
Today I suggest we talk about a hidden and unexplored area: GSM communication. Why unknown, you ask? After all, everyone carries a cell phone in their pocket, almost every preschooler has one, and base stations hang on every pole. Alas, the average person thinks it is all simple and transparent: you make calls, you send SMS. They rarely think about the processes that make those actions possible. In this article I will try to show that GSM communication is, on the one hand, a very opaque topic, and on the other, riddled with vulnerabilities. More specifically, we will talk about the so-called IMSI traps (or IMSI-catchers).
Introduction
Let's start from afar, namely with the fact that GSM communication is very hard to study. You cannot just pick it up and experiment with mobile communications. Want to build a device, connect to the network and analyse the protocol? Bummer: communication processors have no suitable API, let alone open source. In essence they are black boxes behind seven locks. The most they "expose" is a primitive interface based on AT commands. Although, to be precise, sometimes a little more, but more on that later.
Raise your own base station? It is slow, expensive, and it can land you in trouble. There are great projects like OpenBTS and SDR (software-defined radio), but make no mistake. First, a full-fledged cellular network consists of many components, and secondly, the necessary hardware is indecently expensive. Such is the injustice.
Would you like to buy an OpenBTS development kit (2.5G networks) from Range Networks for $3,300?
Ettus produces such geek devices for experiments with cellular networks up to 6 GHz. Price about $4,000.
IMSI traps. What are they?
But back to the topic of the article. IMSI traps are mobile rogue base stations that special services switch on in various circumstances in various places. Mobile phones "cling" to these stations, which in effect act as a man-in-the-middle. The result is interception of conversations, SMS and Internet traffic. The facts of the use of such devices are classified. In Germany, for example, a law allowing the special services to use such devices was passed in 2002, but not without stormy public debate. In some places the debate never even reaches the public. There is, however, indirect evidence. As a rule, traps are switched on at places of popular unrest or around sites of high state importance. Often the IMSI identifiers of particularly interesting individuals are entered into a filter list, and then the trap works only with the phones of specific people.
Now let's get acquainted with IMSI traps in more detail. To begin with, we classify their behaviour. A trap can support two modes: active and passive. In active mode the trap acts as a base station. In passive mode it monitors the channel and other base stations. The most interesting, of course, is the active mode. Let us describe its functions.
Pretend to be a base station
According to the GSM algorithm, a cell phone usually selects the station with the strongest signal. This is reasonable: the transmitter power can be reduced, saving battery. Thus the trap "takes" the phones to itself. Then it requests from the phone...
- IMSI: International Mobile Subscriber Identifier, in fact a unique SIM card number;
- IMEI: International Mobile Equipment Identifier, a unique device number.
This happens within the framework of the standard GSM protocol stack. And so we have got to a specific person.
IMSI trap "StingRay" from the well-known company Harris
Communication failure
The subscriber can be left without communication: first "seize" the phone, then drop it, and so on ad infinitum. Or garbage and obviously incorrect packets can be issued.
Interception of conversations
The most delicious part. Not everything is so simple, but it is easier than it could be.
As you know, GSM provides protection against unauthorised removal of information. There are several modes:
- A5/0: in fact plain text, no encryption;
- A5/1: the first stream cipher option, no longer considered sufficiently strong;
- A5/2: an export version of A5/1 with intentionally reduced strength. Lower still?!
- A5/3: a fairly strong option that appeared with the advent of 3G.
As the well-known hacker Harald Welte has shown, the entire protection scheme in GSM is in places based on the popular security-through-obscurity principle and contains fundamental vulnerabilities. At the same time, the pillars of the GSM industry have ignored these facts for years; everyone is happy with everything.
How does this happen
Let us describe how the trap wedges itself into this system.
Right away, note that if the operator applies A5/2 everywhere from the start, the task becomes trivial: this cipher is broken in real time. But operators are not really idiots, so they use A5/1. The base station announces this cipher, the phone "agrees" to it, and everyone is happy.
All A5 ciphers work with a key that is stored both at the operator and on the SIM card. It is unique for each subscriber, and the SIM's crypto chip is responsible for keeping it safe. From this it follows that, towards the original base station, the trap "pretends" to be the subscriber's device using A5/1, while towards the real phone it "pretends" to be a base station using A5/2, which is broken on the fly. Thus the trap retrieves the subscriber's secret key and reconstructs the session with the base station. Done. How can you tell that your phone has switched to a weak cipher? Usually you can't: the cellular industry cares about people; the less you know, the better you sleep. However, there are still some phone models in the wild that signal it somehow, and these are not smartphones. Somewhere there is an icon, somewhere an inconspicuous line goes into a log, but this is usually associated with the transition to A5/0. In any case, all this is rather the exception to the rule.
Opposition
Naturally, the fighters against Big Brother have not left this matter unattended.
This is how the SnoopSnitch project appeared: an Android program that helps detect IMSI traps in everyday life. Its principle of operation is to regularly collect statistics about the surrounding base stations: their characteristics and location. When deviations from the usual picture are detected, the program issues a warning. You can also upload your data to a server, where a global knowledge base about all base stations in the world is being built.
Unfortunately, the program is not available for most phones. This is due to the peculiarity of how it works. As already noted, in the GSM industry any technical details are diligently washed out, but something still leaks. Qualcomm baseband processors have a special diagnostic (software) interface through which they can report various events in the life of the cellular connection. In the best traditions of the genre, this interface is not available to normal Android applications, but it is available with root. If you have a phone with a Qualcomm chipset, then maybe you are in luck. Let's get acquainted with the interface in more detail.
To begin with, let's pull the kernel for Qualcomm. It is called msm, after the Qualcomm SoC series.
igor@igoryan:~$ git clone https://android.googlesource.com/kernel/msm
remote: Sending approximately 1.01 GiB ...
remote: Counting objects: 71639, done
remote: Finding sources: 100% (8333/8333)
remote: Total 3952476 (delta 3262538), reused 3952419 (delta 3262538)
100% (3952476/3952476), 1.01 GiB | 4.24 MiB/s
100% (3262538/3262538)
Choose a branch:
igor@igoryan:~/msm$ git checkout android-msm-shamu-3.10-lollipop-release
This is where the coveted driver lives:
igor@igoryan:~/msm$ cd drivers/char/diag/
We read the Kconfig kernel configuration file:
config DIAG_CHAR
    tristate "char driver interface and diag forwarding to/from modem"
    default m
    depends on USB_G_ANDROID || USB_FUNCTION_DIAG || USB_QCOM_MAEMO
    depends on ARCH_MSM
    help
      Char driver interface for diag user space and diag-forwarding to modem ARM and back.
      This enables diagchar for maemo usb gadget or android usb gadget based on config selected.
endmenu
As you can see, the driver allows communicating with the modem bidirectionally: sending commands and receiving information. In user space the driver shows up as the device /dev/diag_char. A cursory examination of the source code shows that the driver provides only a transport for arbitrary data and contains no hooks on the data content itself. All it does is define a rather primitive packet format: start byte, data, stop byte, CRC. How predictable everything is!
Data analysis from the diagnostic interface
The SnoopSnitch guys managed to reverse-engineer the useful data themselves and built their analysis on it. Here are the parameters they take into account.
MCC/MNC
Mobile Country Code: the country code. For Russia it is 250. Two digits identifying the operator are appended to it, giving a full Mobile Network Code (MNC). A list of all MNCs can be viewed here:
mcclist.com/mobile-network-codes-country-codes.asp
LAC
A Location Area Code is a kind of geographic area code served by a single base station controller (BSC). When an incoming call occurs, all base stations in the area are notified at the same time.
Cell ID
Cell ID, i.e. the base station identifier.
Longitude, Latitude
Longitude and latitude of the base station.
ARFCN
The absolute radio-frequency channel number uniquely identifies a pair of frequencies used for receiving and transmitting. For example, numbers 512–885 are assigned to the GSM 1800 band. In this case the transmit frequency is calculated as 1710.2 + 0.2 · (n − 512) MHz, and the receive frequency = transmit frequency + 95 MHz.
Now the events associated with the network:
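As an added example (not code from the article or from SnoopSnitch), the GSM 1800 formula above turned into a table-driven converter; it also generalises to the GSM 900 and E-GSM 900 bands, whose standard ARFCN ranges, base frequencies and 45 MHz duplex spacing are supplied here from the GSM band definitions, not from the article.

```python
# Band table: (first ARFCN, last ARFCN, base uplink MHz, ARFCN offset, duplex spacing MHz).
# GSM 1800 is the row the article gives; the two 900 MHz rows are the standard
# band definitions added for this example. PCS 1900 reuses ARFCNs 512-810, so a
# phone's band must be known before converting; it is deliberately not listed.
GSM_BANDS = {
    "GSM 900":   (0,   124,  890.0,  0,    45.0),   # 890.0 + 0.2 * n
    "E-GSM 900": (975, 1023, 890.0,  1024, 45.0),   # 890.0 + 0.2 * (n - 1024)
    "GSM 1800":  (512, 885,  1710.2, 512,  95.0),   # 1710.2 + 0.2 * (n - 512)
}

def arfcn_to_freq(arfcn):
    """Return (band, uplink_mhz, downlink_mhz) for a GSM ARFCN.

    Uplink is the phone's transmit frequency, downlink the base station's.
    Raises ValueError for channel numbers outside the bands listed above,
    which is how a detector would flag a cell announcing a bogus channel.
    """
    for band, (lo, hi, base, offset, duplex) in GSM_BANDS.items():
        if lo <= arfcn <= hi:
            uplink = round(base + 0.2 * (arfcn - offset), 1)
            return band, uplink, round(uplink + duplex, 1)
    raise ValueError(f"ARFCN {arfcn} is not in a supported GSM band")
```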
Location Update
When the phone moves from one Location Area to another, it sends this message to the station. It also sends it periodically.
PAGING messages
Paging is the process of finding a specific subscriber to deliver an SMS message or a call. If an SMS arrives, the program registers the SMS centre address (SMSC) and the message type: normal, silent or binary.
And now let us describe directly the criteria by which the program finds traps.
1. The LAC or Cell ID changed while the frequency remained the same. Indeed, a trap often occupies an existing frequency while providing a stronger signal than the original station. But this metric is very unreliable. First, the phone can be in the coverage area of two stations from different LACs and simply jump from one to the other, staying on the same channel. Secondly, the operator itself can command a station to switch to another LAC.
2. The LAC of the current station differs from the LAC of the surrounding stations. The trap's task is to make the phone perform a Location Update, since only then can it "pull" the necessary information out of it. Therefore it announces a different LAC while providing a stronger signal. But there is a pitfall: legitimate femtocells may also have a different LAC; it depends on the cell's settings, the operator and the weather on Mars.
3. With the Cell ID/LAC pair unchanged, the channel number changed. A trap is often disguised as an unused frequency of an already existing base station.
4. The LAC contains a single station. As already stated in point 2, the trap usually seeks to provoke a Location Update. The easiest way to achieve this is to raise a pseudo-tower with a LAC different from all the others and the strongest signal. The catch: in places with poor coverage (usually outside the city) it often happens that the phone "sees" only one station, and there it is pointless to guess.
5. The station does not report information about its neighbouring stations, although under dense coverage it should. A trap does not announce other stations so that the phone "is not tempted" to switch to them. And sometimes they are cunning: they announce non-existent frequencies of either existing or non-existent neighbouring stations.
6. Announcement of a deliberately high CRO (Cell Reselection Offset). This is one of the parameters that affects the phone's algorithm for selecting the best base station.
7. Encryption was disabled, while previously it was on for the same LAC/Cell pair. A trap can switch the phone from A5/3 to A5/0, thereby turning off encryption altogether, or to the weak A5/2 algorithm.
8. The CIPHER MODE COMPLETE message does not contain the IMEISV. Here it is necessary to explain the whole process of authentication and encryption in GSM in more detail. Connecting to a GSM network consists of three stages: authentication, generation of an encryption key, and selection of an encryption mode.
1. Authentication
The subscriber's SIM card stores a 128-bit key, the Subscriber Authentication Key. The operator keeps an identical copy. Since the SIM card formally belongs to the operator and the key itself is stored securely, this is considered reliable.
Steps:
- the station generates a random 128-bit number and sends it to the subscriber;
- both sides feed the number and the shared key into the A3 algorithm and obtain a 32-bit number, SRES (Signed Response);
- the subscriber sends a response with this number, and the station compares it with its own; if they match, the subscriber is authenticated.
By the way, authentication of the station itself is not provided. Is that an accident?..
2. Generation of encryption key
Here the procedure is identical, except that the random number and the key are fed into the A8 algorithm, and the result is the 64-bit symmetric A5 encryption key.
3. Selection of encryption mode
The station sends the CIPHER MODE SELECT command to the phone, indicating the required encryption mode: A5/0, A5/1, A5/2 or A5/3. This message also carries the REQUEST_IMEISV flag, which means the phone must report its unique identifier in its CIPHER MODE COMPLETE reply, and this reply is already encrypted with the previously agreed key. By default the flag is always set. However, a trap may omit this flag, and as a result the CIPHER MODE COMPLETE message will contain predictable static content. After that a standard known-plaintext attack is performed and the key is recovered. So criterion 8 catches the absence of this flag. There is an additional sign as well: a long wait for the station's acknowledgement of CIPHER MODE COMPLETE. Indeed, recovering the key takes time.
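The three attachment stages above, as an added example with both the SIM and the network side simulated (this is not the article's or SnoopSnitch's code). The real A3/A8 algorithms live on the SIM and at the operator; an HMAC stands in for them here, which is an assumption, as are the Ki, RAND and IMEISV placeholder values.

```python
import hashlib
import hmac
import os

class Sim:
    """Subscriber side: holds the 128-bit Ki and computes A3/A8.
    HMAC-SHA256 stands in for the real SIM algorithms (assumption)."""
    def __init__(self, ki):
        assert len(ki) == 16
        self.ki = ki
    def a3(self, rand):          # 32-bit SRES
        return hmac.new(self.ki, b"A3" + rand, hashlib.sha256).digest()[:4]
    def a8(self, rand):          # 64-bit Kc, the A5 session key
        return hmac.new(self.ki, b"A8" + rand, hashlib.sha256).digest()[:8]
    # There is deliberately no method that checks who sent RAND: as the article
    # notes, the phone answers any challenge and never authenticates the station.

class Network:
    """Operator side: keeps its own copy of Ki, issues RAND and checks SRES."""
    def __init__(self, ki):
        self.copy = Sim(ki)
    def verify(self, rand, sres):
        return hmac.compare_digest(self.copy.a3(rand), sres)

def attach(sim, network, rand=None, request_imeisv=True, imeisv=b"<IMEISV>"):
    """Run authentication, key generation and cipher mode selection.
    Returns (authenticated, kc, cipher_mode_complete_payload).
    imeisv is a constructed placeholder, not a real identifier."""
    rand = rand or os.urandom(16)                   # stage 1: 128-bit challenge
    sres = sim.a3(rand)
    authenticated = network.verify(rand, sres)
    kc = sim.a8(rand)                               # stage 2: session key
    # Stage 3: CIPHER MODE SELECT names the A5 mode and may set REQUEST_IMEISV.
    # Without the flag, the first message ciphered under kc is a fixed string,
    # which is exactly the known plaintext criterion 8 is watching for.
    payload = b"CIPHER MODE COMPLETE" + (imeisv if request_imeisv else b"")
    return authenticated, kc, payload
```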
9. After the Location Update there is a standard request to the subscriber for identification information (IMEI, IMSI), and then the station rejects the phone, forcing it to make a new Location Update. All this is a sign of a trap operating in information-gathering mode.
10. If the station announces an encryption mode different from the one usual for a given locality or operator, then this is either a trap, or an operator oversight, or a hardware failure, or so intended. But it is taken into account.
11. The interval of the periodic Location Update is too short. The phone must send a Location Update periodically, even if it does not move from one cell to another, and the value of the period comes from the station. The standard value is 1–4 hours. But a trap can deliberately hand out small timeouts in order to "hook" more phones.
12. Paging occurred but no SMS or call followed. This is a typical check of whether the "victim" is in the coverage area at a particular moment.
13. A traffic channel (TCH) was established, but neither SMS nor call followed, or followed only after an unusually long time. According to the protocol, after this channel is established the phone continuously sends empty acknowledgements until the channel is closed. A trap can use these acknowledgements to position the phone more accurately.
14. Suspicious list of neighbouring stations (Neighbouring Cells). Each station transmits to the phones connected to it a list of surrounding stations. But if it is a trap, it will be absent from the lists of the other, legitimate stations.
15. Splitting into a large number of paging groups. Each station combines all connected phones into groups. This is needed to optimise resources. When an incoming call occurs, all phones in the group receive an alert on the corresponding logical channel. When a false station wants to return a subscriber to its native cellular network, it sends incorrect data on the channel of the group to which the subscriber belongs. As a result, all members of the group begin the Cell Reselection procedure. To affect as few subscribers as possible, a false station makes the groups small, so the number of groups becomes large, which is a sign of a trap at work.
As we see, there are many criteria, and none of them individually is a 100% guarantee of trap detection. Instead, a probabilistic estimate is proposed.
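To make the probabilistic idea concrete, here is an added example (not SnoopSnitch's code) that applies criteria 1, 2, 3, 5, 7, 8 and 11 from the list above to constructed cell observations and adds up weighted hits. The field names, weights, thresholds and sample cells are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Cell:
    lac: int
    cell_id: int
    arfcn: int
    cipher: str                  # "A5/0", "A5/1", "A5/2" or "A5/3"
    announced: list = field(default_factory=list)  # neighbour ARFCNs the cell announces
    request_imeisv: bool = True  # REQUEST_IMEISV flag seen in CIPHER MODE SELECT
    lu_minutes: int = 60         # periodic Location Update interval the cell demands

# Constructed weights for the example; SnoopSnitch has its own scoring.
WEIGHTS = {"lac_changed_same_arfcn": 1, "lac_differs_from_neighbours": 2,
           "arfcn_changed_same_cell": 2, "no_neighbour_list": 2,
           "cipher_downgrade": 3, "no_imeisv_request": 3, "short_lu_interval": 2}
STRENGTH = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3}   # weakest to strongest

def score(cur, prev, seen, usual_cipher):
    """Score one serving cell. prev: previous serving cell (None if unknown);
    seen: other cells the phone currently observes; usual_cipher: the cipher
    normally used on this LAC/Cell ID pair (None if unknown).
    Returns (score, list of criteria hit)."""
    hits = []
    same_cell = prev is not None and (cur.lac, cur.cell_id) == (prev.lac, prev.cell_id)
    if prev is not None and not same_cell and cur.arfcn == prev.arfcn:
        hits.append("lac_changed_same_arfcn")           # criterion 1
    if same_cell and cur.arfcn != prev.arfcn:
        hits.append("arfcn_changed_same_cell")          # criterion 3
    if seen and all(c.lac != cur.lac for c in seen):
        hits.append("lac_differs_from_neighbours")      # criterion 2
    if seen and not cur.announced:                      # dense coverage, no list
        hits.append("no_neighbour_list")                # criterion 5
    if usual_cipher and STRENGTH[cur.cipher] < STRENGTH[usual_cipher]:
        hits.append("cipher_downgrade")                 # criterion 7
    if not cur.request_imeisv:
        hits.append("no_imeisv_request")                # criterion 8
    if cur.lu_minutes < 60:                             # standard is 1-4 hours
        hits.append("short_lu_interval")                # criterion 11
    return sum(WEIGHTS[h] for h in hits), hits

# Constructed observations: two ordinary cells of one LAC and a suspicious one
# that took over LEGIT's channel with a foreign LAC, a weaker cipher and no list.
LEGIT = Cell(lac=1001, cell_id=17, arfcn=700, cipher="A5/1", announced=[702, 705])
OTHER = Cell(lac=1001, cell_id=18, arfcn=702, cipher="A5/1", announced=[700, 705])
ROGUE = Cell(lac=4242, cell_id=1, arfcn=700, cipher="A5/2", announced=[],
             request_imeisv=False, lu_minutes=5)

def demo():
    """Score the suspicious cell against the one it replaced, and a normal cell."""
    return score(ROGUE, LEGIT, [LEGIT, OTHER], "A5/1"), score(LEGIT, None, [OTHER], "A5/1")
```

A single hit (a femtocell with its own LAC, a rural area with one station) stays below any sensible alarm threshold, while the constructed rogue cell trips six criteria at once.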
Conclusion
With this article I wanted to arouse interest in the GSM standard, which is used by about four fifths of the world's mobile users. As we have seen, the basis of GSM security is not so much cryptographic strength as the high "entrance ticket" to this area. Telecommunications equipment manufacturers and operators dominate here, and vulnerability discussions rarely go beyond hacker conferences. Fortunately, with the advent of the new UMTS standard, security has been enhanced. Here are the main innovations:
- Mutual authentication to protect against false base stations;
- Integrity of control commands;
- Encryption extends not only to the “telephone - base station” section, but also to channels within the server part;
- Stronger encryption (128 bits versus 64 bits in GSM).
But hackers are not asleep either. Let's wait for new vulnerabilities in 3G and 4G networks!
Useful links