

GSM cracking ● Introduction

GSM cracking: Scope of this lecture
● A (very) brief tour of GSM
● The Cryptography
● How it's possible to crack it
● What's required
● A demonstration
● Summary

GSM basics
● Infrastructure
● Protocols

GSM acronym soup
● SIM
● MS, BTS, BSC
● ARFCN
● MSISDN
● IMSI & TMSI
● FDMA, TDMA, bursts

Cryptography
● Ki is the shared secret - held on the SIM and the network HLR
● A3 authentication algorithm (Ki + RAND → SRES)
● A8 key generation algorithm (Ki + RAND → Kc)
● A5 encryption algorithm to protect 'air' interface MS ↔ BTS
● SIM contains the IMSI, Ki, A3 and A8 algorithms
● 64-bit session key - the Kc
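
The challenge-response on the Cryptography slide, as an added example that is not part of the original slides: it runs one authentication between a SIM and the HLR and records what crosses the air interface. Assumptions: HMAC-SHA256 stands in for A3/A8 (it is not the algorithm real SIMs run), the class and function names are hypothetical, and the Ki and IMSI values are constructed; the 128-bit Ki/RAND and 32-bit SRES sizes are the standard GSM ones.

```python
import hashlib
import hmac
import secrets

def a3_a8(ki, rand):
    """Stand-in for the SIM's A3/A8 (HMAC-SHA256, not the real algorithms).
    Returns (SRES, Kc): a 32-bit response and the 64-bit session key."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class Sim:
    """Holds IMSI and Ki; Ki is used internally and never returned."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand):
        return a3_a8(self._ki, rand)

class Hlr:
    """Network side: the only other place Ki is stored."""
    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi, ki):
        self._ki_by_imsi[imsi] = ki

    def challenge(self, imsi):
        rand = secrets.token_bytes(16)  # fresh 128-bit RAND per attempt
        sres, kc = a3_a8(self._ki_by_imsi[imsi], rand)
        return rand, sres, kc           # expected SRES and Kc stay in the network

def authenticate(sim, hlr):
    """Run one challenge-response; return (accepted, kc_sim, kc_net, air)."""
    air = [("MS->BTS", "IMSI", sim.imsi.encode())]
    rand, expected_sres, kc_net = hlr.challenge(sim.imsi)
    air.append(("BTS->MS", "RAND", rand))
    sres, kc_sim = sim.respond(rand)
    air.append(("MS->BTS", "SRES", sres))
    accepted = hmac.compare_digest(sres, expected_sres)
    return accepted, kc_sim, kc_net, air

if __name__ == "__main__":
    ki = secrets.token_bytes(16)          # constructed 128-bit Ki
    hlr = Hlr()
    hlr.provision("001010000000001", ki)  # constructed test IMSI
    ok, kc_sim, kc_net, air = authenticate(Sim("001010000000001", ki), hlr)
    for direction, name, value in air:
        print(direction, name, value.decode() if name == "IMSI" else value.hex())
    print("accepted:", ok, "| Kc matches:", kc_sim == kc_net, "| Kc bits:", len(kc_sim) * 8)
```

Only IMSI, RAND and SRES appear in the recorded exchange; Ki and Kc are computed on each side and never sent.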

How it's possible to crack it
A5/1 stream cipher weaknesses:
● Length of the key - can create rainbow tables
● Predictability - known plain-text

How easy is it to crack?
“… the GSM call has to be identified and recorded from the radio interface. […] we strongly suspect the team developing the intercept approach has underestimated its practical complexity. A hacker would need a radio receiver system and the signal processing software necessary to process the raw radio data.”
– GSMA, Aug. '09

The cracking time-line
How easy is it to crack in the real world?
● C3 “GSM SRSLY?” - Karsten Nohl & Chris Paget
● C3 “Wideband GSM sniffing” - Karsten Nohl, Sylvain Munaut
● 2010 osmocomBB development
● 2011 optimized rainbow tables available

What's required
(GSM knowledge), tools, programming:
● OsmocomBB: Open Source MObile COMmunications – BaseBand
  “OsmocomBB implements the GSM protocol stack's three lowest OSI Layers of the client side GSM protocol and device drivers. The protocol layers forming the kernel exist on the baseband processor, typically consisting of an ARM processor and a digital signal processor.” (Wikipedia)
  Building on the work done on OpenBSC (libosmocore), using available datasheets of the 'Calypso' chipset.
● A cracking server (“Kraken”) with downloaded Rainbow Tables
● Programming the “missing link” tools

osmocomBB components
● osmocon, binary firmware, mobile, other apps
Project branches:
● 'testing', 'gsmmap', 'burst_ind'

Demo - the cracking stages
● Information gathering
● Identifying targets and networks
● Sniffing bursts (Vodafone) (T-Mobile)
● Session key cracking
● Data reassembly

Current state
● Cracking with RTL-SDR (Software Defined Radio) and-wireshark/
● The public release of code & tools?
● Hackvision MatrixX (?)

Summary
● How and why GSM is vulnerable
● Knowledge, Tools, Programming to crack it
● Precomputed rainbow lookup tables
● Hardware
● Risk and mitigation for Users
● Risk and mitigation for Network Operators

● Questions?

gsmmap output example
Cell ID: 204_4_002A_1164
cell_log.c:248 Cell: ARFCN=29 PWR=-63dB MCC=204 MNC=04 (Netherlands, Vodafone)
Cell ID: 204_16_015E_0D26
cell_log.c:248 Cell: ARFCN=1004 PWR=-59dB MCC=204 MNC=16 (Netherlands, T-Mobile)
Cell ID: 204_8_1190_C6F3
cell_log.c:248 Cell: ARFCN=8 PWR=-83dB MCC=204 MNC=08 (Netherlands, KPN)
Cell ID: 204_21_0001_48C7
cell_log.c:248 Cell: ARFCN=968 PWR=-82dB MCC=204 MNC=21 (Netherlands, NS Railinfrabeheer B.V.)
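
A parser for the cell log shown above, as an added example that is not part of the original slides or of the gsmmap code: it turns each record into a dict, checks that the MCC/MNC in the Cell ID agree with the decoded values, and sorts by signal strength. The sample text is the four cells from the slide; the function and field names are hypothetical, and reading the last two Cell ID fields as hexadecimal LAC and cell identity is an assumption.

```python
import re

# One record = a "Cell ID:" entry followed by a "<file>:<line> Cell:" entry.
RECORD = re.compile(
    r"Cell ID: (\d+)_(\d+)_([0-9A-Fa-f]+)_([0-9A-Fa-f]+)\s+"
    r"\S+ Cell: ARFCN=(\d+) PWR=(-?\d+)dB MCC=(\d+) MNC=(\d+) "
    r"\(([^,()]+), ([^()]+)\)"
)

# The four cells from the slide, verbatim.
SAMPLE = """\
Cell ID: 204_4_002A_1164
cell_log.c:248 Cell: ARFCN=29 PWR=-63dB MCC=204 MNC=04 (Netherlands, Vodafone)
Cell ID: 204_16_015E_0D26
cell_log.c:248 Cell: ARFCN=1004 PWR=-59dB MCC=204 MNC=16 (Netherlands, T-Mobile)
Cell ID: 204_8_1190_C6F3
cell_log.c:248 Cell: ARFCN=8 PWR=-83dB MCC=204 MNC=08 (Netherlands, KPN)
Cell ID: 204_21_0001_48C7
cell_log.c:248 Cell: ARFCN=968 PWR=-82dB MCC=204 MNC=21 (Netherlands, NS Railinfrabeheer B.V.)
"""

def parse_cell_log(text):
    """Return one dict per cell, strongest signal first."""
    cells = []
    for m in RECORD.finditer(text):
        id_mcc, id_mnc, lac, cid, arfcn, pwr, mcc, mnc, country, operator = m.groups()
        cells.append({
            "arfcn": int(arfcn),
            "pwr_db": int(pwr),
            "mcc": int(mcc),
            "mnc": int(mnc),
            "country": country,
            "operator": operator,
            # Assumption: the last two Cell ID fields are LAC and cell identity in hex.
            "lac": int(lac, 16),
            "cell_identity": int(cid, 16),
            # The Cell ID prefix should repeat the MCC/MNC decoded after it.
            "id_matches": (int(id_mcc), int(id_mnc)) == (int(mcc), int(mnc)),
        })
    return sorted(cells, key=lambda c: c["pwr_db"], reverse=True)

if __name__ == "__main__":
    for c in parse_cell_log(SAMPLE):
        print(c["pwr_db"], c["arfcn"], c["operator"], "ok" if c["id_matches"] else "MISMATCH")
```

The pattern also matches the log when it has been flattened onto a single line, since the separator between the two parts of a record is any whitespace.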