GSM Toutorials

7/27/2019 GSM Toutorials

1/42

Mario agalj

University of Split

8.1.2013.

Security of Cellular Networks:

Man-in-the Middle Attacks

Security in the GSM system by Jeremy Quirke, 2004


2/42

Introduction

Nowadays, mobile phones are used by 80-90% of theworlds population (billion of users)

Evolution

1G:analog cellular networks

2G: digital cellular networks with GSM (Global System for Mobile

Communications) beign the most popular and the most widely used

standard (circuit switching)

other 2G: technologies IS-95 CDMA based (US), PDC (Japan), etc.

2.5G: GPRS (General Packet Radio Service) packet switching 2.75G: EDGE faster data service

3G: UMTS (CDMA based), HSPA for data traffic (e.g., 5-10 Mbps)

other 3G: CDMA2000 (US, S. Korea)

4G: LTE (OFDM based), peak data rates of 100Mbps2

GSM security specifications


3/42

Cellular Network ArchitectureA high level view

3

External

Network

Cellular Network

Mobile

Station Base

Station

Mobile

Switching

Center

Databases

(e.g., Home

Location Register)

EPFL, JPH


4/42

Cellular Network ArchitectureRegistration Process

4

Tune on the strongest signal

Nr: 079/4154678

EPFL, JPH


5/42

Cellular Network ArchitectureService Request

5

079/4154678

079/8132627 079/4154678

079/8132627

EPFL, JPH


6/42

Cellular Network ArchitecturePaging Broadcast (locating a particular mobile station in case of mobile

terminated call)

6

079/8132627?

079/8132627?

079/8132627?

079/8132627?

Note: paging makes sense only over a smallarea

EPFL, JPH


7/42

Cellular Network ArchitectureResponse

7

079/8132627

079/8132627

EPFL, JPH


8/42

Cellular Network ArchitectureChannel Assignement

8

Channel

47

Channel

47Channel

68

Channel

68

EPFL, JPH


9/42

Cellular Network ArchitectureConversation

9EPFL, JPH


10/42

Cellular Network ArchitectureHandover (or Handoff)

10EPFL, JPH


11/42

Cellular Network ArchitectureMessage Sequence Chart

11

Caller BaseStationSwitch Base

StationCallee

Periodic registration Periodic registration

Service request Service request

Ring indicationRing indication

Page requestPage requestPaging broadcast Paging broadcast

Paging responsePaging response

Assign Ch. 47Tune to Ch.47

Assign Ch. 68 Tune to Ch. 68

Alert tone

User responseUser responseStop ring indicationStop ring indication

EPFL, JPH


12/42

GSM System Architecture

Based on Mobile Communications: Wireless

Telecommunication Systems


13/42

Architecture of the GSM system

GSM is a PLMN (Public Land Mobile Network) several providers setup mobile networks following the GSM

standard within each country

components

MS (mobile station)

BS (base station)

MSC (mobile switching center)

LR (location register)

subsystems RSS (radio subsystem): covers all radio aspects

NSS (network and switching subsystem): call forwarding, handover,

switching

OSS (operation subsystem): management of the network

13


14/42

GSM: overview

fixed network

BSC

BSC

MSC MSC

GMSC

OMC, EIR,AUC

VLR

HLR

NSS

with OSS

RSS

VLR

14

Please check http://gsmfordummies.com/architecture/arch.shtml


15/42

BSS

radiosubsystem

MS MS

BTS

BSCBTS

BTS

BSCBTS

network and switchingsubsystem

MSC

MSC

fixednetworks

IWF

ISDN

PSTN

PSPDNCSPDN

SS7

EIR

HLR

VLR

ISDN

PSTN

GSM: system architecture

15


16/42

System architecture: radio subsystem

Components

MS (Mobile Station)

BSS (Base Station Subsystem):

consisting of

BTS (Base Transceiver Station):

sender and receiver

BSC(Base Station Controller):

controlling several transceivers

BSS

radiosubsystem

network and switchingsubsystem

MS MS

BTS

BSC MSCBTS

BTS

BSCBTS

MSC

16


17/42

Radio subsystem

The Radio Subsystem (RSS) comprises the cellular mobilenetwork up to the switching centers

Components

Base Station Subsystem (BSS):

Base Transceiver Station (BTS): radio components including sender,

receiver, antenna - if directed antennas are used one BTS can cover

several cells

Base Station Controller (BSC): switching between BTSs, controlling BTSs,

managing of network resources, mapping of radio channels onto

terrestrial channels

Mobile Stations (MS)

17


18/42

possible radio coverage of the cell

idealized shape of the cellcell

segmentation of the area into cells

GSM: cellular network

use of several carrier frequencies

not the same frequency in adjoining cells

cell sizes vary from some 100 m up to 35 km depending on user density,

geography, transceiver power etc. hexagonal shape of cells is idealized (cells overlap, shapes depend on

geography)

if a mobile user changes cells

handover of the connection to the neighbor cell

18


19/42

System architecture: network and

switching subsystemComponents

MSC(Mobile Services Switching Center)

IWF(Interworking Functions)

ISDN (Integrated Services Digital Network)

PSTN (Public Switched Telephone Network)

PSPDN (Packet Switched Public Data Net.)

CSPDN (Circuit Switched Public Data Net.)

Databases

HLR(Home Location

Register)

VLR (Visitor Location Register)

EIR (Equipment Identity Register)

networksubsystem

MSC

MSC

fixed partnernetworks

IWF

ISDN

PSTN

PSPDN

CSPDN

SS7

EIR

HLR

VLR

ISDN

PSTN

19


20/42

Network and switching subsystem

NSS is the main component of the public mobile network GSM switching, mobility management, interconnection to other networks,

system control

Components

Mobile Services Switching Center (MSC)controls all connections via a separated network to/from a mobile terminal

within the domain of the MSC - several BSC can belong to a MSC

Databases (important: scalability, high capacity, low delay)

Home Location Register (HLR)

central master database containing user data, permanent and semi-permanentdata of all subscribers assigned to the HLR (one provider can have several HLRs)

Visitor Location Register (VLR)

local database for a subset of user data, including data about all user currently in

the domain of the VLR

20


21/42

Mobile Services Switching Center

The MSC (mobile switching center) plays a central role inGSM

switching functions

additional functions for mobility support

management of network resources

interworking functions via Gateway MSC (GMSC)

integration of several databases

21


22/42

Operation subsystem

The OSS (Operation Subsystem) enables centralized operation,management, and maintenance of all GSM subsystems

Components

Authentication Center (AUC)

generates user specific authentication parameters on request of a VLR

authentication parameters used for authentication of mobile terminals and

encryption of user data on the air interface within the GSM system

Equipment Identity Register (EIR)

registers GSM mobile stations and user rights

stolen or malfunctioning mobile stations can be locked and sometimes even

localized

Operation and Maintenance Center (OMC)

different control capabilities for the radio subsystem and the network subsystem

22


23/42

Mobile Terminated Call

PSTNcalling

stationGMSC

HLR VLR

BSSBSSBSS

MSC

MS

1 2

3

4

5

6

7

8 9

10

11 12

1316

10 10

11 11 11

14 15

17

1: calling a GSM subscriber2: forwarding call to GMSC

3: signal call setup to HLR

4, 5: request MSRN (roaming

number) from VLR

6: forward responsibleMSC to GMSC

7: forward call to

current MSC

8, 9: get current status of MS

10, 11: paging of MS

12, 13: MS answers

14, 15: security checks

16, 17: set up connection

23

Please check http://gsmfordummies.com/gsmevents/mobile_terminated.shtml


24/42

Mobile Originated Call

PSTN GMSC

VLR

BSS

MSC

MS1

2

6 5

3 4

9

10

7 8

1, 2: connection request3, 4: security check

5-8: check resources (free circuit)

9-10: set up call

24


25/42

Mobile Terminated and Mobile Originated Calls

BTSMS

paging request

channel request

immediate assignment

paging response

authentication request

authentication response

ciphering command

ciphering complete

setup

call confirmed

assignment command

assignment complete

alerting

connect

connect acknowledge

data/speech exchange

BTSMS

channel request

immediate assignment

service request

authentication request

authentication response

ciphering command

ciphering complete

setup

call confirmed

assignment command

assignment complete

alerting

connect

connect acknowledge

data/speech exchange

MTC MOC

25


26/42

Security in GSM

Based on:Security in the GSM system by Jeremy Quirke

The GSM Standard (An overview of its security) by SANS InstituteInfoSec Reading Room

Mobile Communications: Wireless Telecommunication Systems


27/42

Security Services in GSM

Access control/authentication

user


28/42

Security Services in GSMAuthentication

SIM (Subscriber Identity Module) card

smartcard inserted into a mobiel phone

contains all necessary details to obtain access to an account

unique IMSI (International Mobile Subscriber Identity)

Ki - the individual subscriber authentication key (128bit, used to generate all

other encryption and authentication keying GSM material)

highly protected the mobile phone never learns this key, mobile only forwardsany required material to the SIM

known only to the SIM and network AUC (Authentication Center) SIM unlocked using a PIN or PUK

authentication (A3 algorithm) and key generation (A8 algorithm)

is performed in the SIM

SIM contains a microprocessor 28


29/42


A3

RANDKi

128 bit 128 bit

SRES* 32 bit

A3

RAND Ki

128 bit 128 bit

SRES 32 bit

SRES* =? SRES SRES

RAND

SRES

32 bit

mobile network SIM

AC

MSC

SIM

Ki: individual subscriber authentication key SRES: signed response 29


30/42


Kc: Session encryption key generated together with SRES 30


31/42

Security Services in GSMEncryption

A8

RANDKi

128 bit 128 bit

Kc64 bit

A8

RAND Ki

128 bit 128 bit

SRES

RAND

encrypted

data

mobile network (BTS) MS with SIM

AC

BTS

SIM

A5

Kc

64 bit

A5

MSdata data

cipherkey

31


32/42

Security Services in GSMAuthentication and Encryption

A3 and A8 algorithms are both run in SIM at the same time on the

same input (RAND, Ki)

A3A8 = COMP128v1, COMP128v2, COMP123v3 (serious weaknesses known)

not used in UMTS

Encryption algorithm A5

symmetric encryption algorithm

voice/data encryption performed by a phone using generated encryption key Kc

32


33/42

Security Services in GSMEncryption

A5 algorithms

A5/0 no encryption used

A5/1 and A5/2 developed far from public domain and later found

flawed

stream ciphers based on linear feedback shift registers

A5/2 completely broken (not used anymore in GSM)

A5/1 is a bit stronger but also broken by many researchers

A5/3 is a block cipher based on Kasumi encryption algorithm used in UMTS, GSM, and GPRS mobile communications systems

public and reasonably secure (at least at the moment)

33


34/42

Security Services in GSMSummary

34


35/42

Security Weaknesess in GSM

A mobile phone does not authenticate the base station!

only mobile authenticate to BS (one-way authentication)

fake BS and man-in-the middle attacks possible

attacker does not have to know authentication key Ki

A5/0 - No Encryption algorithm is a valid choice in GSM

for voice, SMS, GPRS, EDGE services

Many weaknesses in A5 family of encryption algorithms

35


36/42

Security Weaknesess in GSM

36


37/42

Security Services in GSMAnonymity

Preventing eavesdropper (listening attacker) from determining if a

particular subscriber is/was in the given area

location privacy

thanks to long ranges a very powerful attack

attacker uses IMSI (International Mobile Subscriber Identity) IMSI Catchers

To preserve location privacy GSM defines TMSI (Temporary Mobile

Subscriber Identity)

when a phone turned on, IMSI from SIM transmitted in clear to the AUC

after this TMSI is assigned to this user for location privacy

after each location update or a predefined time out, a new TMSI is assigned to the

mobile phone

a new TMSI is sent encrypted (whenever possible)

VLR database contains mapping TMSI to IMSI37


38/42


38


39/42


39


40/42

Security Weaknesess in GSMAttack Against the Anonymity Service

GSM provisions for situation when the network somhow

loses track of a particular TMSI in this case the network must ask the subscriber its IMSI over the radio link

using the IDENTITY REQUEST and IDENTITY RESPONSE mechanism

however, the connection cannot be encrypted if the network does not knowthe IMSI and so the IMSI is sent in plain text

the attacker can use this to map known TMSI and unknown and user-specific

IMSI

40


41/42

Countermeasures: UMTS

UMTS defines 2-way authentication and mandates the

use of stronger encryption and authentication primitives

prevents MITM attacks by a fake BS, but be cautious...

Still many reasons to worry about

most mobiles support < 3G standards (GPRS, EDGE)

when signal is bad, hard to supprot UMTS rates

mobile providers already invested a lot of money and do not give up uponold BSS equippment

femtocells

41


42/42

Many Reason to Worry About Your Privacy

http://www.theregister.co.uk/2008/05/20/tracking_phones/

http://www.theregister.co.uk/2011/10/31/met_police_datong_mo

bile_tracking/ (check also http://www.pathintelligence.com)

http://docs.google.com/viewer?url=https%3A%2F%2Fmedia.black

hat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-

Pico_Mobile_Attacks-Slides.pdf

http://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-

labs.tu-berlin.de%2Fbh2011.pdf
http://www.theregister.co.uk/2008/05/20/tracking_phones/http://www.theregister.co.uk/2011/10/31/met_police_datong_mobile_tracking/http://www.theregister.co.uk/2011/10/31/met_police_datong_mobile_tracking/http://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-labs.tu-berlin.de%2Fbh2011.pdfhttp://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-labs.tu-berlin.de%2Fbh2011.pdfhttp://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-labs.tu-berlin.de%2Fbh2011.pdfhttp://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-labs.tu-berlin.de%2Fbh2011.pdfhttp://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-labs.tu-berlin.de%2Fbh2011.pdfhttp://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-labs.tu-berlin.de%2Fbh2011.pdfhttp://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-labs.tu-berlin.de%2Fbh2011.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://www.theregister.co.uk/2011/10/31/met_police_datong_mobile_tracking/http://www.theregister.co.uk/2011/10/31/met_police_datong_mobile_tracking/http://www.theregister.co.uk/2008/05/20/tracking_phones/

GSM Toutorials

Documents

Transcript of GSM Toutorials