Return to Video

Mobile network attack evolution

  • 0:00 - 0:12
    applause
  • 0:12 - 0:16
    Karsten: Thank you very much
    and a very good evening.
  • 0:16 - 0:21
    We're here yet again to talk about mobile
    network attacks, and we're going to give this talk
  • 0:21 - 0:24
    a somewhat different spin.
  • 0:24 - 0:32
    Instead of focusing on giving out new vulnerabilities,
    and then hinting at how a fix could be,
  • 0:32 - 0:37
    and suggesting that somebody else would be
    responsible for implementing these fixes.
  • 0:37 - 0:43
    We wanna look at those later stages of the
    attack evolution today.
  • 0:43 - 0:50
    And make sure we don't keep re-creating new
    results while old ones are not being resolved yet.
  • 0:50 - 0:53
    Rest assured there will also be new attacks.
  • 0:53 - 0:56
    We need to deliver on that every year.
  • 0:56 - 1:05
    But we want to make sure specifically, to introduce
    some dynamics that help everybody,
  • 1:05 - 1:09
    for networks to become more secure.
  • 1:09 - 1:19
    My primary goal today is to enable all of you to help
    with that evolution, and to do some of the research
  • 1:19 - 1:23
    that we've been doing in Berlin so far, all over the world.
  • 1:23 - 1:31
    There will be a couple of tool releases, and a
    couple of, hopefully, evolution drivers
  • 1:31 - 1:38
    In the end, for us security researchers to be successful in
    making the world better, we need industry.
  • 1:38 - 1:45
    As painful as that sounds, we need somebody to put
    in a fix, and we haven't been very good
  • 1:45 - 1:51
    about keeping check on those people that need to put
    in fixes for the research that we've been doing
  • 1:51 - 1:56
    over the last couple of years, and we're going
    to complete the picture today.
  • 1:56 - 2:05
    by talking a little bit about what networks have
    been doing around research in two areas.
  • 2:05 - 2:12
    SIM card attacks, a topic of this year where networks
    found themselves in a critical situation
  • 2:12 - 2:20
    at risk of large parts of the subscriber base being
    remotely infected, not in the phone, but in the SIM card.
  • 2:20 - 2:27
    So there has been fruitful discussion with industry,
    and lots of responses, but not enough.
  • 2:27 - 2:33
    Much more so around GSM intercept, a topic that
    probably the NSA discussions have moved
  • 2:33 - 2:39
    into everbodys mind again, but one that was really
    luring for a decade now, that anybody can
  • 2:39 - 2:42
    intercept your phonecalls at any time.
  • 2:42 - 2:46
    and again, here we want to check on the network
    operators, and make sure that they are
  • 2:46 - 2:53
    forced into putting in the protection that we deserve.
  • 2:53 - 3:00
    We first discussed SIM card attacks publicly in August
    of this year, after a few months of
  • 3:00 - 3:09
    responsible disclosure, and we found
    a combination of three vulnerabilities,
  • 3:09 - 3:16
    that led to a potentially terrible situation for networks.
  • 3:16 - 3:24
    The first fragment that we found was the ability
    to send binary text messages from one subscriber
  • 3:24 - 3:30
    to really any other subscriber, so networks
    allowed traffic that has no place to be routed
  • 3:30 - 3:36
    through networks, there's no such thing as network
    neutrality in mobile networks of course,
  • 3:36 - 3:43
    they shouldn't be routing internal management applications through what basically is
  • 3:43 - 3:47
    the IP space, or the phone number space of subscribers.
  • 3:47 - 3:53
    The second thing we found is that the services that
    these messages reach on the SIM cards are
  • 3:53 - 4:02
    often badly protected cryptographically. In particular
    we were finding lots of cards that used DES keys
  • 4:02 - 4:09
    56-bit from the seventies, that has long been
    phased out in pretty much any other application.
  • 4:09 - 4:11
    SIM cards still use old keys like that.
  • 4:11 - 4:18
    And thirdly we found that applications you
    could install through those DES keys
  • 4:18 - 4:24
    can break out of the sandbox of the Java protection
    parameter, and then access all kinds of data
  • 4:24 - 4:29
    on the SIM card that no Java was supposed to access.
  • 4:29 - 4:36
    And combining those three made for a remote
    SIM cloning vector at massive scale.
  • 4:36 - 4:41
    And networks raced to fix those on at least
    two of the three layers.
  • 4:41 - 4:48
    They put in filtering so the network, the SMS
    messages would not reach the phone any more.
  • 4:48 - 4:52
    And they upgraded DES keys to triple DES keys.
  • 4:52 - 4:57
    But most networks left it at that without really
    thinking through the problem and without really
  • 4:57 - 5:02
    understanding the root causes of what
    made the SIM card so vulnerable.
  • 5:02 - 5:07
    So I want to go into the first two categories, since
    the third one wasn't adressed even until today, and
  • 5:07 - 5:12
    show how the industry response
    was in large part insufficient.
  • 5:12 - 5:18
    And I shouldn't generalise as I do now, because
    some network operators have responded very
  • 5:18 - 5:24
    responsibly, but by and large networks shrugged
    us off or put in quick fixes and then moved on to
  • 5:24 - 5:31
    their daily business of making networks faster
    and faster and faster, but rarely more secure.
  • 5:31 - 5:37
    So let's look at filtering first, and what
    goes wrong with filtering.
  • 5:37 - 5:44
    Networks, many networks started filtering at
    around the time when we presented this publicly,
  • 5:44 - 5:52
    around Black Hat and OHM camp, and they put in
    one specific filtering rule that was not surprisingly
  • 5:52 - 5:57
    the exact message that we used in demonstrations
    at Black Hat and at OHM to demonstrate this
  • 5:57 - 6:04
    class of vulnerabilities, but did not understand
    how much broader the vulnerabilty class is.
  • 6:04 - 6:14
    So to put this in a comparison to computer security,
    if you tell somebody that they have a problem in a
  • 6:14 - 6:22
    TCP stack, let's say in the linux implementation,
    and you demo it by sending packets to the ssh daemon,
  • 6:22 - 6:28
    the fix that they implemented is to block port 22, not
    understanding that of course this exact same
  • 6:28 - 6:32
    vulnerability is also present on any
    other exposed TCP service,
  • 6:32 - 6:38
    And there's bunches of ways to format
    an SMS to reach the SIM card.
  • 6:38 - 6:45
    Some have come out of the standard, others are
    just fragments of wrong implementations on phones.
  • 6:45 - 6:50
    In particular some recent android phones will
    route pretty much anything to the SIM card.
  • 6:50 - 6:56
    and that's pretty convenient, because the SIM card
    will look at the message and then discard it, if it's not
  • 6:56 - 7:00
    properly formatted for a SIM card.
  • 7:00 - 7:03
    So the implementor of the android
    phone took the easy way.
  • 7:03 - 7:08
    Just put everything to the SIM card, it will
    decide what it wants and what it doesn't want.
  • 7:08 - 7:15
    Of course with a phone like that no level of network
    filtering, no filtering whatever TCP port will protect it,
  • 7:15 - 7:19
    Since normal user messages sometimes
    get forwarded to the phone.
  • 7:19 - 7:27
    So the industry response was a bit insufficient here
    and we'd like to see more testing of networks
  • 7:27 - 7:34
    and when we talk about tools we will perhaps
    enable you to do exactly that type of testing,
  • 7:34 - 7:40
    The second area where the industry response falls
    way short of understanding the problem,
  • 7:40 - 7:45
    again I'm generalising here, is that the
    configuration of the SIM cards.
  • 7:45 - 7:53
    We did discuss the problem with DES keys, that you
    can break a 56-bit DES key in a minute or so using
  • 7:53 - 8:00
    a rainbow table, and that of course, this is terrible
    if those services are reachable remotely.
  • 8:00 - 8:07
    And networks then went in to look at
    configurations, and lot of them came out
  • 8:07 - 8:11
    saying "We made sure everything is
    triple-DES on our SIM cards"
  • 8:11 - 8:19
    or at least a few places there was still DES in older
    profiles, we patched them to now be triple-DES.
  • 8:19 - 8:25
    Again that falls way short of
    understanding the core issue.
  • 8:25 - 8:29
    Here's a bit of technical background so you can
    appreciate what's going on in the SIM card.
  • 8:29 - 8:35
    There's a collection of keys, up to sixteen keysets,
    and each keyset can have keys for signing and
  • 8:35 - 8:40
    encryption and so forth, and those keys have
    a specific type, DES or triple-DES for instance,
  • 8:40 - 8:44
    sometimes even AES on very new cards.
  • 8:44 - 8:50
    And then there's applications on the SIM card
    and these applications, there's up to sixteen million
  • 8:50 - 8:51
    application identifiers.
  • 8:51 - 8:56
    Of course no sixteen million applications fit on a card,
    so some of these are present on
  • 8:56 - 9:04
    every SIM card, and the application gets to
    choose which keys get what level of access.
  • 9:04 - 9:08
    And what seems to have happened in August is that
    the networks go through this first application,
  • 9:08 - 9:14
    the standard application and make sure that triple-DES
    keys are required for signature or encryption or
  • 9:14 - 9:20
    better, even both. And then the DES keys they
    had there, they upgraded to triple-DES.
  • 9:20 - 9:26
    However we find in a surprisingly large number
    of SIM cards the following situation:
  • 9:26 - 9:35
    One of the other sixteen million applications says
    we use this keyset, but we require none of it.
  • 9:35 - 9:42
    So you send a command to that SIM TAR specifying
    this keyset, and you're not required to do
  • 9:42 - 9:45
    signatures or encryption.
  • 9:45 - 9:51
    And at that point it doesn't matter if you use triple-DES
    or AES or whatever algorithm, this SIM card
  • 9:51 - 9:55
    will accept any command sent to it.
  • 9:55 - 10:00
    And again that kind of being obvious to check for
    when you're going through your inventory of
  • 10:00 - 10:08
    SIM cards, but that requires a deeper level
    of understanding of these attacks than most
  • 10:08 - 10:13
    operators seem to have developed for this issue.
  • 10:13 - 10:20
    So I hope this again helps to carry the point that to
    drive the co-evolution of attacks and defenses,
  • 10:20 - 10:27
    industry is required to think through the attacks and
    understand what exactly the attack parameter is.
  • 10:27 - 10:41
    To make sure it gets across very visually now, I'd like
    to get Luca to demo the attack as we think
  • 10:41 - 10:44
    it would play out in the real world.
  • 10:44 - 10:51
    and just as one sentence of introduction perhaps,
    this is coming from a very recent SIM card
  • 10:51 - 10:57
    one that we picked up when we started playing
    with the iPhone 5 as fingerprint reader.
  • 10:57 - 11:06
    It's just an US SIM card, and Luca,
    what are you going to do now?
  • 11:09 - 11:11
    Can you switch on his microphone please?
  • 11:11 - 11:20
    Luca: Ok, so as Karsten said we found this
    particularily interesting SIM card and
  • 11:20 - 11:28
    the last one we found was very recent, it's a
    nano SIM and it goes into an iPhone 5.
  • 11:28 - 11:37
    I'm going to show you what can we do to
    bypass the filterset operators have now.
  • 11:37 - 11:56
    So we put it into the phone. I have here a BTS,
    that emulates the real operator network.
  • 11:56 - 12:01
    Karsten: Of course that's a default way to bypass
    any type of filtering that the real network may be
  • 12:01 - 12:10
    Luka: So now the mobile is connecting, and I'm trying
    to show you better, my BTS is sending some SMS's,
  • 12:10 - 12:18
    as soon as the mobile is close to the BTS, and
    it tries to register, because it thinks it is
  • 12:18 - 12:28
    the home network, I send my application, that
    is completly installed without any warning,
  • 12:28 - 12:31
    or anything on the iPhone.
  • 12:31 - 12:34
    umm
  • 12:34 - 12:43
    I want to show you something here, so this is the
    first command and it's a delete, since I've already
  • 12:43 - 12:45
    installed the application many times, I first delete it.
  • 12:45 - 12:47
    and then I install it again.
  • 12:47 - 12:50
    Karsten: So this is remote application management.
  • 12:50 - 12:54
    On a recent SIM card, that requires
    no security whatsoever, you can put in
  • 12:54 - 13:01
    whatever Java software you'd
    like to run on this SIM card.
  • 13:01 - 13:06
    Luka: Ok, so it's finished, took a couple
    of seconds, ten seconds, I dunno.
  • 13:06 - 13:13
    and now the SIM card is infected with a malware,
    that every five minutes sends the current location of
  • 13:13 - 13:18
    the user to the attackers number.
  • 13:18 - 13:26
    Since the iPhone doesn't show anything, I'm
    going to put this SIM card into another phone,
  • 13:26 - 13:32
    so you can see it better, and you can also
    have a proof that it's on the SIM card.
  • 13:38 - 13:43
    It's not very easy with the nano SIM
    into a normal phone.
  • 13:43 - 13:50
    so this is the other phone, I have a ok..
  • 13:53 - 13:58
    Karsten: So the virus stays with the SIM
    card (when moved to) another phone
  • 13:57 - 14:02
    Luka:I'm going to turn it on now.
  • 14:05 - 14:08
    Yeah.
  • 14:15 - 14:21
    Hopefully it will register to the home network.
  • 14:26 - 14:28
    Yeah.
  • 14:32 - 14:35
    Karsten: Is it still set to manual?
  • 14:35 - 14:38
    Luka: Yeah, it did register.
  • 14:43 - 14:45
    Yeah,
  • 14:45 - 14:51
    So we are actually replaying the
    attack again, just for fun.
  • 14:51 - 14:53
    Karsten: Oops.
  • 14:57 - 15:00
    Luka: [sigh]
    Karsten: Bear with us, this is a complex demo
  • 15:00 - 15:05
    lots of moving parts.
    Luka: What I can do is delete the SMS
  • 15:09 - 15:13
    Luka: So is it showing someting now?
  • 15:20 - 15:23
    Ok, I'll just try again.
  • 15:26 - 15:34
    Oh, actually I have a better idea,
    so now I stop my fake BTS
  • 15:34 - 15:36
    Karsten: yeah, better connect to the real network.
  • 15:36 - 15:40
    Luka: and I let it connect to the real network.
  • 15:51 - 15:55
    Okay. Let's see.
  • 16:03 - 16:07
    Karsten: You're confident the virus
    got deployed the second time?
  • 16:07 - 16:13
    Luka: Umm, that's actually a nice...
  • 16:13 - 16:17
    Okay, yeah that was a.
  • 16:17 - 16:20
    Karsten: Ok, lets come back to you
    in a couple of minutes then.
  • 16:20 - 16:23
    When you've prepared this, but everybody
    got the idea roughly right,
  • 16:23 - 16:29
    what should have happend; He's catching
    the phone or any of your phones really,
  • 16:29 - 16:35
    he can test for vulnerabilities by sending
    SMS, hundreds of them, not sixteen million,
  • 16:35 - 16:40
    he has to prepare a little bit, know where
    a vulnerability could be, and then once
  • 16:40 - 16:47
    he finds an unprotected application, he just sends
    a bunch of binary SMSs and combine that Java file.
  • 16:47 - 16:53
    and that java file installs on the SIM card and
    it stays installed on the SIM card,
  • 16:53 - 16:59
    and it will every five minutes send the
    current location via SMS to his number,
  • 16:59 - 17:04
    or do any other thing that the Java on
    the SIM card is allowed to do.
  • 17:04 - 17:12
    It could even try to exploit the other parts of the SIM
    card through that unpatched Java vulnerability that
  • 17:12 - 17:18
    a lot of these SIM cards still have.
  • 17:18 - 17:20
    Installing the virus again?
  • 17:20 - 17:25
    Luka: It's installing again.
  • 17:28 - 17:34
    Luka: This was just the best case we found so
    you can actually install an application inside the SIM,
  • 17:34 - 17:42
    in case this is not available, another choice is just
    reading the current ciphering key from the SIM.
  • 17:43 - 17:46
    Karsten: Yeah, so there's a lot of these..
  • 17:46 - 17:50
    Luka: So this is the message I was waiting for.
  • 17:50 - 17:56
    Karsten: So this older Nokia phone is the only phone
    we ever found that asked whether you allow your
  • 17:56 - 18:02
    SIM card to send anything back to the attacker.
    The iPhone just does it by default without asking you.
  • 18:02 - 18:05
    Luka: Press yes.
  • 18:05 - 18:11
    applause
  • 18:11 - 18:14
    Luka: Oh it's a bit small there. I try to copy
  • 18:14 - 18:16
    Karsten: Did you want to show more Luka?
  • 18:16 - 18:26
    Luka: Yeah the phone now sent the SMS to me,
    and I want to show how it looks like, so
  • 18:26 - 18:29
    hmm no.
  • 18:34 - 18:39
    Something like this? Nope
  • 18:41 - 18:41
    sighs
  • 18:41 - 18:49
    I want to enlarge this, so in this little field, there is
    the current network, the location area and cell-ID.
  • 18:49 - 18:56
    So basically it's a very precise location
    information about the user.
  • 18:56 - 18:59
    applause
  • 18:59 - 19:01
    Karsten: thank you.
  • 19:01 - 19:04
    applause
  • 19:04 - 19:10
    Luka: And the best is that this message is not filtered by the operator since it's a normal text SMS.
  • 19:10 - 19:12
    So it goes through.
  • 19:12 - 19:18
    Karsten: So a persistant virus on a modern SIM
    card, I think that's what was needed to
  • 19:18 - 19:23
    give the industry another nudge to
    deeply understand this.
  • 19:23 - 19:30
    Now to create some further nudges from you all,
    and to fulfill that goal that I stated going in,
  • 19:30 - 19:38
    to enable everybody to do these tests yourself,
    we wanna release a tool today that condenses all
  • 19:38 - 19:43
    the SIM card knowledge that we collected
    over the last couple of years.
  • 19:43 - 19:51
    It's an open source tool, written in Java, that was
    the easiest to speak to SIM cards with, and it tests
  • 19:51 - 19:59
    for all the vulnerabilites we discussed in August,
    including things like triple-DES downgrade which
  • 19:59 - 20:03
    a lot of operators seem to not
    have understood quite yet.
  • 20:03 - 20:08
    But it also detects these more recent vulnerabilities.
  • 20:08 - 20:14
    Now scanning these sixteen million possibilites on
    a SIM card, and each sixteen keys for them,
  • 20:14 - 20:17
    that takes a long time, and some older
    slower SIM cards up to two weeks.
  • 20:17 - 20:26
    So one thing the tool does is pre-select these
    TAR's smartly, so it only takes a couple of minutes.
  • 20:26 - 20:32
    It does run on a normal smart card reader,
    PC/SC interface, as well as the Osmocom phone
  • 20:32 - 20:34
    awesome opensource project also.
  • 20:34 - 20:39
    We patched it a little bit to now act as a smartcard
    reader. So of course it can communicate
  • 20:39 - 20:41
    with a SIM card.
  • 20:41 - 20:47
    So if you have any of those; PC/SC reader or an
    Osmocom phone and a couple of minutes of time,
  • 20:47 - 20:51
    download the software and please run the tests,
    make sure you're not affected, and if you are
  • 20:51 - 20:56
    be very vocal to your network operator and
    demand that these things get removed.
  • 20:56 - 21:04
    applause
  • 21:04 - 21:07
    Thank you.
  • 21:07 - 21:14
    Looking at similar technology or similar weaknesses,
    let's revisit the topic of GSM intercept,
  • 21:14 - 21:23
    and I'll again try to make the point that networks may
    be casually interested in fixing some bugs that
  • 21:23 - 21:31
    they may not have fully understood, so they only did
    half the fixes or not at all and again I think this is
  • 21:31 - 21:36
    of high urgency, understanding now how many
    people are intercepting our phone calls.
  • 21:36 - 21:44
    Network operators are supposed to protect us on
    all the frequencies we use and while 3G and 4G
  • 21:44 - 21:53
    bring pretty ok cryptography with longer key
    lengths, most of our calls still go over 2G,
  • 21:53 - 21:55
    this standard from the eighties.
  • 21:55 - 22:02
    It's the only technology that can cover large areas,
    and even in cities where the cell sizes don't
  • 22:02 - 22:07
    have to be so large, these frequencies have to
    get used because all frequencies are full.
  • 22:07 - 22:15
    We have a frequency scarcity, so 2G frequencies are
    certainly still used by everybody, almost every day.
  • 22:15 - 22:20
    and on 2G there are two different encryption
    standards that are found in the wild.
  • 22:20 - 22:27
    There's A5/1, the first encryption cipher, the one
    that was originally invented along with GSM, back in
  • 22:27 - 22:35
    the eighties, and then there's A5/3, a ten year
    old encryption standard, that's supported by
  • 22:35 - 22:41
    newer phones, I would say about half the phones
    in current use support this A5/3 cipher.
  • 22:41 - 22:44
    where the other ones will always default to A5/1.
  • 22:44 - 22:51
    And the network would have to support both of them
    in a secure way or as secure as possible way
  • 22:51 - 22:54
    to sufficiently protect their customers.
  • 22:54 - 22:59
    Let's visit each of them in turn.
  • 22:59 - 23:08
    To break A5/1 with tools like the ones we released
    some five years ago now, you have to have
  • 23:08 - 23:17
    some attack surface. It's not enough to have
    a tool that can break an A5/1 packet, you also
  • 23:17 - 23:21
    need to know what's inside the A5/1 packet.
  • 23:21 - 23:26
    So for one of all these packets you have to predict
    the content, you break the key from it, and
  • 23:26 - 23:30
    then you can decrypt the rest of them as well.
  • 23:30 - 23:34
    So you've got to start somewhere
    to then break the rest of it.
  • 23:34 - 23:40
    And I believe no spy agency would have a
    better way of breaking A5/1 over the air.
  • 23:40 - 23:43
    They also have to rely on some attack surface.
  • 23:43 - 23:50
    So if everything is unpredicable, it basically
    becomes XOR'ing random numbers.
  • 23:50 - 23:59
    The GSMA and later the 3GPP, the standardisation
    bodies, that tried to make the mobile world
  • 23:59 - 24:06
    a little bit more secure, they worked hard
    some five years ago to amend standards for
  • 24:06 - 24:08
    this attack surface to go away.
  • 24:08 - 24:15
    So in a standard trace as we see it in too many
    networks pretty much everything that is
  • 24:15 - 24:19
    encrypted is predictable, at least in the call setup.
  • 24:19 - 24:28
    So the phone starts unencrypted, it receives
    a ciphering mode command and it will then
  • 24:28 - 24:36
    encrypt every single packet it sends, and also
    expect packets it receives to be encrypted,
  • 24:36 - 24:38
    including some that actually make sense, where it
  • 24:38 - 24:43
    says, "Here, you phone with that TMSI, have
    another TMSI", but also things are
  • 24:43 - 24:49
    encrypted that carry not content whatsoever, like
    a null frame, that says the network is supposed to
  • 24:49 - 24:55
    speak now, but it has nothing to say, but also things
    with static content, like these system information
  • 24:55 - 25:02
    messages. This exact same message was sent
    maybe a second earlier unencrypted.
  • 25:02 - 25:09
    And once it switches on encryption the phone
    expects this also to be encrypted.
  • 25:09 - 25:14
    Then there's messages with very little content
    and again null frames. Things that bascially have
  • 25:14 - 25:19
    no meaning whatsoever. Assignment to certain
    frequencies, there are not many frequencies
  • 25:19 - 25:26
    to choose from so this is mostly predictable,
    and all of this is to be considered attack surface.
  • 25:26 - 25:30
    And there are two standards, padding randomisation,
    which takes shorter messages and
  • 25:30 - 25:38
    appends random bytes, and SI5 randomisation which
    takes longer messages but scrambles that content,
  • 25:38 - 25:42
    that removes this attack surface almost entirely.
  • 25:42 - 25:49
    The little bit of attack surface that's left is due
    to vendor specific communications, and
  • 25:49 - 25:52
    this needs to be fixed vendor by vendor.
  • 25:52 - 25:59
    But by just putting in those two standards,
    A5/1 calls should be protected from at least
  • 25:59 - 26:02
    the tools that we can think of.
  • 26:02 - 26:07
    Now given that this is five years ago that these
    were standardised and that there is a lot of
  • 26:07 - 26:15
    pressure on security these days. You'd imagine
    that these fixes, just tiny software fixes,
  • 26:15 - 26:21
    would be deployed thoroughly, however we
    rarely see networks that do either of them,
  • 26:21 - 26:24
    and we've never seen a network
    that does both these fixes.
  • 26:24 - 26:30
    So somewhere along the way, between the
    GSMA and 3GPP who write the standards
  • 26:30 - 26:33
    and you as a customer, that idea got lost.
  • 26:33 - 26:39
    And it's not a difficult idea, to throw in some
    random numbers, instead of static values,
  • 26:39 - 26:45
    or to take a message and scramble its contents.
    These things should be pretty straight forward to
  • 26:45 - 26:51
    implement, and we've seen both ideas in the wild,
    so there is proof that at least some vendors
  • 26:51 - 26:52
    have implemented these features.
  • 26:52 - 26:58
    However the networks do not
    seem to be using them at all.
  • 26:58 - 27:04
    The same attack surface then would open up for
    A5/3 if somebody had a much bigger computer
  • 27:04 - 27:09
    to decrypt it. And by much bigger
    I mean about a million dollars.
  • 27:09 - 27:15
    So A5/3 is now ten years old and ten years
    ago it seemed like a great idea to take
  • 27:15 - 27:22
    a 64-bit stream cipher and make a 64-bit block
    cipher out of it, you don't have to mess
  • 27:22 - 27:28
    with key generation or anything, it becomes
    much more secure, and in fact it did,
  • 27:28 - 27:31
    two million times more secure.
  • 27:31 - 27:38
    But guess who's going to spend a million dollars
    to break your A5/3 encrypted call, this year right.
  • 27:38 - 27:44
    and not just that one agency, every agency has a
    spare one million dollar to build an A5/3 cracker.
  • 27:44 - 27:49
    So industry took ten years to implement
    this standard, and now that they do,
  • 27:49 - 27:55
    in Germany for instance two networks just
    started this past month to roll out A5/3,
  • 27:55 - 27:58
    now it's already outdated.
  • 27:58 - 28:03
    Guess what, the next standard was developed
    five years ago again. A5/4 it's called,
  • 28:03 - 28:07
    it blows up the key size to a good 128-bit,
  • 28:07 - 28:13
    it steals that from the 3G part of the SIM card,
    but every SIM card these days is a 3G sim card.
  • 28:13 - 28:21
    So somehow we are always ten years behind
    the state of the art in cryptography, and
  • 28:21 - 28:29
    ten years behind what even industry describes,
    prescribes themselves to implement.
  • 28:29 - 28:35
    We want that to change, and again we want you
    to help us change that by creating awareness
  • 28:35 - 28:39
    around where networks put in
    what type of countermeasures.
  • 28:39 - 28:44
    It's not enough for them to standardise
    padding randomisation and SI5 randomisation,
  • 28:44 - 28:49
    It's not enough for them to specify A5/3 and
    A5/4, they actually need to deploy it.
  • 28:49 - 28:56
    And here's three tools you can
    use to create some visibility.
  • 28:56 - 29:00
    The first two we're releasing today, and the
    third one has always been available, there's just
  • 29:00 - 29:04
    an incremental patch from us today.
  • 29:04 - 29:10
    First one runs on an android phone and
    it allows you to record network traces.
  • 29:10 - 29:16
    Those network traces of course tell you what type
    of encryption is used, whether keys get rolled over,
  • 29:16 - 29:22
    whether your temporary identity gets
    changed regularly, and so forth.
  • 29:22 - 29:28
    The second tool is basically the same running on a
    linux computer, if you want to have the data for
  • 29:28 - 29:37
    further analysis, with the xgoldmontool,
    Tobias Engel's tool.
  • 29:37 - 29:41
    And then the third possibility for aquiring
    the same data, not just for your own phone, but
  • 29:41 - 29:48
    basically everybody in the cell you're connected to,
    is the OsmocomBB open source project.
  • 29:48 - 29:53
    Sylvain put in a lot of work a few years ago
    and created this burst_ind branch,
  • 29:53 - 30:00
    we extended it just a little bit to run much more
    stable and to really help as a capturing tool.
  • 30:00 - 30:06
    So any of these tools now helps you to look at
    what configurations your network is using,
  • 30:06 - 30:12
    and perhaps interpret this yourself, and to
    check whether they are using the latest
  • 30:12 - 30:14
    encryption and what not.
  • 30:14 - 30:21
    We'd much appreciate if you shared some of
    that information with us, and we could then again
  • 30:21 - 30:27
    help other by sharing this further and
    interpreting the information, and to make that
  • 30:27 - 30:34
    even easier, we put all these tool in a Live-ISO
    that you can put on a USB stick and boot
  • 30:34 - 30:40
    with it. That has all the tools on it, the network
    measurement tools, it has the SIM tester on it,
  • 30:40 - 30:47
    it has all the stuff on it, catch-a-catcher to
    find IMSI catchers in your vincinity.
  • 30:47 - 30:55
    It has an option to send data to a website called
    gsmmap.org and along with all these tools we
  • 30:55 - 31:02
    are releasing today, a new version of the GSM
    map website, much more colourful than before,
  • 31:02 - 31:06
    but also much more usable we hope.
  • 31:06 - 31:16
    So here's the new GSM map, and this now
    interprets a lot of network traces that many of you
  • 31:16 - 31:25
    collected over the last couple of years, with Sylvains
    burst_ind setup, and for those countries where
  • 31:25 - 31:31
    we have a little bit of data we do estimates,
    these are the striped countries here,
  • 31:31 - 31:41
    and for those networks where we have a lot of data,
    we try to track the network security over time.
  • 31:41 - 31:46
    So this for instance are the four german networks,
    and you see how over time they actually do change
  • 31:46 - 31:55
    their security settings. T-Mobile for instance,
    the high-flyer here, they had a big drop in
  • 31:55 - 32:02
    network security, intercept this is, by switching off some
    of the randomisation, earlier this year, but then
  • 32:02 - 32:09
    after they did that they started rolling out A5/3,
    so somehow they're trading in security features,
  • 32:09 - 32:17
    one for the other. This now on an aggregate level
    tells you how secure your network currently is,
  • 32:17 - 32:25
    against intercept, basically spy agencies listening
    in to your calls, impersonation, that is other
  • 32:25 - 32:31
    people using your phone identity to conduct
    some transaction, and against tracking, that is
  • 32:31 - 32:37
    somebody following your whereabouts by electronic
    means. Basically information exposed through
  • 32:37 - 32:39
    HLR queries remotely.
  • 32:39 - 32:43
    And you see how networks
    differ in these catgories.
  • 32:43 - 32:48
    This map by the way is where contributions came
    from. So a lot of these of course are collected
  • 32:48 - 32:51
    by us in Berlin.
  • 32:51 - 32:55
    But thank you so much to all of you who sent
    in all these traces from all these places that
  • 32:55 - 32:58
    none of us have ever been to.
  • 32:58 - 33:03
    So it's absolutely fabulous to see what
    coverage we've gained here.
  • 33:03 - 33:10
    Still a lot of striped and white countries,
    so we hope to complete the picture, but
  • 33:10 - 33:12
    we need everybody's help.
  • 33:12 - 33:18
    And hopefully with the tools we released
    today it becomes so much easier to push
  • 33:18 - 33:22
    data up here, that this will
    soon be filled a lot more.
  • 33:22 - 33:27
    Now for those countries that we have a lot of
    data, and that is twenty-seven countries total,
  • 33:27 - 33:36
    we are releasing detailed reports today
    also, that interpret these measurements and
  • 33:36 - 33:42
    rank the networks, but also explain a little bit
    of how we measure these things, but then give you
  • 33:42 - 33:48
    detailed technical measurements on what encryption
    is used, for what types of transactions are
  • 33:48 - 33:51
    authenticated and so forth.
  • 33:51 - 33:53
    applause
  • 33:53 - 33:54
    Thank you.
  • 33:54 - 34:01
    applause
  • 34:01 - 34:07
    So if your country is one of the twenty-seven,
    we'd love if you read the report.
  • 34:07 - 34:12
    If it isn't we'd love for you to download the tools
    and make sure we can publish a report next month.
  • 34:12 - 34:19
    So these will be refreshed every month, hopefully
    forever, or until every network fulfills every
  • 34:19 - 34:23
    security goal imaginable and then we
    will shut down our website.
  • 34:23 - 34:26
    laughter
  • 34:26 - 34:36
    So that's GSM Map, the new website, and
    you saw all the tools that are available now.
  • 34:36 - 34:42
    You may notice that GSM map does not
    yet have a security metric on SIM cards.
  • 34:42 - 34:48
    Just because our measurements are
    too sparse to paint a good picture.
  • 34:48 - 34:57
    We'd like to start calling out the networks that do
    bad SIM card security, but again we need your help
  • 34:57 - 35:03
    to scan your SIM cards, and to make sure we get
    some fair comparison among all the networks.
  • 35:03 - 35:09
    Just as a heads up, we found about in every other
    network where we have a lot of SIM cards to test,
  • 35:09 - 35:12
    vulnerabilites like the ones we discussed today.
  • 35:12 - 35:17
    So there should be a good chance if you have
    couple of SIM cards at home, to find at least a few
  • 35:17 - 35:19
    that are actually vulnerable.
  • 35:19 - 35:24
    And if you do you can start installing Java
    on them and playing around with them.
  • 35:24 - 35:35
    Allright, that was everything we wanted to discuss.
    A round of thank you, in particular to Lukas and Linus
  • 35:35 - 35:41
    who have put in many months of really hard work
    to get these tools ready for release today,
  • 35:41 - 35:48
    they were just about ready this morning after many
    months of working on them, so thanks to them.
  • 35:48 - 35:52
    But thanks to everybody else also, who were
    involved. There's just a long list of people
  • 35:52 - 35:56
    who contributed a month or two of work.
  • 35:56 - 36:03
    Thanks to the open technology fund for sponsoring
    this research and for helping us fight
  • 36:03 - 36:11
    bad security in the world and raising awareness
    around where bad security is implemented.
  • 36:11 - 36:18
    Thank you to all of you for using our tools to take
    this research to places that we could not have imagined.
  • 36:18 - 36:19
    Thanks.
  • 36:19 - 36:25
    applause
  • 36:25 - 36:30
    Herald: Thank you very much Karsten and Luca.
    So we have quite some time left, so as always if
  • 36:30 - 36:36
    you have questions, in the room, please line up
    behind the four microphones on the ground floor.
  • 36:36 - 36:40
    If you have questions from the web, or
    if you have questions on the streams,
  • 36:40 - 36:45
    please write them on twitter or on IRC
    and we will ask them here live in the room.
  • 36:45 - 36:49
    And I think we'll start with two
    questions from the internet please.
  • 36:49 - 36:52
    Karsten: One quick...
    Signal angel: Okay Herald angel: Wait please.
  • 36:52 - 36:57
    Karsten: One quick heads-up before the first
    people start leaving, if you're interested in playing
  • 36:57 - 37:02
    with the tools or at least seeing them being
    played with there's a workshop that will start
  • 37:02 - 37:10
    at six in Saal D, so if you want to see the live-ISO
    and all its components and perhaps
  • 37:10 - 37:15
    take a USB stick home, we brought plenty to
    play with, saal D is where we'll meet you in a few
  • 37:15 - 37:18
    minutes. Sorry, go ahead with the questions.
  • 37:18 - 37:21
    Herald: Okay, two questions
    from the internet now.
  • 37:21 - 37:29
    Signal angel: So first one: there are still many low
    hanging fruits, so what about SS7 networks, did you
  • 37:29 - 37:35
    investigate them and their way of communicating with
    each other. Can you tell us anything what happened
  • 37:35 - 37:38
    with the industry in the last year there?
  • 37:38 - 37:45
    Karsten: Sure, yeah, SS7 is another decades old
    technology that was built with a wrong threat model.
  • 37:45 - 37:50
    Basically everybody who connects to the network
    is trusted, but you have to connect to every
  • 37:50 - 37:56
    other telco in the world to route calls to them,
    so there's some disagreement in the threat model.
  • 37:56 - 38:02
    And people find SS7 vulnerabilites wherever
    they look, both in the configuration, stuff like,
  • 38:02 - 38:08
    you know, the SIM filtering, the SMS filtering,
    the same kinds of topics come up in SS7,
  • 38:08 - 38:15
    where of course you want to block unneeded traffic,
    and networks are really bad at that typically.
  • 38:15 - 38:22
    But also people find implementation bugs on
    boxes that are connected to SS7 and those are
  • 38:22 - 38:24
    really, really hard to research.
  • 38:24 - 38:29
    The boxes are very expensive, so you can't just
    research it in isolation, and everybody who is
  • 38:29 - 38:36
    running a box like that, will probably put you
    in jail if you ever attempted to break them,
  • 38:36 - 38:40
    if you started to do some fuzz testing on them.
  • 38:40 - 38:47
    So SS7 unfortunately isn't really prime for open
    research. It actually requires what I showed
  • 38:47 - 38:53
    on the first slide, kind of a co-evolution where
    the networks let the hackers in, so that they
  • 38:53 - 38:58
    then learn what other hackers could have
    done to them, and I don't see many networks
  • 38:58 - 39:01
    to be ready for that yet.
  • 39:01 - 39:07
    Definitely a topic with lots of low hanging fruit,
    but no easy way to research it.
  • 39:07 - 39:09
    Signal angel: Okay, thank you.
  • 39:09 - 39:12
    Signal Angel: Should we go on with the second one?
    Karsten: Yes
  • 39:12 - 39:18
    Signal Angel:Has there been any testing using
    parallel application only SIM card overlay
  • 39:18 - 39:23
    to block apps on the primary SIM card
    so that's probably a strange question,
  • 39:23 - 39:29
    but the MuVuCo? project is mentioned here, or
    did you investigate any other simple way to block
  • 39:29 - 39:31
    the Java card bits?
  • 39:31 - 39:37
    Karsten: So I think I understood the question as,
    is there any easy way of putting in another layer
  • 39:37 - 39:43
    of protection just in front of your SIM card? I guess
    we can't ask the person asking the question right?
  • 39:43 - 39:48
    But if that were the question then the answer is,
    of course you can put all kinds of proxy stuff
  • 39:48 - 39:54
    in between your phone and your SIM card, there's
    a nice open source project called SIMtrace,
  • 39:54 - 39:59
    That then means you carry a little computer next
    to your phone whenever you use it and of course
  • 39:59 - 40:05
    that's impractical, so that would be a forensic tool
    perhaps to investigate what people are currently
  • 40:05 - 40:09
    doing to your SIM card, when you already have
    a suspicion that something is going on, but
  • 40:09 - 40:15
    there's no practical way to get a phone to give
    you that level of access, even on android, the part of
  • 40:15 - 40:24
    the operating system, the system that speaks with
    the SIM card is usually more baseband than android
  • 40:24 - 40:33
    or at the very least a proprietary device driver type.
    So I can't think of any usable phone where
  • 40:33 - 40:39
    you could easily implement a SIM card firewall
    for instance, but I'd love to learn about them
  • 40:39 - 40:42
    if they do exist.
  • 40:42 - 40:45
    Herald: Okay we take a question from microphone four.
  • 40:45 - 40:50
    Question: Did you investigate any upstream
    vulnerabilities from or to the baseband
  • 40:50 - 40:56
    or to the average phone OS, so for instance
    if you have infiltrated the SIM card can you do
  • 40:56 - 41:00
    any stuff to an iPhone or something?
  • 41:00 - 41:06
    Karsten: Good question, and no we haven't and
    I wouldn't think that that would be the most
  • 41:06 - 41:11
    fruitful vector, because the interface between
    a SIM card and a phone is pretty defined,
  • 41:11 - 41:18
    very narrow channel. So I'd think that a phone
    baseband is much easier exploited like Ralph did it
  • 41:18 - 41:24
    a couple of years ago, emulating a network and
    sending commands, that interface is much wider
  • 41:24 - 41:29
    and has many more protocols running that
    could potentially be exploit targets.
  • 41:29 - 41:31
    Good question though, thank you.
  • 41:31 - 41:33
    Herald: Okay, number three please.
  • 41:33 - 41:39
    Question: You showed the map broken down by
    country, would it make sense to look at smaller
  • 41:39 - 41:44
    districts or regions, do we have differences
    within one country for example the US.
  • 41:44 - 41:50
    Karsten: That's a good question, and we have
    occasionally come across a country where
  • 41:50 - 41:54
    there's configuration differences in different
    parts of the country, like for instance in Germany
  • 41:54 - 42:00
    right now, two of the network operators are
    rolling out A5/3, but they go location by location.
  • 42:00 - 42:08
    So there's two zones right now, but those are
    going away over time because the goal of course is
  • 42:08 - 42:14
    to implement the security feature everywhere.
    There are networks though where they
  • 42:14 - 42:18
    purchase one part of the country from one vendor
    and another part from another vendor, and
  • 42:18 - 42:23
    where security patches just don't get deployed
    everywhere, and we would like to track that
  • 42:23 - 42:29
    more accurately. Currently it's just averaged.
    What we need to track it more accurately is
  • 42:29 - 42:35
    constant measurements from more places. So
    currently what our metric does is try to fairly
  • 42:35 - 42:40
    combine information from different location
    and then average them even though for instance
  • 42:40 - 42:47
    in Germany, of course Berlin is dominating in
    our measurement set, and some other locations
  • 42:47 - 42:53
    I think, thank you CCC Munich, are contributing
    too, but if there were somewhere in
  • 42:53 - 42:59
    the middle of Germany, some extra security
    feature, we would not learn about it for a long time.
  • 42:59 - 43:08
    You see this route? This is from last years trip from Hamburg
    to Berlin, when everybody came to the CCC. laughter
  • 43:08 - 43:14
    So we are not distinguishing by country yet,
    but if the information is ever there to see
  • 43:14 - 43:17
    a clear border we'll definitely do that.
  • 43:17 - 43:20
    Herald: Question from number four please.
  • 43:20 - 43:26
    Question: Yes, I wanted to ask, you showed that
    you were simulating a BTS somewhere around
  • 43:26 - 43:32
    the middle of the talk, and I was wondering where
    you using any of the known OpenBTS or OsmoBTS
  • 43:32 - 43:35
    solutions or anything else?
  • 43:35 - 43:45
    Luca: It's a patched version of OpenBSC. It's just
    a few lines, there is a nice function that triggers
  • 43:45 - 43:51
    the software to send the SMS on queue for a
    user as soon as the user logs in, and as soon as
  • 43:51 - 43:56
    the user does this I put a lot of SMS's
    in the queue, so I can send it.
  • 43:56 - 44:04
    Karsten: Yeah there are OpenBSC, OpenBTS,
    OsmocomBB project, they are an enormous help in
  • 44:04 - 44:09
    our research, we could have done none of this,
    had we had to implement all of this in open source.
  • 44:09 - 44:15
    So they're very, very useful, and thank you
    to everybody who've contributed to them.
  • 44:15 - 44:17
    Herald: Another question from number four please.
  • 44:17 - 44:23
    Question: Banks and other organisations love
    to send one-time tokens via SMS, from what I
  • 44:23 - 44:33
    understand the talk, would it be in the range of the
    regular criminal to exploit this and steal those tokens?
  • 44:33 - 44:40
    Karsten: With GSM intercept yes, you can read
    other people's SMS when they're A5/1 encrypted,
  • 44:40 - 44:47
    however you have to be close to them, in a
    proximity of let's say two kilometers, and it's probably
  • 44:47 - 44:53
    unlikely that the person who infected your online
    banking credentials, stole them from your infected
  • 44:53 - 45:00
    computer, is also your neighbour. Those two
    groups seem to overlap in locations.
  • 45:00 - 45:04
    With the SIM card vulnerabilities though,
    you can do lots of stuff, you can send SMS,
  • 45:04 - 45:09
    you can redirect calls, you can steal decryption
    keys, the only thing you can't do is read people's
  • 45:09 - 45:15
    incoming SMS. So banks got lucky there.
  • 45:15 - 45:20
    Q: Thanks
    Herald: We have another question from the internet.
  • 45:20 - 45:27
    Q: Wouldn't it be easier to just reinvent maybe a more
    nerd driven mobile network from scratch, than
  • 45:27 - 45:33
    to mess around with all this industry stuff
    that has piled up for years now?
  • 45:33 - 45:39
    Karsten: Well, that's interesting, things do not
    really pile up as people imagine them, so the
  • 45:39 - 45:45
    One of the big drivers of the OpenBSC project
    I understand was the availability of really cheap
  • 45:45 - 45:49
    base stations. Why were they available? Because
    people threw them away and replaced
  • 45:49 - 45:54
    them with newer base stations, and they do
    that every time they add a new technology.
  • 45:54 - 45:59
    So when they added 3G they threw away the 2G
    base stations, and replaced them with combined
  • 45:59 - 46:02
    2G/3G base stations, same with 4G now.
  • 46:02 - 46:08
    So as 4G is being rolled out all over Germany,
    everything gets thrown away and
  • 46:08 - 46:14
    replaced. There isn't so much legacy in terms of
    installed boxes, the legacy is more the protocol,
  • 46:14 - 46:22
    so if you throw away one end of the connection
    and not the other you maintain the old protocol,
  • 46:22 - 46:27
    but then when you throw away the other side,
    you again maintain it because it's kind of the logical
  • 46:27 - 46:37
    legacy. So I don't think there's an easy fix to that.
    This is just very high-scalability engineering where
  • 46:37 - 46:44
    things have to work in extreme corner cases, and I
    think all the tools are there for the existing networks
  • 46:44 - 46:51
    to get fixed, it's just a question of priority. At the
    investment that a 4G network costs, a single one,
  • 46:51 - 46:57
    you can probably make the entire world use
    A5/3 and upgrade to secure SIM cards.
  • 46:57 - 47:02
    So the money is there, it's just a question of
    priority that keeps the networks away from
  • 47:02 - 47:04
    deploying these software patches.
  • 47:04 - 47:08
    In the end it's single lines of code.
  • 47:08 - 47:11
    Herald: Ok, we have another question in
    the room from microphone number three.
  • 47:11 - 47:18
    Q: Quick question, for tools that you are offering
    can they work with some kind of passive recording
  • 47:18 - 47:25
    device, for example can you collect data for gsmmap
    using the OsmoSDR tools? The ones that use
  • 47:25 - 47:31
    the simple DVB-tuners to listen to the spectrum.
  • 47:31 - 47:37
    Harald: Luca, do you know OsmoSDR?
    Luca: Yeah, I think that's more focused on being
  • 47:37 - 47:43
    a BTS than a sniffer device, but I think you can use
    it as a sniffer device, it's just that then you need
  • 47:43 - 47:49
    to process the data in a different way, really the
    easiest is to use the Osmocom mobile phone,
  • 47:49 - 47:55
    and it does this and it's what we use for the
    Live-ISO. There are many models actually, so.
  • 47:55 - 48:00
    Karsten: What would you consider the
    advantage of using an OsmoSDR?
  • 48:00 - 48:05
    Q:It's mostly because it doesn't require a phone
    or a SIM card or anything, The question is can it
  • 48:05 - 48:08
    work passively without being,
    without sending anything?
  • 48:08 - 48:13
    Karsten: Yeah, the phone he just held up,
    that captures traffic with no SIM card and
  • 48:13 - 48:21
    without connecting to a network, it does so passively
    by latching on to a cell, passively, just hearing what
  • 48:21 - 48:28
    is happening on the broadcast channel, and as soon
    as the cell starts communicating with another phone
  • 48:28 - 48:34
    it jumps to that frequency and also listens to
    the traffic. So that's already a passive setup.
  • 48:34 - 48:40
    And the C139 I think is the most available Osmocom
    phone, you can still get that for twelve dollars
  • 48:40 - 48:47
    in China. So I don't think there's any reason to
    reimplement that for any other platform if there's
  • 48:47 - 48:49
    already a twelve dollar solution.
  • 48:49 - 48:54
    Q: Thank you.
    Herald: And we take another question from the internet
  • 48:54 - 48:58
    Q: Actually some people are complaining that
    they have no signal in this room, could that be
  • 48:58 - 49:02
    caused by you, or is the range not that large?
  • 49:02 - 49:09
    Karsten: Well, we add choices for signal, we don't
    take them away, so this is just an additional BTS.
  • 49:09 - 49:10
    laughter
  • 49:10 - 49:12
    Q: Okay, thank you.
  • 49:12 - 49:18
    Herald: Ok, are there any other questions,
    now is the time to ask. If not I ask you again
  • 49:18 - 49:22
    for a warm round of applause for Karsten and Luca
  • 49:22 - 49:25
    applause
  • 49:25 - 49:34
    subtitles created by c3subtitles.de
Title:
Mobile network attack evolution
Video Language:
English
Duration:
49:33

English subtitles

Revisions Compare revisions