Vulnerabilities of Cellular and Satellite-based Voice and Data Networks Dan Veeneman dan@decodesystems.com www.decodesystems.com/blackhat/bh-2.ppt
Focus of this talk Practical security problems Industry responses Lessons (hopefully) learned from mistakes
Practical Operator Considerations Getting paid - Prevent (limit) subscriber fraud
- Ensure accurate clearing with other operators
Reduce churn Ensure sufficient capacity Provide CALEA compliance Maintain public perception of security Provide additional features (marketing)
Cellular Analog Digital - TDMA Digital - CDMA Digital - GSM
Cellular Signaling Control channel - Forward is continuous
- Reverse is shared
Voice (Traffic) channel - Assigned for the call
- Shared in digital systems
Analog Cellular Authentication is valid Electronic Serial Number (ESN) and Mobile Identification Number (MIN) pair Sent from mobile to base in the clear Early systems had just a “deny” list Not all systems initially available to each other for roaming verification
Phone Theft Automobile “smash and grab” Use until service is canceled Call-sell operations
Database Theft Dumpster diving Insider account maintenance Hack into authorization database Hack into switch maintenance port
Forward link has no authentication Mobiles lock to false outbound Cell phone suppressor Test equipment (ESN readers)
Network Interception Read pairs on link between base station and switch Microwave in many areas
Tumbling ESN/MIN pair sent to home system Pre-call validation not available First call allowed to go through “Tumble” through random ESN/MIN pairs
Cloning Replace legit ESN with snarfed ESN Reprogram MIN “Extension” phones Rewrite phone firmware (Chip in lower left corner is conveniently socketed)
Snarfing Tune scanner to control channel Decoder monitors inbound data Computer stores ESN/MIN pairs when the mobile registers AMPS data is simple FSK, in the clear
Subscription Fraud Sign up for service under false identity “Identity Theft”
Session Hijacking Overpower base station during legitimate call Use cell phone test mode to match Supervisory Audio Tone (SAT) Flashhook and place another call
Fighting Analog Fraud Legal - Illegal to eavesdrop
- Illegal to clone
- Illegal to possess equipment that might be used to clone
Technical - PINs
- Velocity checks
- Don’t allow more than one active at a time
- RF Fingerprinting
2G Authentication Generally, mobile is given a challenge and network checks the response US Digital Cellular - Cellular Authentication and Voice Encryption (CAVE)
- Control Message Encryption Algorithm (CMEA)
- Voice Privacy Mask (VPM)
GSM - A3 Authentication
- A8 cipher key generation
- A5 privacy
Cellular Authentication and Voice Encryption A-key, 64 bits (20 digits plus 6 check digits) RANDSSD: 56 bits Electronic Serial Number (ESN): 32 bits Shared Secret Data (SSD) - SSD_A: 64 bits, for authentication
- SSD_B: 64 bits, for encryption
Authentication Result, AUTHx: 18 bits Unique Challenge - Uses voice channel during call attempts
Global Challenge - Uses control channel, checks during registration, call attempt and call delivery
- All phones challenged with the same number
Authentication Phone attempts to access the network - indicates authentication capability
Serving MSC contacts HLR and AC - indicates whether it can do CAVE
- (if not, SSD cannot be shared, AC must do all the work)
- Gets profile
- Includes whether authentication should be done
- Generates random number RANDU and sends it to phone
Authentication Phone runs CAVE ( RANDU, SSD, MIN, ESN ) MSC runs CAVE ( RANDU, SSD, MIN, ESN ) At MSC, if received AUTHU matches local AUTHU, authentication is successful
Shared Secret Data Update Phone and AC update their SSD - AC generates RANDSSD
- Sends it to Serving MSC
- Computes SSD from RANDSSD, ESN, A-key
- MSC sends RANDSSD to phone
- Phone generates SSD from RANDSSD, ESN, A-key
Phone authenticates Base Station (or AC) - Generates RANDBS
- Calculates AUTHBS from RANDBS and new SSD
- Sends RANDBS to Serving MSC
- Either MSC or AC uses RANDBS and new SSD to calculate AUTHBS
- MSC sends AUTHBS to phone
- If phone AUTHBS and MSC AUTHBS match, phone stores new SSD
- Another authentication process is performed
- If successful, AC stores new SSD
Count Mobile maintains a 6-bit COUNT variable Incremented on instruction from AC AC maintains COUNT for each mobile COUNT values must match in order for mobile to gain access
Weaknesses Information sent in the clear on interconnection networks (SS7, etc) Secret information held in vulnerable locations (HLR, VLR, etc) CMEA “broken” Small keysize Poor A-keys VPM fixed for the length of the call - XOR against known voice (e.g. silence)
Handsets and SIMs International Mobile Equipment Identifier (IMEI) International Mobile Subscriber Identity (IMSI)
GSM Network Elements AuC: Authentication Center BTS: Base Transceiver Station BSC: Base Station Controller EIR: Equipment Identity Register (white, black, grey) HLR: Home Location Register ME: Mobile Equipment MSC: Mobile Switching Center OMC: Operations & Maintenance Center SIM: Subscriber Identity Module Visitor Location Register
GSM Security Goals
Anonymity Temporary identifiers. When a user first switches on his radio set, the real identity is used, and a temporary identifier is then issued. From then on the temporary identifier is used.
Authentication A random challenge is issued to the mobile Mobile encrypts the challenge using the authentication algorithm (A3) and the key assigned to the mobile (Ki) Mobile sends response back (SRES) Network checks that the response to the challenge is correct.
User data and signaling privacy A8 algorithm to compute Kc Used to encrypt the airlink A5 series privacy algorithms
Cryptographic Algorithms A3 and A8 are in the SIM - Operators can choose their own A3/A8
- COMP-128 provided as example algorithm
- Can securely pass (RAND,SRES,Kc) while roaming
A5 is built into the hardware
GSM weaknesses COMP-128 leaks Ki (April 1998) A8 has effective security of 54 bits A5 - 64-bit key (Kc) and 22-bit frame number, three shift registers
- A5/1 (western Europe)
- A5/2 (used in North America)
- A5/0 (no encryption)
Rogue base station Unencrypted network links - Eavesdropping
- Query HLR/AuC for new triples
Kc refreshed only occasionally
Subscriber Identity Module C1: Supply voltage C2: Reset signal C3: Clock signal C4: Reserved C5: Ground C6: Programming voltage C7: Input/Output - Baudrate is (clock frequency) / 372.
C8: Reserved
Talking to a SIM Defined by ETSI document GSM 11.11 Five bytes: - Class of instruction (CLA)
- Instruction Code (INS)
- Parameter 1 (P1)
- Parameter 2 (P2)
- Parameter 3 (P3)
- (length of optional data segment)
SIM card readers may require additional bytes
Listening to a SIM Three fields: - Data
- Status Word 1 (SW1)
- Status Word 2 (SW2)
90 00 is normal response
SIM Commands
SIM Conversation
SIM Conversation
SIM Conversation
SIM Conversation
SIM attacks Repeated authenticate, leaks Ki - (New SIMs have a limit (about 50k) on the number of times the authentication algorithm can be run)
Side-channel attacks - Power consumption
- Timing
- Electromagnetic emanations
COMP-128 Updates COMP128-2 - 54-bit Kc
- Secret algorithm
COMP128-3 - 64-bit Kc
- Secret algorithm
Proposal for new A3A8 based on MILENAGE - Milenage based on Rijndael (AES)
- Algorithm will be public
New A3A8 requires - AuC software upgrade
- New SIMs
A5/3 Based on the Kasumi algorithm - 3GPP confidentiality and integrity algorithms.
Kasumi derived from the MISTY algorithm, created by Mitsubishi. Specifications are publicly available on the 3GPP web site (www.3gpp.org).
Cellular Jamming Low-power private base station transmits a forward link overhead message Mobiles register with base station Base station never sends a page The FCC view on this: The Communications Act of 1934, as amended, and the Commission's rules do not permit the use of transmitters designed to prevent or jam the operation of wireless devices in hospitals, theaters and other locations. Section 302(a) of the Communications Act, 47 USC 302(a), prohibits the manufacture, importation, sale, offer for sale, or use of devices that fail to comply with the regulations promulgated pursuant to this section. Based on the above, the operation of transmitters designed to jam wireless communications is a violation of 47 USC 301, 302(a), and 333. The manufacture, importation, sale or offer for sale, including advertising, of such transmitters is a violation of 47 USC 302(a). Parties in violations of these provisions may be subject to the penalties contained within 47 USC 501-510. Fines for a first offense can range as high as $11,000 for each violation or imprisonment for up to one year. The equipment can also be seized and forfeited to the U.S. Government. These regulations apply to all transmitters that are designed to cause interference to, or prevent the operation of, other radio communication systems.
Satellite Networks Big LEOs Little LEOs Mobile Satellite Ventures INTELSAT INMARSAT VSAT GPS
Big LEO Constellation of satellites in Low Earth Orbit (as opposed to geosynchronous) Base stations in the sky Linked to network of ground stations Voice as primary service 1610 to 1626.5 MHz up 2483.5 to 2500 MHz down
Iridium $5 billion 66 satellites (plus spares) TDMA, processing on-board 1621.35 to 1626.5 up and down 2.4 kbps data service Service start November 1998 Bankruptcy in August 1999, only 55,000 customers
Iridium Satellite LLC Paid $25M for Iridium assets Relaunched commercial service in 2001 Large government contract ($72M/2 years via DISA) Dedicated gateway earth station in Hawaii Defense Information Systems Agency - Department of Defense
- Department of State
- Inter-satellite links
Enough money to replenish satellites?
Globalstar Loral, Qualcomm 48 satellites in LEO Start of operations February 2000 Currently under bankruptcy protection Bent-pipe CDMA service Underpowered satellites
ICO $4.7 billion Hughes-built satellites 10 satellites in Medium Earth Orbit (MEO) GSM-based New ICO Craig McCaw Merged with Teledesic
Orbcomm (Little LEO) 28 satellites 14 earth stations VHF operation Data only Store and Forward if ground station not in view “GlobalGrams” = X.400 e-mail Latency
Mobile Satellite Ventures Motient - AMSC-1 ($500M)
- Spar Aerospace
TMI Mobile satellite voice and data L-band Digital voice
Interception Gateways require tapping - FBI, CALEA requirements
- Iridium agreement
- Globalstar agreement
- TMI on-demand access
- National intelligence and police forces
Test equipment Limited use of encryption Modifiable phone equipment
INTELSAT Was a consortium of nations as signatories Now privatized Large fleet in geostationary orbit Primarily telephone and television traffic Carries unencrypted voice, data and fax
INMARSAT International Maritime Satellite Organization AOR, POR, IOR coverage L-band
Global Positioning System 24 satellites Selective Availability turned off May 2000 30 meter accuracy Can be jammed (denial of service) Can be spoofed
GPS Frequencies L1: 1575.42 MHz: Coarse Acquisition (C/A) code L2: 1227.60 MHz: Precise (P) or Y (encrypted) code L3: 1381.05 MHz: Nuclear burst detectors L4: 1841.40 MHz: Ionospheric correction (under study) L5: 1176.45 MHz: Civilian safety-of-life signal (proposed)
GPS Enhancements
GLONASS Global Orbital Navigation Satellite System 1606 to 1616 MHz Full operational status achieved once
Satellite Failures PanAmSat Galaxy 4 - Attitude control and backup failed
- Major supplier of service to paging towers
AT&T Telstar 401 - launched 1993, failed 11 January 1997
- abrupt failure, solar activity? (large solar flare 6 January 1997)
Galaxy 7 - Primary control processor failed June1998. Secondary processor failed November 2000.
- Suspected electrical shorts in spacecraft control processor (SCP).
Solidaridad 1 - Primary SCP failed May 1999. Secondary SCP failed August 2000.
Anik E1 - 1996, Power Subsystem Failure, Partial Loss
EchoStar 4 - 1998, Solar Array Failed to Deploy, reduced electrical power available
Questions?
Satellite Glossary
Satellite Glossary (con’t)
Satellite Glossary (con’t)
Satellite Glossary (con’t)
Satellite Glossary (con’t)
Dostları ilə paylaş: |