Security Now 213
Topic: Cracking GSM
Recorded: September 8, 2009
Published: September 9, 2009
News & Errata
01:25 - 04:40
- Steve has finished proofreading Gibraltar Stars
08:30 - 12:52
- Microsoft fixed 5 remote code execution problems in the second-Tuesday-of-the-month patches
- Microsoft have a problem with IIS and the FTP vulnerability; they have said they are likely to fix it with an out-of-cycle patch
12:53 - 13:45
- Multiple vulnerabilities have been disclosed in OpenOffice in the Word .doc format; they are remote code execution attacks
13:46 - 16:34
- Upgrading to OS X Snow Leopard installs a version of Adobe Flash Player that has known vulnerabilities, even if you had already updated Flash Player in Leopard
16:35 - 17:30
- Firefox V3.0 and V3.5 will warn users if they are using an out-of-date version of the Flash plugin
17:31 - 19:38 Barnett (Unknown)
A bolt of lightning produced EMF in the network wiring and damaged a server. Restoring it from the backup would have taken a long time, so he ran SpinRite on the drive. It ran for 6 hours and recovered 1,310 sectors, fixing the drive
23:00 - 01:05:38
23:00 - 29:00
- GSM = Global System for Mobile communications
- It currently has three billion users worldwide. GSM has 80 percent of the cellphone market spread through 200 countries
- The GSM alliance would not make the encryption algorithm public, but because every device that uses it has to have it installed, it was quickly reverse engineered
- GSM was designed back when there was limited computing power
- It is a pseudorandom bit-stream cipher like WEP
- The data you want to encrypt is XOR'd against data from a pseudorandom data generator
- If you have a really good pseudorandom data generator this is a good method to use
- But there are problems due to a known-plaintext attack
29:01 - 34:35
- Steve decided to talk about cracking GSM as a hacker group said that "within a couple months there was going to be publicly available, open source technology to allow anyone to decrypt cellphone conversations."
- These vulnerabilities have been known for about a decade but the GSM alliance have not taken them seriously saying "this [exploit] would require the construction of a large lookup table of approximately two terabytes. This is equivalent to the amount of data contained in a 20-kilometer-high pile of books"
- They also said "However, before a practical attack could be attempted, the GSM call has to be identified and recorded from the radio interface. So far, this aspect of the methodology has not been explained in any detail, and we strongly suspect the team developing the intercept approach has underestimated its practical complexity."
- To get the conversations from the air you can use a technology called the Universal Software Radio Peripheral (USRP) from Ettus
- It's a hardware platform, a seven-inch by seven-inch square circuit board
- The first iteration, the USRP 1, or just USRP, had a USB 2 interface.
- You can then get daughter boards that span various ranges of radio frequencies.
- And this thing runs all the way from zero (DC) to 5.9 GHz.
- You can use it to experiment with GPS signals that are at a couple gigahertz, with AM through WiFi and beyond.
- This is a general purpose radio transceiving peripheral.
- The second version has a gigabit Ethernet interface rather than USB 2.0 because they wanted to be able to operate at larger bandwidths and so have a greater data flow in and out of this board.
- The first one costs $700.
- The second one is $1,400.
34:36 - 40:33
- The GNU Radio project is a general purpose software radio project developing all of the modules that go behind this piece of hardware
- There's a company called Path Intelligence which uses this board and the software from the GNU Radio project to track people in shopping malls
40:34 - 50:25
- The technology that GSM uses for generating pseudorandom data is weak
- They relied on it being kept secret
- It uses a technique called Linear Feedback Shift Register, LFSR.
- A shift register is a long string of bits contained in a hardware register
- On the event of a clock pulse, this shift register moves all of the bits one place to either the right or left, depending upon whether it's shifting right or shifting left
- Let's imagine that this is shifting to the right.
- So you have a string of little bit cells. Upon receiving a clock pulse, every one and zero moves one cell to the right.
- Well, you need something to fill the gap that was open
- What they do is they take some few bits stationed in various places in the shift register and exclusive OR those bits
- For example it could be the last three bits
- They will be XOR'd meaning that:
- You count up the number of ones in the last three positions
- If it's an odd number, then the result is a one.
- And if it's an even number then the result is a zero.
- And so you feed that back into the front of the shift register.
- Before we had mature cryptography this was thought to be really secure
- GSM uses three of these shift registers
- One is 19 bits long. The second is 22 bits long. And the third is 23 bits long
- It turns out it is possible to use precomputation attacks against this pseudorandom generator
- It was published completely in 2003.
- You'd have to listen to two minutes of GSM cellphone traffic, and then you could crack the key that was used to encrypt this.
- After two minutes you could crack it in one second
- Or if you listen to two seconds of GSM cellphone traffic, then you can crack it in two minutes.
- And they use precomputed tables, the so-called two terabytes that the GSM Alliance was pooh-poohing and saying, well, you know, no one's ever going to be able to produce this.
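The shift register described above, as an added example that is not from the episode and is not GSM's A5/1: a single 19-bit register shifting right, with the parity of its last three cells fed back into the front, used as an XOR stream cipher. The tap positions, starting state and message are constructed assumptions. It shows why a linear register is a weak generator on its own: the first 19 keystream bits are the register contents, so a few bytes of known plaintext give away every later keystream bit.

```python
WIDTH = 19            # length of the shortest register named in the notes
TAPS = (0, 1, 2)      # "the last three bits" (rightmost cells); an assumption

def step(state):
    """Clock once on a right-shifting register: return (output_bit, new_state)."""
    out = state & 1                            # bit that falls off the right end
    fb = 0
    for t in TAPS:                             # XOR = parity of the tapped cells
        fb ^= (state >> t) & 1
    return out, (state >> 1) | (fb << (WIDTH - 1))   # parity enters at the front

def keystream(state, nbits):
    bits = []
    for _ in range(nbits):
        bit, state = step(state)
        bits.append(bit)
    return bits

def to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(8)]

def from_bits(bits):
    return bytes(sum(b << i for i, b in enumerate(bits[n:n + 8]))
                 for n in range(0, len(bits), 8))

def encrypt(state, data):
    """XOR the data against the generator output; decryption is the same call."""
    bits = to_bits(data)
    return from_bits([p ^ k for p, k in zip(bits, keystream(state, len(bits)))])

def recover_state(known_plain, cipher):
    """Known plaintext XOR ciphertext is keystream; its first WIDTH bits are the state."""
    ks = [p ^ c for p, c in zip(to_bits(known_plain), to_bits(cipher))]
    if len(ks) < WIDTH:
        raise ValueError("need at least WIDTH bits of known plaintext")
    return sum(bit << i for i, bit in enumerate(ks[:WIDTH]))

SECRET_STATE = 0x5A3C1                                    # constructed starting state
MESSAGE = b"HELLO, this is a constructed sample message"  # constructed plaintext
CIPHERTEXT = encrypt(SECRET_STATE, MESSAGE)
```

Knowing only the first three bytes of `MESSAGE` is enough for `recover_state` to return `SECRET_STATE`, after which `encrypt` run over `CIPHERTEXT` returns the whole message.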
50:26 - 54:09
- There is another attack that doesn't require the use of precomputed tables but is complex
- If you knew somebody who was using a GSM phone, and you wanted to crack them, you're able to pretend to be a cell tower to their phone.
- If you monitor them, initiating a conversation, the way the GSM handshake functions is that the cell tower comes up with a 128-bit, pseudorandom, one-time token.
- It gives it to the customer and says, using the preshared key you have stored in your SIM card, encrypt this
- The cell tower, who knows the customer's account, knows what SIM card they have with the preshared key.
- So the cell tower gives them a 128-bit token, which is a one-time token, says use your preshared key to encrypt this that I've given you, and give me the result to prove that you're you.
- So there's an authentication phase. And unfortunately the same data is used to produce the session key, which is a big mistake.
- You never want to use the same data for authentication and encryption, which is a mistake that GSM has unfortunately made.
- And that's a weakness because it allows someone who's listening to see this random number that comes from the cell tower as it is in the clear. So if you're listening to that conversation, you can then subsequently appear to be a cell tower.
- There is no protection against re-use, which is another big problem.
- So you can pretend to be a cell tower and give the user the same challenge, essentially, in this challenge handshake; their preshared key is static.
- They will generate the same session key, which now you have. And so you're now able to decrypt a conversation that you had previously without any use of two terabytes of tables.
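The handshake described above, as an added example that is not from the episode: a simulated SIM that derives both its response and its session key from the preshared key and the tower's token alone, next to a hypothetical hardened variant that refuses a reused token and mixes in its own fresh value. HMAC-SHA256 stands in for the real A3/A8 algorithms, and the key, token, class names and output lengths are constructed assumptions.

```python
import hashlib
import hmac
import os

def prf(ki, label, data):
    # HMAC-SHA256 is a stand-in for the SIM's real algorithms (assumption).
    return hmac.new(ki, label + data, hashlib.sha256).digest()

class LegacySim:
    """Behaviour described in the notes: everything derives from (Ki, token)."""
    def __init__(self, ki):
        self.ki = ki

    def respond(self, rand):
        sres = prf(self.ki, b"auth", rand)[:4]   # proves knowledge of Ki
        kc = prf(self.ki, b"key", rand)[:8]      # session key from the same inputs
        return sres, kc

class HardenedSim(LegacySim):
    """Hypothetical fix: reject reused tokens and add handset freshness."""
    def __init__(self, ki):
        super().__init__(ki)
        self.seen = set()

    def respond(self, rand):
        if rand in self.seen:
            raise ValueError("challenge reused")
        self.seen.add(rand)
        nonce = os.urandom(16)                   # handset's own contribution
        sres = prf(self.ki, b"auth", rand + nonce)[:4]
        kc = prf(self.ki, b"key", rand + nonce)[:8]
        return sres, kc, nonce                   # tower needs the nonce to derive kc

def replay_yields_same_key(sim, rand):
    """True if answering the same token twice produces the same session key."""
    try:
        first, second = sim.respond(rand), sim.respond(rand)
    except ValueError:
        return False
    return first[1] == second[1]

KI = bytes(range(16))   # constructed preshared key
RAND = bytes(16)        # constructed 128-bit token, visible in the clear
```

`replay_yields_same_key(LegacySim(KI), RAND)` is true, which is the reuse problem the notes describe; the hardened variant rejects the second attempt, and even a SIM that had lost its record of seen tokens would derive a different key because of the nonce.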
54:10 - 01:05:38
- SMS uses this same technology and is vulnerable to the same attacks
- Data also uses this technology and is vulnerable to the same attacks
- The stream cipher is called A5
- The authentication algorithm is known as A3.
- The key agreement algorithm is A8.
- There are variations on the A5 stream cipher
- There's A5/0, which says no encryption
- There's A5/1, which was the original strong encryption, but it had export restrictions placed on it.
- So as a consequence, phones also support A5/2, which is a deliberately weakened, exportable encryption.
- You can trick a phone into using a weaker version of the cipher and make it easier to decrypt phone calls
- 3G is a stronger technology but all phones can fall back to an older technology
- Go To My PC
- Ad Time: 0:35-0:51 and 20:09-22:58
- Recorded Date: September 8, 2009
- Release Date: September 9, 2009
- Duration: 1:07:43
- Log line:
- Edited by: Tony
- Leo was talking: 44:11
- Reconnecting with Steve: 54:40