There are ways to get around GSM encryption, but the equipment has been expensive and difficult to get — until now. Michael Kassner explores the latest Defcon breakthrough.
There are ways to get around GSM encryption, but the equipment has been expensive and difficult to get. It appears that is no longer the case.
It's that time of year. Defcon and Black Hat conventions are happening. Invited presenters are spilling the beans about security issues they have uncovered. One of the more controversial presentations explains how to affordably side step GSM encryption. That's a big deal since billions of people are still using GSM phones.
GSM encryption can be circumvented due to the trusting nature of the protocol. Fortunately, the following two factors have kept it safe:
- The cost of equipment required to circumvent GSM encryption is astronomical.
- Not just anyone can buy the equipment. You have to work for one of those three-letter organizations or have a badge.
Enter Chris Paget
It had to happen; cost is no longer an issue. Chris Paget is saying it's possible to intercept GSM phone calls on the cheap. That type of bravado created the drama Defcon is known for. So much so, that Mr. Paget wasn't sure he was going to give his talk.
A credible source indicated to Mr. Paget that AT&T (only AT&T and T-Mobile have GSM networks) might be considering a lawsuit. On top of that, the FCC let it be known they were concerned about unlawful interception of phone calls. After conferring with EFF lawyers, Mr. Paget went ahead with the presentation and live demonstration. Mr. Paget mentions his appreciation for their help in one of his blogs:
"I'd like to say a really big thank you to the EFF; without their assistance the talk would not have gone ahead (the demo certainly wouldn't have)."
Mr. Paget uses what many consider a flaw in the GSM protocol. That being there is no mutual-authentication exchange between mobile phones and the network. Only the phone authenticates. It sends a unique International Mobile Subscriber Identity (IMSI) stored on the SIM to the cell tower it's trying to associate with.
It would appear that this weakness opens the door for Man-in-the-Middle (MitM) attacks. Yet, some argue that's not possible. The traffic is encrypted. Well, maybe not. The GSM protocol gives network controllers (cell towers) the option to force connected mobile phones to turn off encryption.
What that means
Like any MitM attack, the idea is to create a situation where a piece of hardware is able to interact with GSM mobile phones in the same manner as the telco provider's cell tower. Hardware devices capable of this are fittingly called IMSI-catchers.
Any number of things can happen after the IMSI-catcher is in control. Sensitive information such as IMSI, IMEI, and phone numbers can be captured. It's also possible to record the audio portion of each call.
Some friends of mine stressed that this is not new technology. Several companies sell IMSI-catchers, NeoSoft being one example. The catch is that the equipment is usually only sold to governmental agencies and law enforcement groups. Besides they are hugely expensive.
Therein lies the real significance of what Mr. Paget accomplished. He made an IMSI-catcher for around $1500 US. That includes the transceiver, two directional antennas, a notebook, OpenBTS a software-GSM access point, and Asterisk — software that acts as a gateway between GSM networks and VoIP networks. The following slide gives you an idea of the setup (courtesy of Dave Bullock and Wired):
Indications of an attack
There aren't strong indicators that a MitM attack is taking place. Mr. Paget did mention we need to be alert for the following oddities when making a phone call:
- The phone is on a GSM network in a known 3G coverage area and the phone is 3G capable.
- The receiving party is seeing an unusual phone number on caller-ID.
- Paget's IMSI-catcher only captures outbound calls. Incoming calls go directly to voice mail.
Mr. Paget during his talk admitted the software could easily be upgraded to forward the caller's real phone number.
There is some recourse for people using AT&T and T-Mobile phones. Mr. Paget mentioned that BlackBerry phones from RIM may add a second layer of encryption and have a setting to disable GSM. Another possibility is AT&T's new encryption service. For the rest of us, it seems we need to make sure the 3G is displayed.
Fortunately, this attack only works if your mobile phone is using a GSM network. CDMA and 3G networks are safe for now. The real concern is that this attack vector is no longer out of reach due to cost. Making it one more thing security-conscious people need to be aware of.