Eavesdropping on GSM: state-of-affairs

In the almost 20 years since GSM was deployed several security problems have been found, both in the protocols and in the - originally secret - cryptography. However, practical exploits of these weaknesses are complicated because of all the signal pr…

Authors: Fabian van den Broek

Fabian van den Broek
Radboud University, Nijmegen
Institute for Computing and Information Sciences (iCIS)

Abstract. In the almost 20 years since GSM was deployed several security problems have been found, both in the protocols and in the - originally secret - cryptography. However, practical exploits of these weaknesses are complicated because of all the signal processing involved and have not been seen much outside of their use by law enforcement agencies. This could change due to recently developed open-source equipment and software that can capture and digitize signals from the GSM frequencies. This might make practical attacks against GSM much simpler to perform.

Indeed, several claims have recently appeared in the media on successfully eavesdropping on GSM. When looking at these claims in depth the conclusion is often that more is claimed than what they are actually capable of. However, it is undeniable that these claims herald the possibilities to eavesdrop on GSM using publicly available equipment.

This paper evaluates the claims and practical possibilities when it comes to eavesdropping on GSM, using relatively cheap hardware and open source initiatives which have generated many headlines over the past year. The basis of the paper is extensive experiments with the USRP (Universal Software Radio Peripheral) and software projects for this hardware.

Keywords: GSM, eavesdropping, USRP, open-source, A5/1

1 Introduction

GSM was developed in the late 1980s and deployed in most Western countries in the early 1990s. Since then GSM has seen an enormous rise both in its coverage and in the number of subscribers. GSM is perhaps the most successful technology of the last twenty years.
A survey by the International Telecommunication Union (ITU) showed that by the end of 2008 around 1.5 billion people in the world (some 23%) used the Internet. But there were around 4.1 billion people in the world (over 60%) who had a mobile subscription, while over 90% of the world’s population lived in a region that at least has access to GSM [1]. These are staggering numbers showing a tremendous spread of GSM technology.

The fact that GSM has weaknesses is nothing new. The lack of mutual authentication in GSM – a mobile phone authenticates itself to the cell tower, but not vice versa – was quickly seen as a problem [2]. Also GSM specifically does not use point to point encryption between callers. It only encrypts the messages while on the air interface. This allows law enforcers to tap conversations in the core of the GSM network.

Meanwhile more and more services are being deployed on top of the GSM network, increasing the incentive for criminals to attack GSM. In several countries you can pay for services or products via text messaging. Several Internet banking applications use the mobile phone as an external (out-of-band) channel to verify transactions. The Dutch ING bank stated only last January that they will start to use the mobile phone to send users their password reminders, even though they already use it for transaction verification [3]. Where previously making un-billed calls was the major economic attraction in attacking GSM, increasingly real money can be made.

At the end of 2009 some pretty large tables usable for a brute-force attack against the main cipher used in GSM were released. This has led to many wild claims on the insecurity of GSM in the media.
This document examines the feasibility of these claims, based on experimental work with a USRP – an open-hardware generic radio transceiver – and several open-source software products, which could, in theory, be used to eavesdrop on GSM.

At about the same time some practical examples of Man-in-the-Middle (MITM) attacks on GSM surfaced. These are possible because in GSM the cell towers do not authenticate themselves to the mobile phones. So it is possible to act as a cell tower towards a mobile phone. Currently these attacks lack the ability to act as a cell phone towards a cell tower, so only a limited form of a MITM attack has been shown, in which an attacker acts as a genuine cell tower, instructs the cell phone to not use encryption, and transfers outgoing calls via a VOIP connection. This attack can only capture calls being made from the cell phone under attack, and not incoming calls. This document will limit itself to eavesdropping, and thus excludes these MITM attacks.

Section 2 discusses the equipment that was used during our experiments. Section 3 will discuss the theoretical steps required to passively eavesdrop on GSM, while Section 4 will discuss the current status of several practical projects implementing these steps. Section 5 discusses some possible countermeasures against an eavesdropping attack.

2 Equipment used

In order to evaluate the practicality of eavesdropping attacks, we experimented with some hard and software. Specifically these were:

– The USRP,
  – combined with the DBSRX daughter board
  – and running GNU Radio and AirProbe.
– A Nokia 3210 mobile phone
  – connected to a pc running the Gammu software.

The USRP (Universal Software Radio Peripheral) is a general purpose, open-hardware, transceiver that can be linked to a computer via USB, and handles the receive part of an eavesdropping attack.
The USRP, and its successor, USRP2, are discussed in more detail in Section 4.1. The USRP has to be extended with a daughter board in order to receive the correct frequency spectrum. We used the DBSRX daughter board in this research, which is a 800MHz to 2.4GHz receive-only board, covering all basic GSM frequency bands. The USRP was controlled using the GNU Radio software and the AirProbe software on top of that. Both software products are detailed in Sections 4.1 and 4.3.

Next to this we also made extensive use of a Nokia 3210 GSM phone, connected to a computer, also via USB, running the open-source Gammu [4] project. This combination enabled us to force the Nokia 3210 in a debug mode that transparently logs all packets sent to and from the phone. The Gammu + Nokia phone method has much better reception than the USRP + AirProbe, after all the mobile phone is specifically made to receive these signals. Though you can only see the messages to or from the specific phone connected to the computer. You cannot see any message for other phones, nor is it possible to change the phone’s behavior in this. So this is a great practical aid to get a better grasp of the GSM protocol and to finetune the USRP, but it lacks the versatility to be useful in an eavesdropping attack.

3 How to eavesdrop on GSM in theory?

Eavesdropping on GSM, or probably any communication system for that matter, can be broken down into three stages:

1. Capturing the signals.
2. Decrypting the captured signals.
3. Interpreting the decrypted signals.

This section will look at these steps in more detail. Section 4 will look at the current state of practical open-source projects usable for these steps.

3.1 Capturing the signals

Already the first stage has been a major obstacle for many years.
Specialized equipment to capture the GSM signals has long been very expensive and often proprietary. GSM can be used on several frequency bands, but most commonly used are the GSM-900 and GSM-1800 bands. The frequency bands are divided into channels of 200 KHz wide each. In a typical conversation two of these channels will be used at any given time for a mobile phone to communicate with the cell tower; one channel for each direction. These channels are separated by a constant offset.

One part of user data in a GSM network, e.g. 20ms of speech data, is transmitted in four packets, called bursts in GSM. These bursts are modulated radio waves transmitted in a time slot of 576.9 µs. Most GSM networks employ channel hopping, which is used as a signal quality measure, and causes the transmission to switch to a new channel after every single burst. The challenge in capturing the GSM signals lies in receiving the bursts on time and in demodulating them correctly.

Section 4.1 discusses projects and hardware that can be used to capture GSM signals.

3.2 Decrypting the captured signals

Assuming that encryption is enabled on the GSM network, decrypting the captured bursts is the next step. There are three encryption algorithms defined for GSM; A5/1 and A5/2, both stream ciphers, and A5/3, a block cipher. Of these three A5/2 is by far the weakest and can be broken in less than a second on a personal computer with only a few dozen milliseconds of cipher text [5]. The A5/3 algorithm is considered the strongest encryption of the three. A5/3 very recently saw a theoretical break [6]. This attack requires $2^{26}$ chosen plaintext messages encrypted under related keys. For now this does not lead to a practical attack on A5/3, though it is cause for concern since this weakness does not exist in MISTY, the cipher that A5/3 was based on.
At the moment of writing no attack on A5/3 is feasible, the future will tell whether this remains so.

A5/1 is the main encryption algorithm used in most Western countries. It is a stream cipher with three registers that clock irregularly and have a combined size of 64 bits – which, conveniently, is also the size of the session key. The session key is computed by the SIM card and in the provider’s home network from a random challenge and a secret key by an undisclosed proprietary algorithm. Originally most providers used an algorithm called COMP128, which was reverse engineered in 1998 by Briceno et al. [7]. This showed that COMP128 actually delivered a 54 bits session key with ten appended zeros. It is unknown which algorithms are currently used by providers to generate the session key and if the session keys are still weakened.

The A5/1 algorithm was actually the first encryption algorithm used in GSM. It was originally kept secret and was only disclosed to GSM manufacturers under an NDA. In 1999 though, Marc Briceno reverse engineered the design of both A5/1 and A5/2 from a GSM phone [7]. Several attacks against A5/1 have been published since then [8,5,9].

Recently a practical implementation for a brute-force Time-Memory-Trade-Off attack against A5/1 was announced, which will be discussed in Section 4.2. This attack is in fact an improved version of an attack proposed by Elad Barkan et al. in 2003 [5].

3.3 Interpreting the decrypted signals

After the signals have been captured and deciphered they still need to be interpreted. The payload of the bursts needs to be reordered and can be checked for transmission errors. Besides the cryptography, all the specifications of GSM are public, so this does not require any reverse engineering.
Several projects that implement a GSM stack are discussed in Section 4.3.

4 The open-source practical implementation

Eavesdropping on GSM is possible – equipment can be bought that allows for eavesdropping on A5/1 and A5/2 encrypted conversations [10], but this equipment is sold restrictively to law enforcement agencies and military and at a high price. So it is not a question on whether it is possible to eavesdrop on GSM, but rather how hard it is using publicly available hardware.

Recently several open-source projects have surfaced that either aim to prove the insecurity of GSM, or simply offer open-source implementations of core GSM network elements. So how far are the practical realizations of the three steps from the previous section in the open-source community? For each of these steps there is a possible open-source project to use. Respectively these are:

1. USRP together with GnuRadio and AirProbe, usable for signal capturing
2. Kraken, for the decryption of the captured signals
3. OpenBTS or OpenBSC or AirProbe, to interpret the messages

Because the AirProbe project is actually a collection of tools usable both for capturing and for the interpreting of the GSM bursts, the project is listed twice. We will now look at each of these projects in more detail.

4.1 Capturing using USRP together with GnuRadio and AirProbe

Capturing GSM signals can be done using the USRP and GNU Radio combination. The Universal Software Radio Peripheral (USRP) is an open-hardware device developed by Matt Ettus and which can be ordered through his company Ettus Research [11]. It is a transceiver that can be linked to a computer and can be tailored to specific frequencies by extending it with daughter boards and attaching the appropriate antenna. The USRP contains a programmable FPGA which can be used to perform some signal processing.
In its standard configuration a USRP creates 16 bit I and Q samples when receiving a given frequency. These are complex samples, with the real part (Q) describing the cosine of the signal, and the imaginary part (I) describing the sine of the signal plus 90 degrees. One sample is thus 32 bit long and can be sent to the host computer through the communication port, for further processing.

There are currently two types: the USRP and the USRP2. The USRP (or USRP1) can receive a bandwidth of 32MHz and can transmit on a bandwidth of 64MHz. It transmits the samples to the host computer via a USB2.0 connection, which has a practical maximum data throughput of 32 Mbyte/s. The USRP2 can receive a bandwidth of 50 MHz and transmit on a bandwidth of 200 MHz wide. Compared to the USRP1, the USRP2 also contains a much faster FPGA and a Gigabit Ethernet port instead of the USB connection.

The USRPs have a 64MHz crystal oscillator internal clock, while most GSM phones use a 13MHz symbol clock with a much better accuracy. Of course the 64MHz samples can be re-sampled to (a multiple of) 13MHz, although this brings an extra computing complexity. Also the USRP’s oscillators are much less accurate and can show quite some drift when compared to GSM system clocks, resulting in bad reception. An external clock can be attached to the USRPs. Using a more accurate external clock providing a pulse at (a multiple of) 13MHz solves these issues.

GNU Radio [12] is a free software toolkit licensed under GPL for implementing software-defined radios. It was started by Eric Blossom. It works with several different types of RF hardware, such as soundcards, but it is mostly used in combination with an USRP. Basically GNU Radio is a library containing lots of standard signal processing functions, such as filters and (de)modulations.
GNU Radio, out-of-the-box, does not offer much in terms of GSM sniffing capabilities. However, GNU Radio can be used by other software packages, such as AirProbe, to perform the low level functions of GSM sniffing, such as reception and demodulation.

AirProbe [13] is an open-source project trying to build an air-interface analysis tool for the GSM (and possibly later 3G) mobile phone standard. One part of the project handles the reception of GSM signals (using the GNU Radio functions) while another part can also be used to interpret the GSM signals, which is why we will get back to AirProbe in section 4.3. Currently AirProbe is only able to listen to the downlink (cell tower → mobile phone) of conversations, so some development is still required.

The main problem for reception is the channel hopping used in most GSM networks. Using the AirProbe software out of the box helps you receive a single carrier on the downlink (messages from cell tower to mobile). In order to capture an entire conversation when channel hopping is used, you will need a way to gather all the bursts on all the different frequencies. There are two general approaches to achieve this:

I. Let the USRP follow the hopping sequence.
II. Capture all possible frequencies and attempt to follow the sequence afterwards.

Approach I requires a lot of processing inside the USRP’s FPGA. All the parameters for the hopping sequence need to be retrieved from certain bursts, then the hopping sequence needs to be calculated and followed for every burst. There are three possible configurations for mobile networks in which to transmit the hopping sequence parameters. In one of these the parameters are transmitted in the clear. In the other two configurations these parameters are transmitted after encryption has been enabled.
During our experiments we only ever observed cell towers that use so-called “early assignment”, in which the hopping parameters are transmitted under encryption. Besides, the network can always command a new hopping sequence under encryption, irrespective of which configuration is used. This necessitates breaking the encryption really fast in order to follow the hopping sequence in time. This is currently not possible. The USRP’s FPGA only samples a certain frequency at a certain rate and sends these samples to a computer. So having the FPGA decrypt and interpret the bursts in order to follow the hopping sequence will require a lot of implementation. It is questionable whether even the USRP2’s much faster FPGA will be able to decrypt messages and then compute the hopping sequence in time. This approach might need additional FPGAs, and thus additional costs, to pull off. Also the tune delays of the USRP’s hardware (the time between a “tune” command and the moment the USRP retrieves usable samples from the desired frequency) seem too large at the moment and need to be brought down. However, it is an approach that should work for every cell tower and regardless of the amount of traffic.

Approach II requires the capture of large amounts of data, namely to log all channels and determine the hopping sequence later. The problem here lies in reducing the data the USRP sends on to the computer. A hopping sequence can maximally hop between 64 carrier frequencies. These carriers are all 200 KHz wide, and can be spread out evenly on the entire GSM spectrum. So worst case the attacker has to capture the entire GSM band (for GSM900 this is 25MHz for the up or downlink). The problem here is data throughput to the PC. Each sample of an USRP is represented by two 16 bit numbers.
For the USRP1’s USB2.0 connection this means that the maximum bandwidth that can be sent to the computer is around 8MHz (8MHz × 2 × 16 = 256Mbit/s). The USRP2’s GBE connection can manage around 30MHz, which is enough for one sided capture of GSM900. This would require the host computer to be able to process 100 MByte/s of data (25MHz × 2 × 16 = 800Mbit/s) and even 200 MByte/s for both up and downlink, which is too much for most PCs.

Of course some optimizations are possible. A single cell tower never serves the entire GSM frequency band. This means that you can already discard all carriers above the top frequency and all carriers below the lowest frequency of a specific cell tower. However, that approach will not work for most situations, since the maximal number of carriers (64) for a single cell tower is still too much for the USRP. Also, since the USRP can only receive a continuous frequency band, if the top and bottom frequencies are too far apart, this approach will not work.

Another optimization would be to have the FPGA discard all channels that have no traffic on them. This will of course only be effective if only a few phones are active – as in calling – at the same time. It would be even better to have the FPGA interpret enough of the bursts, so it can already drop some that are not a part of the conversation the attacker tries to capture. This optimization does see the same problems as those with the first approach because it requires a lot of FPGA computation – though less so, because the FPGA does not need to crack A5/1 in the second approach.

The objections stated above, however, do not form a problem if the cell tower under attack does not employ channel hopping, or only transmits on a few frequencies in a tight spectrum. On such cell towers eavesdropping using an USRP seems a genuine possibility.
It is not clear how many, if any, of the cell towers in operation, match one of these conditions. This makes it hard to estimate the risk in the current situation. During this research only a handful of cell towers were observed, but none of those fulfilled these conditions that would allow eavesdropping using the USRP.

Currently approach II seems to be the one that most people in the AirProbe community believe is the correct one to follow. It does indeed seem the easier way out, with a higher chance of success (on at least some cell towers), though the FPGA programming needed here is by no means a simple task. At least no one has communicated a way to tackle this. This approach will probably not work in every situation, given the problems with data throughput to the PC, but a working implementation for some cell towers is enough for the AirProbe community to show that they can listen in on GSM.

4.2 Decrypting using Kraken

A project was publicly announced in August of 2009 suggesting a way to efficiently break the A5/1 cipher. This project runs under the, slightly unimaginative, name A5/1 [14]. However, in July 2010 the look-up tool for this project was released and named Kraken. To avoid any confusion with the cipher we will refer to the A5/1 project by the name Kraken.

The Kraken project mainly consists of creating large tables in a generic time-memory trade off. This had been proposed before [15], but the distinguishing factor of this new project is that instead of computing the tables at a single point everybody on the Internet can join in and compute a table and then share them via bittorrent [16]. The code to compute these tables can be downloaded and it runs on certain types of NVIDIA and ATI graphics cards.

The idea behind these tables is as follows.
The contents of several bursts that are sent through the air, after encryption is enabled, can for the most part be guessed. This gives known plaintext samples. XORing those plaintext samples with the actually received cipher text reveals keystream samples. The tables now function as a code book with 64 bits of keystream that are mapped to internal A5/1 states producing that exact piece of keystream.

There are $2^{64}$ possible internal states for A5/1. That number is too large to be able to map all internal states. So instead of just storing an internal state and its 64 bits of keystream, they actually compute large chains where for each link 64 of the output bits are again used as the internal state. They only store the begin and end points of these chains. Now when a piece of keystream is recovered, the attacker starts to make a chain out of this keystream, but for every link he checks whether the resulting value is stored in its table. If the attacker finds a hit, then the attacker can recover the internal state by computing the original chain from its stored begin point – from the internal state the session key that was used can be computed, allowing for decryption of the entire communication.

This shrinks the size of the tables, but the attack time is increased and the tables no longer guarantee that an internal state can be found. But a much bigger problem that surfaces with this approach is chain mergers. Several different internal states will compute the same 64 keystream bits causing different chains to ‘merge’ and cover the same part of the key space. This makes the tables much less effective.

To counter some of these problems a combination of two techniques, one to decrease the attack time and one to decrease the number of chain mergers, is used. Those techniques are distinguished points and rainbow tables respectively.
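The chain construction described above can be tried on a toy scale. The following Python sketch is an added example, not code from the paper or from the Kraken project: it uses plain chains without the distinguished-point and rainbow refinements, a 16-bit state instead of 64 bits, and a truncated hash as a stand-in for the cipher (all names and parameters are assumptions). It shows a successful look-up, the loss of coverage caused by chain mergers, and what happens when one bit of the keystream sample is wrong.

```python
import hashlib

STATE_BITS = 16                     # toy state size; A5/1 has 64 bits of state
MASK = (1 << STATE_BITS) - 1
CHAIN_LEN = 64                      # links per chain (assumed demo value)
STARTS = range(256)                 # chain begin points (assumed demo value)


def keystream(state):
    """Toy one-way map 'internal state -> STATE_BITS of keystream'.

    This is NOT A5/1; a truncated hash stands in for the cipher."""
    digest = hashlib.sha256(state.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") & MASK


def chain_points(start, length=CHAIN_LEN):
    """States x_0 .. x_{length-1}; each link reuses the keystream as next state."""
    points, x = [], start
    for _ in range(length):
        points.append(x)
        x = keystream(x)
    return points


def build_table(starts=STARTS, length=CHAIN_LEN):
    """Keep only {end point: [begin points]} for every chain."""
    table = {}
    for start in starts:
        end = keystream(chain_points(start, length)[-1])
        table.setdefault(end, []).append(start)
    return table


def lookup(table, sample, length=CHAIN_LEN):
    """Return a state whose keystream equals `sample`, or None if not covered."""
    y = sample
    for _ in range(length):
        for start in table.get(y, ()):
            # Rebuild the chain from its begin point and search for the link
            # that produced the sample; a merged chain may not contain it.
            for state in chain_points(start, length):
                if keystream(state) == sample:
                    return state
        y = keystream(y)
    return None


def coverage(starts=STARTS, length=CHAIN_LEN):
    """(distinct states covered, links computed); the gap is lost to mergers."""
    covered = set()
    for start in starts:
        covered.update(chain_points(start, length))
    return len(covered), len(starts) * length


if __name__ == "__main__":
    table = build_table()
    true_state = chain_points(7)[20]      # a state that lies on a stored chain
    sample = keystream(true_state)
    print("true state:", true_state, "look-up:", lookup(table, sample))
    print("sample with one flipped bit:", lookup(table, sample ^ 1))
    distinct, computed = coverage()
    print(f"{computed} links cover {distinct} of {1 << STATE_BITS} states")
```

With a flipped bit the look-up either misses or returns a state that reproduces the corrupted sample, so it never leads back to the state that was actually in use.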
Combining these techniques has been proposed before [17,18].

Because of the chain mergers, a certain number of different tables need to be produced. Those tables also need to cover a certain amount of the entire key space. Recently a set of tables, named the ‘Berlin set’ was released together with the lookup tool, Kraken. The tables are distributed via bittorrent in a special transport format. Currently this is around 1.5TB of data. This transport format can then be transcoded into the actual read format, which takes just under 1.7TB disk space. Currently the tables cover around 22% of the keyspace. If the key is in the tables, then Kraken will typically find it within a few minutes (around 1 to 4 minutes) on an Intel Core2 Quad 2.33GHz machine with the tables divided over several disks. Using solid state memory instead of conventional hard drives for the table storage should significantly improve on this lookup time, at the expense of an increase in the financial costs.

A major drawback of this approach is that it requires faultless reception of 64 consecutive bits. A single unnoticed error in a reception will make it impossible to retrieve the session key using these tables. In GSM the encryption is performed on top of the error detection codes, so the error detection can not be used to find reception errors before the decryption step. Currently the reception from the USRP, while running AirProbe, does not provide the faultless reception needed by Kraken.

4.3 Interpreting using OpenBTS, or OpenBSC, or AirProbe

After the demodulation and decryption steps the bursts need to be interpreted. There are currently several open-source projects that implement at least part of the GSM stack. These are the OpenBTS [19], OpenBSC [20] and AirProbe [13] projects.
The OpenBTS and OpenBSC projects both aim to offer a functional open-source GSM network. The AirProbe project on the other hand aims to create a functional sniffer for GSM traffic. So for eavesdropping activities the AirProbe project seems the most logical choice. However, the AirProbe project is still lacking some essential functionality. For one, deciding which type of burst is received is decided by the standard, most likely, division of the broadcast channel, instead of making this decision based on the burst. This means that the results are worse when cell towers use non-standard division of the broadcast channels. Also, currently the AirProbe sniffers can only interpret some types of bursts. At the moment a lot of development to AirProbe is necessary in order to be able to receive and interpret all of the GSM bursts. This is mostly a practical issue though, which will be resolved in time.

5 Countermeasures

As was already discussed in the introduction, theoretical attacks against GSM are almost as old as the GSM system itself. So the GSM industry has had ample time to prepare for the practical implementations of these attacks. There are several countermeasures against these attacks, we will discuss the effectiveness of three of these countermeasures here. These are:

1. Encrypt content using A5/3
2. Use random padding in GSM packets
3. Use UMTS

5.1 Encrypt content using A5/3

In Section 3.2 we already briefly discussed the A5/3 cipher. This cipher has been published from its inception, and as of yet no feasible attack has been found. So using this cipher to encrypt conversations should significantly hamper eavesdropping. Indeed, pure eavesdropping will no longer be possible when using A5/3, however it will not improve GSM’s security much.
This is due to the fact that irrespective of the choice of encryption algorithm, the session key used will be the same. Basically the session key is created based on the secret key, known only to the SIM card and the home network, and a challenge transmitted by the cell tower. This challenge is transmitted in the clear, so an attacker could just record the challenge and an A5/3 encrypted conversation, then at any later time pretend to be a base station to the user and retransmit the challenge. This forces the user’s SIM to compute the same session key, which could be broken in an A5/2 connection set up by the fake cell tower, and used to decrypt the conversation. Also, this will not mitigate against MITM attacks. Finally the GSMA (GSM Association) has been advising the use of A5/3 by providers since 2004, but it seems only a single small provider world-wide has ever made this transition [21].

5.2 Use random padding

This defensive strategy specifically makes the Kraken attack discussed in Section 4.2 harder. It revolves around the fact that the information in GSM packets is padded to a standard length using a standard pattern of “2b”. Some packets consist almost entirely of padding bits – the “cipher mode complete”, the first message a cell phone transmits enciphered to the cell tower, usually has 144 of its 265 bits filled with padding bits – which gives an attacker a large source of known plaintext. However, the length of the information bits is already described in the packet header, making the standard padding pattern redundant. These padding bits can thus be randomized, and that is exactly what was specified by the ETSI in 2008 [22]. This would remove a large source of known plaintext for an attacker. Without known plaintext there are no known keystream samples which can be looked up in the Kraken tables.
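The effect of this countermeasure can be measured on a small model. The Python sketch below is an added example, not code from the paper: it builds one frame with 18 fill octets (144 bits), once with the fixed "2b" pattern and once with random fill, and reports the longest run of correct consecutive keystream bits that an observer assuming the fixed pattern would derive. The frame layout, the seeded random keystream standing in for the cipher, and all names are assumptions, and the keystream is XORed directly onto the frame, leaving out the channel coding that GSM applies before encryption.

```python
import random

FILL_OCTET = 0x2B      # the fixed "2b" fill pattern
FRAME_LEN = 23         # octets per frame in this model (assumption)
INFO_LEN = 5           # header + information octets (assumption): 18 fill octets remain


def random_octets(rng, count):
    """Constructed sample data from a seeded generator, so runs are repeatable."""
    return bytes(rng.getrandbits(8) for _ in range(count))


def build_frame(info, rng, randomize_fill):
    """Information octets followed by fixed or randomized fill octets."""
    fill_len = FRAME_LEN - len(info)
    if randomize_fill:
        return info + random_octets(rng, fill_len)
    return info + bytes([FILL_OCTET]) * fill_len


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def bits(data):
    return [(octet >> (7 - i)) & 1 for octet in data for i in range(8)]


def longest_correct_run(guess, truth):
    """Longest stretch of consecutive bits on which guess and truth agree."""
    best = run = 0
    for g, t in zip(bits(guess), bits(truth)):
        run = run + 1 if g == t else 0
        best = max(best, run)
    return best


def observer_keystream_run(randomize_fill, seed=2010):
    """Longest run of correct keystream bits derived from the fill region."""
    rng = random.Random(seed)
    info = random_octets(rng, INFO_LEN)          # not known to the observer
    keystream = random_octets(rng, FRAME_LEN)    # stand-in for the cipher output
    ciphertext = xor(build_frame(info, rng, randomize_fill), keystream)
    # The observer assumes the fill region holds the fixed pattern.
    assumed_fill = bytes([FILL_OCTET]) * (FRAME_LEN - INFO_LEN)
    derived = xor(ciphertext[INFO_LEN:], assumed_fill)
    return longest_correct_run(derived, keystream[INFO_LEN:])


if __name__ == "__main__":
    print("fixed fill :", observer_keystream_run(False), "correct bits in a row")
    print("random fill:", observer_keystream_run(True), "correct bits in a row")
```

With fixed fill all 144 derived bits are correct; with random fill each bit is right only by chance, so no run comes near the 64 consecutive faultless bits a table look-up needs.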
It is questionable how fast this change will be implemented, however. All the low level GSM processing is done by closed source GSM stacks, so it is unknown whether this change would affect the already deployed equipment. All the mobile handsets in the field can not be updated, so this change can only be made in new phones. Also this change will not completely remove known plaintext from the system. Some messages can still be guessed, such as system information messages, making the attack described in Section 4.2 still feasible for longer conversations.

5.3 Use UMTS

This is kind of a cop-out, but a method that is at least currently available to quite some users. The successors of GSM – the 3G systems, mostly UMTS – offer much better security. Specifically it has mutual authentication between cell tower and mobile phone – preventing MITM attacks – and offers stronger encryption, that has seen academic scrutiny. In order to fully use this added security, a user should deactivate his phone’s GSM reception, and solely use UMTS. Otherwise an attacker could force a phone to use GSM, by jamming the UMTS frequencies. Of course the usability of this solution will depend on the availability of a UMTS network to the specific user, and might have additional data costs.

6 Conclusions

Passively eavesdropping on GSM remains pretty hard to do using publicly available hard and software. Theoretically, there are no real constraints in breaking conversation confidentiality in GSM. However, there are still several practical issues preventing a working implementation of a GSM sniffer using freely available hardware.

Of the three steps named in Section 3 the first – capturing the GSM signals from the air – remains the bottleneck.
Especially the channel hopping used in GSM networks – which is not even a security measure – prevents the correct capture of GSM packets.

With the current state-of-the-art, the best way to capture GSM data from the air proved to be the use of an old Nokia phone (3310), which can be put in a debug mode, logging all the GSM bursts it receives. However, this will never reveal bursts that are not meant for this specific phone, and can therefore never be used for eavesdropping. The combination of the USRP, with GNU Radio and AirProbe currently does not deliver the possibilities needed for eavesdropping.

The release of the rainbow tables and the Kraken tool has made the breaking of the A5/1 encryption much easier. However, this approach does have a few downsides: besides the hard disk size this method also requires perfect samples – putting additional strain on the capturing process – and naturally the tables will never give a 100% chance of finding the key. Still, the current coverage of 22% of the key space should be workable given enough samples.

The practical problems that at the moment prevent a general attack tool can vary with the specific practical situation. Frequency hopping might not be employed by a specific cell tower, or the cell tower transmits on only a few frequencies that lie close together. In fact a cell tower might not even use encryption. In those cases many attacks become much easier, but we do not know if and how many cell towers have such a configuration. During this research all observed cell towers used both frequency hopping and encryption.

The same practical problems will probably prevent any general attack tool from being released using the current generation of hardware.
It is more likely that a tool will be released that can eavesdrop on some cell towers, though again without publicly available numbers on the configuration of cell towers it is hard to judge how many cell towers are vulnerable.

In the mean time the open-source GSM projects have not yet directly worsened the confidentiality of conversations over GSM. Despite many recent claims to the contrary no actual conversation has been captured and decrypted, and it will take a lot of effort before the current problems preventing these attacks are solved.

It is hard to predict how long it will take the current community behind these open-source projects to solve these practical problems. Though reactions from the community seem eager, the recent rate of development in for instance AirProbe does not show much progress.

Of the countermeasures that are often referred to by the GSM industry when downplaying the news stories, the most effective one is essentially to bypass GSM altogether and use solely UMTS instead.

References

1. Chris Tryhorn. Nice talking to you ... mobile phone use passes milestone. The Guardian, 2009. Tuesday 3 March. http://www.guardian.co.uk/technology/2009/mar/03/mobile-phones1
2. Ross J. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems, chapter 17. Wiley Computer Publishing, 2001. ISBN: 0471389226.
3. February 2010. http://www.ing.nl/particulier/internetbankieren/internetbankieren/wijzigingen-in-voorwaarden-mijn-ing/
4. January 2010. https://svn.berlin.ccc.de/projects/airprobe/wiki/tracelog and http://www.gammu.org/
5. Elad Barkan, Eli Biham, and Nathan Keller. Instant ciphertext-only cryptanalysis of gsm encrypted communication. In Advances in Cryptology - CRYPTO 2003, volume 2729/2003, pages 600–616. Springer Berlin / Heidelberg, 2003.
6. Orr Dunkelman, Nathan Keller, and Adi Shamir. A practical-time attack on the a5/3 cryptosystem used in third generation gsm telephony. 2010. http://eprint.iacr.org/
7. Marc Briceno, Ian Goldberg, and David Wagner. A pedagogical implementation of the gsm a5/1 and a5/2 "voice privacy" encryption algorithms, 1999. http://cryptome.org/gsm-a512.htm (originally on www.scard.org).
8. Jovan Golic. Cryptanalysis of Alleged A5 Stream Cipher, page 23955. 1997. http://jya.com/a5-hack.htm
9. Elad Barkan and Eli Biham. Conditional Estimators: An Effective Attack on A5/1, page 119. 2005.
10. August 2010. http://www.global-security-solutions.com/GSAudioSurv.html
11. January 2010. http://www.ettus.com/
12. September 2009. http://gnuradio.org/trac
13. January 2010. https://svn.berlin.ccc.de/projects/airprobe/wiki
14. January 2010. http://www.reflextor.com/trac/a51
15. Steve Muller and David Hulton. The a5 cracking project. In Chaos Communication Camp 2007, 2007. http://video.google.com/videoplay?docid=8955054591690672567
16. January 2010. http://reflextor.com/torrents/
17. Erguler, Imran, Anarim, and Emin. A new cryptanalytic time-memory trade-off for stream ciphers. In Computer and Information Sciences - ISCIS 2005, volume 3733 of Lecture Notes in Computer Science, pages 215–223. Springer Berlin / Heidelberg, 2005.
18. Jin Hong, Kyung Jeong, Eun Kwon, In-Sok Lee, and Daegun Ma. Variants of the distinguished point method for cryptanalytic time memory trade-offs. In Information Security Practice and Experience, volume 4991 of Lecture Notes in Computer Science, pages 131–145. Springer Berlin / Heidelberg, 2008.
19. September 2009. http://openbts.sourceforge.net/
20. September 2009. http://bs11-abis.gnumonks.org/trac/wiki/OpenBSC
21. Karsten Nohl and Chris Paget. Gsm - srsly? Presented at 26C3 in Berlin, http://events.ccc.de/congress/2009/Fahrplan/attachments/1519_26C3.Karsten.Nohl.GSM.pdf, December 2009.
22. European Telecommunications Standards Institute, France. Digital cellular telecommunications system (Phase 2); Mobile Station - Base Stations System (MS - BSS) interface Data Link (DL) layer specification, 2010. TS 44.006 v9.1.0.
