GPRS Intercept: Wardriving your country. Karsten Nohl, Luca Melette


GPRS Intercept: Wardriving your country Karsten Nohl, nohl@srlabs.de Luca Melette, luca@srlabs.de

Executive summary: Do not send sensitive data over GPRS
- GPRS/EDGE networks provide the data backbone of smart phones and industry automation systems
- The cryptographic protection of GPRS/EDGE is out-dated and vulnerable to several attacks
  - Lack of mutual authentication allows for fake base stations to harvest data
  - Lack of encryption (some countries) allows for passive intercept with EUR10 phone and software released during this talk
  - Weak encryption (remaining countries) enables cryptanalysis,
- Ever more applications are building up on mobile data networks, thereby amplifying the exposed risks instead of mitigating them

Agenda: GPRS basics, Practical GPRS attacks, Mitigation measures

GPRS provides the communication backbone for mobile societies
[Diagram: GPRS / EDGE networks connecting industry automation; mobility management; mobile phones, Pads, PCs; smart grid]

GPRS can encrypt data packets
[Diagram: GPRS/EDGE device -> Base station -> SGSN backend]
- Layer 3: Data packets of typically 1,520 bytes are exchanged with backend. Encryption should prevent intercept over-the-air and on transport links.
- Layer 1/2: GPRS/EDGE share channels with GSM and only differ in the modulation and multiplexing.

GPRS supports different encryption levels, but predominantly the weak ones are used

| Protection function | Encryption | Key length | Used by |
|---|---|---|---|
| GEA/0 | No encryption | N/A | Anybody? |
| GEA/1 | Proprietary stream cipher (96 bit state) | 64 bit | Most operators use both GEA/1 and GEA/2 |
| GEA/2 | Proprietary stream cipher (125 bit state) | 64 bit | Most operators use both GEA/1 and GEA/2 |
| GEA/3 | Standard block cipher (128 bit state) | 64 bit | Some, mostly newer networks |
| GEA/4 | | 128 bit | Nobody |

Agenda: GPRS basics, Practical GPRS attacks, Mitigation measures

GPRS networks are vulnerable to multiple attacks
(Slide legend: covered in this talk; covered in 27C3, 28C3 talks)
Passive attacks:
- GEA/0: Simple intercept
- GEA/1, GEA/2, GEA/3: Cryptanalysis; rainbow tables (where IV is constant)
Active attacks:
- Fake base station
- Phones downgrade to GEA/0 when asked by (fake) base station

GPRS interception only requires open source tools
Tool chain: Osmocom BB -> raw data -> GPRS decode -> gsmtap -> Wireshark
Function: Capture bursts; Layer 2 parsing; Layer 3 parsing
Implemented adaptations:
1. Start with Sylvain's burst_ind branch
2. Pimp the USB cable
3. Add multi-time-slot support
4. Multiplex data from multiple phones
5. Channel decoding
6. RLC parsing (block defrag)
7. LLC parsing (more block defrag)
8. Optional: Native RLC / LLC decoder

GPRS decode consists of 16 decoding chains
Tool chain: Osmocom BB -> raw data -> GPRS decode -> gsmtap -> Wireshark
- 2x (UL, DL) for each of TS0, TS1 ... TS7 [same decode process]
- Each chain: Frame FIFO -> Channel decoding (4 modes) -> RLC parsing (TBF queues + block defrag) -> LLC message

GPRS overcapsulates
Decode chain: Frame FIFO -> Channel decoding (4 modes) -> RLC parsing (TBF queues + block defrag) -> LLC message
[Diagram: example sequence of RLC blocks BSN 0, 1, 2, 3, 4, 5 ... 127, each marked as good block or missing block (X); demux of 32 identifiers in 2 directions; BSN 3, BSN 4, BSN 5 are defragmented into LLC 0, LLC 1, LLC 2, LLC 3, LLC 4 and padding; 63 x the same decode chain]

Some GPRS networks do not use any encryption
- Supposedly encryption hinders in-line data monitoring.
- Hence some commercial networks use GEA/0: no encryption!
- Now off to some actual cryptanalysis on all the other networks

GEA/1 mostly mitigates A5/1's rainbow table attacks but opens new crypto holes
Bold = better

| | A5/1 | GEA/1 | Relevant for |
|---|---|---|---|
| Key size | 64bit | 64bit | Brute force/(TMTO) |
| Internal state | 64bit | 96bit | TMTO |
| LFSRs | 3 | 3 | |
| Output nonlinearity | degree 1 | degree 4 | |
| Non-linear update | Yes | No | Algebraic attacks |
| Output | 114bit | up to 1500 bytes | |

GPRS lacks good nonlinearity

Agenda: GPRS basics, Practical GPRS attacks, Mitigation measures

Not securing mobile data would be negligent
GPRS is here to stay
[Chart: Mobile data traffic* [TB/month]]
Securing GPRS requires actions from networks and application authors:
A. Short term mitigation: Applications must protect themselves
B. Mid/long term need: Networks must upgrade encryption
*Source: Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update (February 1, 2011)

A. Mobile applications should start using internet-grade encryption
[Figure: example iPhone applications over GPRS / Internet, grouped as well encrypted* and not encrypted: SMS, Mail, most critical applications, 20% of tested messaging apps, many mobile web sites]
- Some mobile applications and most mobile web sites send data unencrypted over GPRS
- SSL, proudly used on the internet since 1994, could easily protect all this data
*Some iOS versions use vulnerable SSL implementations that can be abused in a fake base station attack

B. GPRS network wish list
Continuous improvements:
- Immediately: Switch on encryption
- Mid term: Add mutual authentication
- Long term: Upgrade to USIM + 128bit GEA/4
Result: Mobile data finally secure against today's threats
Network operator:
1. Deploy Java applet to SIM card
2. Execute mutual authentication from Java Applet before generating GPRS key
3. Use GEA/3 to secure connection
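The mutual-authentication step of the wish list above, sketched as an added example (not code from the slides or from the authors): the SIM side verifies the network's proof before any GPRS key is derived, so a base station without the subscriber key gets no key at all. The slides do not specify a protocol; the HMAC-SHA256 challenge-response, the names `SimApplet`, `Network` and `attach`, and the derivation labels are assumptions, and the 8-byte output matches the 64 bit key length listed for GEA/3.

```python
import hashlib
import hmac
import secrets

def _mac(key: bytes, label: bytes, a: bytes, b: bytes) -> bytes:
    """HMAC-SHA256 with a per-purpose label (assumed construction, not 3GPP)."""
    return hmac.new(key, label + b"|" + a + b, hashlib.sha256).digest()

class Network:
    """Operator side; shares the subscriber key Ki with the SIM."""
    def __init__(self, ki: bytes):
        self.ki = ki

    def respond(self, sim_nonce: bytes):
        # Prove knowledge of Ki over the SIM's fresh nonce, add our own nonce.
        self.sim_nonce, self.net_nonce = sim_nonce, secrets.token_bytes(16)
        return self.net_nonce, _mac(self.ki, b"net-auth", sim_nonce, self.net_nonce)

    def finish(self, sim_proof: bytes):
        expected = _mac(self.ki, b"sim-auth", self.net_nonce, self.sim_nonce)
        if not hmac.compare_digest(sim_proof, expected):
            return None  # SIM failed authentication
        return _mac(self.ki, b"gprs-key", self.sim_nonce, self.net_nonce)[:8]

class SimApplet:
    """SIM side: authenticates the network BEFORE any GPRS key exists."""
    def __init__(self, ki: bytes):
        self.ki = ki

    def start(self) -> bytes:
        self.sim_nonce = secrets.token_bytes(16)
        return self.sim_nonce

    def verify_network(self, net_nonce: bytes, net_proof: bytes):
        expected = _mac(self.ki, b"net-auth", self.sim_nonce, net_nonce)
        if not hmac.compare_digest(net_proof, expected):
            return None  # unauthenticated base station: no key is generated
        proof = _mac(self.ki, b"sim-auth", net_nonce, self.sim_nonce)
        return proof, _mac(self.ki, b"gprs-key", self.sim_nonce, net_nonce)[:8]

def attach(sim: SimApplet, network: Network):
    """Run the exchange; return the agreed 64-bit key, or None on failure."""
    net_nonce, net_proof = network.respond(sim.start())
    result = sim.verify_network(net_nonce, net_proof)
    if result is None:
        return None
    sim_proof, sim_key = result
    net_key = network.finish(sim_proof)
    if net_key is None or not hmac.compare_digest(sim_key, net_key):
        return None
    return sim_key

KI = bytes(range(16))  # constructed subscriber key, for illustration only
```

Because both nonces are fresh per attach, a recorded proof from an earlier session does not verify in a later one.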

GPRS currently is a risk to mobile societies
Lots of thanks to Mate Soos, Dieter Spaar, Harald Welte, Sylvain Munaut and Dexter
- Risk: The level of protection widely differs among networks but is typically outdated.
- Mitigation: Protect applications through SSL and start demanding better protection from your operator
Osmocom GPRS sniffing tutorial: srlabs.de/gprs
Questions? Karsten Nohl, nohl@srlabs.de; Luca Melette, luca@srlabs.de