Practice English Speaking&Listening with: DEF CON 22 - NSA Playset - GSM Sniffing

Difficulty: 0

>>All right. So wow further ado, we have Loki presented on GSM this morning or this afternoon,

sorry. And  ‑ ‑ pierce. I'm sorry. I missed that. So without further ado, I'm going to let

the fine gentlemen get on with this. Enjoy. [ Applause ] >> Left and  ‑ ‑ left and right.

Okay. GSM, welcome to our talk. We are going to talk about NSA today, we have fun GSM and going

to talk about. My name is dean pierce. This is my fourth Def Con talk. I have been attending

Def Con since Def Con 10. I am information security professional and I work in the

field of product security, which is great. It is way cooler than testing you get to see cool

shit. So. It is good stuff. It should be a  career path people look into. Also for some reason

when I get a  paper for Def Con is wireless stuff. All of my nonwireless talks are excepted.

That's about me. >> Hey, I'm Loki. Yeah. This is my first time talking at Def Con. [

Applause ] So I've been doing stuff for  ‑ ‑ secure stuff for 12 years. Mostly analytictype

stuff. They are calling the big data now which bothers me. And pretty much every role I have

ever been in, I had to do some sort of security stuff. I like seeing problems that is also a

interest of me. And the GSM stuff for the past few years I had a  heavy interest in and

kept playing with it. That's about it for me. So let's see. So GSM, most of you guys are

probably familiar with it, is the most widely used cellular system in the world. And right

now  ‑ ‑ what? There's, right? 7  billion, I think, as of 2013. People worldwide using it. Going

off of the GSM association it is available in more than 219 countries, market share more

than 9%. All  ‑ ‑ 90%. All of that fun stuff, and also the legacy network for most of the

other technologies used today, with the exception of CDMA. That means LT built on top of the GSM

stuff. Right now there, if you make a  voice call that is probably going on classic GSM.

Whereas, essentially, with LTE we expect to see that go over data traffic, at some point it

will be probably be more difficult to play with. Hold on, slides. One of the things that

was interesting about the GSM stuff was that it's, it was  ‑ ‑ the first of seriously consider

any  form of security with both  ‑ ‑ stuff with the  ‑ ‑ beans instead of any sort of  ‑ ‑ um,

persistent mobile identity. It somewhat helped your usage of it from just an eavesdropper

perspective. And it also used A5 encryption, which there is A5/1 and A5/2 are the standards, and

unfortunately, what was rolled out for most of the world was a  slightly broken version of it,

even though at this point most of them have gone to somewhat more secure, but still breakable

A5/1. There is A53. But as far as I'm aware there is no rollouts of it. That one is also

know, nobody has breaks for it at this point. So I'm out of sync with my slides. Sorry about

that. This short history lesson in the 199's, the first attack on A5 was proposed on June  17,

1994, there was a  message posted to UK telecom group and it, he described potential

attacks and also the first publication of open A5 site. People had idea what was it, but

nobody published code that may represents what it looks like internally. Yeah, that was over

20 years ago. In, we're, still using the same cipher today. In '97, um, at  ‑ ‑ I can never

pronounce his name. It is Jovon, presented  ‑ ‑ cryptanalysis, and presented a  potential time

memory tradeoff attack which was sort of the basis for a lot of the further attacks that

happened. So in 2000, um, at the seventh international workshop on software encryption, three

guys presented a  ‑ ‑ um, paper on realtime cryptanalysis  ‑ ‑ of A51, and than that one, that

was the first attack to theoretically allow you to see decrypted traffic in realtime.

Also, in 2000, two other people went ahead and invented essentially the same idea with a

slightly different time memory tradeoff technique. And so both of them theoretically

allowed attacks on A5 with plain text. But they were not really practical. So then 2003 came

along and there was a  paper related in cipher text only cryptanalysis. And it was a time

only memory tradeoff attack. It was practical, but it requires a  ridiculous large

computation phase. I believe it was in the order of 32 terabytes, which was not

practical at all. And then in 2006 the full version of the paper was related. 2003 was

significantly cut on what they actually talked about. In that they went ahead and gave a lot

more information that allowed you to  ‑ ‑ basically come up with very short plain text. Up

until then, um, know five minutes of plain text would be required, again, impractical. So

2007 COPACOBANA came along. In that one, COPACOBANA was a  hardware project it stands for

cost optimized parallel codebreaker. And it was implemented for running most

algorithms but specifically for cryptanalysis. It was commercially available

eventually, and could be used for A5/1 and A5/2 and other things, including GSM. It went

and ahead enabled force attacks from GSM without look up tables. However, this was still not

realtime. That was actually done as a  research project that eventually turned into a

commercial solution. Yeah. I wanted to jump in with 2007, because  ‑ ‑ this is also 2007 I

attended torcon and I saw a  really awesome presentation on using FPGAs and USRPs with crack

phone calls for $30, and it was amazing. I thought it would be cool if somebody bundled it

together and sold it on eBay. That stuff is hard to do. They didn't release information on

how to do it. That was my first thought of the NAS playset bundle concept. It has taken a

long time to actually do stuff. Let's see, 2008. 2008 was actually when carry talked about

generating tables and the, the tables got generated but a lot of the tools were, a lot of

tools didn't get released and a lot of the tables didn't get released. A lot of stuff didn't

happen. It was very much like a  theoretical thing at that point. Which leads to 2009. Let's see.

So in 2009, that's when you have the, there's a  talk at black hat where they tried to kickoff

the A5/1 project. So this was a  global distributed effort where everybody who had, like fast

video cards could team up together and everyone was going to generate the A5/1 tables once

and for all. It was going to be great. Also, it is really fun to read the mailing list, too. If

you go back and look at the A5/1 mailing list at this point. You have people jumping in saying I

got this card it is not optimized. Everyone doing their own thing and turning a  table

here and there. This one guy jumps on, hey I wrote this tool called cracking that uses the

table and brute force. That is great and still used today. And then the tables got released.

So  ‑ ‑ let's see. How do I get back? Over here? Yeah. Good. So 2010 was Carson speaking at

black hat. Again, and demoing, demoing the stuff and  ‑ ‑ actually, they replaced air pro,

which is great, air pro uses the USRP to get the raw GSM and then you can figure out some, some

like the text stuff and then use that and crack it with the cracking tools and the A5/1

tables released and then decrypt the traffic. He showed this on the black hat stage. It was

great. Everyone applauded it was wonderful. They also talk about in 2010, actually using the

Motorola phones to start sniffing stuff. Which is great, they are a  heck of a lot

cheaper than the USRPs that are a  couple of thousand dollars with the accessories. And the

phones are silly phones that you can get at any store. So that was great. At the end of 2010.

Carson did a  talk at CCC and taking about broadband GSM and used four different phones and

then monitored all frequencies and did a  full range of sniffing everything with the

phones. It was good. So nothing really happened. Wait. Nothing really happened in 2011. GSM

security was broken. It was done. We're good. Everybody is going get fixed now. Right? So,

unfortunately that didn't really happen, but  ‑ ‑ in 2012, we had this great thing, anyone here

familiar with the real tech SDR bundles? These things are great. They started selling and people

quickly realized, these are T.V. tuners sold everywhere under different brand names. People

realized they could twittal a  couple of bits here at whatever frequency and dump traffic.

Overnight the software defined radio computer exploded. Every one with $20  in their pocket

could go buy this little receiver and just start sniffing traffic and it worked with all

the GSM radios and the tools the more academic things. In 2013, I was able to take a  radio class.

It was a great experience, and I told them my weird of identifying of packaging

everybody together and trying to get it to work and get it out there as much as possible. He

thought it was really cool. And we talked about it a  bit. And then at the end of 2013 was when

the ANT catalog was released. Who remembers the ANT catalog? Anyone. That was interesting

stuff from NSA, what weird toys that they sell and different parts of the intelligence

community. Great stuff. Anyway, that brings us up to 2014. What was that? Okay. Well  ‑ ‑ it is

‑ ‑ there. Yeah. So  ‑ ‑ in 2014. This was the birth of the NSA playset here. It was great.

We, after the ANT catalog came out Mike was like remember that crazy playset idea, like  ‑ ‑

like, he thought of the stuff with the reflectors and things, that was cool. He wants to make

a  bunch of these things. That would be rad to pull things together and actually see how

much could be built. That was really exciting. I talked to Joe and a bunch of other people and

like other weird things we could do and things that looked like they were pretty feasible. And

so  ‑ ‑ yeah. Everything started to come together. Mike gave the first talk at hack in the box in

Amsterdam. And we tried to recruit a  few people. Our mailing list is growing and

growing. 150 members of the mailing list right now. That's pretty great. What we really

tried to focus on with the playset stuff is making it as easy as possible to use so that

it is just as  ‑ ‑ accessible as possible. And then also reducing the cost and making it more

accessible. As many people can play with it as possible. The motto I have been saying over

and over, if a  10yearold can't do it, it doesn't count. So because it  ‑ ‑ things don't

really get fixed until they are actually extremely accessible. That's kind of a  bummer.

Because eve one all of the great work that Carson and people did, I mean, the  ‑ ‑ we're still

using a lot of the like crazy terrible cryptography, and the fixes Carson has recommended to

the carriers have not been implemented. So that's kind of a  bummer. >>So  ‑ ‑ with the,

with the NSA playset, it is actually sort of three separate things. And I'll go over one of

them and dean will go over the other two. In general, what we have done so far with NSA

playset and GSM. We have air probe working with essentially after major SDR out there,

through the asthma SDR. That basically gives us a  single interface that supports the

hacker, the RTL, SDR, the USRP. Without having to worry about from our code what the back end

is, what our signal source is. We've improved the signal tracking a  bit. There was a lot

of problem with  ‑ ‑ drift, especially with the cheaper RT SDRs. So frequency code has been

improved a  bit. The cracking A5/1 tables and indexes have gone ahead and been put on a

single external USB3 hard drive. It's basically plugandplay with the tracking program on any

Linux machine at this point. It also works on OS X in some cases. And also an environment

based upon limits that has been upgraded with  ‑ ‑ the ah, new radio 3.7 and a bunch of GSM

specific tools. Oh, and we also imported the air probe GSM to work with 3.7. So the bootable

environment, you know, of course, it comes with every challenge with it, and, of

course, comes with the improved GSM receiver, it comes with, which is what you use to

actually listen for traffic. CCCH scan, for the codes, it comes with binaries and various

other tools to calibrate and stuff like that. So the first of the NSA playset GSM tool. This

one is not complete yet. It is not ready to be released is twilight vegetable. It a  system

that basically you turn on your machine and eventually you're going to start getting dumps of

all of the voice messages or all of the voice traffic and SMS traffic that is within range for

you. The sources are basically any of the SDR supported by asthma SDR as well as the DB and

Samsung gallery devices. The BB is any phone and then the Samsung galaxy devices use

something like X gold that uses the debugging feature in the devices for traffic. Basically

twilight vegetables detect the sending and dumping traffic to the essential service. That

essential services handing all of the description and stuff like that. It is necessary as

well as to decoding data. Let's see, so basic overview of the system. You have the capture

clients the SDRs and BBs. Those just send the data to the central dispatcher, which

basically consists of database server that we store stuff like session keys, mapping and a

bunch of custom software that is written around the database and send requests  out to run

statistical analysis on the encrypted data to detect, you know, what type of plain text we

think it is. And then, of course, kraken itself, which is executable index files and

tables. With the potential to have that load balance so that there's, so that kraken

definitely has a  speed limit. You can go ahead and get around that using multiple instances.

So the UM interface capture device is basically one of these would  ‑ ‑ we have it mostly,

but one of these is written for each type of device, one for the DSR. One for gold, and one for

DB. If a  new UM interface that is the radio side of things capture device comes out, it

should be able to be added relatively simply either by writing the writer or hopefully

DR supports it. So each of these is responsible for listening one or more, or A RSD N, the radio

frequency channel numbers. Think of them as frequencies there is a map between the member and a

given frequency and the GSM band. And what it does it goes ahead and detects any what are

called immediate channel assignment messages. These basically say, hey I need you to

switch to a  new channel and most likely going to send you encrypted data. So when the

phone receives this, it switches that new channel and the first message that is usually sent is

a  crypto message we know what that looks like. It is a known plain text. We can use it with

kraken to go ahead and crack the rest of the traffic. So when it sees that channel assignment

message it goes ahead and starts capturing all of the data on that channel. Once that channel

is released or that channel is reassigned, sometimes the channel release messages

themselves are encrypted, we cannot detect that until we crack it. It goes ahead and ends

the capture file  ‑ ‑ sorry  ‑ ‑ ends the capture file and submits it to the central

dispatcher. What it submits is the error FCN. The temporary mobile subscriber identify, the

network information, that is your mobile country code and mobile network code, cell ID and

signaltonoise ratio. Which is important to tell if a  packet is likely to have

corrupted data tin or not. And then as well it sends the  ‑ ‑ actual channel data that it has

captured. So when the submits that to the central dispatcher  ‑ ‑ where's the next slide? The

central dispatcher goes ahead and  ‑ ‑ um, writes multiple functions. Basically it takes it

in, puts it in a file store, enters the submitted data into a  database linking to the file,

the file in the file store, and then runs statistical analysis on the packets to see which one

we know are plain text. Some of that is very simple. This is if first packet. We know it is

a crypto packet. Some of that is a  ‑ ‑ um, for instance, a system information 5 message,

which we can, by looking at the plain text version of it, we know what the crypto version of

it and detect whether or not it send a  message with high likelihood based upon comparison

with the rest of the encrypted messages in a  sense. So it also goes ahead and stores any

cracked keys that it gets back from crack one the associated keys. Keys are used, reused for

a  given session. So we're able to go ahead and immediately encrypt any data using that

"TMZ" in the future. Then also want it gets back a  key and it is able to decrypt the data, it

goes ahead and parses through looking for SMS and voice messages. And then writes them

out to disk for you. With an associated MZ if it is detected in MZs. They are not sent very

often. So that's sort of the glue that holds everything together. The next part of that

is kraken, which we will cover more later. But kraken  ‑ ‑ when it  ‑ ‑ it is able to be run in

server mode and supports asynchronis operation, so we can submit a  bunch of binary

sequences to it. As it is able to match those and give us back potential keys we can check

those keys in whatever order they are returned. There is also the potential to go ahead and

run multiple instances in parallel using load balancing to allow the kraken cloud to be

built. So our kit for twilight vegetable that was sold used is a  USB key and a nano SDR. The

USB key is nice and fast. It is customized with GSM tools. Oh, and the second line is being

covered. Anyway, being  ‑ ‑ it's, you do have to put in persistent code to get the

binary system built on it. We'll go ahead and be released further updates on it as we improve the

system. Then we're also  ‑ ‑ including this, nano SDR. It is extremely tiny. Give you an

idea. This is the RTLSDR. And I mean that is about as small as you're going to get for software

defined radio that I have seen. They are really cheap. They are $20. They have improved the

crystals and capacitors and they come from a  company that specializes in doing RTL, SDR

stuff, not just T.V. tuners. So this specific device, from 25  megahertz. Higher bands such as

the 1800 GSM band and another bands I mentioned. The 850 band. And the connector on it is

standard MCX. Whatever active antenna or better antenna you manage to find, you don't have

to deal with weird issues. This is really nice. There is a few things about them. I want to

give them a shout out, they went ahead and wrote nano SDRs. Free swag is always good. They have

improved electronics and gave you guy as discount code. It is good through the end of August.

Most important, for a lot of you guys they had bit coin for software defined radio

purchases. That's also sort of advantageous. And they work with other SDR stuff. So they have

more than just this in stock. They know what they're talking about if you have any questions

about if you can use a  given SDR device for a  given purpose. So that  ‑ ‑ that brings us to

the next segment, which pierce will take care of? >> Did you get the SDR? Good stuff. It is

pretty much a  16 gig USB if you have one of your own the  ‑ ‑ image will be on the left. It is

like 7 gigs or something, so it might be hard to download at the hotel. But  ‑ ‑ when you get

home download the image and make it  yourself. And we will be releasing updates. Okay. So who

here remembers the genesis handset? It was the, it was like, it was like a  telephone,

right? That is because it pretty much is, a  Motorola sliver L9. If you look at the picture

there. Elevated modifications, I guess they added memory to it and different SDR components.

Essentially it is a  little portable thing. NSA had genesis. I thought it would be good to

make  ‑ ‑ how do I get that out? Yeah. No. Click. Yeah. Yeah. So we made this handset. So  ‑ ‑

and  ‑ ‑ so this is, I mean, it  ‑ ‑ it looks like a  regular Motorola phone, that is because

it is. You can buy these all over eBay. It is crazy stuff. This is the Motorola C139

phones. So if you ever looked into VD it is a  really great project. Everyone should look

into it. All of the documentation and talks, everything that you ever see

about them talks about the C123. Because of that and because of all of the great information

that have been found with the 123, they are kind of expensive to buy on ebay. They go for

$200  sometimes for the $5phones. The 123 is good in Europe, but the 139s are made

for the U.S. And they work really well in the United States and they work really well with

all of the OSMOCOM tools. If you're on eBay buying phones by the 139 it is great. So  ‑ ‑ the

in addition to that, you also need this custom SD cable that talks serial over the micro

audio port that is in the thing. So you are pretty much connected up and then all of the tools

work with it. Also one thing that I didn't quite realize until I started playing with it.

The firmware that you put onto the phones actually exists only inswww memory. You are typically

not supposed to persistently put the things on the phone. So what happens you turn your phone off

and back on it is a  regular cell phone, that's great. So as part of the handset I wanted to

throw good demos on the USB. If you download USB or managed to acquire one yesterday. I got

this tool in the home director. When you boot you boot into persistent mode and all of the

tools are in the home directory. RSSI is a firmware that does kind of frequency scanning and

‑ ‑ it is pretty neat. So dot/RSSI it loads the frequency scanner. I will have a  demo of

that in a  second here. I also wanted to show off some actual, you know, live GSM packet

dumping. So I put on this layer one pushes a  special image to your phone that essentially

turns it into a‑ ‑ like a  GSM kind of gateway functional thing. It is a layer one kind of

device that you can do all of your typical, like, a.m., you know, cell phone tower,

whatever, dialing, whatever. You transmit it to layer one and it spits it out GSM over the

network. And then the CCCH scan. I have it modified with a burst and patch, if anybody knows what

that is. It allows for a lot of GSM dumping and raw GSM traffic on the network. That is great.

And then wire tracking can navigate. That is good stuff. I had a  couple of problems if

anybody saw me trying to demo the stuff yesterday. For some reason Def Con made it so my

console device was not TTYSO. It turned into like  ‑ ‑ S4 or whatever. So I added the shell

scripts and everything works fine. I had two more phones I didn't want to sell it, they

were not working right. But I got them working. I added the control strip. I don't know. And

also all of the charging is done in software on the phones. It is usually not a  good idea to  ‑ ‑

delete a  continuously charging when it is plugged in. It might not be as good as the actual

official charging software that is on there. And sometimes it will overheat, sometimes they

will not really charge. Things like that. I also really wanted to enable BB stuff happening in

the United States. There's a  really great tool that Carson related last year called GSM

map. GSM map was a  bootable USB stick you put up to it, you plug in your phone and hit the button

and it takes surveys of the GSM networks around and you figures out the security features they

are using and packages they applied and what they are doing. It up loads the data. So if you

go to GSM, you will see a  full map of the security technologies over time. It is

pretty much entirely Europe, Europe has all of the data sources. There is like three

data sources in the U.S. Everyone who gets the phones should contribute to the

project. It is really great and it is really good to see  security every time. So like I

said, search eBay for the 139. The TracFones have a  newer firmware on it. You can still  ‑

there are ways to bypass it, but if you want to do the easy way, buy these phones. They work

great out of the box. A  guy that I work with, reed, he makes crazy modified hardware and

sells them on eBay. So you can look him up on eBay or email him directly. You can charge,

and turn your phone into a  base station, doing all sorts of fun stuff. So another part of the

project is the drizzle chair. This is a tiny hard drive. This is 2 terabytes. Like the tables

that came out. People were thinking 2 terabytes how many things will I need to do that.

Now, it is simple USB things you can buy them for under $100. And the first idea justs have all of

the tools. One thing to know the tables are in the partition, you cannot download the fires into

a  device. You have to download the files and use a  tool to insert them. If you buy one of

these online make sure that you have a hard drive in your computer if you downloading it.

You do need two, one to download to and one to transfer them to afterwards. So keep that in

mind. And essentially what it does, you can see cipher text off of the network. There is a

lot of traffic that's very, very predictable in GSM. What you do, you find a  packet that looks

like a  packet that you recognize and then you do work between the two. What you get is

the raw A51 stream. With the raw A5/1 stream, you copy and paste it into kraken and kraken goes

through the rainbow table thing and looks for a  result and then dumps it out when it finds it.

Then you can use either tool to decrypt. >> Seeing any signal? >> I might have to reboot to do

that. So what I'm doing now is just booting up off of the USB. I sold a  whole a  bunch

yesterday. The exact same USB stick you could download from the Internet to make your own.

And, let's see. The thing is, it pretty much just has a  straight Cali boot disk with the

resistant image. So it is a  ‑ ‑ it is Cali 108, which was release a few days ago. And than

it is just a  home directory full of tools all of the tools do the sniffing, the decrypting,

the cracking and  ‑ ‑ have  ‑ ‑ things like pineapple kind of installed that kind of work. And

all of the air pro stuff that is a pain to compile on all of the different systems. The

maintenance is not as good as it could be for all of the tools that are there. Let's see.

Hopefully it starts up now. So yeah. We just got all of the  ‑ ‑ yeah  ‑ ‑ ah. It was working

in the demo room. I don't know. There's  ‑ ‑ yeah. Try that. Okay. So we might not have a

demo that looks like  ‑ ‑ the projector is not working the way it did in the demo room. But we

might be able to show stuff on your laptop? Okay. Yeah. Yeah. Okay. Hmm. Let's see if this

works. Okay. It is very small. It takes a long time to run. It will calibrate and scan through

frequencies all of the possible frequencies for a  given GSM and tell you which channels are

active. So I ran that and it told me that the  ‑ ‑ test area was  ‑ ‑ 180 which is A69.4. The

scientific notation. And anyway, if we go ahead and run this, this is using the little nano

SDR with this thing. It will start scanning  ‑ ‑ so it is going to find the only device on

the system. Then if we flip over to Wireshark I have a filter in here right now that just shows

immediately channel assignments and these are the ones that are important for when you are

trying to capture encrypted data. So you can see it has captured five of them so far.

And  ‑ ‑ ah  ‑ ‑ not going to be able to show you too much. But  ‑ ‑ so you got your header

telling you the channel it is on and stuff like that and then you immediate assignment data

itself, which contains a channel description that tells you, hey, I now need to start capturing on

zero, usually it is channel one through seven must be control traffic and be encrypted. It

really is that simple to start looking at GSM data in Wireshark. If I remove the

filter, um, let's see, you'll see that it sends it to a  given port, that port is not open now,

but everyone  ‑ ‑ GSM tap messages is coming through and that's being captured live off

of the air. So quick demo of that for you guys. Do we want to  ‑ ‑ do  ‑ ‑ that? Yeah. If

anybody wants to stay afterwards you can come up and see the script. We have flags also. So

throw out your thing first? Any questions? Good questions get good swag. Bad questions get

heavy things. So  ‑ ‑ yes? How long? Two minutes. Okay. Two minutes. 45? So we'll be in the

chill out cafe for Q & A. If you got good questions you get SDRs. Ask us questions. Thank you very


The Description of DEF CON 22 - NSA Playset - GSM Sniffing