
GSM encryption: No need to crack it, just turn it off

There are ways to get around GSM encryption, but the equipment has been expensive and difficult to get -- until now. Michael Kassner explores the latest Defcon breakthrough.


It's that time of year. Defcon and Black Hat conventions are happening. Invited presenters are spilling the beans about security issues they have uncovered. One of the more controversial presentations explains how to affordably sidestep GSM encryption. That's a big deal, since billions of people are still using GSM phones.

Some history

GSM encryption can be circumvented due to the trusting nature of the protocol. Fortunately, the following two factors have kept it safe:

  • The cost of equipment required to circumvent GSM encryption is astronomical.
  • Not just anyone can buy the equipment. You have to work for one of those three-letter organizations or have a badge.

Enter Chris Paget

It had to happen; cost is no longer an issue. Chris Paget is saying it's possible to intercept GSM phone calls on the cheap. That type of bravado created the drama Defcon is known for. So much so, that Mr. Paget wasn't sure he was going to give his talk.

A credible source indicated to Mr. Paget that AT&T (only AT&T and T-Mobile have GSM networks) might be considering a lawsuit. On top of that, the FCC let it be known they were concerned about unlawful interception of phone calls. After conferring with EFF lawyers, Mr. Paget went ahead with the presentation and live demonstration. Mr. Paget mentions his appreciation for their help in one of his blogs:

"I'd like to say a really big thank you to the EFF; without their assistance the talk would not have gone ahead (the demo certainly wouldn't have)."

Weak link

Mr. Paget exploits what many consider a flaw in the GSM protocol: there is no mutual-authentication exchange between mobile phones and the network. Only the phone authenticates. It sends the unique International Mobile Subscriber Identity (IMSI) stored on its SIM to the cell tower it is trying to associate with.

It would appear that this weakness opens the door for Man-in-the-Middle (MitM) attacks. Yet some argue that's not possible, because the traffic is encrypted. Well, maybe not. The GSM protocol gives network controllers (cell towers) the option to force connected mobile phones to turn off encryption.

What that means

Like any MitM attack, the idea is to create a situation where a piece of hardware is able to interact with GSM mobile phones in the same manner as the telco provider's cell tower. Hardware devices capable of this are fittingly called IMSI-catchers.

Any number of things can happen after the IMSI-catcher is in control. Sensitive information such as IMSI, IMEI, and phone numbers can be captured. It's also possible to record the audio portion of each call.

Required equipment

Some friends of mine stressed that this is not new technology. Several companies sell IMSI-catchers, NeoSoft being one example. The catch is that the equipment is usually only sold to governmental agencies and law enforcement groups. Besides, they are hugely expensive.

Therein lies the real significance of what Mr. Paget accomplished. He made an IMSI-catcher for around $1500 US. That includes the transceiver, two directional antennas, a notebook, OpenBTS (a software GSM access point) and Asterisk (software that acts as a gateway between GSM networks and VoIP networks). The following slide gives you an idea of the setup (courtesy of Dave Bullock and Wired):

Indications of an attack

There aren't strong indicators that a MitM attack is taking place. Mr. Paget did mention that we need to be alert for the following oddities when making a phone call:

  • The phone is on a GSM network in a known 3G coverage area and the phone is 3G capable.
  • The receiving party is seeing an unusual phone number on caller-ID.
  • Paget's IMSI-catcher only captures outbound calls. Incoming calls go directly to voice mail.

During his talk, Mr. Paget admitted that the software could easily be upgraded to forward the caller's real phone number.

Possible workarounds

There is some recourse for people using AT&T and T-Mobile phones. Mr. Paget mentioned that BlackBerry phones from RIM may add a second layer of encryption and have a setting to disable GSM. Another possibility is AT&T's new encryption service. For the rest of us, it seems we need to make sure the 3G indicator is displayed.

Final thoughts

Fortunately, this attack only works if your mobile phone is using a GSM network. CDMA and 3G networks are safe for now. The real concern is that this attack vector is no longer out of reach due to cost, making it one more thing security-conscious people need to be aware of.


55 comments
Dr_Zinj

You really have to wonder if the FBI, the CIA, and other black government intelligence organizations already know these things. Of course it's been my experience that while Uncle Sam's Assassins are good at offense, they leave a lot to be desired on the defense and protection side. Good at breaking into things, not so good at keeping intruders out.

Ocie3

Available from: http://www.grc.com/securitynow.htm SERIES: Security Now! EPISODE: #213 DATE: September 10, 2009 TITLE: Cracking GSM Cellphones. If you really want to know the gory details, then listening to this podcast and/or reading the transcript will give you an excellent, very detailed description of GSM encryption. The GSM cipher can be supplanted, and it has been on 3G networks. Realize that the GSM technology is about 30 years old. There remains the problem that hundreds of thousands, if not millions, of cellphones are hard-wired to use only GSM because that is the only encryption implemented on the instrument, and there are also many towers that can receive and send only with GSM. Succinctly, there is no way to easily "update" them.* It would be less expensive to simply replace them. So, equipment that has subsequent encryption alternative(s) is also designed to "fall back" to GSM when the cell phone (or the tower) uses only GSM. Steve Gibson basically lays out exactly how to go about capturing GSM-encrypted calls and decrypting them. He also points out many of the ordinary "analog" ways that telephone conversations can be intercepted and recorded, such as old-fashioned wiretapping on an ordinary land line to which the cell phone call is placed. Maybe the Black Hat presenter, Mr. Paget, listened to Security Now! 213. Mr. Gibson does not explicitly discuss a MITM attack, although he mentions it, and Mr. Paget demonstrated a MITM attack on GSM at Black Hat. But I have not made a step-by-step comparison of them. (I doubt that I will have time to do that soon, unfortunately -- family matters.)

* My remarks as to the number of GSM cellphones significantly underestimate the number, and, implicitly, their impact: "About 3.5 billion of the 4.3 billion wireless connections across the globe use GSM. In North America, 299 million consumers use the technology." Quotation from the ZDNet article by Andrew J. Nusca: http://www.zdnet.com/blog/btl/code-that-encrypts-worlds-gsm-mobile-phone-calls-is-cracked/28942

Jaqui

Seems the only way to really be sure your communications are secure is to make sure you have them only face to face in a "white room", so no eavesdropping via technological means is possible. Or, never discuss anything confidential outside of such an [expensive] facility.

simone.asnaghi

It's important to highlight that, when saying that this MiTM attack only works on GSM networks, this also applies when going from a 2G-only cell to a 3G cell: after cracking the cryptography while a phone camps in a 2G-only cell, the move to the 3G cell doesn't involve new handling of the ciphering key... the former, shorter 2G key is used and the 3G key is simply the former 2G key doubled... if the first 2G key is cracked, the same is true for the last 3G key!!!

JCitizen

I figured the cell companies were turning encryption off to save on bandwidth and speed; I've always expected it - this now confirms it. Kinda like expecting gmail SSL to work all the way to the target. Just ain't happening!

Neon Samurai

Wow.. just.. Wow. This time of year is like Christmas for me. The GSM talk has to be second only to the bank machine Jackpot Attack talk.

Michael Kassner

A Defcon presenter shows how to deploy an effective MitM attack on GSM mobile phones.

PhilippeV

If the possibility of turning off the encryption from the cell tower of an operator exists, it's not because of GSM authors, but BECAUSE governments really WANTED this possibility. They have forced the operators to implement this weakness. This possibility was not a necessary function of GSM, and where it has been used, it's exactly where the governments wanted it first, before delivering licences to mobile operators. Now I'm quite sure that such traps also exist in CDMA or all other protocols used in mobile networks. If governments are now not happy with this possibility, then operators only have one option: drop this support, because the government trap required by governments is so weak that it can be used by anyone at very modest cost. Morality: never trust governments in their claims. They want to break things in a way that will later be abused and criticized by themselves. Morality 2: please, operators, stop accepting any calls with encryption turned off. Make it mandatory throughout your network, and complain to governments, because it is the governments that broke your system. Morality 3: for customers, think about looking for VoIP-compatible mobile phones, and make sure that the security mechanism is upgradable/replaceable at any time. For operators: only accept to implement security features that can easily be replaced at any time, and discuss with mobile phone operators to allow this feature to be easily deployed to your customers with their existing mobile phone. Morality 4: abandon completely GSM and similar old protocols built specifically for telephony, and convert to VoIP everywhere, using open technologies that will benefit from the convergence and much better management of bandwidth and interoperability, with also better management of frequencies, in a more technology-neutral approach. So accept the convergence of GSM, CDMA, WiFi, WiMax, UMTS, etc. and merge all your frequency bandwidths so that they will now be used to convey ONLY IP traffic.
Morality 5: for operators, campaign so that government will no longer discriminate the usage of mobile services in separate bands. A frequency is a frequency. The only thing that will count is what its available useful IP bandwidth is and how it will be shared across your customers. Then identify your customers exactly like on the Internet, using the same technologies (VoIP, SSL/TLS tunnels, IPSEC, IPv4 or IPv6, and streaming protocols over IP like RTSP, and the same codecs like MPEG Audio Layer, and the same tools for networkwide traffic management including ICMP, IP routing protocols and announcement, Gateway-to-Gateway protocols, firewalls, VPN technologies for private networks...). It's also high time to abandon completely the telephony-specific protocol (and time to deprecate the ITU, forcing it to join its efforts with IETF/ISOC/ICANN, and with ISO for its internationalization). The same should be true also for digital TV protocols (over cable or satellite) or digital radios (which will probably never be deployed to replace the FM band, when most of them are already converted to the Internet).

Neon Samurai

The civilians are always the last to find out and most at risk by these things. If civilians are aware of it, you can bet people with malicious intent are way ahead already.

Michael Kassner

I think you have it backwards. Our friend Mr. Steve is feeding off of a well-regarded security researcher, IMO.

Neon Samurai

Now.. where is the tongue-in-cheek smilie code.. ;D

Michael Kassner

I have not heard of this before. Do you have references or papers that I could read? I humbly ask only to understand what you are proposing.

Wunderbarb

Encryption does not impact (at least significantly) the bandwidth. Once authentication is done and the session key is established, encrypted voice has the same size as clear voice. And the duration of authentication is short compared to the communication.

Michael Kassner

I was hoping it might show up somewhere. I almost bought the Defcon Uplink, just to see that and the GSM presentation.

TobiF

Back in those days when GSM was originally designed, people had the main focus on how to make sure that nobody places calls at someone else's expense, so the SIM card was invented along with a system where the network would send a random value to the SIM card and the SIM card uses the random value and its own built-in cipher key and algorithms to calculate an authentication response value, as well as a session key for the encrypted communication. But people didn't think of the need for the SIM card to validate the connected network. This makes it possible to spoof a network if GSM-style authentication is used. The other function, which is further abused here, is that the network may declare that the traffic shall go unencrypted. Some handsets may show a special symbol on the screen when traffic is not encrypted. For instance, I noted such a symbol on my handset when I was in Moscow during the siege of a theatre, several years ago. So the governmental services had simply instructed all network operators to temporarily turn off encryption, so that the police could timely eavesdrop on all GSM communication around the theatre. The authentication procedure was updated for the 3G standard, and now the so-called USIM also authenticates the network. Note, however, that a 3G network may actually use 2G authentication (i.e. one-way).
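The one-way authentication described in the article's "Weak link" section and in TobiF's comment above, as an added example that is not part of the original article or of any product it mentions: a model of the GSM attach exchange (RAND, SRES, Kc) in which a 2G SIM answers whoever sends it a challenge and so cannot tell the operator's tower from a base station that holds no Ki and then orders A5/0 (no ciphering), contrasted with the 3G AUTN check that rejects such a network. HMAC-SHA256 standing in for A3/A8 and f1, the Ki and IMSI values, and all function names are assumptions; the real algorithms are operator-specific.

```python
import hashlib
import hmac
import secrets
# HMAC-SHA256 stands in for the operator-secret A3/A8 and 3G f1 functions
# (an assumption; the real algorithms differ). Ki and IMSI values are constructed.

def a3_a8(ki, rand):
    """Model of A3/A8: SRES (32 bits) and Kc (64 bits) both derived from one RAND."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]

def f1_mac(ki, rand, sqn):
    """Model of the 3G AKA network-authentication MAC that travels in AUTN."""
    return hmac.new(ki, rand + sqn.to_bytes(6, "big"), hashlib.sha256).digest()[:8]

class Sim:
    """2G SIM: it answers any RAND it is given and never checks who is asking."""
    def __init__(self, imsi, ki):
        self.imsi, self.ki = imsi, ki
    def respond(self, rand):
        return a3_a8(self.ki, rand)

class Usim(Sim):
    """3G USIM: it also verifies AUTN, so only a holder of Ki passes as the network."""
    def __init__(self, imsi, ki):
        super().__init__(imsi, ki)
        self.sqn_seen = -1

    def respond_3g(self, rand, sqn, mac):
        if sqn <= self.sqn_seen or not hmac.compare_digest(mac, f1_mac(self.ki, rand, sqn)):
            raise ValueError("network authentication failed")
        self.sqn_seen = sqn
        return a3_a8(self.ki, rand)

def genuine_attach(auc, sim):
    """Operator side: look up Ki in the AuC, verify SRES, then cipher with Kc (A5/1)."""
    rand = secrets.token_bytes(16)
    sres, _ = sim.respond(rand)
    exp_sres, kc = a3_a8(auc[sim.imsi], rand)
    if not hmac.compare_digest(sres, exp_sres):
        raise ValueError("subscriber authentication failed")
    return {"imsi": sim.imsi, "cipher": "A5/1", "kc": kc}

def unauthenticated_bts_attach(sim):
    """A base station without Ki: it sends some RAND, cannot check the answer and
    does not need to, then selects A5/0 (no ciphering) in the Ciphering Mode Command."""
    rand = secrets.token_bytes(16)
    sim.respond(rand)  # the SIM answers; the phone has learned nothing about the network
    return {"imsi": sim.imsi, "cipher": "A5/0", "kc": None}

def session_is_protected(session):
    """The ciphering-indicator check a handset can make: is traffic actually encrypted?"""
    return session["cipher"] != "A5/0" and session["kc"] is not None

def demo():
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed Ki
    imsi = "262011234567890"                                  # constructed IMSI
    sim, usim = Sim(imsi, ki), Usim(imsi, ki)
    out = {"genuine_2g_protected": session_is_protected(genuine_attach({imsi: ki}, sim)),
           "unauthenticated_2g_protected": session_is_protected(unauthenticated_bts_attach(sim))}
    rand = secrets.token_bytes(16)
    try:  # a network without Ki cannot forge AUTN, so the USIM refuses it
        usim.respond_3g(rand, 1, b"\0" * 8)
        out["usim_accepts_forged_autn"] = True
    except ValueError:
        out["usim_accepts_forged_autn"] = False
    usim.respond_3g(rand, 1, f1_mac(ki, rand, 1))  # the real network passes
    out["usim_accepts_genuine_autn"] = True
    return out
```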

munsch

I love AT&T / T-Mobile's security reasoning on this one. "It's been too expensive, so it's fine." Right. Cause technology never gets cheaper, criminals never innovate, and no one would ever invest X dollars into criminal operations that could net them 100X. Fail. Just once, I'd like to see instead of "we'll sue you and apply government pressure to conceal our nakedness" a response more along the lines of "holy crap, we'd better go and fix that." Just once. You know, for the novelty of it.

Ocie3

The date on Security Now! #213 is September 10, 2009, which is almost eleven months ago. When did Mr. Paget begin his "research"? Something that Steve stresses in his presentation is that the cost of the hardware and software (open source) is less than ~ $2,000. It is clear in the podcast that Steve Gibson did quite a lot of his own research on the subject of "cracking GSM". By the way, somewhat lost in the glare of the Black Hat press coverage: "Code that encrypts world's GSM mobile phone calls is cracked" by Andrew Nusca on the ZDNet Between the Lines blog describes the successful conclusion of a project to which Steve Gibson alluded in the podcast: http://www.zdnet.com/blog/btl/code-that-encrypts-worlds-gsm-mobile-phone-calls-is-cracked/28942 But as you ask, what does that matter if you can turn encryption off during a MITM attack? Maybe you cannot always make a MITM attack, but you should be able to intercept, identify, and record the transmissions between the cell phone and the tower, then decrypt them easily and quickly, without any apparent risk of discovery.

Ocie3

ROFLMAO! That's a good one, Neon!!

JCitizen

much the same way VPN does on my router. The equipment can only take so much ciphering at a certain chip speed, so this can slow things down. However, I'm not so sure cell companies use a tunneling protocol, so my example would be inaccurate. If it is dropping the encryption totally after first contact, the equipment would load the data stream just like unencrypted data; in fact it would be unencrypted. Just something I've mused about; not that I actually know a hill of beans about the reality of it.

Neon Samurai

I can see how a direct encryption would not add any size to the data; you're just taking "A" and turning it into "$" essentially. A seed value would add data on to the ciphertext though. Is GSM not using seed values?

Neon Samurai

I figured I'd give the talks a few days for processing then see if they make them available. Hopefully they pop up on Securitytube and I can trace the links back for the rest of them.

Ocie3

The first thing that I would have done is replace explorer.exe. Clearly, according to the error message, an instruction that is at a specific location in memory is trying to "read" its location in memory. I don't think that any instruction is allowed to do anything to itself. :-) But without any prior experience with Coreflood, who would ever think to check the key that CaptBill1Eye described?

DarkEnjinu

I'm definitely not. A lot of the current encryption technology in use is said to be highly protected based off of the myth that the hardware and software needed to crack it is just too expensive to be purchased. I wonder if the big corps know that the Easter bunny is not real either!

Neon Samurai

AT&T isn't the worst. There's a company that provides LAN management software which can easily be exploited. When the issue was reported, the company's response was "none of our existing customers have had a problem or expressed concern. If they did ask though, we'd provide them with a patch right away. There is no reason to fix it at this time though." They won a Pwnie award for that response.

Michael Kassner

They were hoping GSM would go away before this happened. Another clandestine theory is that the .govs want it that way.

Michael Kassner

I thought it was later than that. I thought I read that this researcher was working on this for about a year.

Ocie3

since Steve Gibson mentions that the cell tower can require that exchanges be clear text (A/0). He certainly makes it clear that someone can intercept and record transmissions for subsequent decryption. And he mentions that a MITM attack - between cell phone and tower - was possible, but he did not discuss that possibility in detail. After re-reading most of the transcript for that podcast, it seems to me that anyone giving it some thought would conclude that it should be possible for someone to trick a cell phone into communicating with their equipment as if it were a tower, and in that context, certainly, encryption could be disabled. Of course, tricking the cell phone and the tower, respectively, is the essence of a MITM attack. When Security Now! #213 was recorded, all of the hardware and software needed for "cracking GSM" was either available or under development and nearing release. So, much of Steve Gibson's exposition is about the details of the GSM system per se in the context of how the tools were available, or becoming available, for "cracking" GSM. Thanks for a marvelous article, Michael.

santeewelding

Oh, and by the way, period after "...crack it." New sentence. "Just" works just fine.

Michael Kassner

But, encryption is a moot point when the attacker can shut it off.

Ocie3

Steve Gibson (Security Now! #213) describes GSM encryption: "... this is an XORing approach where you have a generator of pseudorandom data where, bit by bit, you XOR, you exclusive OR the output of this generator with the data you want to encrypt." Implicitly, the cell phone and the tower must exchange initial seed values, and use the same pseudorandom bit-string generator (which he describes in detail). ".... If you monitor them, initiating a conversation, the way the GSM handshake functions is that the cell tower comes up with a 128-bit, pseudorandom, one-time token. It gives it to the customer and says, using the preshared key - in the SIM card is a 128-bit preshared key. The cell tower, who knows the customer's account, knows what SIM card they have with the preshared key. So the cell tower gives them a 128-bit token, which is a one-time token, says use your preshared key to encrypt this that I've given you, and give me the result to prove that you're you. So there's an authentication phase. And unfortunately the same data is used to produce the session key, which is a big mistake. You never want to use the same data for authentication and encryption, which is a mistake that GSM has unfortunately made. And that's a weakness because it allows someone who's listening to that - this random number that comes from the cell tower is in the clear. So if you're listening to that conversation, you can then subsequently appear to be a cell tower." The preceding text is a quotation from the transcript for the Security Now! podcast #213, available from: http://www.grc.com/securitynow.htm

Neon Samurai

Or my brain just isn't spotting the seeding details at the moment. I'll have to re-read it again though. Cheers for the link

Michael Kassner

A big chunk of the Black Hat conference is there as well.

bboyd

Having seen estimates I would say much bigger. Plus they have a natural daily cycle to take advantage of. Use more of the cluster during the daily lows. Plus I can imagine they have a very good data set for password dictionary attacks. Makes me consider using scroogle more and more.

Neon Samurai

I'm playing with wireless this week and currently working on my test router's WPA. This made me wonder if the notebook currently chewing on a dictionary file is actually working through it faster than my desktop would. Possibly; but that led me on to thinking about Google's data collection antics. They have a stupidly huge cluster to work with; how much effort would it take them to set a subset of the Google cluster on cracking consumer grade encryption? I don't think it would be much of a challenge given what people have already done with Amazon's cluster and I suspect, Google's is bigger.

JCitizen

another dunce cap for corporate stupidity and arrogant indifference.

Michael Kassner

I was unable to find any information about the encryption details here.

speculatrix

It's been demonstrated that many GSM networks run with shorter key lengths (imagine a 64 bit key where eight bits are always zero) and this has been blamed on national governments wanting weaker keys so that they can brute force decryption with their hardware.

munsch

Good recall, i'd completely forgotten about that too. Died a horrible well-deserved death.

JCitizen

fiasco? I think that was back in the Clinton administration. That pretty much proved governments don't want perfect encryption. They can't hack the fact that the Orwellian concept is dying fast!

munsch

that a corporation looks at the cost of fixing something vs. its remaining expected lifetime. Don't always agree, but I understand what they're thinking, I guess. As far as the .govs, you mean want to be able to flick a switch to disable encryption? Hrm. As theories go that's a tempting one, but I think the .govs have better centralized means of getting convos recorded than having to be near the tower, don't they..? Not sure.
