27C3: GSM cell phones even easier to tap
At the 27th Chaos Communication Congress (27C3) hacker conference, security researchers demonstrated how open source software on a number of revamped, entry-level cell phones can decrypt and record mobile phone calls in the GSM network. Using a normal laptop and a homemade monitoring device, team leader Karsten Nohl of Berlin's Security Research Labs explained that GSM mobile communications can be decrypted in "around 20 seconds." He said his team was able to record and playback entire conversations in plain text.
Last year, Nohl and his team showed how they managed to crack the A5/1 encryption algorithm used in GSM, in three months using 40 distributed computers. Since then, he says his team has considerably improved the rainbow tables needed for the attack; the tables are once again available from the BitTorrent peer-to-peer network. Nohl says he has also made a lot of progress with the other hardware and software needed for the attack. Furthermore, the scenario for the attack has been redesigned and refined.
Nohl explained that the tapping process is made easier because all of the mobile communications operators exchange information about the cell phone's location via the SS7 network, which does not protect private user information especially well. For instance, special internet services can query the Home Location Register (HLR), a central database for the mobile communications network that connects the directory number to the IMSI and is the starting point for a determination of the cell phone's location. The Temporary Mobile Subscriber Identity (TMSI), which is used as a geographically and temporally limited ID for a subscriber when making a connection, can also apparently be obtained in what Nohl calls an "SMS trick." When an empty or incomplete text message is sent to a cell phone number, you can try to use network feedback to find out whether the cell phone is within a particular base station's reach.
If TMSI allows a cell phone to be precisely addressed, the data can then be collected from voice communication in the cell phone network and subsequently decrypted. If a call is made or a text message sent over GSM, the cell phone to be addressed is first contacted via a signal channel. If the cell phone responds, communication switches to a control channel or another frequency – and only then does encryption begin. Once the crypto process has begun, the actual conversation takes place in a traffic channel. To reduce disturbances, frequencies are regularly changed in a process known as "frequency hopping."
While it used to take devices costing some €35,000 to tap GSM cell phones, Nohl says that in the next few years that price will drop to €5,000 because conventional hardware and such open source components as OpenBSC and OsmocomBB will then be used. He says this hardware and software can already tap and record "a large part of the spectrum." But his team figured that every cell phone should be able to record GSM data. With that goal in mind, they managed to turn a disposable Motorola device for €10 into a powerful telephone tapper.
Nohl’s assistant Sylvain Munaut explained that open source firmware was installed on the telephone, the code used to process signals in the RAM was adjusted, and encrypted data were filtered out. The "sniffer" was able to record comprehensive basic GSM data with a fast USB cable and a filter for the uplinks and downlinks of mobile communications with a base station. At the conference, Munaut demonstrated how a computer controlling four specially crafted cell phones and a current TMSI can address a target telephone and launch encrypted communication by sending a text message. When the first round of communications data is analysed, a session key can be retrieved and used to record the uplink and downlink of a subsequent telephone call with a compromised cell phone. A special audio tool, which has not been made public, is then used to tap the phone.
Nohl called on mobile communications operators and network equipment suppliers to finally implement the straightforward procedures that would improve GSM encryption. For instance, it would be much harder to decrypt communication if random numbers were used as filler material instead of the current standard bytes. Major network operators agreed to such a standard two years ago, but it is apparently still held up "in quality assurance at Nokia or Siemens" and not used in base stations. It would also be harder to determine a phone's location if a national home directory were used to send text messages. Session keys should also not be reused, and frequency hopping should be the norm. However, Nohl no longer supports the Chaos Computer Club’s (CCC) call made last year to completely revamp the encryption algorithm; he says it would take too long and be too expensive. In contrast, he says that a number of design flaws have been improved in UMTS, though the improvements will not really help as long as the latest generation of cell phones still often rely on GSM.
(Stefan Krempl / ehe)