>>All right. So wow further ado, we have Loki presented on GSM this morning or this afternoon,
sorry. And ‑ ‑ pierce. I'm sorry. I missed that. So without further ado, I'm going to let
the fine gentlemen get on with this. Enjoy. [ Applause ] >> Left and ‑ ‑ left and right.
Okay. GSM, welcome to our talk. We are going to talk about NSA today, we have fun GSM and going
to talk about. My name is dean pierce. This is my fourth Def Con talk. I have been attending
Def Con since Def Con 10. I am information security professional and I work in the
field of product security, which is great. It is way cooler than testing you get to see cool
shit. So. It is good stuff. It should be a career path people look into. Also for some reason
when I get a paper for Def Con is wireless stuff. All of my nonwireless talks are excepted.
That's about me. >> Hey, I'm Loki. Yeah. This is my first time talking at Def Con. [
Applause ] So I've been doing stuff for ‑ ‑ secure stuff for 12 years. Mostly analytic‑ type
stuff. They are calling the big data now which bothers me. And pretty much every role I have
ever been in, I had to do some sort of security stuff. I like seeing problems that is also a
interest of me. And the GSM stuff for the past few years I had a heavy interest in and
kept playing with it. That's about it for me. So let's see. So GSM, most of you guys are
probably familiar with it, is the most widely used cellular system in the world. And right
now ‑ ‑ what? There's, right? 7 billion, I think, as of 2013. People worldwide using it. Going
off of the GSM association it is available in more than 219 countries, market share more
than 9%. All ‑ ‑ 90%. All of that fun stuff, and also the legacy network for most of the
other technologies used today, with the exception of CDMA. That means LT built on top of the GSM
stuff. Right now there, if you make a voice call that is probably going on classic GSM.
Whereas, essentially, with LTE we expect to see that go over data traffic, at some point it
will be probably be more difficult to play with. Hold on, slides. One of the things that
was interesting about the GSM stuff was that it's, it was ‑ ‑ the first of seriously consider
any form of security with both ‑ ‑ stuff with the ‑ ‑ beans instead of any sort of ‑ ‑ um,
persistent mobile identity. It somewhat helped your usage of it from just an eavesdropper
perspective. And it also used A5 encryption, which there is A5/1 and A5/2 are the standards, and
unfortunately, what was rolled out for most of the world was a slightly broken version of it,
even though at this point most of them have gone to somewhat more secure, but still breakable
A5/1. There is A53. But as far as I'm aware there is no rollouts of it. That one is also
know, nobody has breaks for it at this point. So I'm out of sync with my slides. Sorry about
that. This short history lesson in the 199's, the first attack on A5 was proposed on June 17,
1994, there was a message posted to UK telecom group and it, he described potential
attacks and also the first publication of open A5 site. People had idea what was it, but
nobody published code that may represents what it looks like internally. Yeah, that was over
20 years ago. In, we're, still using the same cipher today. In '97, um, at ‑ ‑ I can never
pronounce his name. It is Jovon, presented ‑ ‑ cryptanalysis, and presented a potential time
memory trade‑ off attack which was sort of the basis for a lot of the further attacks that
happened. So in 2000, um, at the seventh international workshop on software encryption, three
guys presented a ‑ ‑ um, paper on realtime cryptanalysis ‑ ‑ of A51, and than that one, that
was the first attack to theoretically allow you to see decrypted traffic in realtime.
Also, in 2000, two other people went ahead and invented essentially the same idea with a
slightly different time memory trade‑ off technique. And so both of them theoretically
allowed attacks on A5 with plain text. But they were not really practical. So then 2003 came
along and there was a paper related in cipher text only cryptanalysis. And it was a time
only memory trade‑ off attack. It was practical, but it requires a ridiculous large
computation phase. I believe it was in the order of 32 terabytes, which was not
practical at all. And then in 2006 the full version of the paper was related. 2003 was
significantly cut on what they actually talked about. In that they went ahead and gave a lot
more information that allowed you to ‑ ‑ basically come up with very short plain text. Up
until then, um, know five minutes of plain text would be required, again, impractical. So
2007 COPACOBANA came along. In that one, COPACOBANA was a hardware project it stands for
cost optimized parallel codebreaker. And it was implemented for running most
algorithms but specifically for cryptanalysis. It was commercially available
eventually, and could be used for A5/1 and A5/2 and other things, including GSM. It went
and ahead enabled force attacks from GSM without look up tables. However, this was still not
realtime. That was actually done as a research project that eventually turned into a
commercial solution. Yeah. I wanted to jump in with 2007, because ‑ ‑ this is also 2007 I
attended torcon and I saw a really awesome presentation on using FPGAs and USRPs with crack
phone calls for $30, and it was amazing. I thought it would be cool if somebody bundled it
together and sold it on eBay. That stuff is hard to do. They didn't release information on
how to do it. That was my first thought of the NAS playset bundle concept. It has taken a
long time to actually do stuff. Let's see, 2008. 2008 was actually when carry talked about
generating tables and the, the tables got generated but a lot of the tools were, a lot of
tools didn't get released and a lot of the tables didn't get released. A lot of stuff didn't
happen. It was very much like a theoretical thing at that point. Which leads to 2009. Let's see.
So in 2009, that's when you have the, there's a talk at black hat where they tried to kickoff
the A5/1 project. So this was a global distributed effort where everybody who had, like fast
video cards could team up together and everyone was going to generate the A5/1 tables once
and for all. It was going to be great. Also, it is really fun to read the mailing list, too. If
you go back and look at the A5/1 mailing list at this point. You have people jumping in saying I
got this card it is not optimized. Everyone doing their own thing and turning a table
here and there. This one guy jumps on, hey I wrote this tool called cracking that uses the
table and brute force. That is great and still used today. And then the tables got released.
So ‑ ‑ let's see. How do I get back? Over here? Yeah. Good. So 2010 was Carson speaking at
black hat. Again, and demoing, demoing the stuff and ‑ ‑ actually, they replaced air pro,
which is great, air pro uses the USRP to get the raw GSM and then you can figure out some, some
like the text stuff and then use that and crack it with the cracking tools and the A5/1
tables released and then decrypt the traffic. He showed this on the black hat stage. It was
great. Everyone applauded it was wonderful. They also talk about in 2010, actually using the
Motorola phones to start sniffing stuff. Which is great, they are a heck of a lot
cheaper than the USRPs that are a couple of thousand dollars with the accessories. And the
phones are silly phones that you can get at any store. So that was great. At the end of 2010.
Carson did a talk at CCC and taking about broadband GSM and used four different phones and
then monitored all frequencies and did a full range of sniffing everything with the
phones. It was good. So nothing really happened. Wait. Nothing really happened in 2011. GSM
security was broken. It was done. We're good. Everybody is going get fixed now. Right? So,
unfortunately that didn't really happen, but ‑ ‑ in 2012, we had this great thing, anyone here
familiar with the real tech SDR bundles? These things are great. They started selling and people
quickly realized, these are T.V. tuners sold everywhere under different brand names. People
realized they could twittal a couple of bits here at whatever frequency and dump traffic.
Overnight the software defined radio computer exploded. Every one with $20 in their pocket
could go buy this little receiver and just start sniffing traffic and it worked with all
the GSM radios and the tools the more academic things. In 2013, I was able to take a radio class.
It was a great experience, and I told them my weird of identifying of packaging
everybody together and trying to get it to work and get it out there as much as possible. He
thought it was really cool. And we talked about it a bit. And then at the end of 2013 was when
the ANT catalog was released. Who remembers the ANT catalog? Anyone. That was interesting
stuff from NSA, what weird toys that they sell and different parts of the intelligence
community. Great stuff. Anyway, that brings us up to 2014. What was that? Okay. Well ‑ ‑ it is
‑ ‑ there. Yeah. So ‑ ‑ in 2014. This was the birth of the NSA playset here. It was great.
We, after the ANT catalog came out Mike was like remember that crazy playset idea, like ‑ ‑
like, he thought of the stuff with the reflectors and things, that was cool. He wants to make
a bunch of these things. That would be rad to pull things together and actually see how
much could be built. That was really exciting. I talked to Joe and a bunch of other people and
like other weird things we could do and things that looked like they were pretty feasible. And
so ‑ ‑ yeah. Everything started to come together. Mike gave the first talk at hack in the box in
Amsterdam. And we tried to recruit a few people. Our mailing list is growing and
growing. 150 members of the mailing list right now. That's pretty great. What we really
tried to focus on with the playset stuff is making it as easy as possible to use so that
it is just as ‑ ‑ accessible as possible. And then also reducing the cost and making it more
accessible. As many people can play with it as possible. The motto I have been saying over
and over, if a 10‑ year‑ old can't do it, it doesn't count. So because it ‑ ‑ things don't
really get fixed until they are actually extremely accessible. That's kind of a bummer.
Because eve one all of the great work that Carson and people did, I mean, the ‑ ‑ we're still
using a lot of the like crazy terrible cryptography, and the fixes Carson has recommended to
the carriers have not been implemented. So that's kind of a bummer. >>So ‑ ‑ with the,
with the NSA playset, it is actually sort of three separate things. And I'll go over one of
them and dean will go over the other two. In general, what we have done so far with NSA
playset and GSM. We have air probe working with essentially after major SDR out there,
through the asthma SDR. That basically gives us a single interface that supports the
hacker, the RTL, SDR, the USRP. Without having to worry about from our code what the back end
is, what our signal source is. We've improved the signal tracking a bit. There was a lot
of problem with ‑ ‑ drift, especially with the cheaper RT SDRs. So frequency code has been
improved a bit. The cracking A5/1 tables and indexes have gone ahead and been put on a
single external USB3 hard drive. It's basically plug‑ and‑ play with the tracking program on any
Linux machine at this point. It also works on OS X in some cases. And also an environment
based upon limits that has been upgraded with ‑ ‑ the ah, new radio 3.7 and a bunch of GSM‑
specific tools. Oh, and we also imported the air probe GSM to work with 3.7. So the bootable
environment, you know, of course, it comes with every challenge with it, and, of
course, comes with the improved GSM receiver, it comes with, which is what you use to
actually listen for traffic. CCCH scan, for the codes, it comes with binaries and various
other tools to calibrate and stuff like that. So the first of the NSA playset GSM tool. This
one is not complete yet. It is not ready to be released is twilight vegetable. It a system
that basically you turn on your machine and eventually you're going to start getting dumps of
all of the voice messages or all of the voice traffic and SMS traffic that is within range for
you. The sources are basically any of the SDR supported by asthma SDR as well as the DB and
Samsung gallery devices. The BB is any phone and then the Samsung galaxy devices use
something like X gold that uses the debugging feature in the devices for traffic. Basically
twilight vegetables detect the sending and dumping traffic to the essential service. That
essential services handing all of the description and stuff like that. It is necessary as
well as to decoding data. Let's see, so basic overview of the system. You have the capture
clients the SDRs and BBs. Those just send the data to the central dispatcher, which
basically consists of database server that we store stuff like session keys, mapping and a
bunch of custom software that is written around the database and send requests out to run
statistical analysis on the encrypted data to detect, you know, what type of plain text we
think it is. And then, of course, kraken itself, which is executable index files and
tables. With the potential to have that load balance so that there's, so that kraken
definitely has a speed limit. You can go ahead and get around that using multiple instances.
So the UM interface capture device is basically one of these would ‑ ‑ we have it mostly,
but one of these is written for each type of device, one for the DSR. One for gold, and one for
DB. If a new UM interface that is the radio side of things capture device comes out, it
should be able to be added relatively simply either by writing the writer or hopefully
DR supports it. So each of these is responsible for listening one or more, or A RSD N, the radio
frequency channel numbers. Think of them as frequencies there is a map between the member and a
given frequency and the GSM band. And what it does it goes ahead and detects any what are
called immediate channel assignment messages. These basically say, hey I need you to
switch to a new channel and most likely going to send you encrypted data. So when the
phone receives this, it switches that new channel and the first message that is usually sent is
a crypto message we know what that looks like. It is a known plain text. We can use it with
kraken to go ahead and crack the rest of the traffic. So when it sees that channel assignment
message it goes ahead and starts capturing all of the data on that channel. Once that channel
is released or that channel is reassigned, sometimes the channel release messages
themselves are encrypted, we cannot detect that until we crack it. It goes ahead and ends
the capture file ‑ ‑ sorry ‑ ‑ ends the capture file and submits it to the central
dispatcher. What it submits is the error FCN. The temporary mobile subscriber identify, the
network information, that is your mobile country code and mobile network code, cell ID and
signal‑ to‑ noise ratio. Which is important to tell if a packet is likely to have
corrupted data tin or not. And then as well it sends the ‑ ‑ actual channel data that it has
captured. So when the submits that to the central dispatcher ‑ ‑ where's the next slide? The
central dispatcher goes ahead and ‑ ‑ um, writes multiple functions. Basically it takes it
in, puts it in a file store, enters the submitted data into a database linking to the file,
the file in the file store, and then runs statistical analysis on the packets to see which one
we know are plain text. Some of that is very simple. This is if first packet. We know it is
a crypto packet. Some of that is a ‑ ‑ um, for instance, a system information 5 message,
which we can, by looking at the plain text version of it, we know what the crypto version of
it and detect whether or not it send a message with high likelihood based upon comparison
with the rest of the encrypted messages in a sense. So it also goes ahead and stores any
cracked keys that it gets back from crack one the associated keys. Keys are used, reused for
a given session. So we're able to go ahead and immediately encrypt any data using that
"TMZ" in the future. Then also want it gets back a key and it is able to decrypt the data, it
goes ahead and parses through looking for SMS and voice messages. And then writes them
out to disk for you. With an associated MZ if it is detected in MZs. They are not sent very
often. So that's sort of the glue that holds everything together. The next part of that
is kraken, which we will cover more later. But kraken ‑ ‑ when it ‑ ‑ it is able to be run in
server mode and supports asynchronis operation, so we can submit a bunch of binary
sequences to it. As it is able to match those and give us back potential keys we can check
those keys in whatever order they are returned. There is also the potential to go ahead and
run multiple instances in parallel using load balancing to allow the kraken cloud to be
built. So our kit for twilight vegetable that was sold used is a USB key and a nano SDR. The
USB key is nice and fast. It is customized with GSM tools. Oh, and the second line is being
covered. Anyway, being ‑ ‑ it's, you do have to put in persistent code to get the
binary system built on it. We'll go ahead and be released further updates on it as we improve the
system. Then we're also ‑ ‑ including this, nano SDR. It is extremely tiny. Give you an
idea. This is the RTLSDR. And I mean that is about as small as you're going to get for software
defined radio that I have seen. They are really cheap. They are $20. They have improved the
crystals and capacitors and they come from a company that specializes in doing RTL, SDR
stuff, not just T.V. tuners. So this specific device, from 25 megahertz. Higher bands such as
the 1800 GSM band and another bands I mentioned. The 850 band. And the connector on it is
standard MCX. Whatever active antenna or better antenna you manage to find, you don't have
to deal with weird issues. This is really nice. There is a few things about them. I want to
give them a shout out, they went ahead and wrote nano SDRs. Free swag is always good. They have
improved electronics and gave you guy as discount code. It is good through the end of August.
Most important, for a lot of you guys they had bit coin for software defined radio
purchases. That's also sort of advantageous. And they work with other SDR stuff. So they have
more than just this in stock. They know what they're talking about if you have any questions
about if you can use a given SDR device for a given purpose. So that ‑ ‑ that brings us to
the next segment, which pierce will take care of? >> Did you get the SDR? Good stuff. It is
pretty much a 16 gig USB if you have one of your own the ‑ ‑ image will be on the left. It is
like 7 gigs or something, so it might be hard to download at the hotel. But ‑ ‑ when you get
home download the image and make it yourself. And we will be releasing updates. Okay. So who
here remembers the genesis handset? It was the, it was like, it was like a telephone,
right? That is because it pretty much is, a Motorola sliver L9. If you look at the picture
there. Elevated modifications, I guess they added memory to it and different SDR components.
Essentially it is a little portable thing. NSA had genesis. I thought it would be good to
make ‑ ‑ how do I get that out? Yeah. No. Click. Yeah. Yeah. So we made this handset. So ‑ ‑
and ‑ ‑ so this is, I mean, it ‑ ‑ it looks like a regular Motorola phone, that is because
it is. You can buy these all over eBay. It is crazy stuff. This is the Motorola C139
phones. So if you ever looked into VD it is a really great project. Everyone should look
into it. All of the documentation and talks, everything that you ever see
about them talks about the C123. Because of that and because of all of the great information
that have been found with the 123, they are kind of expensive to buy on ebay. They go for
$200 sometimes for the $5phones. The 123 is good in Europe, but the 139s are made
for the U.S. And they work really well in the United States and they work really well with
all of the OSMOCOM tools. If you're on eBay buying phones by the 139 it is great. So ‑ ‑ the
in addition to that, you also need this custom SD cable that talks serial over the micro
audio port that is in the thing. So you are pretty much connected up and then all of the tools
work with it. Also one thing that I didn't quite realize until I started playing with it.
The firmware that you put onto the phones actually exists only inswww memory. You are typically
not supposed to persistently put the things on the phone. So what happens you turn your phone off
and back on it is a regular cell phone, that's great. So as part of the handset I wanted to
throw good demos on the USB. If you download USB or managed to acquire one yesterday. I got
this tool in the home director. When you boot you boot into persistent mode and all of the
tools are in the home directory. RSSI is a firmware that does kind of frequency scanning and
‑ ‑ it is pretty neat. So dot/RSSI it loads the frequency scanner. I will have a demo of
that in a second here. I also wanted to show off some actual, you know, live GSM packet
dumping. So I put on this layer one pushes a special image to your phone that essentially
turns it into a‑ ‑ like a GSM kind of gateway functional thing. It is a layer one kind of
device that you can do all of your typical, like, a.m., you know, cell phone tower,
whatever, dialing, whatever. You transmit it to layer one and it spits it out GSM over the
network. And then the CCCH scan. I have it modified with a burst and patch, if anybody knows what
that is. It allows for a lot of GSM dumping and raw GSM traffic on the network. That is great.
And then wire tracking can navigate. That is good stuff. I had a couple of problems if
anybody saw me trying to demo the stuff yesterday. For some reason Def Con made it so my
console device was not TTYSO. It turned into like ‑ ‑ S4 or whatever. So I added the shell
scripts and everything works fine. I had two more phones I didn't want to sell it, they
were not working right. But I got them working. I added the control strip. I don't know. And
also all of the charging is done in software on the phones. It is usually not a good idea to ‑ ‑
delete a continuously charging when it is plugged in. It might not be as good as the actual
official charging software that is on there. And sometimes it will overheat, sometimes they
will not really charge. Things like that. I also really wanted to enable BB stuff happening in
the United States. There's a really great tool that Carson related last year called GSM
map. GSM map was a bootable USB stick you put up to it, you plug in your phone and hit the button
and it takes surveys of the GSM networks around and you figures out the security features they
are using and packages they applied and what they are doing. It up loads the data. So if you
go to GSM map.com, you will see a full map of the security technologies over time. It is
pretty much entirely Europe, Europe has all of the data sources. There is like three
data sources in the U.S. Everyone who gets the phones should contribute to the
project. It is really great and it is really good to see security every time. So like I
said, search eBay for the 139. The TracFones have a newer firmware on it. You can still ‑
‑ there are ways to bypass it, but if you want to do the easy way, buy these phones. They work
great out of the box. A guy that I work with, reed, he makes crazy modified hardware and
sells them on eBay. So you can look him up on eBay or e‑ mail him directly. You can charge,
and turn your phone into a base station, doing all sorts of fun stuff. So another part of the
project is the drizzle chair. This is a tiny hard drive. This is 2 terabytes. Like the tables
that came out. People were thinking 2 terabytes how many things will I need to do that.
Now, it is simple USB things you can buy them for under $100. And the first idea justs have all of
the tools. One thing to know the tables are in the partition, you cannot download the fires into
a device. You have to download the files and use a tool to insert them. If you buy one of
these on‑ line make sure that you have a hard drive in your computer if you downloading it.
You do need two, one to download to and one to transfer them to afterwards. So keep that in
mind. And essentially what it does, you can see cipher text off of the network. There is a
lot of traffic that's very, very predictable in GSM. What you do, you find a packet that looks
like a packet that you recognize and then you do work between the two. What you get is
the raw A51 stream. With the raw A5/1 stream, you copy and paste it into kraken and kraken goes
through the rainbow table thing and looks for a result and then dumps it out when it finds it.
Then you can use either tool to decrypt. >> Seeing any signal? >> I might have to reboot to do
that. So what I'm doing now is just booting up off of the USB. I sold a whole a bunch
yesterday. The exact same USB stick you could download from the Internet to make your own.
And, let's see. The thing is, it pretty much just has a straight Cali boot disk with the
resistant image. So it is a ‑ ‑ it is Cali 108, which was release a few days ago. And than
it is just a home directory full of tools all of the tools do the sniffing, the decrypting,
the cracking and ‑ ‑ have ‑ ‑ things like pineapple kind of installed that kind of work. And
all of the air pro stuff that is a pain to compile on all of the different systems. The
maintenance is not as good as it could be for all of the tools that are there. Let's see.
Hopefully it starts up now. So yeah. We just got all of the ‑ ‑ yeah ‑ ‑ ah. It was working
in the demo room. I don't know. There's ‑ ‑ yeah. Try that. Okay. So we might not have a
demo that looks like ‑ ‑ the projector is not working the way it did in the demo room. But we
might be able to show stuff on your laptop? Okay. Yeah. Yeah. Okay. Hmm. Let's see if this
works. Okay. It is very small. It takes a long time to run. It will calibrate and scan through
frequencies all of the possible frequencies for a given GSM and tell you which channels are
active. So I ran that and it told me that the ‑ ‑ test area was ‑ ‑ 180 which is A69.4. The
scientific notation. And anyway, if we go ahead and run this, this is using the little nano
SDR with this thing. It will start scanning ‑ ‑ so it is going to find the only device on
the system. Then if we flip over to Wireshark I have a filter in here right now that just shows
immediately channel assignments and these are the ones that are important for when you are
trying to capture encrypted data. So you can see it has captured five of them so far.
And ‑ ‑ ah ‑ ‑ not going to be able to show you too much. But ‑ ‑ so you got your header
telling you the channel it is on and stuff like that and then you immediate assignment data
itself, which contains a channel description that tells you, hey, I now need to start capturing on
zero, usually it is channel one through seven must be control traffic and be encrypted. It
really is that simple to start looking at GSM data in Wireshark. If I remove the
filter, um, let's see, you'll see that it sends it to a given port, that port is not open now,
but everyone ‑ ‑ GSM tap messages is coming through and that's being captured live off
of the air. So quick demo of that for you guys. Do we want to ‑ ‑ do ‑ ‑ that? Yeah. If
anybody wants to stay afterwards you can come up and see the script. We have flags also. So
throw out your thing first? Any questions? Good questions get good swag. Bad questions get
heavy things. So ‑ ‑ yes? How long? Two minutes. Okay. Two minutes. 45? So we'll be in the
chill out cafe for Q & A. If you got good questions you get SDRs. Ask us questions. Thank you very
much.
