gsm privacy attacks
play

GSM privacy attacks Karsten Nohl, nohl@srlabs.de Karsten Nohl, - PowerPoint PPT Presentation

Jun 19, 2023 •136 likes •600 views

GSM privacy attacks Karsten Nohl, nohl@srlabs.de Karsten Nohl, nohl@srlabs.de Agenda GSM attack history GSM attack vectors Attacking GSMs A 5/1 encryption Risk scenario: GSM payment GSM is global, omnipresent and wants to

  1. GSM privacy attacks Karsten Nohl, nohl@srlabs.de Karsten Nohl, nohl@srlabs.de

  2. Agenda  GSM attack history  GSM attack vectors  Attacking GSM’s A 5/1 encryption  Risk scenario: GSM payment

  3. GSM is global, omnipresent and wants to be hacked GSM 80% of encryption mobile introduced phone in 1987 … market … then 200+ disclosed countries and shown insecure in 5 billion 1994 users! Source:Wikipedia, Bitkom press statement July 28 th 2010

  4. We wanted to publicly demonstrate that GSM uses insufficient encryption Public break attempts … A5/1 shown academically broken A5/1 shown more … … and more … … and more broken. Broken with massive computation Rainbow table computation '97 '00 '03 '05 '06 '03/'08 Tables never released Too expensive Not enough known data in GSM packets … that didn't work.

  5. Industry responds to GSM cracking attempts by creating new challenges “ … the GSM call has to be identified and recorded from the radio interface. […] we strongly suspect the team developing the intercept approach has underestimated its practical complexity . A hacker would need a radio receiver system and the signal processing software necessary to process the raw radio data. ” – GSMA, Aug. ‘ 09 This talk introduces signal processing software to decode GSM calls Source: GSMA press statement

  6. Agenda  GSM attack history  GSM attack vectors  Attacking GSM’s A5/1 encryption  Risk scenario: GSM payment

  7. GSM networks are victim and source of attacks on user privacy SS7 GSM backend User data- base (HLR) Base station Phone network  GUI attacks,  Weak encryption  Over-the-air  Access to Attack phishing software private user  No network vectors installation data  Malware authentication (security optional) Covered in this lecture

  8. Network operator and manufacturer can install software on a phone Operator  Install or update software (SIM)  Update service books (BlackBerry) Encryption  Read phone book, text Messaging messages SIMToolkit Smart phone Java  Install, delete, update manufacturer any software  Read all data Source:DSTK standards WiP and S@T

  9. Telcos do not authenticate each other but leak private user data The global SS7 network “ send SMS to your subscriber x ” Telco Telco “ where in the world is your subscriber y ” “ HLR query ” can be abused Telco Telco  All telcos trust each other on the global SS7 network  SS7 is abused for security and privacy attacks; currently for SMS spam  SMS messages and caller ID can be spoofed

  10. Information leaked through SS7 network disclose user location Query Accessible to Location granularity  HLR query  Anybody on  General region (rural) the Internet to city part (urban)  Anytime  Network  Cell ID: precise interogation operators location -SMSC granularity accessible from the Internet-

  11. Agenda  GSM attack history  GSM attack vectors  Attacking GSM’s A5/1 encryption  Risk scenario: GSM payment

  12. GSM uses symmetric A5/1 session keys for call privacy Operator and Random nonce Session key phone share a Hash Master key master key to de- function rive session keys Random Random nonce nonce and session key Communi- cation A5/1- encrypted with sess- Operator Home Base station Cell phone ion key Location Register This talk discusses a technique for extrac- ting session keys

  13. A5/1 is vulnerable to pre-computation attacks Code book attacks  Code books break encryption functions with small keys  Code book provides a mapping from Secret state Output known output to secret state A52F8C02 52E91001  An A5/1 code book is 128 Petabyte 62B9320A 52E91002 and takes 100,000+ years to be C309ED0A 52E91003 computed on a PC This talk revisits techniques for computing an A5/1 code book fast and storing it efficiently

  14. Optimized A5/1 attack pre-computation takes just a few GPU-months Time on single threaded CPU: 100,000+ years 1 Parallelization  Bitslicing increases already large number of parallel computations by a factor of 256 2 Algorithmic tweaks  Compute 4 bits at once Cryptographic tweaks 3  Executing A5/1 for 100 extra clock cycles decreases key space by 85% Result: 1 month on 4 ATI GPUs *NVidia CUDA and ATI Brook GPUs are supported

  15. GPUs allow for massive parallelization of 1 code book computation Bitslicing: 1 PC with 3 graphics cards à 2 GPUs à 60 cores computes almost 100,000 A5/1 operations in parallel Source:iX 5/2010: Geheimnislos

  16. Algorithmic tweaks accelerate CUDA A5/1 2 engine significantly  Shift registers are expensive in software, while memory is cheap  Only a few state bits determine round function  Trade table lookups for shifts; optimal for CUDA: 4 shifts at once

  17. Balancing memory lookups and 2 computation maximizes throughput  Look-up tables (16kByte SRAM) enable parallelization of shifts  The tables are shared across 8 CUDA cores each 16

  18. A5/1 key space shrinks to 2 61 secret states 3 Relevant Ring with states: These states 2 64 states Rings with can be 2 61 states ignored for … … A5/1 attacks  LFSR used in older stream  Newer stream ciphers therefore ciphers preserve the full use NLFRs  The output space of NLFSR slowly output space of a function  However, they have collapses  The 100 extra A5/1 clocks in GSM statistical weaknesses shrink the output space by 85%

  19. Pre-computation tables store the code book condensed K K K E233 2F06 503A OCFE K K K DB18 B951 CAF3 77CF Collision K K K 22CB A8F3 CAF3 77CF K K K 87A4 49A6 118F B33F Longer chains := a) less storage, b) longer attack time 18 Source:c ’ t

  20. Distinguished point tables save hard disk lookups K K 7707 BEFO 6100 K K K B0F0 F415 44B2 A200 Collision K 44B2 A200 K K CA06 302F B400 Hard disk access only needed at distinguished points 19 Source:c ’ t

  21. Rainbow tables mitigate collisions K 1 K 2 K 3 E233 44B2 BBA8 1B22 Collision K 1 K 2 K 3 DB18 ODE3 44B2 5DE2 K 1 K 2 K 3 22CB 6C7A 55D2 922A K 1 K 2 K 3 87A4 11F6 362E C7D5 Rainbow tables have no mergers, but an exponentially higher attack time 20 Source:c ’ t

  22. The combination of both table optimizations provides best trade-off Start 1 2 - 5 6 7 End Distinguished points: Last 15 bits are zero 21

  23. Open source components fit together in analyzing GSM calls GnuRadio Airprobe Kraken Airprobe records data parses con- cracks A5/1 decodes from air trol data key voice Requires Requires  Software radio, ie. USRP  2TB of rainbow tables  Recommended for up-  CPU or ATI graphics card  SSD/RAID for fast cracking stream: BURX board 22

  24. Downstream can be recorded from large distances Upstream recor- ding range: Downstream 100-300m recording range: 5 – 35km 23

  25. GSM discloses more known keystream than assumed in previous attacks Known Unknown Channel Channel Assignment Timing known Frame with known or guessable plaintext Very early Early Late through 1. Empty Ack after ‘ Assignment complete ’ 2. Empty Ack after ‘ Alerting ’ Mobile “ Stealing 3. ‘ Connect Acknowledge ’ termi- bits ” nated 4. Idle filling on SDCCH (multiple frames) calls 5. System Information 5+6 (~1/sec) 6. LAPDm traffic Counting 1. Empty Ack after ‘ Cipher mode complete ’ Counting frames 2. ‘ Call proceeding ’ Network 3. ‘ Alerting ’ termi- 4. Idle filling (multiple frames) “ Stealing nated bits ” 5. ‘ Connect ’ calls 6. System Information 5+6 (~1/sec) 7. LAPDm Counting 24 Source:GSM standards

  26. Randomized padding would mitigate attack potential SDCCH trace 238530 03 20 0d 06 35 11 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 238581 03 42 45 13 05 1e 02 ea 81 5c 08 11 80 94 03 98 93 92 69 81 2b 2b 2b 238613 00 00 03 03 49 06 1d 9f 6d 18 10 80 00 00 00 00 00 00 00 00 00 00 00 238632 01 61 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 238683 01 81 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 238715 00 00 03 03 49 06 06 70 00 00 00 00 00 04 15 50 10 00 00 00 00 0a a8 238734 03 84 21 06 2e 0d 02 d5 00 63 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 238785 03 03 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b Randomization was specified in Padding in GSM Every byte of randomized 2008 (TS44.006) and should be has traditionally padding increasing attack implemented with high priority been predictable cost by two orders of Additionally needed: randomi- (2B) magnitude! zation of system information msg. 25

  27. GSM ’ s security must be overhauled Configuration tweaks and small standard modifi- Short cations render some GSM crackers useless, but do term not prevent cracking using newer tools. Upgrading GSM ’ s encryption function should be a mandatory security patch A5/1 A5/? Long term Replacing A5/1 with A5/3 may not be enough: • The A5/3 cipher is academically broken • The same master keys are used for A5/1 and A5/3 (weakest link security)

Recommend

Privacy (Section 7.2.5 on Privacy Attacks) sws2 1 [Peter Steiner,1993] 2 myth

Privacy (Section 7.2.5 on Privacy Attacks) sws2 1 [Peter Steiner,1993] 2 myth

Software and Web Security 2 More attacks on Clients: Privacy (Section 7.2.5 on Privacy Attacks) sws2 1 [Peter Steiner,1993] 2 myth reality Welcome user29. (IP address: 131.174.16.131) RU Nijmegen, NL; male german

1.11k views • 58 slides
Privacy Attacks Practicum Privacy & Fairness in Data Science CS848 Fall 2019 2 Module 1:

Privacy Attacks Practicum Privacy & Fairness in Data Science CS848 Fall 2019 2 Module 1:

Privacy Attacks Practicum Privacy & Fairness in Data Science CS848 Fall 2019 2 Module 1: Intro to Privacy 1. Privacy Attacks Practicum 2. Differential Privacy 3. Basic Algorithms 4. Designing Complex Algorithms & Composition 3

677 views • 44 slides
Privacy (Section 7.2.5 on Privacy Attacks) sws2 1 [Peter Steiner,1993] 2 myth

Privacy (Section 7.2.5 on Privacy Attacks) sws2 1 [Peter Steiner,1993] 2 myth

Software and Web Security 2 More attacks on Clients: More attacks on Clients: Privacy (Section 7.2.5 on Privacy Attacks) sws2 1 [Peter Steiner,1993] 2 myth reality y y Welcome user29. (IP address: (IP address:

691 views • 50 slides
Implementing Differential Privacy & Side-channel attacks CompSci 590.03 Instructor: Ashwin

Implementing Differential Privacy & Side-channel attacks CompSci 590.03 Instructor: Ashwin

Implementing Differential Privacy & Side-channel attacks CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 14 : 590.03 Fall 12 1 Outline Differential Privacy Implementations PINQ: Privacy Integrated Queries [McSherry SIGMOD

1.22k views • 40 slides
CS525: Who s Your Best Friend? Targeted Privacy Attacks In Location sharing Social Networks

CS525: Who s Your Best Friend? Targeted Privacy Attacks In Location sharing Social Networks

CS525: Who s Your Best Friend? Targeted Privacy Attacks In Location sharing Social Networks Wei Wang ECE Dept. Worcester Polytechnic Institute (WPI) Security and Privacy Problems in the mobile and cloud computing Security and Privacy

608 views • 19 slides
Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine

Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine

CS573 Data Privacy and Security Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine Learning Under Adversarial Settings Data privacy/confidentiality attacks membership attacks, model inversion

3.44k views • 63 slides
Privacy in Vehicular Ad-hoc Networks Nikolaos Alexiou, LCN, EE KTH alexiou@kth.se 2/10/2012

Privacy in Vehicular Ad-hoc Networks Nikolaos Alexiou, LCN, EE KTH alexiou@kth.se 2/10/2012

Privacy in Vehicular Ad-hoc Networks Nikolaos Alexiou, LCN, EE KTH alexiou@kth.se 2/10/2012 Outline Introduction VANETs: an overview VANET privacy - Anonymity - Location Privacy - VPKI Privacy Attacks Countermeasures

703 views • 42 slides
When Encryption is Not Enough Privacy Attacks in Content- Centric Networking ACM ICN 2017 1

When Encryption is Not Enough Privacy Attacks in Content- Centric Networking ACM ICN 2017 1

When Encryption is Not Enough Privacy Attacks in Content- Centric Networking ACM ICN 2017 1 Privacy with IP GET /a/b/c C S RESPONSE: <data> ACM ICN 2017 2 Privacy with IP secure channel GET /a/b/c C S RESPONSE: <data>

386 views • 37 slides
Insider attacks and RFID Privacy models Ton van Deursen and Saa Radomirovi c

Insider attacks and RFID Privacy models Ton van Deursen and Saa Radomirovi c

Insider attacks and RFID Privacy models Ton van Deursen and Saa Radomirovi c {ton.vandeursen, sasa.radomirovic}@uni.lu University of Luxembourg Financial support received from the Fonds National de la Recherche (Luxembourg) Ton van Deursen

144 views • 12 slides
Adversary for Social Good: Protecting Familial Privacy through Joint Adversarial Attacks Chetan

Adversary for Social Good: Protecting Familial Privacy through Joint Adversarial Attacks Chetan

Adversary for Social Good: Protecting Familial Privacy through Joint Adversarial Attacks Chetan Kumar, Riazat Ryan, Ming Shao Department of Computer and Information Science, University of Massachusetts, Dartmouth Data Leakage: Limited time

294 views • 27 slides
Preserving Privacy in Social Networks Against Neighborhood Attacks Bin Zhou Jian Pei School of

Preserving Privacy in Social Networks Against Neighborhood Attacks Bin Zhou Jian Pei School of

Preserving Privacy in Social Networks Against Neighborhood Attacks Bin Zhou Jian Pei School of Computing Science, Simon Fraser University 8888 University Drive, Burnaby, B.C., V5A1S6 Canada { bzhou, jpei } @cs.sfu.ca Dell Ed Abstract

278 views • 10 slides
Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj

Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj

Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj Singh Gaur 1 , Vijay Laxmi 1 , Tushar Singhal 1 , Mauro Conti 2 1 Malaviya National Institute of Technology, Jaipur, India 2 University of Padua, Italy

882 views • 58 slides
Expectation-Maximization Tensor Factorization for Practical Location Privacy Attacks Takao

Expectation-Maximization Tensor Factorization for Practical Location Privacy Attacks Takao

Expectation-Maximization Tensor Factorization for Practical Location Privacy Attacks Takao Murakami (AIST*, Japan) *AIST: National Institute of Advanced Industrial Science & Technology 1 Outline [Shokri+,S&P11] [Gambs+,JCSS14]

370 views • 19 slides
Spectre Attacks: Exploiting Speculative Execution IEEE Security & Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security & Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security & Privacy (May 20, 2019) Paul Kocher 1 , Jann Horn 2 , Anders Fogh 3 , Daniel Genkin 4 , Daniel Gruss 5 , Werner Haas 6 , Mike Hamburg 7 , Mortiz Lipp 5 , Stefan Mangard 5 ,

410 views • 13 slides
Protecting Brow ser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John

Protecting Brow ser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John

Protecting Brow ser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University Context-aw are Phishing Bank of America customers see: Wells Fargo customers see: Works in all major

340 views • 20 slides
Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World

Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World

Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World Crypto & Privacy ibenik , Croatia Outline Why physical attacks matter Implementation attacks and power analysis Leakage Detection

972 views • 52 slides
$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

Presentation Slides $ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

318 views • 13 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&P), 2019 (Dustin)

726 views • 44 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

Presentation Slides $ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

429 views • 13 slides
CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies US Privacy Laws Sources: Baase: A Gift of Fire and Quinn: Ethics for the Information Age Ethics Spring 2010 Privacy 1 Privacy The original

725 views • 45 slides
Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is

1.01k views • 76 slides
Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in

Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in

Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in many ways over the years. Usually privacy is concerned with the individual human being. We may talk about privacy as the control over your own

230 views • 21 slides

More recommend