GSM/3G securityOpenBSC: Implementing GSM protocols
Security analysisSummary
OpenBSC network-side GSM stackrunning on top of Linux
Harald Welte
gnumonks.orggpl-violations.org
OpenBSCairprobe.org
hmw-consulting.de
Linux Kongress 2009, October 2009, Dresden/Germany
Harald Welte OpenBSC network-side GSM stack
GSM/3G securityOpenBSC: Implementing GSM protocols
Security analysisSummary
Outline1 GSM/3G security
The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols
2 OpenBSC: Implementing GSM protocolsGetting startedOpenBSC software architectureCode Reuse
3 Security analysisTheoryThe BasebandObservations
4 SummaryWhat weve learnedWhere we go from hereFuture PlansFurther Reading
Harald Welte OpenBSC network-side GSM stack
GSM/3G securityOpenBSC: Implementing GSM protocols
Security analysisSummary
About the speaker
Always been fascinated by networking andcommunicationsUsing + playing with Linux since 1994Kernel / bootloader / driver / firmware development since1999IT security specialist, focus on network protocol securityBoard-level Electrical EngineeringAlways looking for interesting protocols (RFID, DECT,GSM)
Harald Welte OpenBSC network-side GSM stack
GSM/3G securityOpenBSC: Implementing GSM protocols
Security analysisSummary
The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols
GSM/3G protocol security
ObservationBoth GSM/3G and TCP/IP protocol specs are publiclyavailableThe Internet protocol stack (Ethernet/Wifi/TCP/IP) receiveslots of scrutinyGSM networks are as widely deployed as the InternetYet, GSM/3G protocols receive no such scrutiny!
There are reasons for that:GSM industry is extremely closed (and closed-minded)Only about 4 closed-source protocol stack implementationsGSM chipset makers never release any hardwaredocumentation
Harald Welte OpenBSC network-side GSM stack
GSM/3G securityOpenBSC: Implementing GSM protocols
Security analysisSummary
The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols
The closed GSM industryHandset manufacturing side
Only very few companies build GSM/3.5G baseband chipstoday
Those companies buy the operating system kernel and theprotocol stack from third parties
Only very few handset makers are large enough tobecome a customer
Even they only get limited access to hardwaredocumentationEven they never really get access to the firmware source
Harald Welte OpenBSC network-side GSM stack
GSM/3G securityOpenBSC: Implementing GSM protocols
Security analysisSummary
The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols
The closed GSM industryNetwork manufacturing side
Only very few companies build GSM network equipmentBasically only Ericsson, Nokia-Siemens, Alcatel-Lucent andHuaweiException: Small equipment manufacturers for picocell /nanocell / femtocells / measurement devices and lawenforcement equipment
Only operators buy equipment from themSince the quantities are low, the prices are extremely high
e.g. for a BTS, easily 10-40k EUR
Harald Welte OpenBSC network-side GSM stack
GSM/3G securityOpenBSC: Implementing GSM protocols
Security analysisSummary
The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols
The closed GSM industryOperator side
Operators are mainly banks todayTypical operator outsources
BillingNetwork planning / deployment / servicing
Operator just knows the closed equipment as shipped bymanufacturerVery few people at an operator have knowledge of theprotocol beyond whats needed for operations andmaintenance
Harald Welte OpenBSC network-side GSM stack
GSM/3G securityOpenBSC: Implementing GSM protocols
Security analysisSummary
The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols
The closed GSM industrySecurity implications
The security implications of the closed GSM industry are:Almost no people who have detailed technical knowledgeoutside the protocol stack or GSM network equipmentmanufacturersNo independent research on protocol-level security
If theres security research at all, then only theoretical (likethe A5/2 and A5/1 cryptanalysis)Or on application level (e.g. mobile malware)
No open source protocol implementationswhich are key for making more people learn about theprotocolswhich enable quick prototyping/testing by modifying existingcode
Harald Welte OpenBSC network-side GSM stack
GSM/3G securityOpenBSC: Implementing GSM protocols
Security analysisSummary
The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols
Security analysis of GSMHow would you get started?
If you were to start with GSM protocol level security analysis,where and how would you start?
On the handset side?Difficult since GSM firmware and protocol stacks are closedand proprietaryEven if you want to write your own protocol stack, the layer1 hardware and signal processing is closed andundocumented, tooKnown attempts
The TSM30 project as part of the THC GSM projectmados, an alternative OS for Nokia DTC3 phones
none of those projects successful so far
Harald Welte OpenBSC network-side GSM stack
GSM/3G securityOpenBSC: Implementing GSM protocols
Security analysisSummary
The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols
Security analysis of GSMHow would you get started?
If you were to start with GSM protocol level security analysis,where and how would you start?
On the network side?Difficult since equipment is not easily available andnormally extremely expensiveHowever, network is very modular and has manystandardized/documented interfacesThus, if equipment is available, much easier/faster progress
Harald Welte OpenBSC network-side GSM stack
GSM/3G securityOpenBSC: Implementing GSM protocols
Security analysisSummary
The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols
Security analysis of GSMThe bootstrapping process
Read GSM specs day and night (> 1000 PDF documents)Gradually grow knowledge about the protocolsObtain actual GSM network equipment (BTS)Try to get actual protocol traces as examplesStart a complete protocol stack implementation fromscratchFinally, go and play with GSM protocol security
Harald Welte OpenBSC network-side GSM stack
GSM/3G securityOpenBSC: Implementing GSM protocols
Security analysisSummary
The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols
The GSM network
Harald Welte OpenBSC network-side GSM stack
GSM/3G securityOpenBSC: Implementing GSM protocols
Security analysisSummary
The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols
GSM network components
The BSS (Base Station Subsystem)MS (Mobile Station): Your phoneBTS (Base Transceiver Station): The cell towerBSC (Base Station Controller): Controlling up to hundredsof BTS
The NSS (Network Sub System)MSC (Mobile Switching Center): The central switchHLR (Home Location Register): Database of subscribersAUC (Authentication Center): Database of authenticationkeysVLR (Visitor Location Register): For roaming usersEIR (Equipment Identity Register): To block stolen phones
Harald Welte OpenBSC network-side GSM stack
GSM/3G securityOpenBSC: Implementing GSM protocols
Security analysisSummary
The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols
GSM network interfaces
Um: Interface between MS and BTSthe only interface that is specified over radio
A-bis: Interface between BTS and BSCA: Interface between BSC and MSCB: Interface between MSC and other MSC
GSM networks are a prime example of an asymmetricdistributed network, very different from the end-to-endtransparent IP network.
Harald Welte OpenBSC network-side GSM stack
GSM/3G securityOpenBSC: Implementing GSM protocols
Security analysisSummary
The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols
GSM network protocolsOn the Um interface
Layer 1: Radio Layer, TS 04.04Layer 2: LAPDm, TS 04.06Layer 3: Radio Resource, Mobility Management, CallControl: TS 04.08Layer 4+: for USSD, SMS, LCS, ...
Harald Welte OpenBSC network-side GSM stack
GSM/3G securityOpenBSC: Implementing GSM protocols
Security analysisSummary
The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols
GSM network protocolsOn the A-bis interface
Layer 1: Typically E1 line, TS 08.54Layer 2: A variant of ISDN LAPD with fixed TEIs, TS 08.56Layer 3: OML (Organization and Maintenance Layer, TS12.21)Layer 3: RSL (Radio Signalling Link, TS 08.58)Layer 4+: transparent messages that are sent to the MSvia Um
Harald Welte OpenBSC network-side GSM stack
GSM/3G securityOpenBSC: Implementing GSM protocols
Security analysisSummary
Getting startedOpenBSC software architectureCode Reuse
Implementing GSM protocolsHow I got started!
In September 2008, we were first able to make the BTSactive and see it on a phone
This is GSM900 BTS with 2 TRX at 2W output power (each)A 48kg monster with attached antenna200W power consumption, passive coolingE1 physical interface
I didnt have much time at the time (day job at Openmoko)Started to read up on GSM specs whenever I couldBought a HFC-E1 based PCI E1 controller, has mISDNkernel supportFound somebody in t