gsm security 101 by sushil singh and dheeraj verma
TRANSCRIPT
GSM SECURITY 101 AN OVERVIEW OF ITS SECURITY
AGENDA
Brief introduction to GSM
GSM Architecture
Attacks and Threats on GSM networks
Types of Attacks against Mobile Networks
Third generation and evolution
GSM: INTRODUCTION
GSM is the most widely used cellular standard
Over 3.6 billion users, mostly in Europe and Asia
Based on TDMA radio access and PCM trunking
Use SS7 signaling with mobile-specific extensions
Provides authentication and encryption capabilities
Today’s networks are 2G evolving to 2.5G
Third generation (3G) and future (4G)
GSM ARCHITECTURE
GSM DATA
Initially designed to carry voice traffic
Data connections initially 9600 bps
No need for modems as there is a digital path from MS to MSC
Enhanced rates up to 14.4 kbps
GPRS provides speeds up to 150 kbps
UMTS (3G) promises permanent connections with up to 2 Mbps transfer rate
AUTHENTICATION
The authentication procedure checks the validity of the subscriber’s SIM card and then decides whether the mobile
station is allowed on a particular network. The network authenticates the subscriber through the use of a challenge-
response method.
GSM ALGORITHMS
A consequence of international roaming is the exchange of information between providers in different countries. All countries have strict regulations against the export of encryption algorithms and thus GSM works around it. When a user tries to use his phone in say another country, the local networks request the HLR of the subscriber’s home network for the RAND, SRES and KC which is sufficient for authentication and encrypting data. Thus the local network does not need to know anything about the A3 or A8 algorithms stored in the SIM.
Authentication Algorithm A3 – It is operator-dependent and is an operator option. The A3 algorithm is a one-way function. That means it is easy to compute the output parameter SRES by using the A3 algorithm but very complex to retrieve the input parameters (RAND and KI) from the output parameter. Remember the key to GSM’s security is keeping KI unknown. While it may sound odd that each operator may choose to use A3 independently, it was necessary to cover the case of international roaming.
Ciphering Algorithm A5 – Currently, there exists several implementations of this algorithm though the most commonly used ones are A5/0, A5/1 and A5/2. The reason for the different implementations is due to export restrictions of encryption technologies. A5/1 is the strongest version and is used widely in Western Europe and America, while the A5/2 is commonly used in Asia. Countries under UN Sanctions and certain third world countries use the A5/0, which comes with no encryption.
Ciphering Key Generating Algorithm A8 – It is operator-dependent. In most providers the A3 and A8 algorithms are combined into a single hash function known as COMP128. The COMP128 creates KC and SRES, in a single instance.
ATTACKS AND THREATS ON GSM NETWORKS
LOW-TECH FRAUD
Call forwarding to premium rate numbers
Bogus registration details
Roaming fraud
Terminal theft
Multiple forwarding, conference calls
COUNTERMEASURES FOR LOW-TECH FRAUD
Fraud Management systems look for:
Multiple calls at the same time,
Large variations in revenue being paid to other parties,
Large variations in the duration of calls, such as very short or long calls,
Changes in customer usage, perhaps indicating that a mobile has been stolen or is being abused,
Monitor the usage of a customer closely during a 'probationary period'
ATTACKS ON GSM NETWORKS
Eavesdropping. This is the capability that the intruder eavesdrops signalling and data connections
associated with other users. The required equipment is a modified MS.
Impersonation of a user. This is the capability whereby the intruder sends signalling and/or user data to
the network, in an attempt to make the network believe they originate from the target user. The required
equipment is again a modified MS.
Impersonation of the network. This is the capability whereby the intruder sends signalling and/or user
data to the target user, in an attempt to make the target user believe they originate from a genuine
network. The required equipment is modified BTS.
ATTACKS ON GSM NETWORKS
Man-in-the-middle. This is the capability whereby the intruder puts itself in between the target user and a
genuine network and has the ability to eavesdrop, modify, delete, re-order, replay, and spoof signalling and
user data messages exchanged between the two parties. The required equipment is modified BTS in
conjunction with a modified MS.
Compromising authentication vectors in the network. The intruder possesses a compromised
authentication vector, which may include challenge/response pairs, cipher keys and integrity keys. This data
may have been obtained by compromising network nodes or by intercepting signalling messages on network
links.
DE-REGISTRATION SPOOFING
An attack that requires a modified MS and exploits the weakness that the network cannot authenticate the
messages it receives over the radio interface.
The intruder spoofs a de-registration request (IMSI detach) to the network.
The network de-registers the user from the visited location area and instructs the HLR to do the same. The
user is subsequently unreachable for mobile terminated services.
3G: Integrity protection of critical signalling messages protects against this attack. More specifically, data
authentication and replay inhibition of the de-registration request allows the serving network to verify that
the de-registration request is legitimate.
LOCATION UPDATE SPOOFING
An attack that requires a modified MS and exploits the weakness that the network cannot authenticate the
messages it receives over the radio interface.
The user spoofs a location update request in a different location area from the one in which the user is
roaming.
The network registers in the new location area and the target user will be paged in that new area.
The user is subsequently unreachable for mobile terminated services.
3G: Integrity protection of critical signalling messages protects against this attack. More specifically, data
authentication and replay inhibition of the location update request allows the serving network to verify that
the location update request is legitimate.
CAMPING ON A FALSE BTS
An attack that requires a modified BTS and exploits the weakness that a user can be enticed to camp on a
false base station.
Once the target user camps on the radio channels of a false base station, the target user is out of reach of
the paging signals of the serving network in which he is registered.
3G: The security architecture does not counteract this attack. However, the denial of service in this case
only persists for as long as the attacker is active unlike the above attacks which persist beyond the moment
where intervention by the attacker stops. These attacks are comparable to radio jamming which is very
difficult to counteract effectively in any radio system.
CAMPING ON FALSE BTS/MS
An attack that requires a modified BTS/MS and exploits the weakness that a user can be enticed to camp on a false base station.
A false BTS/MS can act as a repeater for some time and can relay some requests in between the network and the target user, but subsequently modify or ignore certain service requests and/or paging messages related to the target user.
3G: The security architecture does not prevent a false BTS/MS relaying messages between the network and the target user, neither does it prevent the false BTS/MS ignoring certain service requests and/or paging requests.
Integrity protection of critical message may however help to prevent some denial of service attacks, which are induced by modifying certain messages.
FAKE BTS
• IMSI catcher by Law Enforcement
• Intercept mobile originated calls
• Can be used for over-the-air cloning
TYPES OF ATTACKS AGAINST MOBILE NETWORKS
SECURING THE MOBILE NETWORK
GSM SECURITY
As all cellular communications are sent over the air interface, it is less secure than a wired network, as it opens the
door to eavesdroppers with appropriate receivers. Several security functions were built into GSM to safeguard
subscriber privacy. These include:
Authentication of the registered subscribers only
Secure data transfer through the use of encryption
Subscriber identity protection
Mobile phones are inoperable without a SIM
Duplicate SIMs are not allowed on the network
Securely stored KI
SECURITY BY OBSCURITY
In April 1998, the Smartcard Developer Association (SDA) together with two U.C. Berkeley researchers claimed to have cracked the COMP128 algorithm stored on the SIM. By sending large number of challenges to the authorization module, they were able to deduce the KI within several hours. They also discovered that KC uses only 54 bits of the 64 bits. The remaining 10 bits are replaced by zeros, which makes the cipher key purposefully weaker.
The GSM Alliance responded to the incident, stating even if a SIM could be cloned it would serve no purpose, as the GSM network would only allow only one call from any phone number at any one time. GSM networks are also capable of detecting and shutting down duplicate SIM codes found on multiple phones
In August 1999, an American group of researchers claimed to have cracked the weaker A5/2 algorithm commonly used in Asia, using a single PC within seconds.
In December 1999, two leading Israeli cryptographers claimed to have cracked the strong A5/1 algorithm responsible for encrypting conversations. They admit the version they cracked may not be the exact version used in GSM handsets, as GSM operators are allowed to make small modifications to the GSM algorithms. The researchers used a digital scanner and a high end PC to crack the code. Within two minutes of intercepting a call with a digital scanner, the researchers were able to listen to the conversation.
The GSM Alliance of North America has claimed that none of its members use the A5/1 algorithm, opting for more recently developed algorithms.
THIRD GENERATION WIRELESS
Evolution from existing European and US digital cellular systems (W-CDMA, CDMA2000, UMTS).
Promises broadband multimedia on everyone’s handset and a multitude of related services.
Spectrum up for auctions in many countries, put many operators in financial debt.
Delays in 3G rollouts cast doubt over its success. Some talk about jumping to 4G directly.
THE GPRS NETWORK INFRASTRUCTURE
3G SECURITY MODEL
Network access security (I): the set of security features that provide users with secure access to 3G services,
and which in particular protect against attacks on the (radio) access link;
Network domain security (II): the set of security features that enable nodes in the provider domain to securely
exchange signalling data, and protect against attacks on the wireline network;
User domain security (III): the set of security features that secure access to mobile stations
Application domain security (IV): the set of security features that enable applications in the user and in the
provider domain to securely exchange messages.
Visibility and configurability of security (V): the set of features that enables the user to inform himself
whether a security feature is in operation or not and whether the use and provision of services should depend on
the security feature.
3G VS. GSM
A change was made to defeat the false base station attack. The security mechanisms include a sequence
number that ensures that the mobile can identify the network.
Key lengths were increased to allow for the possibility of stronger algorithms for encryption and integrity.
Mechanisms were included to support security within and between networks.
Security is based within the switch rather than the base station as in GSM. Therefore links are protected
between the base station and switch.
Integrity mechanisms for the terminal identity (IMEI) have been designed in from the start, rather than that
introduced late into GSM.
3G VS. GSM
GSM authentication vector: temporary authentication data that enables an VLR/SGSN to
engage in GSM AKA with a particular user. A triplet consists of three elements: a) a network
challenge RAND, b) an expected user response SRES and c) a cipher key Kc.
UMTS authentication vector: temporary authentication data that enables an VLR/SGSN to
engage in UMTS AKA with a particular user. A quintet consists of five elements: a) a network
challenge RAND, b) an expected user response XRES, c) a cipher key CK, d) an integrity key IK and e)
a network authentication token AUTN.
GSM AND GPRS SECURITY
The main function of a GSM/GPRS network is to support and facilitate the transmission of information, whether it is voice or non-voice. Similar to any form of information transmission, there exists associated information security risks. When information is transmitted across a GSM/GPRS network, security measures must be taken to protect the information from unauthorized access. The type of information that must be protected on a GSM/GPRS network includes the following:
User Data – This is either voice or non-voice data sent or received by users registered on a GSM/GPRS network.
Charging Information – Information collected from the SGSN and GGSN used to bill for non-voice services.
Subscriber Information – This information is stored in the mobile station, the HLR and the VLR. This is customer specific information for subscribers and roaming users.
Technical Information of the GSM/GPRS Network – This information describes and lays out the GSM/GPRS network architecture and configuration.
EVOLUTION OF GPRS
ADVANTAGES OF LTE
QUESTIONS ?