Jaap-Henk Hoepman – on security, privacy and…

Global GSM eavesdropping network.

Posted in Seeds by Jaap-Henk on January 3, 2011

GSM has been broken up to the point that a phone call or an SMS can be intercepted using an ordinary phone and a PC. The impact of this attack is still somewhat limited, because to eavesdrop, you need to be close to the target mobile phone. However, with a bit of ‘crowdsourcing’ we can overcome this ‘limitation’.



GSM Broken. Here’s a quick fix.

Posted in Opeds by Jaap-Henk on January 3, 2011

GSM has been broken up to the point that a phone call or an SMS can be intercepted using an ordinary phone and a PC. For ordinary people, this has few consequences. But targeted attacks on the conversations of CEOs or high-ranking government officials have become more likely. The same goes for targeted attacks against people who perform high-value transactions using SMS-based authentication.

The attack still has its limitations, and a fake base-station attack is perhaps easier to perform. However, there is an easy way to prevent this attack (and, incidentally, the fake base-station attack as well, since UMTS authenticates the network to the phone and not just the phone to the network): force your mobile to use only UMTS (3G) and make sure it does not fall back to GSM. Certain phones, smartphones in particular, have this option, although it is not always easily selectable because 3G coverage is suboptimal: a phone locked to 3G has no service at all where only GSM is available.

If you think you are a possible high-value target, get yourself such a phone. For the rest of the world: wait until your mobile network operator discontinues GSM and uses only UMTS.

GSM Broken.

Posted in Opeds, Science by Jaap-Henk on December 28, 2010

Today Karsten Nohl presented the final blow to GSM security at the 27th Chaos Computer Club Congress (27C3). Last year he already presented his ongoing work on constructing the rainbow tables that allow a modern PC to recover, within a minute, the A5/1 session key used to encrypt the communication between a mobile and the base station. As I discussed back then, this did not immediately imply a practical attack to eavesdrop on GSM calls in real time.

The problem is that GSM uses frequency hopping to reduce interference on the channel between the mobile and the base station, and the command that tells the mobile which frequencies to hop to is itself sent encrypted. To decrypt a conversation one would therefore have to record all traffic on all possible frequencies. Once the session key is recovered (after a minute or so), one can use it to pick the conversation out of the right parts of the recordings. The equipment to record all frequencies in parallel is rather expensive.

However, Karsten has now further optimised the attack. First, the session key can now be recovered in 20 seconds. But, more importantly, Karsten found that the session key is not refreshed for every communication (really, I am not making this up)! Instead it is reused for some time. This allows an attacker to first recover the current session key by sending silent SMSes to the phone he wants to eavesdrop on: the victim sees nothing, but the delivery makes the phone exchange encrypted traffic with largely predictable content, which is exactly the known plaintext the rainbow tables need. Any call subsequently made with this phone can then be eavesdropped on in real time using this session key. In fact, a cheap phone with reprogrammable firmware suffices to do this.

This was all shown live during the presentation at 27C3.

Note that session key reuse also makes SMS-based authentication less secure, at least against targeted attacks: an attacker who holds the session key can read the one-time code in the SMS as it is delivered.
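The mechanism described above, and the SMS remark that follows from it, as an added example that is not part of the original post: a compact A5/1 keystream generator in Python using the published register lengths, taps, majority clocking and 100-clock warm-up, followed by a model of the attacker's three steps (known plaintext leaks keystream, keystream maps back to Kc, Kc then decrypts every later burst sent under it). The 64-bit session key, the frame numbers, the 15-byte burst contents and the dictionary that stands in for the rainbow table are all constructed here for the demonstration; the real table lookup over the 2^64 key space is not reproduced.

```python
"""A5/1 keystream generator plus a model of session-key (Kc) reuse.

Added example, not code from the original post. Register lengths, taps,
clocking rule and the 100-clock warm-up are the published A5/1 parameters;
the key, frame numbers and burst contents are constructed, and the rainbow
table is replaced by a stand-in dict (see recover_kc).
"""
from typing import Optional

# (length mask, feedback taps, clocking bit) for the three A5/1 LFSRs
R1 = ((1 << 19) - 1, 0x072000, 1 << 8)   # taps 18,17,16,13; clock bit 8
R2 = ((1 << 22) - 1, 0x300000, 1 << 10)  # taps 21,20;       clock bit 10
R3 = ((1 << 23) - 1, 0x700080, 1 << 10)  # taps 22,21,20,7;  clock bit 10
REGS = (R1, R2, R3)
BURST_BITS = 114                         # one direction of one GSM burst


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _step(reg: int, spec) -> int:
    """Shift one LFSR left, feeding the parity of its taps into bit 0."""
    mask, taps, _ = spec
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    """Keystream generator for one (Kc, frame number) pair."""

    def __init__(self, kc: bytes, frame: int):
        assert len(kc) == 8 and 0 <= frame < (1 << 22)
        self.r = [0, 0, 0]
        # Key bits (LSB of each byte first, the a5-1.c reference convention)
        # and then the 22 frame bits are XORed into bit 0 after a regular clock.
        for i in range(64):
            self._load_bit((kc[i // 8] >> (i % 8)) & 1)
        for i in range(22):
            self._load_bit((frame >> i) & 1)
        for _ in range(100):             # warm-up under majority clocking
            self._clock()

    def _load_bit(self, bit: int) -> None:
        self.r = [_step(r, s) ^ bit for r, s in zip(self.r, REGS)]

    def _clock(self) -> None:
        clk = [bool(r & s[2]) for r, s in zip(self.r, REGS)]
        maj = sum(clk) >= 2
        # A register advances only when its clocking bit agrees with the majority.
        self.r = [_step(r, s) if c == maj else r for r, s, c in zip(self.r, REGS, clk)]

    def keystream(self, nbits: int = BURST_BITS) -> bytes:
        out = bytearray((nbits + 7) // 8)
        for i in range(nbits):
            self._clock()
            bit = ((self.r[0] >> 18) ^ (self.r[1] >> 21) ^ (self.r[2] >> 22)) & 1
            out[i // 8] |= bit << (7 - i % 8)  # pack MSB first
        return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_burst(kc: bytes, frame: int, plaintext: bytes) -> bytes:
    """Stream-encrypt one burst; the keystream depends only on (Kc, frame)."""
    return xor(plaintext, A51(kc, frame).keystream())


def keystream_from_known_plaintext(ciphertext: bytes, known: bytes) -> bytes:
    """Attacker step 1: a burst with predictable content (the attacker's own
    silent SMS, fixed signalling) leaks raw keystream by a single XOR."""
    return xor(ciphertext, known)


def recover_kc(keystream: bytes, table: dict) -> Optional[bytes]:
    """Attacker step 2: keystream -> Kc. The real attack does this with rainbow
    tables over A5/1; the dict here is a constructed stand-in for that lookup."""
    return table.get(keystream)


def decrypt_call(kc: bytes, recorded: list) -> list:
    """Attacker step 3: with Kc known, every later burst encrypted under the
    same Kc decrypts directly, so the call is readable in real time."""
    return [xor(ct, A51(kc, frame).keystream()) for frame, ct in recorded]


def demo() -> dict:
    kc = bytes.fromhex("1223456789abcdef")      # constructed session key
    silent_sms = b"SILENT-SMS-PAD\x00"          # constructed 15-byte known burst
    # The network delivers the attacker's silent SMS in frame 1000 under Kc.
    ks = keystream_from_known_plaintext(encrypt_burst(kc, 1000, silent_sms), silent_sms)
    table = {A51(kc, 1000).keystream(): kc}     # stand-in for the rainbow table
    kc_found = recover_kc(ks, table)
    # Later the victim makes a call; Kc is NOT refreshed, frames 5000-5002.
    speech = [b"hello? yes it's", b" me, the deal i", b"s at nine, bye!"]
    call = [(5000 + i, encrypt_burst(kc, 5000 + i, p)) for i, p in enumerate(speech)]
    # Had the network issued a fresh Kc for the call, the recovered key is useless.
    kc_fresh = bytes.fromhex("0f1e2d3c4b5a6978")
    stale = decrypt_call(kc_found, [(6000, encrypt_burst(kc_fresh, 6000, speech[0]))])
    return {"kc_recovered": kc_found == kc,
            "call_plaintext": b"".join(decrypt_call(kc_found, call)),
            "stale_key_works": stale[0] == speech[0]}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the whole point of the post in three lines of output: the key falls out of the silent-SMS burst, the later call decrypts with it, and only a refreshed Kc (the last dictionary entry) defeats the attacker. An SMS carrying a one-time code is just another burst under the same Kc, which is why key reuse hurts SMS-based authentication as much as it hurts voice calls.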


Using a mobile phone number as an authentic identifier

Posted in Science, Seeds by Jaap-Henk on April 27, 2010

This idea came up when I saw a guy on the train today, carrying a cardboard box with a number written on it.

I stared at the box, and it took a short while before I realised the number was a phone number. I wondered why that was, and then it occurred to me that maybe the guy carrying the box was the recipient of the box. Maybe the phone number on the box was used to call him up to say his parcel was waiting for him…



SMS authentication: still valuable (for two-factor authentication).

Posted in Opinions (Dutch) by Jaap-Henk on January 12, 2010

GovCERT advises providers of SMS authentication services (such as online banking or DigiD) not to offer any new such services and to carry out a renewed risk analysis for existing ones. This follows the latest developments around the cracking of the A5/1 encryption algorithm used in mobile phones (GSM).

