Note: This document is provided only for Educational use and for better understanding of GSM security concern.Donot use this information for any unlaw ful activity.
Introduction to GSM Security
The GSM standard was designed to be a secure mobile phone system with strong subscriber authentication and encryption. The security model and algorithms were developed in secrecy and were never published. Eventually some of the algorithms and specifications were found out using reverse engineering. The algorithms have been studied since and critical errors have been found. Thus, after a closer look at the GSM standard, one can see that the security model is not all that good. An attacker can go through the security model or even around it, and attack other parts of a GSM network, instead of the actual phone call. Although the GSM standard was supposed to prevent phone cloning and over-the-air eavesdropping, both of these are possible with little additional work compared to the analog mobile phone systems and can be implemented through various attacks.
Weaknesses of GSM
·The authentication process in GSM technology considers only a one-sided authentication. The Mobile Station has to prove, that it is permitted to access the network, but there is no verification of the Base Station
·It is necessary for a Mobile Station to transmit the current location in short periods to the Base Station. This can be abused to track and record the movement profile of a subscriber.
·GSM was designed to be only as secure as the fixed network to which they connect.
·GSM provides only access security, but the security part of fixed network portion isn’t protected.
·In GSM there is no Explicit confirmation to the Home network that authentication is properly used when customer roam in different network.
·Lack of confidence in cryptographic algorithms.
The GSM encryption ciphers were kept secret until 1999, when Marc Briceno of the University of California at Berkeley managed to reconstruct the algorithms used.
Researchers at the Technion-Israel Institute of Technology in Haifa found a way to defeat the GSM security system (A5/2), exploiting a flaw in the way the encryption is applied.
GSM Security Model
The GSM Security Model is based on a shared secret between the subscriber's home network's HLR and the subscriber's SIM. The shared secret, called Ki, is a 128-bit key used to generate a 32-bit signed response, called SRES, to a Random Challenge, called RAND, made by the MSC, and a 64-bit session key, called Kc, used for the encryption of the over-the-air channel. When a MS first signs on to a network, the HLR provides the MSC with five triples containing a RAND, a SRES to that particular RAND based on the Ki and a Kc based again on the same Ki. Each of the triples are used for one authentication of the specific MS. When all triples have been used the HLR provides a new set of five triples for the MSC.
When the MS first comes to the area of a particular MSC, the MSC sends the Challenge of the first triple to the MS. The MS calculates a SRES with the A3 algorithm using the given Challenge and the Ki residing in the SIM. The MS then sends the SRES to the MSC, which can confirm that the SRES really corresponds to the Challenge sent by comparing the SRES from the MS and the SRES in the triple from the HLR. Thus, the MS has authenticated itself to the MSC. The MS then generates a Session Key, Kc, with the A8 algorithm using, again, the Challenge from the MSC and the Ki from the SIM. The BTS, which is used to communicate with the MS, receives the same Kc from the MSC, which has received it in the triple from the HLR. Now the over-the-air communication channel between the BTS and MS can be encrypted Each frame in the over-the-air traffic is encrypted with a different key stream. This key stream is generated with the A5 algorithm. The A5 algorithm is initialized with the Kc and the number of the frame to be encrypted, thus generating a different key stream for every frame.
This means that one call can be decrypted when the attacker knows the Kc and the frame numbers. The frame numbers are generated implicitly, which means that anybody can find out the frame number at hand. The same Kc is used as long as the MSC does not authenticate the MS again, in which case a new Kc is generated. In practice, the same Kc may be in use for days. Only the over-the-air traffic is encrypted in a GSM network. Once the frames have been received by the BTS, it decrypts them and send them in plaintext to the operator's backbone network.
Hacking the Signaling Network
The air waves between the MS and the BTS are not the only vulnerable point in the GSM system. As stated earlier, the transmissions are encrypted only between the MS and the BTS. After the BTS, the traffic is transmitted in plain text within the operator’s network. This opens up new possibilities. If the attacker can access the operator's signaling network, he will be able to listen to everything that is transmitted, including the actual phone call as well as the RAND, SRES and Kc.
Accessing the signaling network is not very difficult. Although the BTSs are usually connected to the BSC through a cable, some of them are connected to the BSC through a microwave. This link would be relatively easy to access with the right kind of equipment. The microwave link might be encrypted, however, depending on the hardware manufacturer, thus making it slightly more difficult to monitor it . It is really a question about whether the attacker wants to crack the A5 encryption protecting the session of a specific MS or the encryption between the BTS and the BSC and gaining access to the backbone network. The ability to tap on to the data transmitted between the BTS and BSC would enable the attacker to either monitor the call by eavesdropping on the channel throughout the call or he could retrieve the session key, Kc, by monitoring the channel, intercept the call over the air and decrypt it on the fly.
Read this link for more info about GSM A5 encryption algorithm
Hacking a Mobile Fone User Through IMSI-CATCHER
The GSM specification requires the handset to authenticate to the network, but does NOT require the network to authenticate to the handset. This well-known security hole can be exploited by an IMSI-catcher.Even the service provider cannot notice the use of IMSI-catcher.
An IMSI-catcher is a device for forcing the transmission of the IMSI and intercepting GSM mobile phone calls.The IMSI-catcher acts as a base station and logs the IMSI numbers of all the mobile stations in the area, as they attempt to attach to the IMSI-catcher. It allows forcing the mobile phone connected to it to use no call encryption ( A5/0 mode), making the call data easy to intercept and convert to audio.
Working OF IMSI-CATCHER
The basic principle of GSM is, a mobile station always connects to the base station which provides the best reception. An attacker can easily enforce this kind of a setting, i.e., make a victim device connect to him instead of a real base station by drowning the real base stations that are present by sending its beacons with higher transmitting power.
Thus the IMSI-CATCHER creates the same scenario and acts as a fake basestation, so the victim's mobile attaches with the hackers IMSI-CATCHER assuming it as the real base station.
Now During the connection setup the attacker sends the security capabilities of the victim mobile station to the attached visitor network.
The attacker sends the TMSI of the victim mobile station to the visited network, which he obtained during the connection setup. If the current TMSI is unknown to the attacker, he sends a faked TMSI.
If the network cannot resolve the fake TMSI, it sends an identity request to the attacker. The attacker replies with the IMSI of the victim.
The visited network requests the authentication information about the victim device from its home network. The home network provides the authentication information to the visited network. The network sends RAND and AUTN to the attacker. The attacker disconnects from the visited network. Thus attacker obtains an authentication token.