Published by Emerson Noye. Modified over 9 years ago.
Slide 1: GSM cracking
● Introduction
Slide 2: GSM cracking - Scope of this lecture
● A (very) brief tour of GSM
● The cryptography
● How it's possible to crack it
● What's required
● A demonstration
● Summary
Slide 3: GSM basics
● Infrastructure
● Protocols
Slide 4: GSM acronym soup
● SIM
● MS, BTS, BSC
● ARFCN
● MSISDN
● IMSI & TMSI
● FDMA, TDMA, bursts
Slide 5: Cryptography
● Ki is the shared secret - held on the SIM and in the network HLR
● A3 authentication algorithm (Ki + RAND → SRES)
● A8 key generation algorithm (Ki + RAND → Kc)
● A5 encryption algorithm to protect the 'air' interface MS ↔ BTS
● The SIM contains the IMSI, Ki, and the A3 and A8 algorithms
● 64-bit session key - the Kc
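The slide lists the pieces but not how they fit together. The following is an added example, not code from the presentation or from any GSM implementation, that walks through one authentication run with both sides' messages: the network (HLR/AuC) issues a RAND, the SIM answers with SRES = A3(Ki, RAND), and both ends derive Kc = A8(Ki, RAND) without Kc ever crossing the air interface. The real A3/A8 are operator-specific, so `a3_stub` and `a8_stub` here are HMAC-SHA256 stand-ins (an assumption made only to show the data flow), and the IMSI and Ki are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample values (not real subscriber data): a 128-bit Ki as
# stored on the SIM and in the HLR/AuC, and a hypothetical IMSI for MCC 204 / MNC 04.
IMSI_SAMPLE = "204040000000001"
KI_SAMPLE = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def a3_stub(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: Ki + RAND -> 32-bit SRES.
    Real A3 is operator-specific; HMAC-SHA256 truncated to 4 bytes is an
    assumption used only to show the data flow."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8_stub(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: Ki + RAND -> 64-bit Kc (8 bytes), same caveat as a3_stub."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class Sim:
    """The SIM: holds IMSI and Ki, runs A3/A8, never reveals Ki."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3_stub(self._ki, rand), a8_stub(self._ki, rand)


class AuthCentre:
    """HLR/AuC side: holds the same Ki per IMSI and issues (RAND, SRES, Kc) triplets."""

    def __init__(self) -> None:
        self._hlr: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._hlr[imsi] = ki

    def triplet(self, imsi: str, rand: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
        rand = rand if rand is not None else os.urandom(16)  # 128-bit challenge
        ki = self._hlr[imsi]
        return rand, a3_stub(ki, rand), a8_stub(ki, rand)


def run_authentication(sim: Sim, auc: AuthCentre, rand: Optional[bytes] = None):
    """One GSM authentication run. Returns (accepted, Kc on the MS side or None)."""
    rand, expected_sres, kc_network = auc.triplet(sim.imsi, rand)  # network -> MS: RAND
    sres, kc_mobile = sim.respond(rand)                              # MS -> network: SRES
    accepted = hmac.compare_digest(sres, expected_sres)
    # Kc itself never crosses the air interface; both ends derive it from Ki and RAND.
    assert not accepted or kc_mobile == kc_network
    return accepted, (kc_mobile if accepted else None)


def demo(rand: bytes = bytes(range(16, 32))):
    """Genuine SIM versus a SIM holding the wrong Ki, with a fixed RAND for repeatability."""
    auc = AuthCentre()
    auc.provision(IMSI_SAMPLE, KI_SAMPLE)
    genuine = run_authentication(Sim(IMSI_SAMPLE, KI_SAMPLE), auc, rand)
    wrong_ki = run_authentication(Sim(IMSI_SAMPLE, bytes(16)), auc, rand)
    return genuine, wrong_ki


if __name__ == "__main__":
    print(demo())
```

Two things the run makes visible: only the SIM proves knowledge of Ki (the network is never authenticated to the mobile), and the Kc that comes out is 8 bytes, the 64-bit key length the next slide's rainbow-table point refers to.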
Slide 6: How it's possible to crack it - A5/1 stream cipher weaknesses
● Length of the key - rainbow tables can be precomputed
● Predictability - known plaintext
Slide 7: How easy is it to crack?
“… the GSM call has to be identified and recorded from the radio interface. […] we strongly suspect the team developing the intercept approach has underestimated its practical complexity. A hacker would need a radio receiver system and the signal processing software necessary to process the raw radio data.” – GSMA, Aug. '09
Slide 8: The cracking time-line - How easy is it to crack in the real world?
● 2009, 26C3: “GSM SRSLY?” - Karsten Nohl & Chris Paget http://www.youtube.com/watch?v=9K4EDAF5OlM
● 2010, 27C3: “Wideband GSM sniffing” - Karsten Nohl, Sylvain Munaut http://www.youtube.com/watch?v=ZrbatnnRxFc
● 2010: osmocomBB development
● 2011: optimized rainbow tables available
Slide 9: What's required - (GSM knowledge), tools, programming
● OsmocomBB: Open Source MObile COMmunications - BaseBand
  “OsmocomBB implements the GSM protocol stack's three lowest OSI Layers of the client side GSM protocol and device drivers. The protocol layers forming the kernel exist on the baseband processor, typically consisting of an ARM processor and a digital signal processor.” (Wikipedia)
  Building on the work done on OpenBSC (libosmocore), using the available datasheets of the 'Calypso' chipset.
● A cracking server (“Kraken”) with downloaded rainbow tables
● Programming the “missing link” tools
Slide 10: osmocomBB components
● osmocon, binary firmware, mobile, other apps
Project branches:
● 'testing', 'gsmmap', 'burst_ind'
Slide 11: Demo - the cracking stages
● Information gathering
● Identifying targets and networks
● Sniffing bursts (Vodafone 0615 082 728) (T-Mobile 0648 312 976)
● Session key cracking
● Data reassembly
Slide 12: Current state
● Cracking with RTL-SDR (Software Defined Radio)
  http://domonkos.tomcsanyi.net/
  http://www.rtl-sdr.com/rtl-sdr-tutorial-analyzing-gsm-with-airprobe-and-wireshark/
● The public release of code & tools?
● Hackvision MatrixX (?)
Slide 13: Summary
● How and why GSM is vulnerable
● Knowledge, tools and programming needed to crack it
● Precomputed rainbow lookup tables
● Hardware
● Risk and mitigation for users
● Risk and mitigation for network operators
Slide 14
● Questions?
Slide 15: gsmmap output example
Cell ID: 204_4_002A_1164 cell_log.c:248 Cell: ARFCN=29 PWR=-63dB MCC=204 MNC=04 (Netherlands, Vodafone)
Cell ID: 204_16_015E_0D26 cell_log.c:248 Cell: ARFCN=1004 PWR=-59dB MCC=204 MNC=16 (Netherlands, T-Mobile)
Cell ID: 204_8_1190_C6F3 cell_log.c:248 Cell: ARFCN=8 PWR=-83dB MCC=204 MNC=08 (Netherlands, KPN)
Cell ID: 204_21_0001_48C7 cell_log.c:248 Cell: ARFCN=968 PWR=-82dB MCC=204 MNC=21 (Netherlands, NS Railinfrabeheer B.V.)
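The gsmmap lines above are the raw form in which the information-gathering stage arrives, and they are worth turning into structured records before anything else is done with them. The parser below is an added example, not part of the presentation or of the osmocomBB project: it splits each line into MCC, MNC, LAC and cell ID (the four fields of the `Cell ID` token, the last two in hex), ARFCN, received power and operator, and classifies the ARFCN into its GSM band using the standard ARFCN ranges (P-GSM 1-124, E-GSM 0 and 975-1023, R-GSM 955-974, DCS 1800 512-885). The four sample lines are copied from the slide; the `cell_log.c:248` field and the line layout are assumed to be fixed for this osmocomBB output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample input: the four lines from the slide, kept verbatim.
SAMPLE_LOG = """\
Cell ID: 204_4_002A_1164 cell_log.c:248 Cell: ARFCN=29 PWR=-63dB MCC=204 MNC=04 (Netherlands, Vodafone)
Cell ID: 204_16_015E_0D26 cell_log.c:248 Cell: ARFCN=1004 PWR=-59dB MCC=204 MNC=16 (Netherlands, T-Mobile)
Cell ID: 204_8_1190_C6F3 cell_log.c:248 Cell: ARFCN=8 PWR=-83dB MCC=204 MNC=08 (Netherlands, KPN)
Cell ID: 204_21_0001_48C7 cell_log.c:248 Cell: ARFCN=968 PWR=-82dB MCC=204 MNC=21 (Netherlands, NS Railinfrabeheer B.V.)
"""

# Assumed layout: "Cell ID: MCC_MNC_LAC_CI cell_log.c:<line> Cell: ARFCN=.. PWR=..dB MCC=.. MNC=.. (Country, Operator)"
LINE_RE = re.compile(
    r"Cell ID: (?P<mcc>\d+)_(?P<mnc>\d+)_(?P<lac>[0-9A-Fa-f]+)_(?P<ci>[0-9A-Fa-f]+)"
    r"\s+cell_log\.c:\d+\s+Cell:\s+ARFCN=(?P<arfcn>\d+)\s+PWR=(?P<pwr>-?\d+)dB"
    r"\s+MCC=\d+\s+MNC=\d+\s+\((?P<country>[^,]+),\s*(?P<operator>[^)]+)\)"
)


@dataclass
class Cell:
    mcc: int
    mnc: int
    lac: int        # location area code, parsed from hex
    ci: int         # cell identity, parsed from hex
    arfcn: int
    pwr_db: int     # received power in dB as reported
    country: str
    operator: str


def band_of(arfcn: int) -> str:
    """Map an ARFCN to its GSM band using the standard channel ranges."""
    if arfcn == 0 or 975 <= arfcn <= 1023:
        return "E-GSM 900"
    if 1 <= arfcn <= 124:
        return "P-GSM 900"
    if 955 <= arfcn <= 974:
        return "R-GSM 900"
    if 512 <= arfcn <= 885:
        return "DCS 1800"
    return "unknown"


def parse_gsmmap(text: str) -> List[Cell]:
    """Parse gsmmap cell_log lines into Cell records; lines that do not match are skipped."""
    cells: List[Cell] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        cells.append(Cell(
            mcc=int(m["mcc"]), mnc=int(m["mnc"]),
            lac=int(m["lac"], 16), ci=int(m["ci"], 16),
            arfcn=int(m["arfcn"]), pwr_db=int(m["pwr"]),
            country=m["country"].strip(), operator=m["operator"].strip(),
        ))
    return cells


def strongest_per_operator(cells: List[Cell]) -> Dict[Tuple[int, int], Cell]:
    """Best-received cell for each (MCC, MNC) pair."""
    best: Dict[Tuple[int, int], Cell] = {}
    for c in cells:
        key = (c.mcc, c.mnc)
        if key not in best or c.pwr_db > best[key].pwr_db:
            best[key] = c
    return best


if __name__ == "__main__":
    for c in parse_gsmmap(SAMPLE_LOG):
        print(f"{c.operator:28s} ARFCN {c.arfcn:4d} ({band_of(c.arfcn)}) "
              f"LAC 0x{c.lac:04X} CI 0x{c.ci:04X} {c.pwr_db} dB")
```

Run on the slide's own lines, the parser shows one detail the raw text hides: the NS Railinfrabeheer cell sits on ARFCN 968, in the R-GSM band reserved for railway (GSM-R) use, while the other three operators are on P-GSM or E-GSM channels. For a defender, a structured cell list like this is also the natural baseline to keep over time, since a cell ID or power level that was never seen before at a fixed location is the kind of change worth investigating.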