Well, it looks like what happened to WEP all those years ago is going to happen to GSM now. The methods have been known and the theory is established, but the breaking point comes when freely available tools are published that make it possible for anyone to perform the attacks, even without really understanding what is going on.
The recent news about WPA2 being cracked generated a lot of discussion, mostly highly technical – which means that you don’t have to worry too much about WPA2 being insecure, as the attack isn’t really viable and relies on the ‘attacker’ already being authenticated with the network. There are easier ways to do the same thing with good old ARP spoofing.
Independent researchers have made good on a promise to release a comprehensive set of tools needed to eavesdrop on cell phone calls that use the world’s most widely deployed mobile technology.
“The whole topic of GSM hacking now enters the script-kiddie stage, similar to Wi-Fi hacking a couple years ago, where people started cracking the neighbor’s Wi-Fi,” said Karsten Nohl, a cryptographer with the Security Research Labs in Berlin who helped spearhead the project. “Just as with Wi-Fi, where they changed the encryption to WPA, hopefully that will happen with GSM, too.”
The suite of applications now includes Kraken, software being released at the Black Hat security conference on Thursday that can deduce the secret key encrypting SMS messages and voice conversations in as little as 30 seconds. It was developed by Frank A. Stevenson, the same Norwegian programmer who almost a decade ago developed software that cracked the CSS encryption scheme protecting DVDs.
It seems that with this suite of tools and the right hardware kit it’ll be a LOT easier to snoop on GSM transmissions. This includes cracking the secret key for SMS messages as well as being able to listen to voice streams.
The rainbow tables required for the crack are rather large at 1.7TB, but they allow the attack to be pulled off in a mere 30 seconds. And thankfully they are being offered freely rather than on a paid-for basis. They are planning to push out a torrent for the files, which will work well as long as people keep seeding it.
It has been designed to work seamlessly with 1.7TB worth of rainbow tables that are used to crack A5/1, a decades-old encryption algorithm used to protect cell phone communications using GSM, which is used by about 80 percent of the world’s mobile operators. A small confederation of researchers announced last year they were setting out to create the voluminous index, which exploits known weaknesses in the encryption formula.
Distributing the rainbow tables has proved to be a challenge to the project participants. Stevenson said people in Oslo, where he’s located, are welcome to exchange a blank hard disk for one that contains the data. Eventually, the group expects to make the tables available as a BitTorrent.
The GSM Alliance, which represents almost 800 operators in 219 countries, pooh poohed the universal snooping plan by characterizing the attack as theoretical and saying encryption wasn’t the only protection preventing eavesdropping on real-time communications.
That’s where another tool, called AirProbe, comes in. An updated version of the program, also to be distributed Thursday, works with USRP radios to record digital signals as they pass from an operator’s base station to a GSM handset. Combined with refinements in the open-source GNU radio, it works by pulling down voluminous amounts of data in real time as it travels to the targeted cell phone and storing only those packets that are needed to snoop on a call.
In all honesty I’m not really familiar with GSM protocols, encryption or their weaknesses as it’s not an area I’ve ever ventured into, so if any of you have any input on the above claims I’d be interested to hear it. Has this attack been possible for a while? Is it really a risk, or just another mostly theoretical attack depending on many factors to pull it off?
Either way it’s a pretty interesting story and I’ll be seeing where it goes.
Source: The Register
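The time-memory trade-off behind the 1.7TB tables, as an added example that is not from the article or the Kraken project: a toy 16-bit one-way function stands in for A5/1, and every name and parameter here (`f`, `reduction`, `CHAIN_LEN`, `N_CHAINS`) is an assumption chosen for illustration. It shows why the expensive work is done once offline and each later lookup is cheap, and why the approach only pays off against a small, fixed keyspace.

```python
import hashlib

BITS = 16                       # toy keyspace (assumption), small enough to run instantly
MASK = (1 << BITS) - 1
CHAIN_LEN = 64                  # longer chains: less storage, more work per lookup
N_CHAINS = 2048                 # number of stored (start, endpoint) pairs

def f(key: int) -> int:
    """Toy one-way function standing in for key -> observed cipher output."""
    digest = hashlib.sha256(key.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") & MASK

def reduction(value: int, pos: int) -> int:
    """Column-dependent mapping from an output back into the keyspace."""
    return (value + pos * 0x9E37) & MASK

def build_table() -> dict:
    """Offline phase: keep only each chain's endpoint and the starts that reach it."""
    table = {}
    for i in range(N_CHAINS):
        start = key = (i * 31 + 7) & MASK
        for pos in range(CHAIN_LEN):
            key = reduction(f(key), pos)
        table.setdefault(key, []).append(start)
    return table

def lookup(table: dict, target: int):
    """Online phase: return a key with f(key) == target, or None if not covered."""
    for guess in range(CHAIN_LEN - 1, -1, -1):    # assume the key sits in column `guess`
        key = reduction(target, guess)
        for pos in range(guess + 1, CHAIN_LEN):   # walk forward to the chain endpoint
            key = reduction(f(key), pos)
        for start in table.get(key, ()):          # endpoint hit: replay from the start
            cand = start
            for pos in range(guess):
                cand = reduction(f(cand), pos)
            if f(cand) == target:                 # discard false alarms from merged chains
                return cand
    return None

def brute_force(target: int):
    """No-table baseline: up to 2**BITS evaluations of f for every recovered key."""
    return next((k for k in range(1 << BITS) if f(k) == target), None)
```

The table stores 2,048 start points to cover chains totalling 131,072 key evaluations; doubling the key length squares the keyspace and the precomputation with it, which is why a longer key is the structural fix.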
d3m4s1@d0v1v0 says
Wow, this looks great! But at the same time it worries me that anyone would be able to sniff conversations!
Amr Ali says
Well the cryptographic attack is very doable, the claims are correct, but apparently it is rather such a very low rated cryptographic weakness they have exploited as apparently the brute force search still requires a lot of resources (1.7TiB is no joke).
As for whether this attack was done or discovered long before this guy came up with it: absolutely, mostly in military rings and intelligence agencies.
Is it theoretical? I don’t believe so, but it is not yet a skiddie-style attack; it still requires some hardware work, which is not exactly a plug&play kind of thing.
I do see that in the near future a better cryptographic attack will be found and the rainbow table will be thrown away or at least get minimized a little. Maybe the hardware will get easier to operate and assemble, but I’m doubtful about that as it will require proper funding and a business to be built around it, or a handful of DIY projects and research to get into place and ease things off a bit.
netinfinity says
You have the GSM cracking tools available here:
http://reflextor.com/trac/a51/browser/tinkering/Kraken
Arimus says
Even if the rainbow tables are large (they are) and it’s a brute force attack (it is, albeit optimized), the mere fact it only takes 30 seconds to break is the worry.
Cryptography needs to be such that the time taken to break the encryption is several orders of magnitude longer than the time in which the information is exploitable… for instance a message saying ‘attack this coordinate in 5 minutes’ only really needs to stand attack for 10 minutes to have been effective; the patrol locations of an SSN need to be protected for at least 7 months (the average at sea time of the vessel is 6 months) – or decades if the same general area is in frequent use. So for any means an encryption that only lasts 30 seconds is not worth the time taken to encrypt the damned thing in the first place.
Morgan Storey says
Arimus, this is time offset brute force, that’s what rainbow tables are. So if you didn’t have the rainbow tables it would take you years to decrypt a call.
Even with the rainbow tables being a torrent download away (and $100 on the 2tb drive to store them on) I can’t see a skiddie doing this any time soon due to the cost of the GSM hardware, but I am betting someone will write an instructable on how to build it with $100 worth of parts and then it will be on.
threethirty says
As a wannabe skript kiddie this excites me a lot. This could be extremely useful and fun.
kishfellow says
The tables can be optimized with flash drives or SSD… and cracking happens under 30 seconds. The attack is also possible on commercial equipment and cracks for A5/2 and A5/1 can be done in under 2 seconds, and one piece of equipment promises to do the cracking in real time in a second or less.
So the threat is real, and the setup with USRP / Gnuradio works… The hardware setup (soldering, assembly) will take a few hours. Then there’s a bootable CD called OpenBootTS by Chris Paget to give you out of the box – configuration for GSM works. The CD expects you have familiarity and have already played with gsm, asterisk and openbts.
The cracking was first shown by THC, later by David Hulton, and then by Karsten Nohl / Chris Paget in CCC Conference.
Cheers,
Kish