In the next few blog posts we will focus on both landline and mobile telecommunication systems security. This is the first in a series of articles that will present the theoretical background behind a method to intercept calls and SMS in GSM networks, while the next article to follow will dive into technical implementation details.
GSM is rather old by today's standards, while the attack itself can considered already known and outdated. Nonetheless, it is still well applicable today, and, given the very competitive prices of second-hand market, the equipment needed is cheaper than ever. We wanted to take the opportunity to bring this the attention of the users, in an age where the phones are not only used for voice any more, but for sensitive data as well.
Using a fake base station that mimics the behavior of a legitimate base station of the mobile telephony operator, a malicious entity can convince mobile phones in a given area to hand their communication to it, effectively launching a ‘man in the middle' attack. This attack is possible only in GSM networks, since 3G employs mutual authentication, where the base station too has to authenticate its validity to the handset. However, it is relatively easy to use a jammer, jamming the 3G band. Almost every single handset nowadays is multi-band capable and it will thus fall back to GSM operation, where it can be intercepted using the fake base station method.
How a fake base station can emulate real ones
GSM telephony communications can easily be intercepted, without performing any cryptanalysis, using a fake base station. One of the fundamental security problems and a basic shortcoming of the GSM security planning was the fact that the GSM telephony network is not required to authenticate itself to the user. It is the user only that is required to authenticate himself in order to gain access to the network. In fact, the user must possess the proper SIM card (with the option of setting a PIN code too), inserted in his phone in order to access the provider's network and services. The user's legitimacy is therefore checked by comparing the SIM's credentials with the data stored in the network's database (user authentication). In GSM networks this basic principle of authentication is implemented only one-way since base stations do not employ any identity authentication mechanism. Respectively, mobile phones are not capable of assessing and certifying the legitimacy of the system they are connecting to and whether this system is actually part of their provider's network. On the other hand, 3G employs mutual authentication, where the base station is also required to authenticate its validity to the handset. Despite this, it is relatively easy to circumvent this security measure, by using a jammer, effectively jamming the 3G band. Almost every single handset nowadays is multi-band capable and it will thus fall back to GSM operation where it can be intercepted using the fake base station method.
A second major security shortcoming is that in GSM encryption is not mandatory and, if present, the specific encryption algorithm to be used can be negotiated between the phone and the base station. The result is that in case the base station does not support any encryption algorithms, following negotiation with the mobile phone the call can proceed without encryption. This way, a fake base station in the proximity of a user, without encryption supported (or having specifically disabled the encryption option) is all that is takes to intercept the communication using a simple man in the middle approach, where the malicious entity is placed between the original callers.
Given these shortcomings, the only thing an attacker has to do is activate a fake base station in a given area, pretending it is part of the network of the victim's provider. One of the fundamental characteristics of GSM proves to be a strong ally in this effort: Each handset constantly monitors a special data transmission channel-beacon (BCCH-broadcast control channel) from the nearby base stations in order to choose for its communication the one offering the best characteristics (usually the closest one). This way the device can save a lot of energy by transmitting in lower power and increasing its autonomy time and call quality. Hence, should the attacker install his equipment and start transmitting, overlapping in power the authentic base stations' signals, mobile phones located close-by will immediately start connecting with the fake station.
How attackers can circumvent the handset's security
Having deceived the phone into connecting to the fake base station, the next stage in the attack would be the neutralization of its encryption. Three algorithms handle the authentication and encryption in GSM: A3, A5 and A8. A5 is used for voice encryption. There exist various versions of this algorithm that offer different levels of security (A5/2, A5/1, A5/3 – sorted in strength order from lowest to highest). There is even a no-encryption-at-all version (A5/0). Under normal circumstances, the network keeps stored in its authentication center's database in the Home Location Register (HLR) the secret key Ki which is also stored in the user's SIM card and is never transmitted in the network. Since Ki is never transmitted, the network challenges the SIM sending a random 128bit number (RAND). Using algorithm A3, the SIM produces a 32 bit Signed Response (SRES) that is transmitted back to the network. It is this value that is being compared to the respective one stemming from the same calculation in the HLR. Should these values match, the SIM is authenticated. Finally, using Ki and RAND, algorithm A8 produces the session key Kc which is fed to the speech encryption algorithm A5. Table 1 presents these algorithms. Quite interestingly, both A3 and A8 algorithms were implemented in a single algorithm, namely COMP128.
Table 1 Authentication and encryption algorithms
|A3||Takes the 128 bit Subscriber Authentication Key (Ki) that is stored both in the SIM and in the HLR and produces a 32 bit Signed Response (SRES) as an output to a random 128 bit number (RAND) challenge which is send by the HLR.|
|A8||Produces a 64 bit Session Key (Kc) from the 128 bit random number (RAND) and the 128 bit Ki.|
|A5||Uses Kc and the sequence number of the transmitted frame to encrypt the speech. A5 is implemented into the phone.|
Of course, the Ki key is not known to the attacker, since it is securely stored in the SIM and the HLR and never transmitted. However, since the attacker in our scenario is actually the “provider”, he can accept whatever SRES the mobile phone sends. Indeed, the fake base station sends a RAND challenge, the handset computes the SRES and then, all the fake base station has to do is just accept this SRES, without actually running any checks. The SIM (and therefore the handset) will believe that it was properly authenticated.
However, the attacker still needs Ki to derive Kc in order to decrypt the voice transmission that will follow. Once again, system planning favors usability over security. As noted earlier, the corresponding GSM protocols allow for the negotiation and the agreement between the handset and the base station regarding to whether they will use an encryption algorithm, and if so, which one. Using the proper signaling messages, the fake base station informs the mobile phone that it does not have any encryption capability at all (A5/0) and thus the handset will communicate without using encryption. From that point on, using the proper equipment it is a trivial task to demodulate and record the rest of the call.
Another characteristic that facilitates these attacks is the fact that they are usually targeted, since a particular handset-target is being intercepted. Therefore a base station located 20-30 meters away from the target, transmitting with only a few dozen milliwatts of power can effectively overpower the legitimate provider's base station that is located some hundred meters away. Since the fake base station appears to be a better choice for the handset, it will happily hand over its communication to it.
So far, we have described the logic behind how the fake base station can deceive the handset and “capture” the communications of mobile phones that are located in its coverage area. In order for the victim's call to get through, a connection back to the normal network is also needed. As such, acting as a man in the middle, the attacker interconnects his system with the rest of the network, using a simple mobile or normal land line telephone that relays the communication back to the genuine network and the intended initial recipient. Of course, before the relaying, the contents of the call are recorded.
It must be noted that this attack only targets the victim's outgoing calls. Incoming calls are not intercepted, and they actually can't occur at all during the attack. The legitimate base station of the original network can't locate the handset anymore since it is camped on a base station not belonging to the operator. Therefore the network can't terminate calls to the handset, which appears to be out of coverage.
Next up: The technical side
Experience (followed by relative attacks as well) has shown that security is often put in second place behind usability and marketing needs. The lack of mutual authentication and the “flexibility” in accepting non-encrypted calls in GSM is a typical example. In the next post we will give the technical details to mount this attack, step by step, followed by the illustrative photos. We will be using a GSM tester but, besides this, it is also possible to use hardware and software from open-source projects such as OpenBTS. Stay tuned!