26C3: GSM hacking made easy
On Sunday 27th of December at the 26th Chaos Communication Congress (26C3) in Berlin, security researchers published open source instructions for cracking the A5/1 mobile telephony encryption algorithm and for building an IMSI catcher that intercepts mobile phone communication. The Global System for Mobile Communications (GSM) standard for digital mobile phone networks, which is used by around four billion people in 200 countries, is quite insecure, explained cryptography expert Karsten Nohl in front of a large audience of hackers. While this has been known in academic circles since 1994, the evidence now produced leaves "no more room for playing hide and seek" said Nohl.
Nohl started his project for creating publicly available proof of the security holes in mobile phone communication systems last summer. The basic issue is a distributed passive attack on A5/1. This crypto algorithm, which has been considered insecure by the experts for a long time, uses a key that is allegedly short enough to make it susceptible to relatively simple attacks based, for instance, on a phone book lookup. To speed up such an – otherwise very time-consuming – attack, Nohl's freely available software employs various tricks. For instance, it uses modern graphics cards with CUDA support for the computations, distributes tasks across various computers on a network, and compresses the code book and the tables produced by procedures such as rainbow table generation so that they take up less space and can be searched faster.
Nohl and his team say they found the secret key for A5/1, which opens the door for intercepting GSM communication, more effortlessly than they had anticipated. "We thought we'd need six months, but we managed to do it with forty computers in three months instead", said the hardware hacker, who intends to demonstrate the actual process of cracking the algorithm in front of an audience at a separate 26C3 workshop on Wednesday. Among the factors working in favour of the hackers was that GSM apparently reveals a larger stream of key data than researchers assumed in earlier attacks.
According to Nohl, even the GSMA industry association, which is behind GSM, saw itself forced to offer tips on how to proceed after receiving the first indications of the newly discovered vulnerabilities. Nohl said the association pointed out that the main security aspect of GSM was not the encryption standard itself, but the method for changing the transmission channels used. Therefore, a hacker would need a receiving station and a program for processing the raw data. It appears the GSMA didn't realise that such a computer system can already be built by using the free OpenBTS software to set up a GSM base station.
This system can be used to intercept large portions of a network operator's communication spectrum and two such devices allow attackers to track down the channel changes and the secret key, said Nohl. According to the researcher, a corresponding implementation is currently being developed.
OpenBTS and the free Asterisk software for telephone systems previously helped the security experts build a budget IMSI catcher for active attacks on GSM. While the equivalent devices, mainly used by the German police and intelligence agencies to locate mobile phone users, can be purchased for around 1500 US dollars, the open source solution provides an even cheaper alternative, said Nohl.
The only other things required are a USRP (Universal Software Radio Peripheral) board and a separate 52 MHz clock, because the 64 MHz version isn't stable enough, said Nohl's colleague Chris Paget. The researchers explained that the home-made IMSI catcher needs to be configured in such a way that it sends out an operator's Mobile Country Code (MCC) and Mobile Network Code (MNC). If the signal is stronger than that of an official mobile telephony network's base station, the mobile phones in its range reportedly register with their IMSI numbers. The intercepted data can then apparently be decoded with Wireshark or captured using the Airprobe software.
Paget emphasised that the researchers have not used their open source solution on any operator's active mobile phone network, pointing out that this is illegal. However, the researchers were able to use the IMSI catcher to identify serious GSM implementation flaws in a test environment: for instance, a current generation iPhone smoothly connected to a fictitious network created by the listening device. Even when the device advertised an entirely different GSM frequency used in the US, the connection could still be established, said the researchers. In addition, the hackers said they managed to influence the authentication process between the mobile phone and the base station in such a way that the phone in question froze completely and had to have its power disconnected. According to other reports from China, the colleagues of a student were still presented with "OpenBTS" as their apparent network operator long after a test with a comparable IMSI catcher had swiftly been terminated.
To Paget, this proves that "there are incredible flaws in every GSM protocol stack." Device manufacturers and mobile telephony providers only appear to check whether a phone is compatible with the respective protocol, he added. There is reportedly no checking of the interaction between the phone and the base station. Nohl believes that, on the whole, "GSM security needs a complete overhaul." The researcher doubts whether switching to A5/3 really solves the issue. According to a presentation by experts at the Asiacrypt conference a few weeks ago, this A5/1 successor could also prove too weak. Because the same keys are used for both methods, further attacks via the unsafe A5/1 apparently remain possible. According to Nohl, the relative ease with which the algorithm can be cracked is also likely to have an effect on networks like GPRS and 3G, because these networks also use encryption standards of the A5 family.