
CRACKING GSM AND UMTS SIGNAL INTERCEPTION AND JAMMING

By: James Konderla Written for CYBS 6350: Data Security (Fall 2014)

10/18/2014


Table of Contents

Abstract
Overview of GSM and UMTS Technologies
    What is GSM?
    Where does UMTS come in?
Security, Vulnerabilities and Attacks
    First Attack: Man-In-The-Middle
    Attack 2: Signal Jamming (Denial of Service)
    Thoughts on Encryption
Conclusions
References

Table of Figures

Figure 1
Figure 2
Figure 3
Figure 4
Figure 5

Abstract

As mobile devices and the “always on” lifestyle become central to society, there remains an area that few choose to think about: mobile security. Mobile devices, in particular smartphones and tablets, have changed society in indisputable ways by allowing the sharing of movies, photos, music, and even the ability to telecommute and stay up to date on the latest news while on the go. At the end of the day, though, security of data often drifts to the back of most consumers’ minds. Recent security events such as the Apple iCloud breach (Samson, 2014) have shown that no security technology is unbreakable and that all security technologies need constant revision to stay one step ahead of the enemy. In this paper I have chosen to focus on two intertwined technologies that are central to many lives globally: GSM and UMTS. First we will take a look at both technologies before delving into two of the most pressing attacks: signal interception and signal jamming. Finally we will take a look at the encryption of these technologies as well as some conclusions I have developed based on the review of reference materials, this course, and current events.

Overview of GSM and UMTS Technologies

What is GSM?

The Global System for Mobile Communications (GSM) is a second generation standard for mobile networks (Technopedias, 2014). Founded in the 1980’s by the European Telecommunications Standards Institute, the mission of GSM was to make one standard communications method for cellular and mobile devices throughout Europe. GSM uses signals on three different frequencies: 900 MHz, which has since been deprecated, 1800 MHz, and the 1900 MHz band. GSM has very broad usage in Europe as the de-facto mobile protocol and is used widely in the U.S. by T-Mobile and AT&T, which amounts to approximately 44% of the total U.S. cellular market as of the first quarter of 2014 (Statista, 2014). Although the competing technology, Code Division Multiple Access (CDMA), holds 56% of the current U.S. market, GSM is still the top contender internationally. The major weaknesses of GSM, though, are that the GSM technology has a fixed cell site range of 35 kilometers, has a very low maximum data rate, and that GSM and all 2G technologies are circuit-switched: if there are no circuits available or the circuit is unreliable, your call or data transmission will not be able to be completed. When it comes down to it, GSM was just not built to be a data-transfer network or to have data securely transferred.

Where does UMTS come in?

UMTS, or the Universal Mobile Telecommunications System, is a third-generation (3G) mobile telecommunications technology. UMTS uses 3 different yet similar air interfaces and was built on top of the existing GSM standard, providing the ability to co-operate with current standards. Though infrastructure upgrades were required, UMTS added the ability for packet-switching and a virtual connection that provides an “always on” experience using the frequency bands between 1885 and 2025 MHz. UMTS expanded GSM into two very important areas: the ability to consistently transfer data at a moment’s notice and the ability for a user to freely roam between cell towers without losing connectivity. UMTS, while an improvement on GSM, came with its own set of problems: usage of the COMP128 encryption algorithm (which has been proven to allow user impersonation), a key length of only 32 bits, no method of network authentication, allowing signal interception through false base stations, encryption that terminates at the base station but leaves the message decrypted in transit, and an insecure key transmission where cipher keys are transmitted in the clear both inside and outside of the networks (Suominen, 2003). Even with these security flaws, UMTS delivers abilities for data integrity and security based within the Radio Network Controller rather than at the base station itself, methods of lawful interception, and an increase to a 128 bit cipher key providing compatibility with GSM network specifications. The way in which these two technologies interact can be found in Figure 1 (HACHA malla, 2010). Of particular note is that these two systems interact together and are not separate, providing the capability to transmit both call and data on the same network.

Figure 1

Security, Vulnerabilities and Attacks

UMTS was built on GSM, making many improvements but also inheriting some of the basic weaknesses of the GSM system. One major flaw in the original GSM standard was the authentication of the device and network. Originally, devices on the GSM network had no way of ensuring that they were authenticating to a valid network, and vice versa. In fact, during a 2012 DEFCON presentation (Goodin, 2014), a team of hackers known as “Ninja Networks” created their very own GSM network and were able to successfully demonstrate the failings of the GSM authentication protocols. UMTS was able to improve upon this by implementing the mutual authentication of users (i.e. devices) and the network. This standard, though, made an important improvement beyond mutual authentication: for 3G and 4G networks, a mandatory cipher mode using a block cipher called KASUMI, which utilizes a 128 bit cipher key in order to provide data integrity and security (Suominen, 2003). The user, though, is able to disable this security, creating a very large hole in the security of this system.

In addition to the improvements in authentication, UMTS also provides user identity confidentiality via the use of International Mobile Subscriber Identity (IMSI) numbers that allow GSM and UMTS networks to interconnect and even enable users to use their cellular devices in a “roaming” fashion on other networks. Both of these improvements, while substantial, still rely on the use of Subscriber Identity Module (SIM) cards.
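The difference between GSM’s one-way challenge and UMTS mutual authentication described above, as an added example that is not part of the original paper: it uses the RAND/SRES and RAND/AUTN/RES message structure of 3GPP AKA (which the paper does not detail), with HMAC-SHA256 standing in for the operator’s f1/f2 functions, and constructed Ki, RAND and SQN values.

```python
"""GSM one-way versus UMTS mutual authentication. Added example (editor's code, not
the paper's): the RAND/SRES and RAND/AUTN/RES message shapes follow the public 3GPP
AKA description. HMAC-SHA256 stands in for the operator's f1 (MAC) and f2 (RES)
functions, SQN is sent unmasked (AK concealment omitted), and all values are constructed."""
import hashlib
import hmac
import os


def _f(ki, label, *parts):
    h = hmac.new(ki, label, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


class Sim:
    """Subscriber side: holds the long-term key Ki and only answers challenges."""
    def __init__(self, ki):
        self.ki = ki

    def gsm_respond(self, rand):
        # GSM: SRES is computed for whatever RAND arrives. Nothing in the message
        # lets the SIM tell a genuine network from a false base station.
        return _f(self.ki, b"SRES", rand)[:4]

    def umts_respond(self, rand, autn):
        # UMTS AKA: AUTN = SQN || AMF || MAC with MAC keyed by Ki. The USIM checks
        # it before answering, so a network that lacks Ki is rejected.
        sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
        expected = _f(self.ki, b"MAC", rand, sqn, amf)[:8]
        if not hmac.compare_digest(expected, mac):
            raise ValueError("MAC failure: network did not prove knowledge of Ki")
        return _f(self.ki, b"RES", rand)[:8]


class HomeNetwork:
    """Operator side (AuC): shares Ki with the SIM and issues authentication vectors."""
    def __init__(self, ki):
        self.ki = ki
        self.sqn = 1

    def umts_vector(self):
        rand = os.urandom(16)
        sqn, amf = self.sqn.to_bytes(6, "big"), b"\x80\x00"
        self.sqn += 1
        mac = _f(self.ki, b"MAC", rand, sqn, amf)[:8]
        return rand, sqn + amf + mac, _f(self.ki, b"RES", rand)[:8]


def gsm_sim_answers_unknown_network(sim):
    """A network with no Ki sends an arbitrary RAND; the GSM SIM answers anyway."""
    return len(sim.gsm_respond(os.urandom(16))) == 4


def umts_sim_answers_unknown_network(sim):
    """The same impostor cannot forge AUTN's MAC, so the USIM refuses to answer."""
    try:
        sim.umts_respond(os.urandom(16), os.urandom(16))
        return True
    except ValueError:
        return False


def umts_sim_answers_home_network(sim, net):
    """With a genuine vector the USIM's RES matches the network's XRES."""
    rand, autn, xres = net.umts_vector()
    return sim.umts_respond(rand, autn) == xres
```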

First Attack: Signal Interception (Man-In-The-Middle)

With the above mentioned facts in mind for both GSM and UMTS, there are two classes of attacks that clearly come to mind and that I have chosen to address: Signal Interception and Denial of Service. Both of these attacks focus on the manipulation of the specific signal bands that GSM and UMTS are built upon as well as the continued use of SIM card technologies, and have been shown to be both easy and cheap to execute.

The first of our attacks focuses on Signal Interception via a Man-In-The-Middle attack. As can be seen in Figure 1, signal interception is already in use by law enforcement agencies via a loophole in the standard that, according to Suominen (2003), states “3GMS shall provide access to the intercepted content of communications (CC) and the Intercept Related Information (IRI) of the mobile target on behalf of Law Enforcement Agencies (LEAs)”.

Figure 2

In simple terms, the UMTS standard allows for wire-tapping. In fact, there is a technology that has caught on like wildfire in almost every area of the mobile device arena that shares a similar vulnerability: Network-Assisted Discovery for Device-to-Device Communications. According to Thanos, Shalmashi and Miao (2014), this technology allows the network to not only estimate the proximity of devices to each other, but sends unique identifiers in clear text between the devices and the network using an a priori communication scheme that allows devices to discover one another before communication takes place. Of course a variation of this technology is also in widespread use by applications that provide detailed news, shopping, weather, and other information based on activation of subscriber tracing on a particular network (Willassen, 2003). This is particularly useful in smart phones, allowing users to see nearby Bluetooth or wireless access points and their current signal strength. The same weakness of clear-text identification is built into the IMSI transmissions themselves: when a device registers for the first time in a servicing network the IMSI is sent in clear text and, in some cases, trusted third parties can be used to assist in authentication (Suominen, 2003). In these cases, if a user has disabled certain portions of the security interface on their cellular devices, the signal can be intercepted via man-in-the-middle attacks.

According to Goodin (2014), during the presentation at Defcon, Ninja Networks explained that one of the underlying algorithms of the GSM network known as A5/1, which is still in use today during basic authentication with cell towers (also known as Base Stations), uses a basic shift cypher that shifts the cypher text 3 times and is then transformed, or clocked, 100 times to mix up the bits of the cypher. Ninja Networks also demonstrated how a passive attack using a Time-Memory Tradeoff and a Rainbow table can determine the original identifier and successfully decode the cypher text. In fact, Ninja Networks is not the only group to have discovered the possibility of these attacks. According to a recent story on the Business Insider online news site (Cook, 2014), fake cell towers have appeared all over the U.S., most of whose owners have remained unidentified. Even worse, due to the widespread use of cellular base stations it has taken even longer to identify fake base towers, because the population no longer notices the construction of new towers and providers largely do not check the towers unless a technical issue has occurred. The equipment cost for these attacks has been shown to be between $70 and $500 thousand for equipment used in active attacks and $1 Million for passive equipment, such as these cell towers. These towers could provide a huge payoff in populated areas where users check bank accounts, social networks, and even business emails and computers while on the go.

Attack 2: Signal Jamming (Denial of Service)

This brings me to the second attack focus of this paper: signal jamming. Signal jamming can be done on either a deliberate basis, such as blocking the use of devices in a lecture hall or board room (Naresh, Babu & Satyaswathi, 2013), or accidentally, such as in the case of satellite TV blocking certain Wi-Fi or wireless signal bands. In either case, the usual method of conducting signal jamming operations is by over-riding the signal’s carrier waves with noise through use of either a mobile signal jammer or a stationary jammer. In fact, signal jamming does not even need to be done on the base station itself and can focus entirely on the uplink of communications instead of the downlink. There are several techniques for jamming GSM signals, but the most obvious is the denial of service. By overloading the signal of the downlink on a wireless base station, an attacker would be able to keep a cellular device from confirming that a secure and viable connection had been established. In the following table Ståhlberg (2003) has outlined the GSM frequency bands used in current networks.

Figure 3

As shown in the above table, different frequencies are used for the downlink and uplink of communications between a device and the base station itself. When the device enters range of a network it connects to the network through the base station. The problem with this approach is that the device itself measures the signal-to-noise ratio, but the base station uses a constant power and signal level to enable connection by multiple users and devices in the simplest and fastest way possible. Due to the constant rate of signals, it becomes a simple matter to overpower the base station on the downlink frequencies. In Figure 3 Ståhlberg (2003) has also outlined the GSM system’s transmitting powers.

Figure 4

The signal power is adjusted in 2 dBm steps, but the handset itself has a maximum signal power of 37 dBm. Through a simple search of Amazon.com I was able to find several examples of cheap, effective devices for both short and long range signal jamming. In fact, Figure 4 is a device specifically marketed for blocking GSM signals at a short range.

Figure 5

In fact, several sites, such as TheSignalJammer.com, exist to supply more advanced devices to businesses and schools, both public and private, in efforts to block cellular devices in certain areas of buildings. While these efforts may be justified, such as in grade school classrooms, nothing would stop a would-be attacker from purchasing one of these devices and going to a crowded area to hold an active denial of service attack.

Thoughts on Encryption

While reviewing the possibility of Man-In-The-Middle and Denial of Service attacks on the GSM and UMTS networks I came across many references to the encryption used on these networks. There are three main encryption algorithms used to secure data on the GSM network: A5/0, A5/1, and A5/2. As GSM is the underlying technology of UMTS there is no need here to cover UMTS’ security algorithms: UMTS is only effective after GSM connection and authentication has been established. The best known of these is the A5/1 algorithm. All of the A5 algorithms operate as a shift cipher and stream cipher but were changed between the iterations. A5/1, for example, consisted of 3 shift registers and a 100-cycle bit scramble.

Originally a tightly kept secret, A5/1 was leaked in 1994. This algorithm was not meant for use outside of Europe and was actually intentionally changed and made weaker for users in the U.S. and other markets, creating A5/2. In 1998, only 4 years after the leak, A5/1 was reverse engineered and broken. With this also came the breaking of A5/2 and A5/0 in the same year due to their commonalities. The algorithms still remained resource intensive to break until 2008, when a team of hackers at the DEFCON conference, known as Ninja Networks, demonstrated the use of 16 PICA E-16 FPGA machines to create a 3 terabyte Rainbow table which contains all the possible combinations of the A5/1 algorithm.
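The three-register, 100-cycle structure of A5/1 mentioned above, as an added example (editor’s code, not the paper’s or the Ninja Networks’ code): the register lengths, feedback taps and clocking-bit positions are taken from the public A5/1 description, which the paper does not reproduce, and the key and frame values used to exercise it are constructed.

```python
"""A5/1 keystream generator: three LFSRs with majority clocking and the
100-cycle mixing phase. Added example (editor's code, not the paper's); the
register lengths, tap positions and clocking bits are from the public
description of A5/1, which the paper does not reproduce."""

# (length, feedback tap positions, clocking-bit position) of each register.
# Bit 0 is where new bits enter; the highest bit is the register's output.
LFSRS = ((19, (13, 16, 17, 18), 8),
         (22, (20, 21), 10),
         (23, (7, 20, 21, 22), 10))


def _step(reg, length, taps):
    """Shift one register by one position, feeding back the XOR of its taps."""
    fb = 0
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & ((1 << length) - 1)


class A51:
    def __init__(self, key, frame):
        """key: 64-bit session key Kc, frame: 22-bit TDMA frame number."""
        self.r = [0, 0, 0]
        # Key setup: clock all three registers and XOR in one key bit at a time,
        # then do the same with the 22 frame-number bits.
        for i in range(64):
            self._clock_all((key >> i) & 1)
        for i in range(22):
            self._clock_all((frame >> i) & 1)
        # The "100-cycle scramble" the paper mentions: majority clocking with
        # the output bits discarded.
        for _ in range(100):
            self._clock_majority()

    def _clock_all(self, in_bit):
        for i, (length, taps, _) in enumerate(LFSRS):
            self.r[i] = _step(self.r[i], length, taps) ^ in_bit

    def _clock_majority(self):
        # A register steps only if its clocking bit agrees with the majority of
        # the three clocking bits; this irregular stepping is A5/1's nonlinearity.
        bits = [(self.r[i] >> clk) & 1 for i, (_, _, clk) in enumerate(LFSRS)]
        maj = 1 if sum(bits) >= 2 else 0
        for i, (length, taps, _) in enumerate(LFSRS):
            if bits[i] == maj:
                self.r[i] = _step(self.r[i], length, taps)

    def keystream(self, nbits):
        out = []
        for _ in range(nbits):
            self._clock_majority()
            out.append((self.r[0] >> 18) ^ (self.r[1] >> 21) ^ (self.r[2] >> 22))
        return out


def burst_keystreams(key, frame):
    """114 keystream bits for the downlink burst, then 114 for the uplink burst."""
    ks = A51(key, frame).keystream(228)
    return ks[:114], ks[114:]


def xor_bits(bits, ks):
    """Stream-cipher encryption and decryption are the same XOR with the keystream."""
    return [b ^ k for b, k in zip(bits, ks)]
```

Note that an all-zero key and frame leave every register at zero and so produce an all-zero keystream, which is why the key-setup phase matters as much as the mixing cycles.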

Conclusions

In reviewing both the man-in-the-middle and denial of service attacks on the GSM/UMTS system one thing is obvious: these systems were not designed for security and were instead designed for commercial and public use. One would think that the security algorithms used in cellular communication on these networks are secure enough to offset the possible use of Man-In-The-Middle interactions, but that would be an incorrect statement. The A5/0, A5/1, and A5/2 algorithms were all broken in 1998, and several new algorithms used by certain carriers have been kept proprietary with no mention of whether their security has or has not been broken. There are almost no ways for a user to even tell if their signal is being intercepted, legally or otherwise. In fact, the equipment to perform these attacks is so cheap that people and groups can easily afford to obtain it. Cost aside, a more troubling aspect of the underlying GSM standard exists: carriers can ask the mobile devices to switch off authentication.

Although great strides have been made to secure UMTS, the underlying standard of communication still depends on GSM to establish and authenticate the connection. As devices with GSM capabilities are cycled out of the market, whether by force or natural attrition and device upgrades, GSM stands to be deprecated and the capabilities in UMTS can then be discarded. Until then, the greatest security hole in the UMTS cellular standard will continue to exist as, by allowing legacy GSM devices to connect to this new technology, carriers have also adopted GSM’s security flaws.

References

Cook, J. (2014, September 22). Everything We Know About The Mysterious Fake Cell Towers Across The US That Could Be Tapping Your Phone. Business Insider. Retrieved October 23, 2014, from http://www.businessinsider.com/mysterious-fake-cellphone-towers-2014-9

Goodin, D. (n.d.). At Defcon, hackers get their own private cell network: Ninja Tel. Ars Technica. Retrieved October 25, 2014, from http://arstechnica.com/security/2012/07/ninja-tel-hacker-phone-network/

Kassner, M. (n.d.). GSM encryption: No need to crack it, just turn it off. TechRepublic. Retrieved September 16, 2014, from http://www.techrepublic.com/blog/it-security/gsm-encryption-no-need-to-crack-it-just-turn-it-off/

HACHA malla. (2010, December 11). HACHA malla. Retrieved October 26, 2014, from http://hachamalla.blogspot.com/

Meyer, U., & Wetzel, S. (2004). On the impact of GSM encryption and man-in-the-middle attacks on the security of interoperating GSM/UMTS networks. Personal, Indoor and Mobile Radio Communications, 2004. PIMRC 2004. 15th IEEE International Symposium on, 4, 2876-2883.

Naresh, P., Babu, P. R., & Satyaswathi, K. (2013). Mobile Phone Signal Jammer for GSM, CDMA with Pre-scheduled Time Duration using ARM7. International Journal of Science, Engineering and Technology Research (IJSETR), Volume 2(Issue 9), 1781-1784.

Principles of Telecommunication Services Supported by a GSM PLMN. (n.d.). ETSI - European Telecommunications Standards Institute. Retrieved September 16, 2014, from http://www.etsi.org/deliver/etsi_gts/02/0201/03.02.00_60/gsmts_0201sv030200p.pdf

Samson, T. (n.d.). Apple iCloud breach proves Wozniak's point about cloud risks. InfoWorld. Retrieved September 23, 2014, from http://www.infoworld.com/article/2618094/cloud-security/apple-icloud-breach-proves-wozniak-s-point-about-cloud-risks.html

Southern, E., Ouda, A., & Shami, A. (2011). Solutions to security issues with legacy integration of GSM into UMTS. Internet Technology and Secured Transactions (ICITST), 2011 International Conference for, 614-619.

Ståhlberg, M. (Director) (2000, August 1). Radio Jamming Attacks Against Two Popular Mobile Networks. Proceedings of the Helsinki University of Technology Seminar on Network Security fall 2000. Lecture conducted from Helsinki University of Technology, Otaniemi, Espoo.

Suominen, M. (Director) (2003, April 15). UMTS security. Security issues in mobile networks. Lecture conducted from Helsinki University of Technology, Espoo, Finland.

What is the Global System for Mobile Communications (GSM)? - Definition from Techopedia. (n.d.). Techopedias. Retrieved September 23, 2014, from http://www.techopedia.com/definition/5062/global-system-for-mobile-communications-gsm

Thanos, A., Shalmashi, S., & Miao, G. (n.d.). Network-Assisted Discovery for Device-to-Device Communications. Academia.edu. Retrieved September 16, 2014, from https://www.academia.edu/5543066/Network-Assisted_Discovery_for_Device-to-Device_Communications

Willassen, S. Y. (2003). Forensics and the GSM mobile telephone system. International Journal of Digital Evidence, Volume 2(Issue 1). Retrieved September 10, 2014, from http://www.ccse.kfupm.edu.sa/~ahmadsm/coe589-121/willassen2003-mobile-forensics.pdf

Wireless carrier market share subscriptions United States 2011-2014 | Statistic. (n.d.). Statista. Retrieved September 23, 2014, from http://www.statista.com/statistics/199359/market-share-of-wireless-carriers-in-the-us-by-subscriptions/