Cellphone Security - PowerPoint PPT Presentation

1
Cellphone Security
  • David Wagner, U.C. Berkeley

2
Cellular Systems Overview
  • Cellphone standards from around the world

North America, analog: AMPS
North America, digital: CDMA, TDMA, N-AMPS
Europe, digital: GSM
3
Cellular Crypto Algorithms
           | Confidentiality                 | Authentication                    | Keying
US Analog  | None                            | None                              | None
US Digital | XOR mask, CMEA (ORYX)           | CAVE                              | CAVE
GSM        | A5/0, A5/2, or A5/1 (soon A5/3) | COMP128 (COMP128-2, 3DES-CBC-MAC) | COMP128 (same)
6
Part I: North American Analog Systems
7
Overview of US Analog Protocol
  • Everything goes in the clear

[Diagram labels: Home agent, PSTN]
8
Vulnerabilities: Early Frauds
  • At first, billing was done offline when roaming
  • Then criminals discovered one could pick a random
    MIN/ESN pair and make free calls
  • So, providers added blacklists to base stations
  • But the first use of any MIN/ESN pair was
    unauthenticated, so criminals made very long
    calls
  • Later, tumbling: use a new MIN/ESN pair each time
  • Countermeasure: realtime positive authentication
  • But cloning attacks became deadly: eavesdrop on
    MIN/ESN pair from a legitimate user, replay them
    later
  • Tumbling plus cloning makes fraud hard to detect;
    black boxes widely available

9
Impacts of Fraud
  • Fraud a big problem in analog system
  • ~5% of calls were fraudulent (~1995) (In
    Oakland on Friday night, reportedly 60-70%)
  • US losses ~$650 million/year (~2% of revenue)
  • Attackers got organized and sophisticated
  • And early weaknesses gave criminals the capital
    and training to break future systems

10
Vulnerabilities: Privacy
  • Anyone can eavesdrop on voice calls
  • Scanners (were) widely available
  • ~10-15 million scanners sold on US mass market
  • ~50 million users of US analog cellphones

It seems plausible that the majority of US analog
cellphone users may have had one of their calls
intercepted at some point.
11
Summary on Analog Cellphones
  • Everything that could go wrong, has
  • Threat models changed
  • Security architecture didn't scale up with
    deployment
  • We trained and funded a criminal underground

Analog cellphones are totally insecure.
12
Part II: North American Digital Systems
13
Overview of US Digital Protocol
  • Crypto is used on the air link

[Diagram labels: Home agent, PSTN]
(SRES, k) = CAVE(AK, RAND)
14
Cryptanalysis
  • Voice privacy is XOR with 520-bit mask
  • Breakable in realtime via ciphertext-only attack
    [Bar92]; also, first frame is often silence (all
    zeros)
  • Control channel uses CMEA, a variable-width block
    cipher with 2 rounds
  • Breakable in hours with 80 known texts [WSK97]
  • ORYX, an LFSR-based stream cipher, was proposed
    for data traffic
  • Breakable in realtime via ciphertext-only attack
    [WSDKMS98]
  • CAVE is a dedicated hash with 64-bit key
  • Best attack I know needs 2^21 chosen texts [Wag97]
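
Why a fixed XOR mask gives no confidentiality once one frame is silence, shown beside a per-frame keystream. This is an added example, not code from the presentation; the HMAC-based per-frame keystream, the sample frames and all names are assumptions chosen for illustration and are not part of any cellular standard.

```python
import hashlib
import hmac

FRAME_BYTES = 520 // 8  # one 520-bit voice frame, as on the slide

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def fixed_mask_encrypt(mask, frames):
    """Scheme from the slide: every frame is XORed with the same mask."""
    return [xor(mask, f) for f in frames]

def per_frame_keystream(key, frame_no):
    """Contrast case (assumed construction): keystream bound to the frame number."""
    out = b""
    block = 0
    while len(out) < FRAME_BYTES:
        counter = frame_no.to_bytes(4, "big") + bytes([block])
        out += hmac.new(key, counter, hashlib.sha256).digest()
        block += 1
    return out[:FRAME_BYTES]

def per_frame_encrypt(key, frames):
    return [xor(per_frame_keystream(key, i), f) for i, f in enumerate(frames)]

def silence_exposes_next_frame(ciphertexts, frames):
    """A silent frame 0 makes ciphertext 0 equal the keystream used on it.
    Returns True when that same value also decrypts frame 1 (keystream reuse)."""
    return xor(ciphertexts[0], ciphertexts[1]) == frames[1]

# Constructed sample data: a silent first frame, then one frame of "speech".
SECRET = hashlib.sha256(b"constructed secret").digest()
MASK = (SECRET * 3)[:FRAME_BYTES]
FRAMES = [bytes(FRAME_BYTES), (b"constructed voice frame " * 3)[:FRAME_BYTES]]

if __name__ == "__main__":
    fixed = fixed_mask_encrypt(MASK, FRAMES)
    fresh = per_frame_encrypt(SECRET, FRAMES)
    print("fixed mask exposes frame 1:", silence_exposes_next_frame(fixed, FRAMES))
    print("per-frame keystream does  :", silence_exposes_next_frame(fresh, FRAMES))
```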

15
Why the Crypto May Not Matter
  • Few base stations support encryption
  • It costs more
  • Some handsets have AK = 0
  • Key management considered too expensive

Security of US digital cellphones rests primarily
on cost of digital scanners and existence of
easier targets.
And many digital phones will fall back to analog,
in areas of poor coverage.
16
Part III: GSM
17
Overview of GSM Protocol
  • A review of the crypto

[Diagram labels: Home agent, PSTN, SIM]
(SRES, Kc) = A38(Ki, RAND)
18
Cryptanalysis of COMP128
  • Is it secure?
  • Well, it has lots of rounds
  • The keyed map f_k : r → r' is applied 8 times
  • But beware collisions!
  • Attempt 1: flip a bit in r0 and hope for an
    internal collision

19
Cryptanalysis of COMP128
  • Is it secure?
  • Well, it has lots of rounds
  • The keyed map f_k : r → r' is applied 8 times
  • But beware collisions!
  • Attempt 2: modify both r0 and r8, and look for
    an internal collision [BGW98]

It works!
20
Cryptanalysis of A5/1
[Diagram: registers R1, R2, R3; Ri clocks just when Ci = Majority(C1, C2, C3)]
  • Fix a 16-bit α; let S = {k : A5(k) = α ‖ any};
    define f : {0,1}^48 → S so that f(x) = k with
    A5(k) = α ‖ x, noting that f can be computed
    efficiently; define g : {0,1}^48 → {0,1}^48 by
    α ‖ g(x) = A5(f(x))
  • Apply Hellman's time-space tradeoff to g [BSW00]
  • Breaks A5/1 with 2^24 work per key, 2^36 space,
    2^48 precomputation

21
Description of A5/2
  • Add a 17-bit LFSR, R4, that is clocked normally
  • Clock control of R1, R2, R3 is a non-linear
    function of R4
  • Output is quadratic function of R1, R2, R3
  • After key loaded, one bit of each register is
    forced to be set (!!!)

22
One Evaluation of A5/2
  • "The resource budget for the project was 15.75
    man-months. The results of the mathematical
    analysis did not identify any features of A5/2
    which could be exploited as the basis for a
    practical eavesdropping attack on the GSM radio
    path. All members of SAGE stated that they were
    satisfied that A5/2 was suitable to protect
    against eavesdropping on the GSM radio path."
  • -- ETSI TR 278

23
Attacking A5/2
  • If you can get keystream from two frames 2^11
    apart
  • R4 will be the same for both, due to the
    clobbered bit (hmm)
  • Guess R4; then the clocking for R1, R2, R3 is
    known (double hmm)
  • Now solve for R1, R2, R3
  • Keystream difference is a linear function of R1,
    R2, R3 difference, so can solve using linear
    algebra
  • This reveals the key
  • Complexity: 2^16 simple dot-products → realtime!
  • Our code breaks A5/2 in 10 milliseconds [BGW99]

24
Concluding Thoughts
  • Attacks are known on most of the cryptographic
    algorithms found in today's cellphones
  • Questions?

25
Attacking A5/2
  • Get keystream from two frames 2^11 apart
  • R4 will be the same for both, due to the
    clobbered bit
  • Guess R4; then the clocking for R1, R2, R3 is
    known
  • Solve for R1, R2, R3
  • Keystream difference is a linear function of R1,
    R2, R3 difference, so solve using linear algebra
  • Complexity: 2^16 simple dot-products → realtime!

26
The security risk: RF leakage
27
The outsider threat
Lesson: build in security from the start
28
Keeping the outsider at bay
[Diagram: network and base station; every node holds the same key k]
A simple approach: global shared keys
29
Global shared keys
  • Advantages
      • Simple, reasonable performance
  • Limitations
      • No security against insider attacks
      • What if a mote is compromised or stolen?

30
Part II: Security against insiders
  • Tolerating compromised motes

31
Defending against insider attacks
[Diagram: base station holds k1, …, k5; each mote in the network holds one of k1, k2, k3, k4, k5]
Per-mote keying
33
Per-mote keying
  • Advantages
      • Simple, reasonable performance
      • Lost motes don't reveal rest of network's keys
  • Disadvantages
      • Motes can't talk to each other without the help
        of the base station
      • Insiders can still falsify sensor readings
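
The difference between a global shared key and per-mote keys when one mote is lost, as an added example that is not code from the presentation. It assumes the keys are used to MAC sensor reports with HMAC-SHA256 and that each per-mote key is derived from a base-station master secret; the slides specify neither, and all names and values are constructed.

```python
import hashlib
import hmac

def mote_key(master, mote_id):
    """Per-mote key k_i, derived here as HMAC(master, id) (an assumption)."""
    label = b"mote" + mote_id.to_bytes(2, "big")
    return hmac.new(master, label, hashlib.sha256).digest()

def tag(key, mote_id, reading):
    """MAC over (mote id, reading) so a report is bound to its sender."""
    msg = mote_id.to_bytes(2, "big") + reading.to_bytes(4, "big", signed=True)
    return hmac.new(key, msg, hashlib.sha256).digest()

class BaseStation:
    def __init__(self, master, per_mote):
        self.master, self.per_mote = master, per_mote

    def key_for(self, mote_id):
        # Global scheme: one key k for everyone. Per-mote scheme: k_i.
        return mote_key(self.master, mote_id) if self.per_mote else self.master

    def accept(self, mote_id, reading, mac):
        expected = tag(self.key_for(mote_id), mote_id, reading)
        return hmac.compare_digest(expected, mac)

def forged_report_accepted(station, stolen_id, claimed_id, reading):
    """Whoever holds the key taken from mote `stolen_id` reports `reading`
    under the identity `claimed_id`; returns whether the station accepts it."""
    stolen_key = station.key_for(stolen_id)
    return station.accept(claimed_id, reading, tag(stolen_key, claimed_id, reading))

MASTER = hashlib.sha256(b"constructed master secret").digest()  # constructed value
GLOBAL = BaseStation(MASTER, per_mote=False)
PER_MOTE = BaseStation(MASTER, per_mote=True)

if __name__ == "__main__":
    print("global key, mote 3 lost, report as mote 1:",
          forged_report_accepted(GLOBAL, 3, 1, 1000))
    print("per-mote keys, mote 3 lost, report as mote 1:",
          forged_report_accepted(PER_MOTE, 3, 1, 1000))
    print("per-mote keys, mote 3 lost, report as mote 3:",
          forged_report_accepted(PER_MOTE, 3, 3, 1000))
```

The last case is the slide's remaining limitation: per-mote keys confine a lost mote to its own identity, but its own readings are still accepted.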

34
An example: computing the average temperature
[Diagram: motes in the network report 67, 64, 69, 71, 68; the base station computes f(67, …, 68)]
where f(x1, …, xn) = (x1 + … + xn) / n
35
An example: an attack
[Diagram: motes in the network report 67, 64, 69, 71, 68; compromised mote X reports 1,000; the base station computes f(67, …, 1,000)]
where f(x1, …, xn) = (x1 + … + xn) / n
Computing the average temperature: result is drastically affected
36
Resilient aggregation
  • Some theory
  • For f : ℝ^n → ℝ, a random variable X on ℝ^n, and
    σ = StdDev[f(X)], define
    Pow(A) = E[(f(A(X)) − f(X))^2]^(1/2) / σ
  • Say f is (m, α)-resilient if Pow(A) ≤ α for all
    adversaries A : ℝ^n → ℝ^n modifying only m of
    their inputs
  • Example: the average is not (m, α)-resilient
    for any constant α

37
Relevance of resilience
  • Intuition
  • The (m, α)-resilient functions are the ones that
    can be meaningfully and securely computed in the
    presence of m malicious insiders.
  • Formalism
  • Theorem. If f isn't (m, α)-resilient, m insiders
    can bias f(...) by at least α σ, on average. If
    f is (m, α)-resilient, it can be computed
    centrally with bias at most α σ, for m insiders.

38
Examples
f is (m, α)-resilient, where

f                               | α
average                         | ∞
average, discarding 5% outliers | 1.65 m/n^(1/2) for m < 0.05 n; ∞ for m > 0.05 n
median                          | m/n^(1/2) for m < 0.5 n
max                             | ∞
95th percentile max             | O(m/n^(1/2)) for m < 0.05 n
count                           | m/(p(1−p)n)^(1/2)

(assuming n independent Gaussian/Bernoulli
distributions)
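
An empirical estimate of Pow(A) for three of the aggregates in the table, as an added example that is not from the presentation. It assumes Gaussian temperature readings (mean 68, standard deviation 3), an adversary that replaces m readings with 1,000 as in the attack slide, and reads "discarding 5% outliers" as dropping the lowest and highest 5% of values.

```python
import random
import statistics

def average(xs):
    return sum(xs) / len(xs)

def trimmed_average(xs, frac=0.05):
    # Assumption: discard the lowest and the highest `frac` of the readings.
    k = round(len(xs) * frac)
    kept = sorted(xs)[k:len(xs) - k]
    return sum(kept) / len(kept)

def median(xs):
    return statistics.median(xs)

def adversary(xs, m, bogus=1000.0):
    """A(X): m compromised motes report `bogus` instead of their reading."""
    return [bogus] * m + list(xs[m:])

def pow_estimate(f, m, n=100, trials=1000, seed=1):
    """Monte Carlo estimate of Pow(A) = E[(f(A(X)) - f(X))^2]^(1/2) / sigma,
    with sigma = StdDev[f(X)] taken over the same honest samples."""
    rng = random.Random(seed)
    honest, squared_error = [], 0.0
    for _ in range(trials):
        xs = [rng.gauss(68.0, 3.0) for _ in range(n)]  # constructed readings
        fx = f(xs)
        honest.append(fx)
        squared_error += (f(adversary(xs, m)) - fx) ** 2
    sigma = statistics.pstdev(honest)
    return (squared_error / trials) ** 0.5 / sigma

if __name__ == "__main__":
    for name, f in [("average", average),
                    ("trimmed average", trimmed_average),
                    ("median", median)]:
        for m in (3, 10):
            print(f"{name:16s} m={m:2d}  Pow ~ {pow_estimate(f, m):8.2f}")
```

With n = 100, m = 3 stays below the 5% trimming threshold and m = 10 exceeds it, so the output shows the trimmed average holding in the first case and failing like the plain average in the second, while the median stays bounded in both.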
39
Primitives for aggregation (1)
  • Computing with histograms
  • Theorem. If f is a (m, α)-resilient, symmetric
    function with Σi ∂f/∂xi ≤ β, f can be computed
    securely using a histogram with buckets of width
    w. With m insiders, the bias will be at most
    about α σ + 0.5 w β.

40
Primitives for aggregation (2)
  • Computing with random sampling
  • Idea in progress. If f is a (m, α)-resilient,
    symmetric function with Σi ∂f/∂xi ≤ β, perhaps
    f can be computed securely by sampling the values
    at k randomly selected motes.

41
But: an important caveat!
[Diagram: network]
Aggregation in the network introduces new
challenges
42
Summary
  • Crypto helps, but isn't a total solution
  • Be aware of the systems tradeoffs
  • Seek robustness against insider attack
  • Resilience gives a way to think about insiders
  • The law of large numbers is your friend
  • Feedback?
