Cancort crypto smart phone, which provides operation on GSM 900/1800 communication lines in two modes:
Open mode ( normal mode GSM);
Encryption mode with hack-proof encryption of information.
Cancort performs the following functions:
Encryption/decryption of short messages (SMS service)
Data encryption/decryption (BS26 and GPRS service).
Email encryption/decryption.
Encryption/decryption of information in all telephone directories (SIM PB).
Encryption/decryption of MMS information.
You can also use scramblers for protection, which have proven themselves in protecting regular telephone networks. An example is GUARD GSM. This device(like analogues) connects to a cell phone via a wired headset and has small sizes. The GUARD GSM scrambler has thirty-two scrambling modes.
The operating principle of this scrambler is based on the initial destruction and temporary rearrangement of sound on the transmitting side with its subsequent restoration on the receiving side. This process is two-way. Temporary rearrangement of speech signal segments and restoration of their sequence at reception takes a certain time interval. Therefore, a mandatory property of such equipment is a small signal delay on the receiving side. The conversation usually starts at open mode and then, upon mutual command, the devices switch to scrambling mode. When conducting negotiations, the device simultaneously performs two functions: scrambling and descrambling. That is, the speech spoken by one of the subscribers is encrypted on his part, and the second scrambler located at the second subscriber decrypts this speech. And the same thing happens in the opposite direction, when the second subscriber begins to speak.
Specifications:
1. Speech intelligibility is at least 95%.
2. Connection type full duplex.
3. Signal delay on the line is no more than 100 ms.
4. The level of security of the linear signal is temporary.
5. Use in GSM 900/1800 standard networks.
6. Connection type cell phone wired headset 7. dimensions 80x45x16 mm
Man-in-the-middle attack in GSM
The attack discussed earlier actively used a device called IMSI-catcher. This section discusses how such a device works and its limitations.
On the Internet you can find many offers for the sale of special devices that can emulate base stations. Such advertisements declare that such emulators allow you to secretly listen to any conversations without informing the operator or even knowing the phone number of the person being listened to.
Devices with similar functionality do exist (for example, the RA 900 complex produced by Rohde & Schwarz), but they have far less impressive capabilities:
1) secretly you can only determine whether a phone into which a SIM card with the specified IMSI is inserted is located in the coverage area, or get a list of IMSI/IMEI but not phone numbers in the “pseudo-base” coverage area. This implies that the attacker knows the IMSI.
2) You can listen to outgoing conversations from a specific phone, but the subscriber’s signal encryption will be disabled. In addition, the caller's number will be changed or hidden. In this case, the subscriber himself can detect this and establish the fact of listening (or suspect).
3) When listening directly, incoming calls cannot be delivered to the subscriber and, accordingly, cannot be listened to. For other network subscribers, the listened subscriber is “out of coverage area”.
As you can see, the functionality presupposes the presence of certain information about the victim.
Operating principles of IMSI-catcher
IMSI-catcher is a device that, on the one hand, behaves like a GSM network base station, and on the other hand contains a SIM card or some other technical means for connection to communication networks. It is used as follows:
1. The device is placed near the victim's mobile phone. The range is determined based on the power level of the actual base station.
2. During operation, the device appears as a regular station. Naturally, it must impersonate the station of the operator to which the victim belongs. The GSM standard does not require the base station to confirm its authenticity to the phone (unlike UMTS networks, for example), so this is quite easy to do. The frequency and signal strength of the fake base are selected so that the real base stations of all neighboring networks do not interfere with its operation.
3. The victim's phone is forced to select the fake base as the best available base station due to its good and strong signal. The selection principle was described earlier. As a result, the attacker can determine the IMEI of the victim.
4. To listen to conversations during registration, the fake database informs the phone about the need to switch to A5/0 encryption mode, that is, without encryption at all. Phone by GSM standard can't refuse.
5. After this, all outgoing calls of the victim pass through the fake station in the clear and can be recorded/listened to there. In this case, the device acts as a proxy, independently connecting to the dialed number and transparently transmitting the voice through itself in both directions.
Limitations of IMSI-catcher
1. When connected to a fake station, the victim becomes unavailable for incoming calls. To support incoming calls, the device must be served by the operator's network in the same way as other base stations. To do this, you need to connect to some base station controller (BSC) and register in its routing tables. But if an attacker has access to the operator’s network at a level that allows them to connect and configure new base stations, then in this case it is more effective to use SORM. If, in addition to the victim, others enter the device’s coverage area Cell phones located near the victim, they will show the presence of coverage, but neither incoming nor outgoing calls will be serviced. This may raise suspicions.
2. Majority modern phones have an encryption indication (in the form of a padlock) and the victim may become wary if he sees that the connection is not encrypted.
3. To broadcast outgoing calls, the device needs an output telephone network. If you use your own GSM module with a SIM card for this, then outgoing calls from the fake station will be made with a number different from the victim’s number. To hide this, you can use the “calling line identification restriction” (CLIR) service, which can also alert the recipients of the call and they can inform the victim about it. Alternatively, when using WiFi+VoIP, you can replace the number of a fake station with the correct one, but this complicates the design.
For more accurate spoofing, it is necessary that the device uses a SIM card of the same operator used by the victim, in which case the attacker will have the opportunity to broadcast the victim’s calls to service and short numbers.
4. If the victim moves, he can easily move out of the device’s coverage area, which will result in the process having to be started all over again.
The listed disadvantages show that the use of such a device is limited to short-term interception of conversations and is practically not suitable for long-term listening.
Thus, the main benefit of such a device may be to identify the Sh3ShMSH of a victim, about whom only its location is precisely known, and then use the information about Sh5I to conduct routine eavesdropping using SORM means.
Conclusion
Interception of messages in OBM networks is possible. But, taking into account the conditions necessary for the implementation of interception, we can say that the OBM is much better protected than shown in films and on the Internet.
Loading...
