Vulnerabilities of Cellular and Satellitebased Voice and Data Networks

1
Vulnerabilities of Cellular and Satellite-based
Voice and Data Networks

• Dan Veeneman
• dan_at_decodesystems.com
• www.decodesystems.com/blackhat/bh-2.ppt

2
Focus of this talk

• Practical security problems
• Industry responses
• Lessons (hopefully) learned from mistakes

3
Practical Operator Considerations

• Getting paid
• Prevent (limit) subscriber fraud
• Ensure accurate clearing with other operators
• Reduce churn
• Ensure sufficient capacity
• Provide CALEA compliance
• Maintain public perception of security
• Provide additional features (marketing)

4
Cellular

• Analog
• Digital - TDMA
• Digital - CDMA
• Digital - GSM

5
Cellular Signaling

• Control channel
• Forward is continuous
• Reverse is shared
• Voice (Traffic) channel
• Assigned for the call
• Shared in digital systems

6
Analog Cellular

• Authentication is valid Electronic Serial Number
  (ESN) and Mobile Identification Number (MIN) pair
• Sent from mobile to base in the clear
• Early systems had just a deny list
• Not all systems initially available to each other
  for roaming verification

7
Phone Theft

• Automobile smash and grab
• Use until service is canceled
• Call-sell operations

8
Database Theft

• Dumpster diving
• Insider account maintenance
• Hack into authorization database
• Hack into switch maintenance port

9
Rogue Base Station

• Forward link has no authentication
• Mobiles lock to false outbound
• Cell phone suppressor
• Test equipment (ESN readers)

10
Network Interception

• Read pairs on link between base station and
  switch
• Microwave in many areas

11
Tumbling

• ESN/MIN pair sent to home system
• Pre-call validation not available
• First call allowed to go through
• Tumble through random ESN/MIN pairs

12
Cloning

• Replace legit ESN with snarfed ESN
• Reprogram MIN
• Extension phones
• Rewrite phone firmware
• (Chip in lower left corner is conveniently
  socketed)

13
Snarfing

• Tune scanner to control channel
• Decoder monitors inbound data
• Computer stores ESN/MIN pairs when the mobile
  registers
• AMPS data is simple FSK, in the clear

14
Subscription Fraud

• Sign up for service under false identity
• Identity Theft

15
Session Hijacking

• Overpower base station during legitimate call
• Use cell phone test mode to match Supervisory
  Audio Tone (SAT)
• Flashhook and place another call

16
Fighting Analog Fraud

• Legal
• Illegal to eavesdrop
• Illegal to clone
• Illegal to possess equipment that might be used
  to clone
• Technical
• PINs
• Customers hated this
• Velocity checks
• Good for roaming, not great for local clones
• Dont allow more than one active at a time
• RF Fingerprinting

17
2G Authentication

• Generally, mobile is given a challenge and
  network checks the response
• US Digital Cellular
• Cellular Authentication and Voice Encryption
  (CAVE)
• Control Message Encryption Algorithm (CMEA)
• Voice Privacy Mask (VPM)
• GSM
• A3 Authentication
• A8 cipher key generation
• A5 privacy

18
Cellular Authentication and Voice Encryption

• A-key, 64 bits (20 digits plus 6 check digits)
• RANDSSD 56 bits
• Electronic Serial Number (ESN) 32 bits
• Shared Secret Data (SSD)
• SSD_A 64 bits, for authentication
• SSD_B 64 bits, for encryption
• Authentication Result, AUTHx 18 bits
• Unique Challenge
• Uses voice channel during call attempts
• Global Challenge
• Uses control channel, checks during registration,
  call attempt and call delivery
• All phones challenged with the same number

19
Authentication

• Phone attempts to access the network
• indicates authentication capability
• Serving MSC contacts HLR and AC
• indicates whether it can do CAVE
• (if not, SSD cannot be shared, AC must do all the
  work)
• Gets profile
• Includes whether authentication should be done
• Generates random number RANDU and sends it to
  phone

20
Authentication

• Phone runs CAVE ( RANDU, SSD, MIN, ESN )
• Produces AUTHU
• Sends AUTHU to MSC
• MSC runs CAVE ( RANDU, SSD, MIN, ESN )
• Produces local AUTHU
• At MSC, if received AUTHU matches local AUTHU,
  authentication is successful

21
Shared Secret Data Update

• Phone and AC update their SSD
• AC generates RANDSSD
• Sends it to Serving MSC
• Computes SSD from RANDSSD, ESN, A-key
• MSC sends RANDSSD to phone
• Phone generates SSD from RANDSSD, ESN, A-key
• Phone authenticates Base Station (or AC)
• Generates RANDBS
• Calculates AUTHBS from RANDBS and new SSD
• Sends RANDBS to Serving MSC
• Either MSC or AC uses RANDBS and new SSD to
  calculate AUTHBS
• MSC sends AUTHBS to phone
• If phone AUTHBS and MSC AUTHBS match, phone
  stores new SSD
• Another authentication process is performed
• If successful, AC stores new SSD

22
Count

• Mobile maintains a 6-bit COUNT variable
• Incremented on instruction from AC
• AC maintains COUNT for each mobile
• COUNT values must match in order for mobile to
  gain access

23
Weaknesses

• Information sent in the clear on interconnection
  networks (SS7, etc)
• Secret information held in vulnerable locations
  (HLR, VLR, etc)
• CMEA broken
• Small keysize
• Poor A-keys
• VPM fixed for the length of the call
• XOR against known voice (e.g. silence)

24
Global System for Mobiles

• Handsets and SIMs
• International Mobile Equipment Identifier (IMEI)
• International Mobile Subscriber Identity (IMSI)

25
GSM Network Elements

• AuC Authentication Center
• BTS Base Transceiver Station
• BSC Base Station Controller
• EIR Equipment Identity Register (white, black,
  grey)
• HLR Home Location Register
• ME Mobile Equipment
• MSC Mobile Switching Center
• OMC Operations Maintenance Center
• SIM Subscriber Identity Module
• Visitor Location Register

26
GSM Security Goals
The objective of security for GSM system is to
make the system as secure as the public switched
telephone network. The use of radio at the
transmission media allows a number of potential
threats from eavesdropping the transmissions. It
was soon apparent in the threat analysis that the
weakest part of the system was the radio path, as
this can be easily intercepted. The GSM MoU
Group produces guidance on these areas of
operator interaction for members. The technical
features for security are only a small part of
the security requirements, the greatest threat is
from simpler attacks such as disclosure of the
encryption keys, insecure billing systems or
corruption ! A balance is required to ensure that
these security processes meet these requirements.
At the same time a judgment must be made of the
cost and effectiveness of the security
measures. Charles Brookson Chairman GSM MoU
Security Group Mercury one2one
27
Anonymity

• Temporary identifiers.
• When a user first switches on his radio set, the
  real identity is used, and a temporary identifier
  is then issued.
• From then on the temporary identifier is used.

28
Authentication

• A random challenge is issued to the mobile
• Mobile encrypts the challenge using the
  authentication algorithm (A3) and the key
  assigned to the mobile (Ki)
• Mobile sends response back (SRES)
• Network checks that the response to the challenge
  is correct.

29
User data and signaling privacy

• A8 algorithm to compute Kc
• Used to encrypt the airlink
• A5 series privacy algorithms

30
Cryptographic Algorithms

• A3 and A8 are in the SIM
• Operators can choose their own A3/A8
• COMP-128 provided as example algorithm
• Can securely pass (RAND,SRES,Kc) while roaming
• A5 is built into the hardware
• A5/1 - more secure
• A5/2 - less secure
• Unencrypted

31
GSM weaknesses

• COMP-128 leaks Ki (April 1998)
• A8 has effective security of 54 bits
• (last 10 bits set to 0)
• A5
• 64-bit key (Kc) and 22-bit frame number, three
  shift registers
• A5/1 (western Europe)
• A5/2 (used in North America)
• A5/0 (no encryption)
• Rogue base station
• Unencrypted network links
• Eavesdropping
• Query HLR/AuC for new triples
• Kc refreshed only occasionally

32
Subscriber Identity Module

• C1 Supply voltage
• (4.5 to 5.5 volts DC).
• C2 Reset signal
• C3 Clock signal
• (1 to 5 MHz, external)
• C4 Reserved
• C5 Ground
• C6 Programming voltage
• (if available)
• C7 Input/Output
• Baudrate is (clock frequency) / 372.
• C8 Reserved

33
Talking to a SIM

• Defined by ETSI document GSM 11.11
• Five bytes
• Class of instruction (CLA)
• (always 0xA0 for GSM)
• Instruction Code (INS)
• Parameter 1 (P1)
• Parameter 2 (P2)
• Parameter 3 (P3)
• (length of optional data segment)
• SIM card readers may require additional bytes

34
Listening to a SIM

• Three fields
• Data
• (variable length)
• Status Word 1 (SW1)
• Status Word 2 (SW2)
• 90 00 is normal response

35
SIM Commands
COMMAND INS P1 P2 P3 SELECT A4 00 00 02 STAT
US F2 00 00 length READ BINARY B0 offset
(high) offset (low) length UPDATE
BINARY D6 offset (high) offset (low) length READ
RECORD B2 record number mode length UPDATE
RECORD DC record number mode length SEEK A2 00
type/mode length INCREASE 32 00 00 03 VERIFY
CHV 20 00 CHV number 08 CHANGE CHV 24 00 CHV
number 10 DISABLE CHV 26 00 01 08 ENABLE
CHV 28 00 01 08 UNBLOCK CHV 2C 00 00 (for
CHV1) 10 02 (for CHV2) 10 INVALIDATE 04 00
00 00 REHABILITATE 44 00 00 00 RUN GSM
ALG 88 00 00 00 SLEEP FA 00 00 00 GET
RESPONSE C0 00 00 length
36
SIM Conversation
Setup card for access Activating card...01
Sending ATR 1... Sending Inverse ATR 1...3F 2F
00 80 69 AF 02 04 01 31 00 00 00 0E 83 3E 9F 16
37
SIM Conversation
Read Master File A0 A4 00 00 02 Select
file A4 ok 3F 00 Master File 9F
16 file access ok, 0x16 byte response A0 C0
00 00 16 Read 0x16 byte response C0 85 14 00
00 3F 00 01 80 FF FF FF 43 09 89 03 09 04 00 83
8A 83 8A 90 00 Master File Header MF/DF
RFU 85 14 Free Memory 00 00 File ID 3F
00 (MF) File Type 01 (Master File) RFU
80 FF FF FF 43 Length 09 File
characteristics 89 Clock stop
Allowed, low level preferred Required speed
13/8 CHV Disabled Child DFs
03 Child EFs 09
CHVs, Unblock CHVs, etc 04 RFU
00 CHV1 Status 83
(Initialized, 3 remaining) Unblock CHV1 Status
8A (Initialized, 10 remaining) CHV2 Status
83 (Initialized, 3 remaining)
Unblock CHV2 Status 8A (Initialized, 10
remaining)
38
SIM Conversation
Read Dedicated File A0 A4 00 00 02 Select
file A4 ok 7F 20 GSM Dedicated File 9F
16 access ok, 0x16 byte response A0 C0 00 00
16 Read 0x16 byte response C0 85 14 00 04 7F
20 02 00 FF FB FF 23 09 99 00 19 04 00 83 8A 83
8A 90 00 Dedicated File Header MF/DF RFU
85 14 Free Memory 00 04 File ID 7F 20
(DF-GSM) File Type 02 (Directory File)
RFU 00 FF FB FF 23 Length 09
File characteristics 99 Clock stop
Allowed, low level preferred Required speed
13/8 CHV Disabled Child DFs
00 Child EFs 19
CHVs, Unblock CHVs, etc 04 RFU
00 CHV1 Status 83
(Initialized, 3 remaining) Unblock CHV1 Status
8A (Initialized, 10 remaining) CHV2 Status
83 (Initialized, 3 remaining)
Unblock CHV2 Status 8A (Initialized, 10
remaining)
39
SIM Conversation
Read Elementary File A0 A4 00 00 02 Select
file A4 ok 6F 07 (GSM) EF-IMSI 9F
0F access ok, 0x0F byte response A0 C0 00 00
0F Read 0x0F byte response C0 85 0D 00 09 6F
07 04 00 1B FF 1B 23 02 00 00 90 00 Elementary
File Information EF RFU 85 0D File
Size 00 09 File ID 6F 07 ((GSM)
EF-IMSI) File Type 04 (Elementary File)
RFU 00 Access 1B FF 1B
Read/Seek CHV1 Update Admin 11
Increase Never RFU Never
Rehabilitate CHV1 Invalidate Admin 11
Status 23 (Not Invalidated) Length
02 EF Structure 00 (Transparent) Record
Length 00 A0 B0 00 00 09 Read file, 9
bytes B0 08 39 01 13 10 00 43 98 44 90 00 IMSI
40
SIM Conversation
Select GSM Dedicated File A0 A4 00 00
02 Select File A4 ok 9F 16 GSM
Dedicated File Perform A3A8 computation A0 88 00
00 10 A3A8 with 0x10 bytes 88 ok 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 RAND
challenge 9F 0C ok, 0x0C bytes waiting A0
C0 00 00 0C get response C0 D0 70 89 C4 8F 23
C4 EB 59 78 EC 00 90 00 Perform A3A8
computation A0 88 00 00 10 A3A8 with 0x10
bytes 88 ok 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 01 RAND challenge 9F 0C ok,
0x0C bytes waiting A0 C0 00 00 0C get
response C0 9B 8E 05 84 FF 8A E8 60 45 A7 30 00
90 00
41
SIM attacks

• Repeated authenticate, leaks Ki
• (New SIMs have a limit (about 50k) on the number
  of times the authentication algorithm can be run)
• Side-channel attacks
• Power consumption
• Timing
• Electromagnetic emanations

42
COMP-128 Updates

• COMP128-2
• 54-bit Kc
• Secret algorithm
• COMP128-3
• 64-bit Kc
• Secret algorithm
• Proposal for new A3A8 based on MILENAGE
• Milenage based on Rijndael (AES)
• Algorithm will be public
• New A3A8 requires
• AuC software upgrade
• New SIMs

43
A5/3

• Based on the Kasumi algorithm
• 3GPP confidentiality and integrity algorithms.
• Kasumi derived from the MISTY algorithm, created
  by Mitsubishi.
• Specifications are publicly available on the 3GPP
  web site (www.3gpp.org).

44
Cellular Jamming

• Low-power private base station transmits a
  forward link overhead message
• Mobiles register with base station
• Base station never sends a page
• The FCC view on this
• The Communications Act of 1934, as amended, and
  the Commission's rules do not permit the use of
  transmitters designed to prevent or jam the
  operation of wireless devices in hospitals,
  theaters and other locations. Section 302(a) of
  the Communications Act, 47 USC 302(a), prohibits
  the manufacture, importation, sale, offer for
  sale, or use of devices that fail to comply with
  the regulations promulgated pursuant to this
  section.
• Based on the above, the operation of transmitters
  designed to jam wireless communications is a
  violation of 47 USC 301, 302(a), and 333. The
  manufacture, importation, sale or offer for sale,
  including advertising, of such transmitters is a
  violation of 47 USC 302(a). Parties in violations
  of these provisions may be subject to the
  penalties contained within 47 USC 501-510. Fines
  for a first offense can range as high as 11,000
  for each violation or imprisonment for up to one
  year. The equipment can also be seized and
  forfeited to the U.S. Government. These
  regulations apply to all transmitters that are
  designed to cause interference to, or prevent the
  operation of, other radio communication systems.

45
Satellite Networks

• Big LEOs
• Little LEOs
• Mobile Satellite Ventures
• INTELSAT
• INMARSAT
• VSAT
• GPS

46
Big LEO

• Constellation of satellites in Low Earth Orbit
  (as opposed to geosynchronous)
• Base stations in the sky
• Linked to network of ground stations
• Voice as primary service
• 1610 to 1626.5 MHz up
• 2483.5 to 2500 MHz down

47
Iridium

• 5 billion
• 66 satellites (plus spares)
• TDMA, processing on-board
• 1621.35 to 1626.5 up and down
• 2.4 kbps data service
• Service start November 1998
• Bankruptcy in August 1999, only 55,000 customers

48
Iridium Satellite LLC

• Paid 25M for Iridium assets
• Relaunched commercial service in 2001
• Large government contract (72M/2 years via DISA)
• Dedicated gateway earth station in Hawaii
• Defense Information Systems Agency
• Department of Defense
• Department of State
• Inter-satellite links
• Enough money to replenish satellites?

49
Globalstar

• Loral, Qualcomm
• 48 satellites in LEO
• Start of operations February 2000
• Currently under bankruptcy protection
• Bent-pipe
• CDMA service
• Underpowered satellites
• Recharge over oceans
• 9.6 kbps data

50
ICO

• 4.7 billion
• Hughes-built satellites
• 10 satellites in Medium Earth Orbit (MEO)
• GSM-based
• New ICO
• Craig McCaw
• Merged with Teledesic

51
Orbcomm (Little LEO)

• 28 satellites
• 14 earth stations
• VHF operation
• Data only
• Store and Forward if ground station not in view
• GlobalGrams X.400 e-mail
• Latency

52
Mobile Satellite Ventures

• Motient
• AMSC-1 (500M)
• Spar Aerospace
• TMI
• MSAT-1 (identical)
• Mobile satellite voice and data
• L-band
• Digital voice

53
Interception

• Gateways require tapping
• FBI, CALEA requirements
• Iridium agreement
• Globalstar agreement
• TMI on-demand access
• National intelligence and police forces
• Test equipment
• Limited use of encryption
• Modifiable phone equipment

54
INTELSAT

• Was a consortium of nations as signatories
• Now privatized
• Large fleet in geostationary orbit
• Primarily telephone and television traffic
• Carries unencrypted voice, data and fax
• Used by US DoD for UAV datalink

55
INMARSAT

• International Maritime Satellite Organization
• AOR, POR, IOR coverage
• L-band

56
Global Positioning System

• 24 satellites
• Selective Availability turned off May 2000
• 30 meter accuracy
• Can be jammed (denial of service)
• Can be spoofed

57
GPS Frequencies

• L1 1575.42 MHz Coarse Acquisition (C/A) code
• L2 1227.60 MHz Precise (P) or Y (encrypted)
  code
• L3 1381.05 MHz Nuclear burst detectors
• L4 1841.40 MHz Ionospheric correction (under
  study)
• L5 1176.45 MHz Civilian safety-of-life signal
  (proposed)

58
GPS Enhancements
The new architecture also requires new user
equipment and an upgraded ground control segment,
as well as M-Code. All of those elements should
be in place by 2008, when 18 satellites with
M-Code - 12 IIRs and 6 IIFs - will be up.
59
GLONASS

• Global Orbital Navigation Satellite System
• 1606 to 1616 MHz
• Full operational status achieved once

60
Satellite Failures

• PanAmSat Galaxy 4
• Attitude control and backup failed
• Major supplier of service to paging towers
• ATT Telstar 401
• launched 1993, failed 11 January 1997
• abrupt failure, solar activity? (large solar
  flare 6 January 1997)
• Galaxy 7
• Primary control processor failed June1998.
  Secondary processor failed November 2000.
• Suspected electrical shorts in spacecraft control
  processor (SCP).
• Solidaridad 1
• Primary SCP failed May 1999. Secondary SCP
  failed August 2000.
• Anik E1
• 1996, Power Subsystem Failure, Partial Loss
• EchoStar 4
• 1998, Solar Array Failed to Deploy, reduced
  electrical power available

61
Questions?
62
Satellite Glossary
BEACON Modulated oscillator, usually
containing telemetry. Sometimes referred to
as a pilot. Used to locate a satellite and
determine received signal strength. BEAM
Uplink or downlink channel to or from the
satellite. May cover a wide area, or be
focused on a particular location (spot
beam). BENT PIPE Big repeater in the sky.
Simply repeats uplinked signal on downlink side,
with amplification. Also called
non-processing. DOWNLINK, UPLINK Downlink is
signal from satellite to ground station.
Uplink is signal from ground station to the
satellite.
63
Satellite Glossary (cont)
EOL End of Life. Satellite lifetimes, barring
accident or other damaging incident, are
determined by the amount of maneuvering fuel
(typically hydrazine) on-board. When the
fuel runs out the satellite can no longer be
maneuvered to stay in it's assigned orbital
location. The orbit then becomes inclined.
Current satellites have an expected life of 10 -
15 years. ECLIPSE Satellite's solar panels
are blocked by the earth (22 days before and
after spring and autumn equinox, maximum of 70
minutes) or the moon (irregular). EIRP
Effective Isotropic Radiated Power. A measure of
satellite transmitter strength, usually in
dBw (decibels above one watt).
64
Satellite Glossary (cont)
FDMA, TDMA, CDMA, DAMA Modulation schemes to
allow resource (bandwidth) sharing. Frequency
Division Muliple Access standard for video.
Time Division Multiple Access standard for
telephone, most data. Code Division Multiple
Access spread spectrum, originally military.
Demand Assign Multiple Access shared data
systems, including VSAT. FEEDERLINK
Communications link between the ground station
and the satellite. This link is distinct from
the user links. FOOTPRINT Geographic area on
the earth covered by a particular satellite beam.
65
Satellite Glossary (cont)
INCLINED ORBIT When maneuvering fuel runs
out. Requires tracker at ground station.
Traces a figure-eight pattern above and below the
equator over 24 hours. INMARSAT
International Maritime Satellite Organization.
Covers Atlantic (AOR East and West), Pacific
(POR) and Indian (IOR) Oceans. Has spares in
orbit, not always in contact with TTC. LOOK
ANGLE Elevation from a given location to a
satellite. 90 degrees is directly overhead,
0 degrees is on the horizon. PSEUDOLITE
Pseudo-satellite. Ground-based or airborne
transmitter emitting satellite-like signals.
66
Satellite Glossary (cont)
TRANSPONDER Discrete frequency slot assigned
to an uplink/downlink. TTC Telemetry,
Tracking and Command. Ground Station monitoring
and controlling satellite operation. TWT
Traveling-Wave Tube amplifier. Has nearly flat
response across a wide bandwidth. Newer
satellites are using solid state
amplifiers. VSAT Very Small Aperture
Terminal. Usually dedicated data links in a star
configuration. Popular with gas stations for
credit card verification car dealers for sales
information.