{"id":11660,"date":"2016-03-24T09:00:14","date_gmt":"2016-03-24T13:00:14","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=11660"},"modified":"2017-09-24T08:07:47","modified_gmt":"2017-09-24T12:07:47","slug":"gsm-hijacking","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/gsm-hijacking\/11660\/","title":{"rendered":"Total surveillance: hacking GSM networks over the air"},"content":{"rendered":"<p>In one of the previous installments of our GSM saga we mentioned an urban legend about hijacking encryption keys on the fly. It presupposes that someone can clone your SIM card without any physical manipulation, even if only temporarily. However, the Ki key is stored only on the SIM card itself and in the carrier\u2019s database, so it never leaves either. So, what\u2019s the trick?<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/03\/06022618\/gsm-eavesdropping-FB.jpg\" rel=\"attachment wp-att-11662\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/03\/06022618\/gsm-eavesdropping-FB.jpg\" alt=\"Total surveillance: hacking GSM networks over the air\" width=\"1280\" height=\"1280\" class=\"aligncenter size-full wp-image-11662\"><\/a><\/p>\n<p>In theory, an adversary can set up a fake base station with a strong signal and imitate the legitimate authentication exchange: send chosen RAND challenges to the handset and collect the SRES responses (if you are unsure what that means, it\u2019s time to check out the <a href=\"https:\/\/www.kaspersky.ru\/blog\/sim-card-history\/10189\/\" target=\"_blank\" rel=\"noopener\">first part of the story<\/a>). 
With enough RAND\/SRES pairs the attacker can recover Ki by cryptanalysis, just as they would with physical access to the SIM card.<\/p>\n<p>However, this method is quite involved: the cryptanalysis takes time and needs a great many bogus challenges. While the attacker is busy bombarding the victim with RANDs, the owner of the target phone may leave the fake base station\u2019s radio range, so the adversary would have to follow the victim with the equipment. In a well-planned targeted attack, of course, the equipment could simply be deployed near the victim\u2019s home. Success also depends on the authentication algorithm (A3\/A8) the carrier uses: the attack targets the original COMP128v1, and if the carrier uses <a href=\"https:\/\/en.wikipedia.org\/wiki\/COMP128\" target=\"_blank\" rel=\"noopener nofollow\">COMP128v2<\/a> the hack may not work.<\/p>\n<p>In practice, over-the-air attacks are primarily aimed at eavesdropping on the subscriber\u2019s conversations. 
As we already know, the radio link is encrypted (except in special cases, when encryption is switched off during law-enforcement operations) precisely to stop that: to keep private conversations private. The encryption uses the A5 stream cipher with a 64-bit key. A5 originally came in two variants: the stronger A5\/1 and the weaker A5\/2, which was exported without restrictions to all \u2018potentially adversarial\u2019 countries.<\/p>\n<p>To be precise, even an A5\/1 key is not really 64 bits but 54: the widespread COMP128 implementation of the A8 key-generation algorithm sets the ten low-order bits of Kc to zero, \u2018for simplicity\u2019. A5\/2, for its part, was deliberately weakened to ease the task of intelligence services working overseas.<\/p>\n<p>Previously, cracking A5\/1 meant brute force over locally recorded traffic and took so long that the intercepted information would lose its relevance before the key was found. But today\u2019s PCs (and not even today\u2019s: the corresponding PoC was first demonstrated back in 2010) can recover the key in seconds with the help of precomputed \u2018rainbow tables\u2019. 
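The A5/1 keystream generator and the 54-bit effective key discussed above, as an added example (not code from the original post). It follows the public pedagogical description of A5/1: three LFSRs of 19, 22 and 23 bits, majority-rule clocking, 64 key bits and then 22 frame-number bits loaded under regular clocking, 100 mixing clocks, and 228 output bits per frame (114 per direction). The Kc and frame number used at the bottom are constructed, and comp128_kc_mask() reproduces the ten zeroed low-order bits a COMP128 SIM emits; no published test vector is asserted here.

```python
from typing import List, Tuple

# Register sizes, feedback taps and majority-clocking bits of A5/1, as in the
# public pedagogical implementation (Briceno/Goldberg/Wagner, 1999).
R1_MASK, R2_MASK, R3_MASK = (1 << 19) - 1, (1 << 22) - 1, (1 << 23) - 1
R1_TAPS = (1 << 18) | (1 << 17) | (1 << 16) | (1 << 13)
R2_TAPS = (1 << 21) | (1 << 20)
R3_TAPS = (1 << 22) | (1 << 21) | (1 << 20) | (1 << 7)
R1_CLK, R2_CLK, R3_CLK = 8, 10, 10

# COMP128's A8 leaves the ten low-order bits of the 64-bit Kc at zero.
KC_ZERO_BITS = 10


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _step(reg: int, mask: int, taps: int) -> int:
    """Advance one LFSR: shift left, feed back the XOR of its tap bits."""
    return ((reg << 1) & mask) | _parity(reg & taps)


def comp128_kc_mask(kc: bytes) -> bytes:
    """Kc as a COMP128v1 SIM actually emits it: low ten bits forced to zero."""
    if len(kc) != 8:
        raise ValueError("Kc is 8 bytes")
    masked = int.from_bytes(kc, "big") & ~((1 << KC_ZERO_BITS) - 1)
    return masked.to_bytes(8, "big")


def effective_key_bits(kc: bytes) -> int:
    """How many bits an attacker must actually search for this Kc."""
    return 64 - KC_ZERO_BITS if kc == comp128_kc_mask(kc) else 64


class A51:
    """A5/1 keystream generator for one TDMA frame."""

    def __init__(self, kc: bytes, frame: int) -> None:
        if len(kc) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("Kc must be 8 bytes, frame number 22 bits")
        self.r1 = self.r2 = self.r3 = 0
        # Key setup: 64 key bits (LSB of each byte first), then the 22-bit
        # frame number, each XORed into bit 0 of all three registers while
        # they are clocked regularly.
        for i in range(64):
            self._clock_all((kc[i // 8] >> (i & 7)) & 1)
        for i in range(22):
            self._clock_all((frame >> i) & 1)
        # 100 irregular clocks whose output is discarded.
        for _ in range(100):
            self._clock()

    def _clock_all(self, feed: int) -> None:
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS) ^ feed
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS) ^ feed
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS) ^ feed

    def _clock(self) -> None:
        """Majority rule: a register moves only if its clocking bit agrees
        with the majority of the three clocking bits."""
        b1 = (self.r1 >> R1_CLK) & 1
        b2 = (self.r2 >> R2_CLK) & 1
        b3 = (self.r3 >> R3_CLK) & 1
        maj = (b1 & b2) | (b1 & b3) | (b2 & b3)
        if b1 == maj:
            self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if b2 == maj:
            self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if b3 == maj:
            self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def keystream(self, nbits: int) -> List[int]:
        """Output bit = XOR of the three registers' most significant bits."""
        out = []
        for _ in range(nbits):
            self._clock()
            out.append((self.r1 >> 18) ^ (self.r2 >> 21) ^ (self.r3 >> 22))
        return out


def frame_keystreams(kc: bytes, frame: int) -> Tuple[List[int], List[int]]:
    """Per frame A5/1 yields 228 bits: 114 for downlink, then 114 for uplink."""
    gen = A51(kc, frame)
    return gen.keystream(114), gen.keystream(114)


def xor_bits(bits: List[int], ks: List[int]) -> List[int]:
    """Encrypt or decrypt one 114-bit burst (XOR is its own inverse)."""
    if len(bits) != len(ks):
        raise ValueError("burst and keystream length differ")
    return [b ^ k for b, k in zip(bits, ks)]


if __name__ == "__main__":
    kc = comp128_kc_mask(bytes.fromhex("1223456789abcdef"))  # constructed Kc
    print("effective key bits:", effective_key_bits(kc))
    dl, ul = frame_keystreams(kc, 0x134)                     # constructed frame
    print("downlink keystream:", "".join(map(str, dl[:32])), "...")
```

Running it shows that a Kc straight from COMP128 leaves only 2^54 candidates for a rainbow-table or brute-force search, and that the same Kc with a different frame number gives a different burst keystream: the frame number is public, so an eavesdropper who recovers Kc once can decrypt every burst of the call in both directions.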
The 1.7 TB set of tables fits on fast, high-capacity SSDs, which are cheap and available everywhere.<\/p>\n<p>The adversary acts passively and transmits nothing over the air, which makes them almost impossible to track. The complete toolkit for recovering the key is just the Kraken software with its rainbow tables and a moderately \u2018tuned\u2019 phone of the \u2018Nokia with a flashlight\u2019 class. Armed with those, an attacker can eavesdrop on conversations and intercept, block or alter SMS messages (so don\u2019t treat SMS-based two-factor authentication for your online bank as a \u2018digital fortress\u2019).<\/p>\n<p>With the key in hand, an adversary can also hijack calls and impersonate the victim. Another killer capability: dynamic cloning. The attacker initiates an outbound call to the real network while the victim\u2019s phone is camped on the fake base station. 
When the network sends back its authentication challenge (RAND), the attacker relays it to the victim\u2019s phone, which dutifully computes SRES and Kc. The attacker forwards the SRES to the network, and recovers Kc by cracking the victim\u2019s freshly encrypted traffic the same way as above. That\u2019s it: the session with the victim is dropped, and the adversary carries on their own session with the network, impersonating the victim.<\/p>\n<p>This lets the attacker make calls at the victim\u2019s expense and do other things, such as sending text messages to premium numbers and siphoning money through content-provider partner programs. This method was once used in Moscow: a group would drive a minivan around crowded places, cloning SIM cards en masse and charging small sums to people\u2019s phones.<\/p>\n<p>The criminals remained unnoticed for quite a long time, because the rogue transactions looked as if they had been initiated by legitimate users. 
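The dynamic-cloning relay described above, as an added example that is not the post's code. GSM authenticates only the handset, never the network, so a rogue cell can pass the real network's RAND on to the camped victim and answer with the SRES it gets back. A3/A8 is stood in for by HMAC-SHA256 (an assumption; real COMP128 differs, but the output shape is kept: a 32-bit SRES and a 64-bit Kc with ten zero low-order bits), and the IMSI and Ki are constructed. The second half of the demo shows why the relay has to happen live: replaying a captured SRES against a fresh challenge is rejected.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def a3a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the SIM's A3/A8 (assumption: HMAC-SHA256, not COMP128).
    The output shape is GSM's: a 32-bit SRES and a 64-bit Kc whose ten
    low-order bits are zero, as COMP128v1 produces it."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    sres = digest[:4]
    kc = (int.from_bytes(digest[4:12], "big") & ~0x3FF).to_bytes(8, "big")
    return sres, kc


@dataclass
class SIM:
    """Ki never leaves the card: the handset only ever sees SRES and Kc."""
    imsi: str
    ki: bytes

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3a8(self.ki, rand)


@dataclass
class Handset:
    """Answers any challenge the serving cell sends; keeps Kc for ciphering."""
    sim: SIM
    kc: Optional[bytes] = None

    def authentication_response(self, rand: bytes) -> bytes:
        sres, self.kc = self.sim.run_gsm_algorithm(rand)
        return sres


@dataclass
class Network:
    """AuC and serving MSC collapsed into one object."""
    ki_db: Dict[str, bytes]
    pending: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)
    sessions: Dict[str, bytes] = field(default_factory=dict)

    def call_setup(self, imsi: str) -> bytes:
        """Authentication Request: a fresh 128-bit RAND for every call."""
        rand = os.urandom(16)
        self.pending[imsi] = a3a8(self.ki_db[imsi], rand)
        return rand

    def authenticate(self, imsi: str, sres: bytes) -> bool:
        expected_sres, kc = self.pending.pop(imsi)
        if not hmac.compare_digest(sres, expected_sres):
            return False
        self.sessions[imsi] = kc          # Kc now keys A5 on this session
        return True


@dataclass
class FakeBTS:
    """Rogue cell the victim is camped on. Nothing in GSM lets the handset
    tell it apart from a real one, so it can relay challenges at will."""
    victim: Handset
    seen_sres: Optional[bytes] = None

    def call_as_victim(self, net: Network) -> bool:
        imsi = self.victim.sim.imsi
        rand = net.call_setup(imsi)                        # 1. real network -> attacker
        sres = self.victim.authentication_response(rand)   # 2. relayed to the victim
        self.seen_sres = sres                              # 3. only SRES crosses the air
        return net.authenticate(imsi, sres)                # 4. attacker answers as victim


def dynamic_clone_demo() -> Dict[str, bool]:
    imsi, ki = "250011234567890", os.urandom(16)   # constructed subscriber
    net = Network(ki_db={imsi: ki})
    victim = Handset(SIM(imsi, ki))
    rogue = FakeBTS(victim)

    live_relay = rogue.call_as_victim(net)          # victim in range: accepted
    # The relay has to be live: the next call gets a new RAND, so replaying
    # the SRES just observed is rejected.
    net.call_setup(imsi)
    replay = net.authenticate(imsi, rogue.seen_sres)
    return {
        "live_relay_accepted": live_relay,
        "replay_accepted": replay,
        # Kc is shared by network and victim; the attacker still has to
        # recover it from the victim's ciphered traffic (a 54-bit search).
        "network_kc_equals_victim_kc": net.sessions[imsi] == victim.kc,
    }


if __name__ == "__main__":
    print(dynamic_clone_demo())
```

The point of the model is what the attacker does and does not get: the network accepts the relayed SRES, the victim's handset and the network now share a Kc, and the rogue cell has seen only the SRES. Kc itself has to be recovered from the victim's ciphered bursts, which is where the rainbow-table attack on A5/1 comes in.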
The only thing that gave the scheme away was a suspiciously large number of similar requests to one particular premium content provider from within the range of a single base station.<\/p>\n<p>Packet traffic (GPRS\/EDGE) is encrypted with a separate Kc. It differs from the voice Kc but is derived the same way (by A8 from Ki and a fresh RAND), and the traffic itself is protected with GPRS-A5, aka GEA (GPRS Encryption Algorithm), which exists in GEA1, GEA2 and GEA3 variants. That means mobile Internet traffic can be intercepted too. Today, when data usually travels over 3G and LTE, this problem is less grave. On the other hand, 2G data transmission is still used by many telematic systems such as ATMs, POS terminals and the like.<\/p>\n<p>There is one way to prevent such attacks: using the stronger, more modern A5\/3 algorithm, which cannot be cracked with rainbow tables. However, carriers are reluctant to deploy it: first, the migration is costly and brings no additional revenue (money spent on something that doesn\u2019t pay for itself is a nuisance in the carrier world). Second, many handsets in use today don\u2019t support A5\/3, or don\u2019t support it properly, which can cause dropped connections.<\/p>\n<p>Third, A5\/3 alone won\u2019t stop adversaries from eavesdropping: a fake base station can force the phone to downgrade to a weaker algorithm, which once again lets the attacker obtain the key (and the key, Kc, is the same whichever algorithm is negotiated, mind you!). If the threat remains, what\u2019s the point of spending more money and effort on migrating to a better cipher? Fourth, it\u2019s expensive. 
Fifth, it\u2019s unbearably expensive.<\/p>\n<p>On a brighter side, all the attacks we covered today are bound to become obsolete fairly soon. The era of <a href=\"https:\/\/www.kaspersky.com\/blog\/virtual-sim\/11572\/\" target=\"_blank\" rel=\"noopener nofollow\">Virtual SIM<\/a> cards and <a href=\"https:\/\/www.kaspersky.com\/blog\/what-is-esim\/11400\/\" target=\"_blank\" rel=\"noopener nofollow\">eSIMs<\/a> has already begun, and those new approaches should fix at least some of the security flaws in today\u2019s SIMs.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ways that hackers can access a user&#8217;s calls.<\/p>\n","protected":false},"author":540,"featured_media":11661,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[1377,1488,1487,261,1378,97,874,987,768,321],"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/gsm-hijacking\/11660\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/gsm-hijacking\/6909\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/gsm-hijacking\/6876\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/gsm-hijacking\/8002\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/gsm-hijacking\/7795\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/gsm-hijacking\/11375\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/gsm-hijacking\/5410\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/gsm-hijacking\/6150\/"},{"hreflang
":"pl","url":"https:\/\/plblog.kaspersky.com\/gsm-hijacking\/5823\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/gsm-hijacking\/7306\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/gsm-hijacking\/10833\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/gsm-hijacking\/11375\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/gsm-hijacking\/11660\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/gsm-hijacking\/11660\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/carriers\/","name":"Carriers"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11660","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/540"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=11660"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11660\/revisions"}],"predecessor-version":[{"id":19266,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11660\/revisions\/19266"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/11661"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=11660"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=11660"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=11660"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}