diff options
author | Harald Welte <laforge@gnumonks.org> | 2015-10-25 21:00:20 +0100 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2015-10-25 21:00:20 +0100 |
commit | fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 (patch) | |
tree | a2011270df48d3501892ac1a56015c8be57e8a7d /2013/gsmsec-tpe2013 |
import of old now defunct presentation slides svn repo
Diffstat (limited to '2013/gsmsec-tpe2013')
-rw-r--r-- | 2013/gsmsec-tpe2013/BTSGEO.pdf | bin | 0 -> 259682 bytes | |||
-rw-r--r-- | 2013/gsmsec-tpe2013/DatongDX300.pdf | bin | 0 -> 171923 bytes | |||
-rw-r--r-- | 2013/gsmsec-tpe2013/Intellijam.pdf | bin | 0 -> 72153 bytes | |||
-rw-r--r-- | 2013/gsmsec-tpe2013/LadderLU.pdf | bin | 0 -> 68485 bytes | |||
-rw-r--r-- | 2013/gsmsec-tpe2013/MRTBTS.pdf | bin | 0 -> 182414 bytes | |||
-rw-r--r-- | 2013/gsmsec-tpe2013/VBTSFigure.pdf | bin | 0 -> 20956 bytes | |||
-rw-r--r-- | 2013/gsmsec-tpe2013/bladox-turbosim.jpg | bin | 0 -> 8304 bytes | |||
-rw-r--r-- | 2013/gsmsec-tpe2013/gsm_network.png | bin | 0 -> 57000 bytes | |||
-rw-r--r-- | 2013/gsmsec-tpe2013/gsmsec.pdf | bin | 0 -> 1406597 bytes | |||
-rw-r--r-- | 2013/gsmsec-tpe2013/gsmsec.snm | 0 | ||||
-rw-r--r-- | 2013/gsmsec-tpe2013/gsmsec.tex | 1072 | ||||
-rw-r--r-- | 2013/gsmsec-tpe2013/nohl-slides-14.pdf | bin | 0 -> 1521871 bytes | |||
-rw-r--r-- | 2013/gsmsec-tpe2013/rebelsim2.jpg | bin | 0 -> 35929 bytes | |||
-rw-r--r-- | 2013/gsmsec-tpe2013/simtrace_and_phone.jpg | bin | 0 -> 71804 bytes |
14 files changed, 1072 insertions, 0 deletions
diff --git a/2013/gsmsec-tpe2013/BTSGEO.pdf b/2013/gsmsec-tpe2013/BTSGEO.pdf Binary files differnew file mode 100644 index 0000000..97a7fbe --- /dev/null +++ b/2013/gsmsec-tpe2013/BTSGEO.pdf diff --git a/2013/gsmsec-tpe2013/DatongDX300.pdf b/2013/gsmsec-tpe2013/DatongDX300.pdf Binary files differnew file mode 100644 index 0000000..13f581c --- /dev/null +++ b/2013/gsmsec-tpe2013/DatongDX300.pdf diff --git a/2013/gsmsec-tpe2013/Intellijam.pdf b/2013/gsmsec-tpe2013/Intellijam.pdf Binary files differnew file mode 100644 index 0000000..551e886 --- /dev/null +++ b/2013/gsmsec-tpe2013/Intellijam.pdf diff --git a/2013/gsmsec-tpe2013/LadderLU.pdf b/2013/gsmsec-tpe2013/LadderLU.pdf Binary files differnew file mode 100644 index 0000000..e3f7894 --- /dev/null +++ b/2013/gsmsec-tpe2013/LadderLU.pdf diff --git a/2013/gsmsec-tpe2013/MRTBTS.pdf b/2013/gsmsec-tpe2013/MRTBTS.pdf Binary files differnew file mode 100644 index 0000000..296b2ab --- /dev/null +++ b/2013/gsmsec-tpe2013/MRTBTS.pdf diff --git a/2013/gsmsec-tpe2013/VBTSFigure.pdf b/2013/gsmsec-tpe2013/VBTSFigure.pdf Binary files differnew file mode 100644 index 0000000..f77fb1e --- /dev/null +++ b/2013/gsmsec-tpe2013/VBTSFigure.pdf diff --git a/2013/gsmsec-tpe2013/bladox-turbosim.jpg b/2013/gsmsec-tpe2013/bladox-turbosim.jpg Binary files differnew file mode 100644 index 0000000..02b6372 --- /dev/null +++ b/2013/gsmsec-tpe2013/bladox-turbosim.jpg diff --git a/2013/gsmsec-tpe2013/gsm_network.png b/2013/gsmsec-tpe2013/gsm_network.png Binary files differnew file mode 100644 index 0000000..c5f6399 --- /dev/null +++ b/2013/gsmsec-tpe2013/gsm_network.png diff --git a/2013/gsmsec-tpe2013/gsmsec.pdf b/2013/gsmsec-tpe2013/gsmsec.pdf Binary files differnew file mode 100644 index 0000000..7bf9672 --- /dev/null +++ b/2013/gsmsec-tpe2013/gsmsec.pdf diff --git a/2013/gsmsec-tpe2013/gsmsec.snm b/2013/gsmsec-tpe2013/gsmsec.snm new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/2013/gsmsec-tpe2013/gsmsec.snm diff --git a/2013/gsmsec-tpe2013/gsmsec.tex b/2013/gsmsec-tpe2013/gsmsec.tex new file mode 100644 index 0000000..ccd6c10 --- /dev/null +++ b/2013/gsmsec-tpe2013/gsmsec.tex @@ -0,0 +1,1072 @@ + +\documentclass{beamer} + +\mode<presentation> +{ + \usetheme{Warsaw} + % or ... + + \setbeamercovered{transparent} + % or whatever (possibly just delete it) +} + +\mode<handout>{ + \usepackage{handoutWithNotes} + \pgfpagesuselayout{2 on 1 with notes landscape}[a4paper,border shrink=5mm] + \usecolortheme{seahorse} +} + +% ensure the page number is printed in front of the author name in the footer +\newcommand*\oldmacro{} +\let\oldmacro\insertshortauthor% save previous definition +\renewcommand*\insertshortauthor{% + \leftskip=.3cm% before the author could be a plus1fill ... + \insertframenumber\,/\,\inserttotalframenumber\hfill\oldmacro} + +\usepackage[english]{babel} +\usepackage[latin1]{inputenc} +\usepackage{times} +\usepackage[T1]{fontenc} + +\usepackage{subfigure} +\usepackage{hyperref} +\usepackage{textcomp,listings} +%\usepackage{german} +\lstset{basicstyle=\scriptsize\ttfamily, upquote} + +\title{GSM Security Problems} + +%\subtitle{and other GSM related fun} + +\author{Harald~Welte} + +\institute{osmocom.org\\hmw-consulting.de\\sysmocom.de} + +% - Use the \inst command only if there are several affiliations. +% - Keep it simple, no one is interested in your street address. + +\date[Julyh 2013] % (optional, should be abbreviation of conference name) +{July 2013, TSC TIB, Taipei/TAIWAN} +% - Either use conference name or its abbreviation. +% - Not really informative to the audience, more for people (including +% yourself) who are reading the slides online + +\subject{GSM Security} +% This is only inserted into the PDF information catalog. Can be left +% out. + +\begin{document} + +\begin{frame} + \titlepage +\end{frame} + + +\section{Introduction} + + +\begin{frame}{About Harald Welte}{hwelte@hmw-consulting.de} +\begin{itemize} + \item Linux Kernel, bootloader, driver, firmware developmer since 1999 + \item IT security specialist, focus on network protocol security + \item Board-level Electrical Engineering + \item Interested in various protocols (RFID, DECT, GSM) + \item netfilter/iptables, OpenPCD, OpenMoko, librfid, OpenEZX + \item Main developer of OpenBSC project + \item Founder and key developer of OsmocomBB project + \item Co-founder of sysmocom - systems for mobile communications GmbH +\end{itemize} +\end{frame} + +\begin{frame}{About Osmocom.org}{Open Source MObile COMmunications} +\begin{itemize} + \item community-driven project to implement communcation systems + on protocol and/or radio level + \item many sub-projects, including + \begin{itemize} + \item OsmocomBB (telephone-side GSM stack) + \item OpenBSC (OsmoNITB, OsmoBSC, network-side GSM stack) + \item OsmoSGSN and OpenGGSN (network-side GPRS+EDGE) + \item OsmocomTETRA (TETRA PMR receiver/decoder) + \item OsmocomGMR (GMR satellite telephony decoder) + \item OsmocomDECT (DECT cordless telephony) + \item OsmocomSIMTRACE (SIM protocol tracer hardware) + \item OsmocomSDR (SDR receiver hardware) + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Legal Disclaimer} +\begin{itemize} + \item GSM operates in licensed spectrum + \item Operating any transmitter in the GSM frequency bands requires a license from the respective regulatory authority + \item Interference with commercial cellular operators is often a fellony and punishable as a crime + \item It is the users responsibility to configure OpenBSC and BTS equipment in a way that complies with the law +\end{itemize} +\end{frame} + +\begin{frame}{Legal Disclaimer} +\begin{itemize} +\item We are demonstrating normal GSM operations and security flaws using a private network and informed participants +\item By leaving your GSM handset turned on during this workshop, you consent to participate in these demonstrations +\item Nothing we do will damage your handset, but may cause temporary disruptions in service, unsolicited text messages or other annoyances +\item Not all of the software used to demonstrate security weaknesses is part of the normal OpenBTS or OpenBSC distributions +\end{itemize} +\end{frame} + +\begin{frame}{Information Sources} +\begin{itemize} + \item All information presented here is available form public sources + \item Most of the information presented here is readily derived from public specifications, \emph{if you actually take the time to read them} + \item Nothing presented here is subject to trade secret restrictions + \item Nothing presented here was received under a government security clearance agreement +\end{itemize} +\end{frame} + + + +\begin{frame}{Threat Models} +\begin{itemize} + \item GSM is a massively distributed network with many interfaces + \item Some interfaces are exposed completley public, others not + \item Attack vectors and threat models depend on who you are +\end{itemize} +\end{frame} + +\subsection{Security if you are an Operator} + +\begin{frame}{If you are an operator} +\begin{itemize} + \item The subscriber is a potential attacker + \begin{itemize} + \item may want to commit fraud + \item may want to DoS or otherwise impact your network + \item may be violating your terms of services (VoIP, SIMboxes) + \item SIM card cloning + \end{itemize} + \item A third party is a potential attacker + \begin{itemize} + \item only as much as a subscriber (see above) + \item SS7 based fraud (SMS spam, etc.) + \item eavesdropping on Um, Abis/microwave, SS7 etc. is +mostly to invide subscriber privacy. Not primarliy an operator concern! + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{Security if you are a Subscriber} + +\begin{frame}{If you are a subscriber} +\begin{itemize} + \item The operator is a potential threat + \begin{itemize} + \item detailed location profiles about subscriber + \item access to all plain-text communication + \item untrusted operator SIM card tied into your phone + \end{itemize} + \item A third party is a potential threat + \begin{itemize} + \item eavesdropping on the radio interface + \item eavesdropping on microwave back-haul + \item intelligence based on SS7 queries on the worldwide SS7 network + \item mobile malware on your phone, on your SIM + \end{itemize} + \item Governments are a potential threat + \begin{itemize} + \item access to all data (location, CDR) at the operator + \item actively performing air interface attacks (IMSI catcher, etc) + \item lawful intercept at the core network + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{Security if you are a Government} + +\begin{frame}{If you are a government} +\begin{itemize} + \item The operator is a potential threat + \begin{itemize} + \item mostly because operator has all CDRs, location +profiles and access to content of communication. An informant at the +operator could coopeate with foreign governments or criminal groups + \item security of the private operator affects your security + \item operator wants to maximize profits, not subscriber :security + \end{itemize} + \item Other governments are a potential threat + \begin{itemize} + \item eavesdropping on the air interface or microwave back-haul + \item active attacks on the air interface + \item mobile malware on phone or SIM cards + \item SS7 based intelligence (location, etc.) from worldwide SS7 network + \end{itemize} + \item Criminal organizations are a potential threat + \begin{itemize} + \item the same as {\em Other governments} above + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{The GSM network -- Overview} + +\begin{frame}{The GSM network} + \begin{figure}[h] + \centering + \includegraphics[width=100mm]{gsm_network.png} + \end{figure} +\end{frame} + +\begin{frame}{GSM network components} + \begin{itemize} + \item The BSS (Base Station Subsystem) + \begin{description}[BTS] + \item[MS] (Mobile Station): Your phone + \item[BTS] (Base Transceiver Station): The {\em cell tower} + \item[BSC] (Base Station Controller): Controlling up to hundreds of BTS + \end{description} + \item The NSS (Network Sub System) + \begin{description}[MSC] + \item[MSC] (Mobile Switching Center): The central switch + \item[HLR] (Home Location Register): Database of subscribers + \item[AUC] (Authentication Center): Database of authentication keys + \item[VLR] (Visitor Location Register): For roaming users + \item[EIR] (Equipment Identity Register): To block stolen phones + \end{description} + \end{itemize} +\end{frame} + + +\section{GSM security problems} + +\begin{frame}{Known GSM security problems}{Scientific papers, etc} +\begin{itemize} + \item No mutual authentication between phone and network + \begin{itemize} + \item leads to rogue network attacks + \item leads to man-in-the-middle attacks + \item is what enables IMSI-catchers + \end{itemize} + \item Weak encryption algorithms + \item Encryption is optional, user never knows when it's active or not + \item DoS of the RACH by means of channel request flooding + \item RRLP (Radio Resource Location Protocol) + \begin{itemize} + \item the network can obtain GPS fix or even raw GPS data from the phone + \item combine that with the network not needing to authenticate itself + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{The Baseband} + +\begin{frame}{Known GSM security problems}{The Baseband side} +\begin{itemize} + \item GSM protocol stack always runs in a so-called baseband processor (BP) + \item What is the baseband processor + \begin{itemize} + \item Typically ARM7 (2G/2.5G phones) or ARM9 (3G/3.5G phones) + \begin{itemize} + \item Runs some RTOS (often Nucleus, sometimes L4) + \item No memory protection between tasks + \end{itemize} + \item Some kind of DSP, model depends on vendor + \begin{itemize} + \item Runs the digital signal processing for the RF Layer 1 + \item Has hardware peripherals for A5 encryption + \end{itemize} + \end{itemize} + \item The software stack on the baseband processor + \begin{itemize} + \item is written in C and assembly + \item lacks any modern security features (stack protection, non-executable pages, address space randomization, ..) + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Interesting observations}{Learned from implementing the stack} +While developing OpenBSC, we observed a number of interesting +\begin{itemize} + \item Many phones use their TMSI from the old network when they roam to a new network + \item Various phones crash when confronted with incorrect messages. We didn't even start to intentionally send incorrect messages (!) + \item There are tons of obscure options on the GSM spec which no real network uses. Potential attack vector by using rarely tested code paths. +\end{itemize} +OpenBTS developers observed the same. +\end{frame} + + +\begin{frame}{GSM Security: A5 -- Ciphering} +\begin{itemize} + \item A5 is a family of symmetric ciphers inside the GSM Um Layer 1 + \begin{description}[A5/4..8] + \item[A5/0] means no encryption + \item[A5/1] is the {\em secure} cipher variant + \item[A5/2] is the {\em weak} cipher variant + \item[A5/3] is the 64bit variant of UMTS cipher for GSM + \item[A5/4] is the 128bit variant of the UMTS cipher for GSM + \item[A5/5..8] mentioned in protocol spec but never defined + \end{description} + \item MS indicates A5 capabilities in classmark procedure + \begin{itemize} + \item Compromised MS software could indicate no A5/1 capability to the network + \item Network can decide to use A5/0 even if the phone supports A5/1,2,3 + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{GSM Security: A5 -- Ciphering} +\begin{itemize} + \item Encryption Key $K_C$ is produced as result to A3/A8 authentication + \item Re-keying can be initiated by the network at any given time by means of the authentication procedure + \item $K_C$ as a result of authentication is stored on SIM + \item $K_C$ can be read and written by the phone itself + \begin{itemize} + \item OS on Baseband Processor typically has some kind of API to access SIM + \item However, quite often direct access to $K_C$ is not permitted + \item Still, baseband processor software exploits do exist! + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{GSM uses symmetric session keys} +\includegraphics[bb=0in 0in 12in 6in,clip,width=5.3in,page=12]{nohl-slides-14.pdf} +\end{frame} + +\subsection{GSM Security -- Design Flaws + Oversights} + +\begin{frame}{GSM Security -- Bad Assumption} +\begin{block}{Bad Assumption} +No rogue actors in L3 +\end{block} +\begin{itemize} + \item Any entity that can implement L1 and L2 correctly is assumed to be legitimate until a challenge fails + \item This was a common telco security assumption in the 1980's, back when equipment was big and expensive and all of the networks were run by governments and quasi-governmental monopolies + \item It is an assumption inherited from wireline telcos, and is even weaker in the wireless world +\end{itemize} +\end{frame} + + +\begin{frame}{GSM Security -- Oversights} +\begin{block}{Oversight} +No authentication of the network +\end{block} +\begin{itemize} +\item GSM allows the network to authenticate a handset, but provides no means for the handset to authenticate the network +\item Authentication is based on challenge-response, but the only comparison happens in the network end +\item Any entity that can present a network-side Um interface is assumed to the legitimate, making it easy to create the GSM equivalent of a rogue access point. +\end{itemize} +\end{frame} + + +\begin{frame}{GSM Security -- Oversights} +\begin{block}{Oversight} +Handset cannot release in L3 RR +\end{block} +\begin{itemize} +\item The channel release operation must always be initiated by the network +\item As long as the handset sees a valid idle pattern in L2, it can be made to hold an active channel indefinitely +\end{itemize} +\end{frame} + +\begin{frame}{GSM Security -- Oversights} +\begin{block}{Oversight} +The network controls privacy +\end{block} +\begin{itemize} + \item GSM privacy controls are in the network, not in the handset + \item Ciphering indications controlled by carrier. + \item Any entity that assumes the role of the network takes control of the privacy features as well. + \item Once camped, the MS is essentially a slave of the BTS. +\end{itemize} +\end{frame} + + +\begin{frame}{GSM Security -- Oversights} +\begin{block}{Oversight} +Ciphering was an afterthought +\end{block} +\begin{itemize} + \item Ciphering was added to the system low in L1, below FEC + \item L2 idle frames generate a lot of known plaintext + \item FEC lowers the entropy of the plaintext stream + \item The A5 ciphering algorithms were not subject to adequate review by cryptographic experts prior to standardization + \item Encryption at L1 cannot be end-to-end since L1 terminates in the BTS, \emph{so microwave backhaul can still be fully exposed} +\end{itemize} +\end{frame} + +\begin{frame}{GPRS Security -- Oversights} +\begin{block}{Oversight} +GPRS uses same $K_C$ key generation (A3/A8) as GSM +\end{block} +\begin{itemize} +\item Even if GPRS has stronger crypto algorithm, $K_C$ is generated the same way as in GSM +\item $K_C$ key recovery attack using A5/2 can be performed using same random challenge +\item GPRS traffic can thus be recorded and later reviewed if MS with same SIM enters IMSI-Catcher and is presented with challenge from the recording +\end{itemize} +\end{frame} + +\begin{frame}{GSM Security -- Oversights} +\begin{block}{Oversight} +UMTS handsets also support GSM +\end{block} +\begin{itemize} + \item Many GSM security problems are fixed in UMTS, but all UMTS handsets fall back to 2.5G GSM operation when UMTS is not available. + \item UMTS handsets can be ordered to fall back to GSM by a rogue 3G Node B before mutual authentication even happens. + \item UMTS handsets can be forced into the GSM mode by jamming the UMTS service. +\end{itemize} +\end{frame} + +\begin{frame}{GSM Security -- Anachronism} +\begin{block}{Anachronism} +Predates public key encryption +\end{block} +\begin{itemize} + \item Network cannot authenticate the initial access attempt + \item Any transaction must begin with the revelation of some subscriber ID over an unencrypted channel + \item All security depends on the protection of $K_i$ + \item Once $K_i$ is broken, the SIM is permanently compromised +\end{itemize} +\end{frame} + +\subsection{Intentional Weaknesses} + +\begin{frame}{GSM Security -- Intentional Weaknesses} +\begin{block}{Intentional Weakness} +A5/1 \& A5/2 +\end{block} +\begin{itemize} + \item Western governments were reluctant to export ``strong'' encryption to other parts of the world, so they defined two ciphering algorithms, A5/1 for the US and Europe and A5/2 for everywhere else + \item The specification requires that any handset support both of these algorithms, so the cryptosystem is exported anyway and determined party can reverse-engineer either A5 from a standard handset. +\end{itemize} +\end{frame} + +\begin{frame}{GSM Security -- Intentional Weaknesses} +% This is old information. +% Still need a good reference to verify this in recent systems. +\begin{block}{Intentional Weakness} +Carriers do not use the full range of $K_i$, $K_C$. +\end{block} +\begin{itemize} + \item The spec allows 128 bits for $K_i$, but some carriers allegedly use only 64. + \item The spec allow 64 bits for $K_C$, but some carriers evidently use only 54. +\end{itemize} +\end{frame} + +\begin{frame}{GSM Security -- Intentional Weaknesses} +\begin{block}{Intentional Weakness} +Security features are optional +\end{block} +\begin{itemize} + \item Authentication is optional + \item A5/0 means no ciphering at all and all handsets support it + \item TMSIs are optional + \item A3/A8 is selected by the operator, used to be COMP128 +\end{itemize} +\end{frame} + + +\begin{frame}{GSM Security -- Handset Bugs} +\begin{itemize} +% Other good ones? OTA-related? + \item TMSI exposure bugs compromise anonymization + \item Many handsets crash or hang when presented with erroneous message formats or sequences + \item Many features of the protocol are not widely used and therefore probably not well tested + \item Many handsets vendor specific OTA and SIM support features not subject to outside review +\end{itemize} +\end{frame} + +\subsection{GSM security research} + +\begin{frame}{GSM/3G protocol level security} +\begin{itemize} + \item Observation + \begin{itemize} + \item Both GSM/3G and TCP/IP protocol specs are publicly available + \item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny + \item GSM networks are as widely deployed as the Internet + \item Yet, GSM/3G protocols receive no such scrutiny! + \end{itemize} + \item There are reasons for that: + \begin{itemize} + \item GSM industry is extremely closed (and closed-minded) + \item Only about 4 closed-source protocol stack implementations + \item GSM chip set makers never release any hardware documentation + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The closed GSM industry}{Handset manufacturing side} +\begin{itemize} + \item Only very few companies build GSM/3.5G baseband chips today + \begin{itemize} + \item Those companies buy the operating system kernel and the protocol stack from third parties + \end{itemize} + \item Only very few handset makers are large enough to become a customer + \begin{itemize} + \item Even they only get limited access to hardware documentation + \item Even they never really get access to the firmware source + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The closed GSM industry}{Network manufacturing side} +\begin{itemize} + \item Only very few companies build GSM network equipment + \begin{itemize} + \item Basically only Ericsson, Nokia-Siemens, Alcatel-Lucent and Huawei + \item Exception: Small equipment manufacturers for picocell / nanocell / femtocells / measurement devices and law enforcement equipment + \end{itemize} + \item Only operators buy equipment from them + \item Since the quantities are low, the prices are extremely high + \begin{itemize} + \item e.g. for a BTS, easily 10-40k EUR + \item minimal network using standard components definitely in the 100,000s of EUR range + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The closed GSM industry}{Operator side} +From my experience with Operators (prove me wrong!) +\begin{itemize} + \item Operators are mainly finance + marketing today + \item Many operators outsources + \begin{itemize} + \item Network servicing / deployment, even planning + \item Other aspects of business like Billing + \end{itemize} + \item Operator just knows the closed equipment as shipped by manufacturer + \item Very few people at an operator have knowledge of the protocol beyond what's needed for operations and maintenance +\end{itemize} +\end{frame} + +\begin{frame}{The closed GSM industry}{Security implications} +The security implications of the closed GSM industry are: +\begin{itemize} + \item Almost no people who have detailed technical knowledge outside the protocol stack or GSM network equipment manufacturers + \item No independent research on protocol-level security + \begin{itemize} + \item If there's security research at all, then only theoretical (like the A5/2 and A5/1 cryptanalysis) + \item Or on application level (e.g. mobile malware) + \end{itemize} + \item No open source protocol implementations + \begin{itemize} + \item which are key for making more people learn about the protocols + \item which enable quick prototyping/testing by modifying existing code + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Security analysis of GSM}{How would you get started?} +If you were to start with GSM protocol level security analysis, where and +how would you start? +\begin{itemize} + \item On the handset side? + \begin{itemize} + \item Difficult since GSM firmware and protocol stacks are closed and proprietary + \item Even if you want to write your own protocol stack, the layer 1 hardware and signal processing is closed and undocumented, too + \item Known attempts + \begin{itemize} + \item The TSM30 project as part of the THC GSM project + \item MADos, an alternative OS for Nokia DTC3 phones + \end{itemize} + \item none of those projects successful so far + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Security analysis of GSM}{How would you get started?} +If you were to start with GSM protocol level security analysis, where and +how would you start? +\begin{itemize} + \item On the network side? + \begin{itemize} + \item Difficult since equipment is not easily available and normally extremely expensive + \item However, network is very modular and has many standardized/documented interfaces + \item Thus, if equipment is available, much easier/faster progress + \item Also, using SDR (software defined radio) approach, special-purpose / closed hardware can be avoided + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Security analysis of GSM}{The bootstrapping process} +\begin{itemize} + \item Read GSM specs day and night (> 1000 PDF documents) + \item Gradually grow knowledge about the protocols + \begin{itemize} + \item OpenBSC: Obtain actual GSM network equipment (BTS) + \item OpenBTS: Develop SDR based GSM Um Layer 1 + \end{itemize} + \item Try to get actual protocol traces as examples + \item Start a complete protocol stack implementation from scratch + \item Finally, go and play with GSM protocol security +\end{itemize} +\end{frame} + +\section {The False BTS} + +\subsection{Basics} + +\begin{frame}{False BTS Basis \#1} +\begin{block}{Problem} +The handset does not authenticate the network. +\end{block} +\begin{itemize} + \item Any device that can generate the network-side Um interface can be used to spoof a cellular carrier. + \item All you need to do is terminate L3 locally and run a partial simulation of the carrier's core network. + \item Once you overcome the technical hurdle of generating Um, the rest is depressingly easy. +\end{itemize} +\end{frame} + +\begin{frame}{False BTS Basis \#2} +\begin{block}{Problem} +Ciphering is optional. +\end{block} +\begin{itemize} + \item If ciphering were mandatory, it would allow the handset a means of authenticating the network Oh well... +\end{itemize} +\end{frame} + +\begin{frame}{False BTS IP History} +\begin{itemize} + \item Patents are public records: + \begin{itemize} + \item Early Nokia work + \item R\&S EP 1051053 -- the first real IMSI-catcher patent + \end{itemize} + \item Litigation produces public records: + \begin{itemize} + \item MMI v CellXion -- lots of discussion of IMSI-catcher history, identified several IMSI-catcher developers + \item Martone v Burgess -- public identification of IMSI-catcher developers working for the US gov't + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{R\&S ``Virtual Basestation''} +\begin{figure}[h] + \centering + \includegraphics[width=75mm]{VBTSFigure.pdf} + \caption{From EP 1051053} +\end{figure} +\end{frame} + +\begin{frame}{False BTS Design Approaches} +\begin{itemize} + \item Early R\&S designs (GA 090) based on BTS emulators. + \item Standard approach: mini-BTS and laptop with T1/E1 card. Hardware similar to OpenBSC w/BS11. + \item Abis-over-IP quickly replacing T1/E1 systems (CellXion/Datong DX series). Hardware same as OpenBSC w/NanoBTS. + \item All-software BTS units with tighter L3 integration starting to appear (MRT-BTS). Software approach more similar to OpenBTS. +\end{itemize} +\end{frame} + +\subsection{Examples} + +\begin{frame}{False BTS Example -- Datong} +\begin{figure}[h] + \centering + \includegraphics[width=100mm]{DatongDX300.pdf} + \caption{From Datong brochure} +\end{figure} +\end{frame} + +\begin{frame}{False BTS Example -- MRT} +\begin{figure}[h] + \centering + \includegraphics[width=100mm]{MRTBTS.pdf} + \caption{From MRT, Inc. public web pages} +\end{figure} +\end{frame} + +\begin{frame}{False BTS Example -- Tecore} +\begin{figure}[h] + \centering + \includegraphics[width=100mm]{Intellijam.pdf} + \caption{From Tecore public web pages} +\end{figure} +\end{frame} + + +\subsection{Behavior} + +\begin{frame}{Cell Selection Behavior} +\begin{itemize} + \item ``Capture'' technique based on handset's BTS selection rules, GSM 03.22 4 and GSM 04.08 4.2. + \item Use the same MCC/MNC/NCC as the local GSM carrier. + \item Choose an ARFCN from the serving cell's neighbor list. + \item Ramp up power gradually to avoid congestion. + \item Can also use CRO to increase effective power advantage. +\end{itemize} +\end{frame} + +\begin{frame}{Mobility Behavior} +\begin{itemize} + \item Based on rules of GSM 04.08 4. + \item When the handset enters a new ``location area'' it will attempt to register. + \item So the IMSI-catcher advertises LAC different from any of the other cells in the area. + \item Set timer T3212 for registrations on 6-minute intervals or change LAC to induce registration, like a broadcast ping to all camped handsets. +\end{itemize} +\end{frame} + +\begin{frame}{Key Transaction -- Location Update} +\begin{figure}[h] + \centering + \includegraphics[width=70mm]{LadderLU.pdf} +\end{figure} +\end{frame} + + +\begin{frame}{Location Update Options} +\begin{itemize} + \item Location update request includes IMSI or TMSI of MS, plus MCC/MNC/LAC of previous serving cell. + \item Authentication and ciphering are optional, so don't use them. + \item Can request IMSI, TMSI or IMEI during update operation. + \item Can assign a new TMSI. + \item Can accept or refuse location update attempt \emph{based on inspection of ID}. +\end{itemize} +\end{frame} + +\begin{frame}{Accept/Reject Tricks} +\begin{itemize} + \item If IMSI-catcher accepts registration, the handset remains camped to IMSI-catcher and ignores real network. DOS. + \item Reject cause codes matter: + \begin{description}[not roaming in LA] + \item[illegal MS] locks handset until SIM is removed. + \item[no roaming in LA] denies service \emph{in any cell with the same LAC} until next time phone power-cycles. + \item[IMSI not in VLR] kicks the phone back to the carrier with little or no disruption. + \end{description} +\end{itemize} +\end{frame} + +\begin{frame}{More Accept/Reject Tricks} +\begin{itemize} + \item Send an ``MM Information'' message. + \begin{itemize} + \item Set network name on the display. + \item Set the handset clock. (May allow smartphones to accept expired security certs, BTW.) + \end{itemize} + \item Query the handset GPS receiver. (More on that later.) +\end{itemize} +\end{frame} + +\subsection{Man-in-the-Middle} + +\begin{frame}{Boy-In-the-Middle} +\begin{itemize} + \item Accept target handset registrations. + \item Allow MO call attempts, using A5/0. + \item Connect call with wireline phone or another GSM handset, as in EP1051053 figure. + \item Suppress CLID in the PSTN. + \item Collect both sides of the conversation. +\end{itemize} +% Demo +\end{frame} + +\begin{frame}{Man-In-the-Middle} +\begin{itemize} + \item Accept target handset registrations + \item Allow MO call attempts, using A5/0 + \item Connect call with wireline phone, VoIP carrier, ISDN or another GSM handset + \item \emph{Spoof} CLID in the PSTN + \item Collect both sides of the conversation +\end{itemize} +% Demo +\end{frame} + +\begin{frame}{Covert Call -- Technique} +\begin{itemize} + \item Starts like a normal MT call setup, but user is never alerted. + \item Connection in RR and MM, but no CC/Q.931 steps. + \item Phone goes to an active TCH and transmits an idle pattern. + \item Phone is assigned a known training sequence, unique on its ARFCN, to make tracking easier. + \item BTS controls power and channel release, tracks timing advance for distance estimate. +\end{itemize} +\end{frame} + +\begin{frame}{Covert Call -- Applications} +\begin{itemize} + \item Battery drain, by pushing tx power to maximum. + \item Handset tracking via geoobservables. + \begin{itemize} + \item Timing advance and measurement reports. + \item Midamble and idle pattern as markers for TOA \& AOA estimation. + \end{itemize} +\end{itemize} +\end{frame} + + +\begin{frame}{IMSI-Catcher with Integrated Geolocation} +\begin{figure}[h] + \centering + \includegraphics[width=100mm]{BTSGEO.pdf} + \caption{From MRT, Inc. public web pages} +\end{figure} +\end{frame} + + + +\section{Security beyond the Um interface} + +\subsection{The GSM network -- RAN backhaul} + +\begin{frame}{Backhaul security} +In classic GSM, +\begin{itemize} + \item design goal: provide same confidentiality/security as wired telephony + \item wired telephony networks typically run without any encryption + \item encryption is only on Um, i.e. between MS and BTS + \item backhaul interface (Abis on BTS-BSC link) originally designed to run over E1 + \item backhaul between BTS and BSC has no encryption + \item attacker requires physical access to E1 line in wired E1 +\end{itemize} +\end{frame} + +\begin{frame}{Backhaul security} +Running A-bis backhaul over microwave +\begin{itemize} + \item E1 over microwave radio typically unencrypted (e.g. MINI-LINK) + \item tuning into microwave links relatively easy + \begin{itemize} + \item side-lobes of microwave antenna + \item propagation of signal beyond receiving antenna + \item main obstacle: proprietary coding/synchronization of microwave link + \end{itemize} + \item passive eavesdropping of backhaul link provides easy option to full signalling and traffic +\end{itemize} +\end{frame} + +\subsection{SIM card security} + +\begin{frame}{The Subscriber Identity Module (SIM)} +\begin{itemize} + \item Basic idea was to store cryptographic identity of subscriber inside smart card + \item User can thus migrate identity from one device to another + \item User can furthermore use different SIM in same device (e.g. local prepaid SIM while travelling) + \item Original SIM card design mostly ISO 7816-4 filesystem and single command to execute A3/A8 algorithm inside card + \begin{itemize} + \item This could even be done in logic, no processor required + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The modern SIM} +The modern SIM is an entirely different beast +\begin{itemize} + \item Cryptographic processor smart card + \begin{itemize} + \item Symmetric cryptography such as DES, 3DES, AES + \item Public key cryptography such as RSA, ECC + \end{itemize} + \item Java Card including a small Java VM and Java RE + \item Multiple application support + \item Ability to download applications (Applets) into card +\end{itemize} +\end{frame} + + +\begin{frame}{SIM Application Toolkit (SAT)} +\begin{itemize} + \item Ability for card to run applications that have UI on the phone + \begin{itemize} + \item Display menu items on-screen + \item Get user input from keypad/touch-screen + \end{itemize} + \item Described in TS 11.14 and 11.11 +\end{itemize} +\end{frame} + +\begin{frame}{SAT -- Proactive SIM} +The {\em Proactive SIM} features +\begin{itemize} + \item Sending a short message + \item Setting up a voice call + \item Playback of a tone in earpiece + \item Providing location information from ME to SIM + \item Have ME execute timers on behalf of SIM + \item Sending DTMF to network + \item Running an AT command received from SIM, sending result back to SIM + \item Ask ME to launch browser to SIM-provided URL +\end{itemize} +\end{frame} + +\begin{frame}{SAT -- Call and SMS Control} +\begin{itemize} + \item ME passes MO call setup attempts to SIM for approval + \item SIM can then + \begin{itemize} + \item approve or decline the MO call + \item modify the call details such as phone number + \item replace the call with USSD message + \end{itemize} + \item ME passes USSD requests similar to Call Control + \item Similar mechanism exists for all MO SMS +\end{itemize} +\end{frame} + +\begin{frame}{SAT -- Provide local information} +The SIM can inquire the ME about +\begin{itemize} + \item MCC / MNC / LAC / Cell ID + \item IMEI of ME + \item Network Measurement Results + \item BCCH channel list + \item Date, Time, Timezone + \item ME language setting + \item Timing Advance +\end{itemize} +\end{frame} + +\begin{frame}{SAT -- Event download} +The SIM is notified by ME about certain events such as +\begin{itemize} + \item Call Connected / Disconnected + \item Location Status (Location Area change) + \item User activity (keyboard input) + \item Idle screen available + \item Browser termination +\end{itemize} +\end{frame} + +\begin{frame}{SAT - Data download} +\begin{itemize} + \item Enables Operator to exchange arbitrary data with the SIM + \item Could be RFM (Remote File Management) + \begin{itemize} + \item Read or modify phone book entries + \item Even change the IMSI of the SIM (!) + \end{itemize} + \item In case of Java Card, can be download of card applets + \begin{itemize} + \item Applets are stored permanently on SIM + \item Can later use SAT procedures to interact with ME + \item TS 03.19 specifies Java API to access SAT from Java RE + \end{itemize} +\end{itemize} +\end{frame} + + +\begin{frame}{SAT - Data download} +SAT Data Download can happen via +\begin{itemize} + \item via SMS or Cell Broadcast + \begin{itemize} + \item Uses TS 03.40 TP-PID {\em SIM DATA Download} + \item ME forwards such SMS to the SIM in {\tt ENVELOPE} APDU + \item Response from SIM is sent back as MO-SMS or DELIVERY REPORT + \end{itemize} + \item via BIP (Bearer Independent Protocol) + \begin{itemize} + \item Dedicated CSD call between network and SIM + \item GPRS session between network and SIM + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{SAT - Data download}{Data download security} +\begin{itemize} + \item GSM TS 03.48 specifies secure messaging for data download + \item Includes replay protection + \item Supports DES and 3DES + \item SMS chaining for long commands / large data +\end{itemize} +\end{frame} + +%%%%%% +\begin{frame}{SIM card abuse by hostile operator} +\begin{itemize} + \item Even if the phone might be considered trusted, the SIM card is owned and controlled by the operator + \item Using SAT features, the operator can control many aspects of the phone + \item Examples + \begin{itemize} + \item Remotely reading address book / stored SMS + \item Monitor user behavior (browser termination, idle screen, ...) + \item Ask phone to establish packet data session + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{SIM card re-programming by attacker} +\begin{itemize} + \item If the SIM is not properly secured (auth + encryption keys, ...) a third party attacker can send SAT envelope SMS to the card and install resident Java applets + \item The attacker can then + \begin{itemize} + \item Obtain detailed location information and send it via SMS + \item Intercept/log outgoing calls + \item Sending copies of incoming + outgoing SMS elsewhere + \end{itemize} + \item Even using SIM card channel to exploit baseband stack is feasible +\end{itemize} +\end{frame} + +\begin{frame}{SIM card proxy / MITM by attacker} +As soon as an attacker has temporary physical access to a phone, he can +\begin{itemize} + \item Insert a proxy-SIM between real SIM and phone + \item Do everything a Java applet could do, but even with a securely configured SIM as he does not modify the existing SIM + \item Sniff current Kc and send it out e.g. via SMS or even UDP/TCP packets over GPRS + \item ... by only using standard interfaces that are common among all phones (as opposed to baseband software hacking which is very model-specific) +\end{itemize} +Most users would never notice this as they rarely check their SIM slot +\end{frame} + +%%%%%% + +\begin{frame}{Defending against SIM based attacks} +\begin{itemize} + \item SIM cards are Operator issued, Ki is on the SIM + \begin{itemize} + \item SIM card can thus not be replaced, but original SIM must be used + \end{itemize} + \item Configure telephone to not store contacts or SMS on SIM + \item Communication between SIM and ME is not encrypted/authenticated + \item Solution: Proxy SIM between SIM and ME to break STK / OTA + \begin{itemize} + \item Filter all STK/OTA/Proactive commands like ENVELOPE + \item Indicate lack of STK support to ME (EF.Phase) + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Proxy SIM with firewall} +\begin{itemize} + \item There are no known commercial products that implement STK/OTA filtering + \item But there are a number of shim SIM cards that are plugged between SIM and SIM slot + \item Most of them are used for SIM unlocking modern phones + \item Some vendors produce freely (re)programmable proxy SIMs: +\end{itemize} +\begin{figure}[h] +\subfigure{\includegraphics[width=40mm]{bladox-turbosim.jpg}} +\subfigure{\includegraphics[width=25mm]{rebelsim2.jpg}} + \caption{Bladox TurboSIM (AVR) and RebelSIM II (8051)} + %\caption{Bladox Turbo SIM (AVR)}} +\end{figure} +\end{frame} + +\subsection{Osmocom SIMtrace} + +\begin{frame}{Analyzing SIM toolkit applications is hard} +\begin{itemize} + \item Regular end-user phone does not give much debugging + \item SIM card itself has no debug interface for printing error messages, warnings, etc. + \item However, as SIM-ME interface is unencrypted, sniffing / tracing is possible + \item Commercial / proprietary solutions exist, but are expensive (USD 5,000 and up) + \item Technically, sniffing smard card interfaces is actually very simple +\end{itemize} +\end{frame} + +\begin{frame}{Introducing Osmocom SIMtrace} +\begin{itemize} + \item Osmocom SIMtrace is a passive (U)SIM-ME communication sniffer + \item Insert SIM adapter cable into actual phone + \item Insert (U)SIM into SIMtrace hardware + \item SIMtrace hardware provides USB interface to host PC + \item {\tt simtrace} host PC program encapsulates APDU in GSMTAP + \item GSMTAP is sent via UDP to localhost + \item wireshark dissector for GSM TS 11.11 decodes APDUs +\end{itemize} +\end{frame} + +\begin{frame}{Osmocom SIMtrace Hardware} +\begin{figure}[h] + \centering + \includegraphics[width=85mm]{simtrace_and_phone.jpg} +\end{figure} +\end{frame} + +\end{document} diff --git a/2013/gsmsec-tpe2013/nohl-slides-14.pdf b/2013/gsmsec-tpe2013/nohl-slides-14.pdf Binary files differnew file mode 100644 index 0000000..884f455 --- /dev/null +++ b/2013/gsmsec-tpe2013/nohl-slides-14.pdf diff --git a/2013/gsmsec-tpe2013/rebelsim2.jpg b/2013/gsmsec-tpe2013/rebelsim2.jpg Binary files differnew file mode 100644 index 0000000..0ba6247 --- /dev/null +++ b/2013/gsmsec-tpe2013/rebelsim2.jpg diff --git a/2013/gsmsec-tpe2013/simtrace_and_phone.jpg b/2013/gsmsec-tpe2013/simtrace_and_phone.jpg Binary files differnew file mode 100644 index 0000000..7c53de2 --- /dev/null +++ b/2013/gsmsec-tpe2013/simtrace_and_phone.jpg |