In one of the previous installments of our GSM saga we mentioned an urban legend of hijacking encryption keys on the fly. It presupposes someone can clone your SIM card without any physical manipulations, even if it would be a temporary clone. However, the Ki key is stored locally on a SIM card and in the carrier’s database, so it does not even leave its home. So, what’s the trick?
In theory, an adversary can establish a fake base station emitting strong signal and imitate legitimate requests to SRES by sending random RAND requests (if you are unsure what it all means, it’s time to check out the first part of the story). Using this method, an attacker is able to calculate Ki with help of crypto analysis — just the way they would do it when having physical access to the SIM card.
— Kaspersky Lab (@kaspersky) January 5, 2016
However, this method is quite complex: the crypto analysis takes quite some time and requires a lot of faux requests. While the attacker is busy bombarding the victim with RANDs, the owner of the target phone might leave the fake base station’s radio range, and the adversary would need to follow the victim with the equipment. Well, if we are talking about a well-planed targeted attack, the equipment may be deployed somewhere around the home location. The success of the attack depends on the encryption algorithm: if the carrier uses COMP128v2, the hack may not work.
In fact, over-the-air attacks are primarily designed to allow an adversary to eavesdrop on the subscriber’s conversations. As we already know, over-the-air communication is encrypted (except for special cases, when encryption is disabled during law enforcement operations) primarily for this reason: restricting ability to listen to private conversations. The encryption uses the A5 algorithm with a 64 bit key. A5 has two versions: the more sustainable A5/1 and the less resilient A5/2, which is shipped without restrictions to all ‘potential adversary’ countries.
— Kaspersky Lab (@kaspersky) March 16, 2016
To do it justice, even a A5/1 key is not a 64 bit but a 54 bit key: the first ten bits are ‘low bits’, which are there for the purpose of simplicity. A5/2 is designed to ease the task for secret services working overseas.
Before, the method of hacking A5/1 was based on brute-forcing locally stored data and required so much time, that the information in question would lose its relevance before the hack is completed. But today’s PCs (well, not even “today’s”, as the corresponding PoC was first demonstrated back in 2010) are able to crack it in seconds and calculate the key with help of so-called ‘rainbow tables’. The 1.7 TB set of tables can be stored on fast high-capacity SSDs which are relatively cheap and available everywhere.
An adversary acts passively and does not broadcast anything over the air, which makes them almost untrackable. The complete toolset for cracking the key includes just the Kraken software with rainbow tables and a moderately ‘fine-tuned’ telephone of the ‘Nokia with a flashlight’ class. Armed with those assets, an attacker would be able to eavesdrop on conversations and intercept, block or alter SMS messages (so, don’t consider two-factor authentication for your online bank a ‘digital fortress’).
— Kaspersky Lab (@kaspersky) March 11, 2016
Armed with the key, an adversary can also hijack calls and impersonate the victim. Another killer capability: dynamic cloning. A culprit initiates an outbound call request to the cellular network while the victim is also engaged into the session. When the network sends back the authorization request, the attacker hijacks it and forwards to the victim, thus obtaining the Kc key. Then it’s done, the session with the victim is over, whereas an adversary starts his own session with the network, impersonating the victim.
This allows to initiate calls at the victim’s expense and do other things, like sending text messages to premium numbers and siphoning money through content provider partner programs. This method was once used in Moscow: a group of people would drive around crowded places in a minivan to massively clone SIM cards and charge small sums from people’s phones.
— Kaspersky Lab (@kaspersky) November 18, 2014
The criminals managed to remain unnoticed for quite a long time: the rogue operations were seen as if initiated by legitimate users. The only thing which helped to identify the fraud scheme is a suspiciously large number of similar requests to a certain premium content provider in one particular base station range.
To encrypt packet traffic (GPRS/EDGE), another Kc key is used. Whereas it differs from the Kc key used for voice traffic, it is calculated using the same algorithm — GPRS-A5, aka GEA (GPRS Encryption Algorithm), which exists in GEA1, GEA2 and GEA3 forms. That means one can intercept even mobile Internet traffic. Well, today, when Internet traffic is usually carried over 3G and LTE, this problem is not so grave anymore. From the other hand, the 2G data transmission is still used by many telematic systems like ATMs, POS terminals and the likes of those.
The is one way to prevent such attacks: using the more resilient and up-to-date A5/3 algorithm which is not crackable with the help of rainbow tables. However, the carriers are a bit reluctant to deploy the new technology: first, it’s a costly migration that brings no additional profit (meaning the investment is spent on something not very profitable, which is nuisance in the carrier world). Second, the majority of handsets today don’t support A5/3 or at least don’t support it properly, which might cause interruptions.
— Kaspersky Lab (@kaspersky) January 19, 2016
Third, A5/3 won’t stop adversaries from eavesdropping on subscribers: if the attackers use a fake base station, the latter is empowered to downgrade the encryption algorithm used by the phone, ultimately helping hackers in their quest of obtaining the key (and the key is the same in all algorithms, mind you!). If the threat is still there, what’s the point in spending more money and effort on migrating to a better encryption algorithm? Fourth, it’s expensive. Fifth, it’s unbearably expensive.
On a brighter side, all attacks we covered today are bound to become obsolete quite soon.The era of Virtual SIM cards and eSIMs has already begun, and those new approaches to SIM cards would fix at least some of the security flaws that exist in the nowadays SIMs.