Vulnerabilities of Cellular and Satellite-based Voice and Data Networks Dan Veeneman



Date: 14.12.2017


Vulnerabilities of Cellular and Satellite-based Voice and Data Networks

  • Dan Veeneman

  • dan@decodesystems.com

  • www.decodesystems.com/blackhat/bh-2.ppt


Focus of this talk

  • Practical security problems

  • Industry responses

  • Lessons (hopefully) learned from mistakes



Practical Operator Considerations

  • Getting paid

    • Prevent (limit) subscriber fraud
    • Ensure accurate clearing with other operators
  • Reduce churn

  • Ensure sufficient capacity

  • Provide CALEA compliance

  • Maintain public perception of security

  • Provide additional features (marketing)



Cellular

  • Analog

  • Digital - TDMA

  • Digital - CDMA

  • Digital - GSM



Cellular Signaling

  • Control channel

    • Forward is continuous
    • Reverse is shared
  • Voice (Traffic) channel

    • Assigned for the call
    • Shared in digital systems


Analog Cellular

  • Authentication is valid Electronic Serial Number (ESN) and Mobile Identification Number (MIN) pair

  • Sent from mobile to base in the clear

  • Early systems had just a “deny” list

  • Not all systems initially available to each other for roaming verification



Phone Theft

  • Automobile “smash and grab”

  • Use until service is canceled

  • Call-sell operations



Database Theft

  • Dumpster diving

  • Insider account maintenance

  • Hack into authorization database

  • Hack into switch maintenance port



Rogue Base Station

  • Forward link has no authentication

  • Mobiles lock to false outbound

  • Cell phone suppressor

  • Test equipment (ESN readers)



Network Interception

  • Read pairs on link between base station and switch

  • Microwave in many areas



Tumbling

  • ESN/MIN pair sent to home system

  • Pre-call validation not available

  • First call allowed to go through

  • “Tumble” through random ESN/MIN pairs



Cloning

  • Replace legit ESN with snarfed ESN

  • Reprogram MIN

  • “Extension” phones

  • Rewrite phone firmware

  • (Chip in lower left corner is conveniently socketed)



Snarfing

  • Tune scanner to control channel

  • Decoder monitors inbound data

  • Computer stores ESN/MIN pairs when the mobile registers

  • AMPS data is simple FSK, in the clear



Subscription Fraud

  • Sign up for service under false identity

  • “Identity Theft”



Session Hijacking

  • Overpower base station during legitimate call

  • Use cell phone test mode to match Supervisory Audio Tone (SAT)

  • Flashhook and place another call



Fighting Analog Fraud

  • Legal

    • Illegal to eavesdrop
    • Illegal to clone
    • Illegal to possess equipment that might be used to clone
  • Technical

    • PINs
      • Customers hated this
    • Velocity checks
    • Don’t allow more than one active at a time
    • RF Fingerprinting
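
The velocity check and the one-active-phone rule listed above, sketched as an added example (not from the original slides). The thresholds, the record layout and the sample call records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed threshold: no subscriber moves faster than an airliner
MIN_KM = 50.0    # assumed: ignore hops between neighbouring cells

@dataclass
class Call:
    min_: str     # Mobile Identification Number presented by the phone
    start: float  # call start, seconds
    end: float    # call end, seconds
    lat: float    # serving cell site latitude
    lon: float    # serving cell site longitude

def km_between(a, b):
    """Great-circle (haversine) distance between two serving cells, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag_fraud(calls):
    """Return (MIN, reason) for every call that conflicts with the previous one."""
    alerts, last = [], {}
    for c in sorted(calls, key=lambda c: c.start):
        prev = last.get(c.min_)
        if prev is not None:
            if c.start < prev.end:
                alerts.append((c.min_, "concurrent"))  # two phones active at once
            else:
                hours = max(c.start - prev.end, 1.0) / 3600.0
                dist = km_between(prev, c)
                if dist > MIN_KM and dist / hours > MAX_KMH:
                    alerts.append((c.min_, "velocity"))
        last[c.min_] = c
    return alerts

# Constructed call records (MINs, times and coordinates are made up)
SAMPLE = [
    Call("2125550101", 0, 600, 40.71, -74.01),       # New York
    Call("2125550101", 1800, 2400, 34.05, -118.24),  # Los Angeles, 20 min later
    Call("3125550102", 0, 300, 41.88, -87.63),       # Chicago
    Call("3125550102", 200, 400, 41.79, -87.75),     # overlaps the call above
    Call("4155550103", 0, 300, 37.77, -122.42),      # San Francisco
    Call("4155550103", 7200, 7500, 37.34, -121.89),  # San Jose, two hours later
]
```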


2G Authentication

  • Generally, mobile is given a challenge and network checks the response

  • US Digital Cellular

    • Cellular Authentication and Voice Encryption (CAVE)
    • Control Message Encryption Algorithm (CMEA)
    • Voice Privacy Mask (VPM)
  • GSM

    • A3 Authentication
    • A8 cipher key generation
    • A5 privacy


Cellular Authentication and Voice Encryption

  • A-key, 64 bits (20 digits plus 6 check digits)

  • RANDSSD: 56 bits

  • Electronic Serial Number (ESN): 32 bits

  • Shared Secret Data (SSD)

    • SSD_A: 64 bits, for authentication
    • SSD_B: 64 bits, for encryption
  • Authentication Result, AUTHx: 18 bits

  • Unique Challenge

    • Uses voice channel during call attempts
  • Global Challenge

    • Uses control channel, checks during registration, call attempt and call delivery
    • All phones challenged with the same number


Authentication

  • Phone attempts to access the network

    • indicates authentication capability
  • Serving MSC contacts HLR and AC

    • indicates whether it can do CAVE
      • (if not, SSD cannot be shared, AC must do all the work)
    • Gets profile
      • Includes whether authentication should be done
    • Generates random number RANDU and sends it to phone


Authentication

  • Phone runs CAVE ( RANDU, SSD, MIN, ESN )

  • MSC runs CAVE ( RANDU, SSD, MIN, ESN )

    • Produces local AUTHU
  • At MSC, if received AUTHU matches local AUTHU, authentication is successful



Shared Secret Data Update

  • Phone and AC update their SSD

    • AC generates RANDSSD
      • Sends it to Serving MSC
      • Computes SSD from RANDSSD, ESN, A-key
    • MSC sends RANDSSD to phone
    • Phone generates SSD from RANDSSD, ESN, A-key
  • Phone authenticates Base Station (or AC)

    • Generates RANDBS
    • Calculates AUTHBS from RANDBS and new SSD
    • Sends RANDBS to Serving MSC
    • Either MSC or AC uses RANDBS and new SSD to calculate AUTHBS
    • MSC sends AUTHBS to phone
    • If phone AUTHBS and MSC AUTHBS match, phone stores new SSD
    • Another authentication process is performed
      • If successful, AC stores new SSD


Count

  • Mobile maintains a 6-bit COUNT variable

  • Incremented on instruction from AC

  • AC maintains COUNT for each mobile

  • COUNT values must match in order for mobile to gain access
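
The unique challenge, SSD update and COUNT check from the preceding slides, modelled end to end as an added example (not from the original slides). CAVE itself is replaced by an HMAC-SHA256 stand-in, and the RANDU and RANDBS sizes, the initial SSD and all class and function names are assumptions.

```python
import hashlib, hmac, secrets

def prf(key, *parts):
    """Stand-in for CAVE (not the real algorithm): HMAC-SHA256 of fixed-size inputs."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def gen_ssd(a_key, randssd, esn):
    """SSD from RANDSSD, ESN and A-key, split into SSD_A and SSD_B (64 bits each)."""
    d = prf(a_key, b"SSD", randssd, esn)
    return d[:8], d[8:16]

def auth18(ssd_a, rand, min_, esn):
    """18-bit authentication result (AUTHU or AUTHBS)."""
    return int.from_bytes(prf(ssd_a, b"AUTH", rand, min_, esn)[:3], "big") >> 6

class Party:
    """Per-subscriber state, held once in the phone and once in the AC."""
    def __init__(self, a_key, esn, min_):
        self.a_key, self.esn, self.min_ = a_key, esn, min_
        self.ssd_a, self.ssd_b = gen_ssd(a_key, bytes(7), esn)  # assumed initial SSD
        self.count = 0                                          # 6-bit COUNT

def unique_challenge(phone, net):
    """Network sends RANDU; access needs matching AUTHU and matching COUNT."""
    randu = secrets.token_bytes(3)                             # size is an assumption
    authu = auth18(phone.ssd_a, randu, phone.min_, phone.esn)  # sent by the phone
    local = auth18(net.ssd_a, randu, net.min_, net.esn)        # computed by the network
    return authu == local and phone.count == net.count

def ssd_update(phone, ac):
    """SSD update with base-station authentication; True if both sides commit."""
    randssd = secrets.token_bytes(7)                  # 56 bits, generated by the AC
    new_ac = gen_ssd(ac.a_key, randssd, ac.esn)
    new_ph = gen_ssd(phone.a_key, randssd, phone.esn)
    randbs = secrets.token_bytes(4)                   # phone's challenge (size assumed)
    if auth18(new_ph[0], randbs, phone.min_, phone.esn) != auth18(
            new_ac[0], randbs, ac.min_, ac.esn):
        return False                                  # AUTHBS mismatch: phone keeps old SSD
    old = (ac.ssd_a, ac.ssd_b)
    phone.ssd_a, phone.ssd_b = new_ph                 # phone stores the new SSD
    ac.ssd_a, ac.ssd_b = new_ac                       # provisional on the AC side
    if not unique_challenge(phone, ac):               # "another authentication"
        ac.ssd_a, ac.ssd_b = old
        return False
    return True

def increment_count(phone, ac):
    """AC instructs the phone to increment COUNT; both wrap at 6 bits."""
    phone.count = (phone.count + 1) % 64
    ac.count = (ac.count + 1) % 64
```

A handset that copied the SSD before the last COUNT increment fails `unique_challenge` on the COUNT comparison even though its AUTHU is correct.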



Weaknesses

  • Information sent in the clear on interconnection networks (SS7, etc)

  • Secret information held in vulnerable locations (HLR, VLR, etc)

  • CMEA “broken”

  • Small keysize

  • Poor A-keys

  • VPM fixed for the length of the call

    • XOR against known voice (e.g. silence)


Global System for Mobiles

  • Handsets and SIMs

  • International Mobile Equipment Identifier (IMEI)

  • International Mobile Subscriber Identity (IMSI)



GSM Network Elements

  • AuC: Authentication Center

  • BTS: Base Transceiver Station

  • BSC: Base Station Controller

  • EIR: Equipment Identity Register (white, black, grey)

  • HLR: Home Location Register

  • ME: Mobile Equipment

  • MSC: Mobile Switching Center

  • OMC: Operations & Maintenance Center

  • SIM: Subscriber Identity Module

  • VLR: Visitor Location Register



GSM Security Goals



Anonymity

  • Temporary identifiers.

  • When a user first switches on his radio set, the real identity is used, and a temporary identifier is then issued.

  • From then on the temporary identifier is used.



Authentication

  • A random challenge is issued to the mobile

  • Mobile encrypts the challenge using the authentication algorithm (A3) and the key assigned to the mobile (Ki)

  • Mobile sends response back (SRES)

  • Network checks that the response to the challenge is correct.



User data and signaling privacy

  • A8 algorithm to compute Kc

  • Used to encrypt the airlink

  • A5 series privacy algorithms



Cryptographic Algorithms

  • A3 and A8 are in the SIM

    • Operators can choose their own A3/A8
    • COMP-128 provided as example algorithm
    • Can securely pass (RAND,SRES,Kc) while roaming
  • A5 is built into the hardware



GSM weaknesses

  • COMP-128 leaks Ki (April 1998)

  • A8 has effective security of 54 bits

    • (last 10 bits set to 0)
  • A5

    • 64-bit key (Kc) and 22-bit frame number, three shift registers
    • A5/1 (western Europe)
    • A5/2 (used in North America)
    • A5/0 (no encryption)
  • Rogue base station

  • Unencrypted network links

    • Eavesdropping
    • Query HLR/AuC for new triples
  • Kc refreshed only occasionally



Subscriber Identity Module

  • C1: Supply voltage

    • (4.5 to 5.5 volts DC).
  • C2: Reset signal

  • C3: Clock signal

    • (1 to 5 MHz, external)
  • C4: Reserved

  • C5: Ground

  • C6: Programming voltage

    • (if available)
  • C7: Input/Output

    • Baudrate is (clock frequency) / 372.
  • C8: Reserved



Talking to a SIM

  • Defined by ETSI document GSM 11.11

  • Five bytes:

    • Class of instruction (CLA)
      • (always 0xA0 for GSM)
    • Instruction Code (INS)
    • Parameter 1 (P1)
    • Parameter 2 (P2)
    • Parameter 3 (P3)
      • (length of optional data segment)
  • SIM card readers may require additional bytes



Listening to a SIM

  • Three fields:

    • Data
      • (variable length)
    • Status Word 1 (SW1)
    • Status Word 2 (SW2)
  • 90 00 is normal response
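
The command and response framing from the two slides above, as an added example (not from the original slides). The instruction codes are taken from GSM 11.11 rather than from this page, the 9F status handling is likewise from that specification, and the exchange at the bottom is constructed with placeholder data.

```python
GSM_CLA = 0xA0  # class byte, always 0xA0 for GSM
# Instruction codes from GSM 11.11 (the page does not list them)
INS_NAMES = {0xA4: "SELECT", 0xB0: "READ BINARY", 0xC0: "GET RESPONSE", 0xF2: "STATUS"}

def build_command(ins, p1=0, p2=0, data=b"", expect=0):
    """Five-byte header CLA INS P1 P2 P3; P3 is the data length or expected reply length."""
    if data and expect:
        raise ValueError("P3 carries one length only")
    p3 = len(data) if data else expect
    return bytes([GSM_CLA, ins, p1, p2, p3]) + data

def parse_command(raw):
    """Split a command into its header fields and optional data segment."""
    if len(raw) < 5:
        raise ValueError("command shorter than the five-byte header")
    cla, ins, p1, p2, p3 = raw[:5]
    if cla != GSM_CLA:
        raise ValueError(f"CLA 0x{cla:02X} is not GSM")
    data = raw[5:]
    if data and len(data) != p3:
        raise ValueError("P3 does not match the data segment length")
    return {"ins": INS_NAMES.get(ins, f"0x{ins:02X}"), "p1": p1, "p2": p2,
            "p3": p3, "data": data}

def parse_response(raw):
    """Split a response into (data, SW1, SW2, meaning)."""
    if len(raw) < 2:
        raise ValueError("response must end in SW1 SW2")
    data, sw1, sw2 = raw[:-2], raw[-2], raw[-1]
    if (sw1, sw2) == (0x90, 0x00):
        meaning = "normal"
    elif sw1 == 0x9F:
        meaning = f"{sw2} bytes available via GET RESPONSE"
    else:
        meaning = f"status {sw1:02X} {sw2:02X}"
    return data, sw1, sw2, meaning

# Constructed exchange: select the master file (3F00), then fetch 22 zero-filled placeholder bytes
CONVERSATION = [
    (build_command(0xA4, data=bytes.fromhex("3F00")), bytes.fromhex("9F16")),
    (build_command(0xC0, expect=0x16), bytes(22) + bytes.fromhex("9000")),
]

def annotate(conversation):
    """One line per exchange: instruction name, P3, reply length, status meaning."""
    return [f"{parse_command(c)['ins']} P3={parse_command(c)['p3']} -> "
            f"{len(parse_response(r)[0])} data bytes, {parse_response(r)[3]}"
            for c, r in conversation]
```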



SIM Commands



SIM Conversation




SIM attacks

  • Repeated authenticate, leaks Ki

    • (New SIMs have a limit (about 50k) on the number of times the authentication algorithm can be run)
  • Side-channel attacks

    • Power consumption
    • Timing
    • Electromagnetic emanations


COMP-128 Updates

  • COMP128-2

    • 54-bit Kc
    • Secret algorithm
  • COMP128-3

    • 64-bit Kc
    • Secret algorithm
  • Proposal for new A3A8 based on MILENAGE

    • Milenage based on Rijndael (AES)
    • Algorithm will be public
  • New A3A8 requires

    • AuC software upgrade
    • New SIMs


A5/3

  • Based on the Kasumi algorithm

    • 3GPP confidentiality and integrity algorithms.
  • Kasumi derived from the MISTY algorithm, created by Mitsubishi.

  • Specifications are publicly available on the 3GPP web site (www.3gpp.org).



Cellular Jamming

  • Low-power private base station transmits a forward link overhead message

  • Mobiles register with base station

  • Base station never sends a page

  • The FCC view on this:

  • The Communications Act of 1934, as amended, and the Commission's rules do not permit the use of transmitters designed to prevent or jam the operation of wireless devices in hospitals, theaters and other locations. Section 302(a) of the Communications Act, 47 USC 302(a), prohibits the manufacture, importation, sale, offer for sale, or use of devices that fail to comply with the regulations promulgated pursuant to this section.

  • Based on the above, the operation of transmitters designed to jam wireless communications is a violation of 47 USC 301, 302(a), and 333. The manufacture, importation, sale or offer for sale, including advertising, of such transmitters is a violation of 47 USC 302(a). Parties in violations of these provisions may be subject to the penalties contained within 47 USC 501-510. Fines for a first offense can range as high as $11,000 for each violation or imprisonment for up to one year. The equipment can also be seized and forfeited to the U.S. Government. These regulations apply to all transmitters that are designed to cause interference to, or prevent the operation of, other radio communication systems.



Satellite Networks

  • Big LEOs

  • Little LEOs

  • Mobile Satellite Ventures

  • INTELSAT

  • INMARSAT

  • VSAT

  • GPS



Big LEO

  • Constellation of satellites in Low Earth Orbit (as opposed to geosynchronous)

  • Base stations in the sky

  • Linked to network of ground stations

  • Voice as primary service

  • 1610 to 1626.5 MHz up

  • 2483.5 to 2500 MHz down



Iridium

  • $5 billion

  • 66 satellites (plus spares)

  • TDMA, processing on-board

  • 1621.35 to 1626.5 up and down

  • 2.4 kbps data service

  • Service start November 1998

  • Bankruptcy in August 1999, only 55,000 customers



Iridium Satellite LLC

  • Paid $25M for Iridium assets

  • Relaunched commercial service in 2001

  • Large government contract ($72M/2 years via DISA)

  • Dedicated gateway earth station in Hawaii

  • Defense Information Systems Agency

    • Department of Defense
    • Department of State
    • Inter-satellite links
  • Enough money to replenish satellites?



Globalstar

  • Loral, Qualcomm

  • 48 satellites in LEO

  • Start of operations February 2000

  • Currently under bankruptcy protection

  • Bent-pipe

  • CDMA service

  • Underpowered satellites

    • Recharge over oceans
  • 9.6 kbps data



ICO

  • $4.7 billion

  • Hughes-built satellites

  • 10 satellites in Medium Earth Orbit (MEO)

  • GSM-based

  • New ICO

  • Craig McCaw

  • Merged with Teledesic



Orbcomm (Little LEO)

  • 28 satellites

  • 14 earth stations

  • VHF operation

  • Data only

  • Store and Forward if ground station not in view

  • “GlobalGrams” = X.400 e-mail

  • Latency



Mobile Satellite Ventures

  • Motient

    • AMSC-1 ($500M)
    • Spar Aerospace
  • TMI

    • MSAT-1 (identical)
  • Mobile satellite voice and data

  • L-band

  • Digital voice



Interception

  • Gateways require tapping

    • FBI, CALEA requirements
    • Iridium agreement
    • Globalstar agreement
    • TMI on-demand access
    • National intelligence and police forces
  • Test equipment

  • Limited use of encryption

  • Modifiable phone equipment



INTELSAT

  • Was a consortium of nations as signatories

  • Now privatized

  • Large fleet in geostationary orbit

  • Primarily telephone and television traffic

  • Carries unencrypted voice, data and fax

  • Used by US DoD for UAV datalink



INMARSAT

  • International Maritime Satellite Organization

  • AOR, POR, IOR coverage

  • L-band



Global Positioning System

  • 24 satellites

  • Selective Availability turned off May 2000

  • 30 meter accuracy

  • Can be jammed (denial of service)

  • Can be spoofed



GPS Frequencies

  • L1: 1575.42 MHz: Coarse Acquisition (C/A) code

  • L2: 1227.60 MHz: Precise (P) or Y (encrypted) code

  • L3: 1381.05 MHz: Nuclear burst detectors

  • L4: 1841.40 MHz: Ionospheric correction (under study)

  • L5: 1176.45 MHz: Civilian safety-of-life signal (proposed)



GPS Enhancements



GLONASS

  • Global Orbital Navigation Satellite System

  • 1606 to 1616 MHz

  • Full operational status achieved once



Satellite Failures

  • PanAmSat Galaxy 4

    • Attitude control and backup failed
    • Major supplier of service to paging towers
  • AT&T Telstar 401

    • launched 1993, failed 11 January 1997
    • abrupt failure, solar activity? (large solar flare 6 January 1997)
  • Galaxy 7

    • Primary control processor failed June 1998. Secondary processor failed November 2000.
    • Suspected electrical shorts in spacecraft control processor (SCP).
  • Solidaridad 1

    • Primary SCP failed May 1999. Secondary SCP failed August 2000.
  • Anik E1

    • 1996, Power Subsystem Failure, Partial Loss
  • EchoStar 4

    • 1998, Solar Array Failed to Deploy, reduced electrical power available


Questions?



Satellite Glossary


