7/31/2019 Shmoocon Feb08 Gsm
1/21
Intercepting GSM Traffic
David Hulton (h1kari)
http://wiki.thc.org/gsm
http://www.openciphers.org
http://www.picocomputing.com
http://www.toorcon.org
February 15th, 2008 ShmooCon 4
Agenda
Intro GSM
Receiving GSM signals
Cracking A5/1
Intro to GSM
Widely deployed: AT&T, T-Mobile, most other countries' carriers
Security: Authentication (A3/A8), Encryption (A5)
Intercepting Traffic
Nokia 3310 / Ericsson / TSM
USRP (gssm Project)
TI's OMAP dev kit
Commercial Interceptors
What now?
Various hardware will capture traffic
Turns out that many basestations send SMSs unencrypted
What about capturing conversations?
Some countries don't use any encryption (A5/0) or weak encryption (A5/2)
The US and most countries use A5/1
A5/1 Cracking
[Diagram: phone and network each run A8(Ki) to authenticate and both end up holding Kc; the conversation is then protected with A5(Kc) on both sides]
A5/1 Cracking
[Diagram: on each side, A5(Kc, Frame) produces the keystream for that frame, which is XORed (+) with the plain-text]
A5/1 Cracking
Clock in 64-bit Kc and 22-bit frame number
Clock for 100 cycles
Clock 114 times to generate 114 bits
A5/1 Cracking
Other attacks are academic BS.
3-4 frames. Fully passive.
Combination of Rainbow Table attack and others.
Sliding Window
[0|1|1|0|1|0..........|1|0|1|1]
[ 64 bit Cipherstream 0 .]
 [ 64 bit Cipherstream 1 ......]
  [ 64 bit Cipherstream 2 ...]
  ...
              [ 64 bit Cipherstream 50 ...]
Sliding Window
Total of 4 frames with 114 bits each
114 - 64 + 1 = 51 keystreams per frame
51 x 4 frames = 204 keystreams total
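The two slides above (the setup sequence of slide 8 and the 51 sliding windows of slide 11) in working code: an added C example, not the deck's own code. The register lengths, taps, clocking bits and output bits are the published A5/1 parameters; the LSB-first key/frame loading and MSB-first packing of the 114-bit burst follow the public reference implementation, and the Kc/frame values used in the usage note are that implementation's test vector, not anything from the talk.

```c
/* A5/1 keystream generator, added example (not the deck's code); parameters follow the public reference description. */
#include <stdint.h>
#include <string.h>
enum { R1MASK = 0x07FFFF, R2MASK = 0x3FFFFF, R3MASK = 0x7FFFFF,   /* 19-, 22-, 23-bit LFSRs */
       R1MID = 0x000100, R2MID = 0x000400, R3MID = 0x000400,      /* majority-clocking bits 8, 10, 10 */
       R1TAPS = 0x072000, R2TAPS = 0x300000, R3TAPS = 0x700080 }; /* feedback taps */
typedef struct { uint32_t r1, r2, r3; } a51_state;
static uint32_t parity(uint32_t x) { x ^= x >> 16; x ^= x >> 8; x ^= x >> 4; x ^= x >> 2; return (x ^ (x >> 1)) & 1; }
/* Step one LFSR: shift left, feed the parity of its tapped bits into bit 0. */
static uint32_t step(uint32_t r, uint32_t mask, uint32_t taps) { return ((r << 1) & mask) | parity(r & taps); }
/* Majority clocking: a register moves only if its clocking bit agrees with the majority of the three. */
static void clock_majority(a51_state *s) {
    uint32_t b1 = !!(s->r1 & R1MID), b2 = !!(s->r2 & R2MID), b3 = !!(s->r3 & R3MID);
    uint32_t maj = (b1 + b2 + b3) >= 2;
    if (b1 == maj) s->r1 = step(s->r1, R1MASK, R1TAPS);
    if (b2 == maj) s->r2 = step(s->r2, R2MASK, R2TAPS);
    if (b3 == maj) s->r3 = step(s->r3, R3MASK, R3TAPS);
}
/* Regular clocking of all three registers with one key or frame bit XORed into bit 0 of each. */
static void clock_all(a51_state *s, uint32_t bit) {
    s->r1 = step(s->r1, R1MASK, R1TAPS) ^ bit;
    s->r2 = step(s->r2, R2MASK, R2TAPS) ^ bit;
    s->r3 = step(s->r3, R3MASK, R3TAPS) ^ bit;
}
/* Slide 8: clock in the 64-bit Kc (LSB of each byte first), then the 22-bit frame number, then 100 blank cycles. */
void a51_setup(a51_state *s, const uint8_t kc[8], uint32_t frame) {
    s->r1 = s->r2 = s->r3 = 0;
    for (int i = 0; i < 64; i++) clock_all(s, (kc[i / 8] >> (i & 7)) & 1);
    for (int i = 0; i < 22; i++) clock_all(s, (frame >> i) & 1);
    for (int i = 0; i < 100; i++) clock_majority(s);
}
/* One 114-bit burst of keystream, packed MSB-first into 15 bytes (the last 6 bits stay zero). */
void a51_keystream(a51_state *s, uint8_t out[15]) {
    memset(out, 0, 15);
    for (int i = 0; i < 114; i++) {
        clock_majority(s);
        uint32_t k = ((s->r1 >> 18) ^ (s->r2 >> 21) ^ (s->r3 >> 22)) & 1;  /* output bits 18, 21, 22 */
        out[i / 8] |= (uint8_t)(k << (7 - (i & 7)));
    }
}
static int ksbit(const uint8_t ks[15], int i) { return (ks[i / 8] >> (7 - (i & 7))) & 1; }
/* Slide 11 sliding window: every 64-bit substring of one burst, 114 - 64 + 1 = 51 of them. */
int a51_windows(const uint8_t ks[15], uint64_t win[51]) {
    int n = 0;
    for (int off = 0; off + 64 <= 114; off++, n++) {
        win[n] = 0;
        for (int i = 0; i < 64; i++) win[n] = (win[n] << 1) | (uint64_t)ksbit(ks, off + i);
    }
    return n;
}
```

Calling a51_keystream twice on the same state yields the two 114-bit halves of a frame's keystream; a51_windows() returns 51 per burst, so the four frames on the slide give the 204 windows quoted.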
Rainbow Table
[Diagram: rainbow-table analogy. Password -> Lanman Hash, compared with A5/1 internal state -> 64-bit keystream]
Rainbow Table
Build a table that maps 64 bits of keystream back to 64 bits of internal A5/1 state
204 data points means we only need 1/64th of the whole keyspace
2^58 = 288,230,376,151,711,744
About 120,000 times larger than the largest Lanman Rainbow Table
How do we do this??
1 PC: 550,000 A5/1's per second, 33,235 years
Currently using 68 Pico E-16 FPGAs: 72,533,333,333 A5/1's per second, 3 months
Building new hardware to speed this up
Hardware
Rainbow Table
Cheap Attack (~30 min): 6 350GB Hard Drives (2TB), 1 FPGA (or a botnet)
Optimal Attack (~30 sec): 16 128GB Flash Hard Drives (2TB), 32 FPGAs
Can speed it up with more FPGAs
Reverse Clocking
Load A5/1 internal state
Reverse clock with known keystream back to after Kc was clocked in
Will resolve to multiple possible A5/1 states
Reverse Clocking
Reverse all 3 A5/1 internal states
The common state will be the correct one
Use the internal state and clock forward to decrypt or encrypt any packet
Can solve linear equations to derive key, but isn't really necessary
Conclusions
Tables will be finished in March
Commercial version in Q2/08
Will be scalable to whatever decryption time period is required
Threats & Future
GSM security has to become secure.
Data/Identity theft, Tracking
Unlawful interception
Attacks on GSM Infrastructure
Receiving and cracking GSM will become cheaper and easier
Thank You! Questions?
David Hulton
http://www.picocomputing.com
http://www.openciphers.org
ToorCon Seattle: http://seattle.toorcon.org
Seattle - April 18th-20th, 2008
ToorCon 10: http://www.toorcon.org
San Diego - Sept 24th-28th, 2008
ToorCamp!
Near Seattle - Spring, 2009