29 December 2009. GSM A5 Files Published on Cryptome
16 April 2005
To: TSCM-L [at] yahoogroups.com From: "contranl" <contranl [at] yahoo.co.uk> Date: Sat, 16 Apr 2005 17:05:36 -0000 Subject: [TSCM-L] Re: French IPP + Bad ethics copying messages without credits http://www.reseaux-telecoms.com/cso_btree/05_04_14_171156_492/Newscso_view When you follow the link to cryptome (in that article) you will see the whole thread " Crypto on or off in GSM" (how to find out)" Wich is a thread from this group. I respect cryptome since they have been revealing interesting matters But I don't agree with copying whole threads from this or any other group without mentioning the source AND the writer. In this particular thread is a long writing by me and my name and corresponding URL's are cut off...this is not good internet ethics. I am not writing in this group to see what ever i say being published somewhere else without even mentioning my name and URL. I know all contents of TSCM-L are being published by James...but at least he does that without cutting of the writers name...so when someone runs in to such an article he at least knows who wrote that so the writer does get the credits...this is a reason why i have not complained to James. But Cryptome should know that part of posting/publishing/revealing/sharing things is that the writer likes to get the credits for that. So Mr Cryptome please adjust that or remove it. A reply to my point of view is welcome. Tetrascanner http://www.tetrascanner.com http://groups.yahoo.com/group/gsm-scanner http://groups.yahoo.com/group/traffic-cams ------------------------ Yahoo! Groups Sponsor --------------------~--> What would our lives be like without music, dance, and theater? Donate or volunteer in the arts today at Network for Good! http://us.click.yahoo.com/Tcy2bD/SOnJAA/cosFAA/UBhwlB/TM --------------------------------------------------------------------~-> ======================================================== TSCM-L Technical Security Mailing List "In a multitude of counselors there is strength" Come, my friends, 'Tis not too late to seek a newer world. Push off, and sitting well in order smite The sounding furrows; for my purpose holds To sail beyond the sunset, and the baths Of all the western stars, until I die. - Tennyson, "Ulysses" =================================================== TSKS Yahoo! Groups Links <*> To visit your group on the web, go to: http://groups.yahoo.com/group/TSCM-L/ <*> To unsubscribe from this group, send an email to: TSCM-Lfirstname.lastname@example.org <*> Your use of Yahoo! Groups is subject to: http://docs.yahoo.com/info/terms/ ------------------------------------------------------------------ To: TSCM-L [at] yahoogroups.com From: John Young <jya [at] pipeline.com> Date: Sat, 16 Apr 2005 15:03:39 -0700 Subject: Re: [TSCM-L] Re: French IPP + Bad ethics copying messages without credits Nah, the GSM piece was handled on Cryptome just right, bitches or plaudits invited, here or to the site's admin. Not many want credit on Cryptome once they understand the consequences. Most who know what it means say don't put my name on Cryptome, so we stopped giving credit (informing on contributors) to avoid fingering those who did not understand what they are letting themselves in for.
13 April 2005. Thanks to C, description of GSM interception:
See also hundreds of 3GPP and ETSI documents for lawful interception of telecommunications:
11 April 2005. Add response from Cryptophone.
10 April 2005. Add responses.
9 April 2005.
This appeared on technical security mail list. Affirmation or denial of the claims made about bypassing GSM encryption is invited. Send to: jya [at] pipeline.com
8 April 2005
Bret McDanel (http://www.0xdecafbad.com) writes:
The GSM phones support A5/0, /1, /2 but in France that encryption is disabled. Which is why many refer to A5/0 as 'French mode'.
The same is true of Libya (export controls), and a few other countries. However in France it is because DST wants to be able to more easily intercept without bothering to go to the cell provider with an interception request.
Brief information on GSM: The cell tower and phone negotiate the highest level of crypto that both mutually support. During call setup a handset sends a packet that states its crypto level and the tower will return a signal with what is actually going to be used. Devices that intercept GSM clear-data simulate a tower and proxy the data to the real tower. They drop the 'I support crypto' packet from the handset so the tower thinks that the handset does not support any type of encryption and transmits the call in the clear.
Most if not all GSM phones have no way to notify the users that A5 is being executed at the non-crypto level. As such, if one wants to intercept calls the phone users do not know, and assume their calls are encrypted. The German-made GA-901 IMSI Catcher works this way.
J. writes 9 April 2005:
Bret McDanel is correct in stating that most phones do not display what kind of encryption, if any, is being used. However, at least some cellphones can be tweaked to enable a diagnostic mode which does show the encryption status.
Nokia phones, for instance, do have a "Netmonitor" mode. All models I'm familiar with allow it to be easily activiated using a data-link cable and proprietary software (e.g. Nokia's PC Locals or their Logo Manager software). I have been told though, that some newer phones require some hardware modding. (I do, however, not know if that's true.)
Once the Netmonitor is activated, one can scroll down to screen #12 which displays what cipher the phone currently uses.
Motorola phones do have an "engineering mode", which to my knowledge does not display any information regarding encryption. There is a PC-based diagnostic software which does but it's not available to the general public.
Siemens phones do have a rather comprehensive diagnostics mode. Unfortunately, the manufacturer chose to put safeguards in place which make it hard for the average user to enable this mode. Some early Siemens phones such as the S25 did display a warning to the user when there was no phone-to-BTS encryption. I do at this point not have access to any GSM network that doesn't use at least A5/1 encryption so I cannot verify if newer models still exhibit this behaviour.
I agree with A's assesment that phones should reveal the current encryption status to the user, even if it's only by showing or not showing a padlock (akin to how webbrowser GUIs are designed). I'm afraid this is somewhat unlikely to happen though since there's virtually zero end-user demand for such a feature. Those few people who value their privacy when using cell phones at all already use third-party point-to-point encryption. And, sadly, the general public seems to subscribe to the notion that ignorance is bliss.
Z. writes 9 April 2005:
Some remarks about Bret McDanel's GSM post. What's basically "compromised" in this type of attack is not the network-used encryption (A5 modes, from A5/0 to A5/3, A5/0 being unencrypted mode), but the terminal encryption. That means that if your phone manufacturer is stupid enough (or doesn't want to bug users) to permit forced unencrypted traffic, the network encryption won't help anything.
Also, I think that the reference to the Direction de la Surveillance du Territoire (your FBI equivalent although with a fairly modest size) is somewhat paranoid (sounds fishy), because here, these nice folks have legal access to anti-terrorist/mafia/.. judges who won't hesistate to deliver them broad monitoring warrants (actually that's too bad but I guess that's the ransom we pay for living "in the post 9/11 world").
From the technical security mail list 9 April 2005:
"contranl" <contranl [at] yahoo.co.uk> writes: Bret McDanel said that in the French GSM-networks crypto is not used he could be correct...if true this fact reveals a serious security hole and as a result any calls on the French GSM-network could be eavesdropped on, not only by government but also by anyone else who has the funds to purchase equipment to do just that. There is a whole list of GSM-scanners or GSM-interception equipment available. All of these need knowledge of the used encryption-keys these keys are not available to the public. Usually they can be obtained from the GSM-network administration. This can be either done manually or automatically (datalink). Interception-equipment with realtime code-cracking is not available (at least I was not able to find a serious one in 2 years research) so it exists only on paper or in some secret NSA laboratory. As a matter of fact it is not even neccesary to crack that at all since the keys are available at the network as said above. Now if certain countries have encryption switched off, you won't need such code-cracking options at all and you won't need to know the keys. So you could eavesdrop on any calls since they are in the clear in that case you could purchase such a "GSM-scanner" and eavesdrop on any cellphone of your choice. From all the GSM-scanners on the Internet at least 75% are fakes, they are mainly advertised by "spyshop" kind of companies. If you look at what else they sell you will have to agree with that. So their GSM-scanners don't exist. The reason why they advertise them is because it attracks a lot of visitors who in the end might buy something else from them. The remaining 25% are real and working GSM-scanners (I assume). In turn half of those are produced by serious companies who will not sell outside the government-circus. The other half might sell and is actually targeting a market which is not specificly government. If their equipment really works can only be found out by actually purchasing it. Resuming ======== So are there any threats and who can listen to your GSM-calls ? A) All government agencies can listen-in on all, encrypted or not that is if they are in their own country. B) Foreign governments can listen-in, if they have the cooperation of the local government who will supply the encryption keys. These keys will be given in the shady area of inter-agency cooperation. C) Anyone can listen-in if they own a so called IMSI-catcher,this is the "man in the middle attack". Basically a fake (mobile) base-station is inserted in the RF-path between the mobile and the base-station. The mobile will lock to that "fake-cell". The cell will say "no encryption available". The call will go un-encrypted. IMSI-catchers are not sold to the public. They are manufactured by established companies with good relations with the governments. Of course such governments could use it outside their own territories. D) Anyone can listen-in in countries where the GSM-network does not use encryption. This includes both governments and privates with funds. It is not absolutly neccesary to use specificly manufactured GSM-scanners. It could also be done with slightly modified test-equipment. Such test-equipment is available to anyone. If and where GSM-encryption is used is difficult to find out from the paperwork. It is not something they like to advertise. However there is a simple and low-cost way to find that out: Is my GSM-network encrypted? ============================ Your phone knows if encryption is on or not, it has to know to make the system work. Some phones show an icon in the display, these are mainly older phones (especially Siemens) Most modern GSM-phones don't show this since manufacturers don't feel it is neccesary. On the other hand they might have agreed with network operators that this is "not in the interest of the public" Network-operators,Phone-manufacturers,Standardisation-bodies are all united in special comitties were they "cook-up" things like this. Other phones (like Nokia) allow you to go in "monitor-mode" this is a special sub-menu wich you can enter by either pressing certain buttons or by connecting it to a PC wich runs a program called "Netmonitor" From both you can see things like: Which crypto-standard is used or if any crypto is used at all you can also see if frequency-hopping is used, you may see other things of interest. Sagem and Ericsson have special testphones wich most certainly will show if encryption is used..these phones should be available without to much problems....they can also be used as standard phones to make your calls. Solutions: ========== Any phone call without special measures should be considered unsafe, if you are in an environment where you could be a victim of GSM-eavesdropping you might as well meet your partners in person and have an "eye to eye" conversation. And don't forget to keep on walking :) :). Of course that is very unpractical so: If you absolutely have to use your GSM-phone on a regular base and you don't trust anybody, you might consider a phone with high-level built-in encryption. These are available from about 10 different manufacturers now. These phones encrypt your call in addition to the network encryption this is called "end-to-end" encryption since it encrypts your call from your phone all the way to the phone at the other end, all of this on top of the standard network encryption. Like that all above mentioned equipment or tricks have no effect and your call will remain safe. In addition this will also prevent eavesdropping on the microwavelinks wich connect all cells to the network-center. These microwave-links are very likely not encrypted. The standard encryption only covers the air-part between the mobile and the basestation(cell)from there it goes in the clear over the network. Remarks on GSM-phones with additional "end-to-end" encryption: ============================================================== A) They will still be able to see who is calling who (both government and private eavesdroppers) B) They will still be able to see the locations of both parties (A,B) (governenment only since network acces is needed) C) Make statistical patterns of your calling behaviour D) Some crypto manufacturers have (proven) ties with government security agencies such as NSA,therefore even the use of additonally encrypted phones may not give "absolute security". But that is another story and should not affect you since such agencies are only interested in enemies of "Homeland Security" :) :) :) In a Yahoo group called GSM-scanner we are trying to reveal wich countries have network-encryption on or off, simply by using the above described method (monitor-mode). Some members have found out that in their country encryption is off. One of them is India. We are now trying to establish that with France. Tetrascanner http://www.tetrascanner.com http://groups.yahoo.com/group/gsm-scanner http://groups.yahoo.com/group/traffic-cams
From the technical security mail list 9 April 2005, Bret McDanel writes:
> Bret McDanel said that in the French GSM-networks crypto is not used > he could be correct...if true this fact reveals a serious security > hole and as a result any calls on the French GSM-network could be > eavesdropped on...not only by government but also by anyone else who > has the funds to purchase equipment to do just that. Sorry I forgot to do this yesterday, got involved with stuff. Anyway, I cannot find the source to cite about France turning crypto off. I do know that the Groupement de Communications Radio-electriques (GCR), the French NSA, maintains a close working relationship with France Telecom and, like the U.S. NSA, has strict rules on the use of encryption products within France, allegedly so that they can "break" the encryption and eavesdrop on communications within France. > Interception-equipment with realtime code-cracking is not available > (at least i was not able to find a serious one in 2 years research) > so it exists only on paper or in some secret NSA laboratory. > A5 has enough holes in it that its not a problem, and an active attack such as the GA901 ismi catcher which drops the crypto request from the mobile to the tower results in the call being clear text regardless of where you are. The GSM spec *requires* this functionality (just in case there is a phone without A5/3 support). http://www.ijde.org/docs/03_spring_art1.pdf 'Forensics and the GSM mobile telephone system' When MSC then starts ciphering and algorithms supported in MSC and MS does not match, BSC then may choose 'no encryption' for the connection (GSM TS 12.03, chapter 4.3.1). In this case, MSC should do a 'late authentication' after it realizes that the connection will be unencrypted (GSM TS 12.03, chapter 6.2.1) Further GSM spec requires SS7-MAP connections and MAP and BSSP are unencrypted so you can often see intercarrier communication in the clear, and many use unencrypted RF links, which can be monitored. Injection into those streams would yield free roaming calls (even if the phone otherwise has no service) since when roaming the home carrier provides the 128 bit RAND the 32 bit CRES (cypher response from A3 to the RAND) and the 64 bit A5 key. By injecting those bits into the unencrypted RF stream (above ability of 'average' person but not a dedicated person) they would be able to auth themselves for a call (they could use a SIM emulator to guarantee they return the correct data) ... Just by *monitoring* the SS7 rf link (intercarrier) they would be able to see HLR updates (location registries) for roaming individuals, and possibly (although unlikely) local traffic to the carrier itself, which would include non roaming customers. Since most people take their mobiles with them everywhere obtaining this data and getting location data means that from a stationary position you could track someone from afar. > Now if certain countries have encryption switched off...you won't > need such code-cracking options at all and you won't need to know > the keys. See above about not needing the tower to turn it off. It just makes it somewhat easier, if its cleartext a GA900 would work for listening to the call, however a GA901 would be a better commercial imsi catcher to force the call into cleartext and listen. > From all the GSM-scanners on the internet at least 75% are fakes, > they are mainly advertised by "spyshop" kind of companies..if you > look at what else they sell you will have to agree with that. > So their GSM-scanners don't exist...the reason why they advertise > them is because it attracks a lot of visitors who in the end might > buy something else from them. Most are selling them for $400k-$750k and they are $200 or so in parts. A fully functional IMSI catcher can be built for well under $500 which would force calls to be cleartext, let you place calls on someone elses account, etc. Its a matter of knowing what is what not spending money. I also bet that at $500k average price not one has been sold. So they advertise it in such a way as to make people think they are cool but do not have such a product nor intend to sell it ever. > The remaining 25% are real and working GSM-scanners (i assume) > In turn half of those are produced by serious companies who > will not sell outside the goverment-circus. But vendors will sell GSM transceiver boards to anyone wanting to make a GSM device. Keep in mind the GSM MoU keeps a tight lid on things like A5, comp-128, etc. So to get those algos you have to pay a lciense fee and sign a NDA. comp-128 is a *reference* algorithm and may or may not be used by the individual carrier (used for auth purposes only) each carrier is free to select their own auth algorithms providing A3 (placeholder name) takes a 128 bit number and returns a 32 bit hash and A8 takes a 128 bit number and returns a 64 bit value suitable for A5. Interesting that A5 is 64 bits but most carriers set the first 10 bits to 0 this making it a 54 bit key. Further intersting that the breaking of A5 did *not* take that into account. A5 has an effective key length of well under 40 bits and thus can be cracked in near realtime with none too expensive computers. The authors of the A5 crack suspected that there were further weaknesses but stopped becuase they broke the 40 bit barrier, which in crypto circles for a symmetric algorithm is considered 'horribly broken why bother any further'. Now 3G does not have these issues. All messages are digitally signed so interception man-in-the-middle attacks wont work. It also uses katsumi for encrypting audio portions which is an open algorithm (GSM MoU learned to not keep it so secret :) And is believed to be flaw free, and hopefully that holds for a few more years. If you are concerned with GSM security of conversation peices today why trust the cell company to encrypt it (GSM was only to have wired line security equivalent never more than the privacy you get off a normal wired phone). http://www.cryptophone.de Cryptophone makes a data channel, and will encrypt your voice as digital data using its own algorithms and keys (the code was at one time open and freely available, I do not know if that is still true). The result, even if A5 is bypassed the data is still encrypted, and done so in such a way even the telephone company cant listen to it. Now this *only* works becuase it makes a data call and it is relied upon that the data is transmitted raw rather than a codec conversion. If you tried to convert the coded it would disrupt the data and fail. But gsm->gsm via data it works :) > B) > > Foreign governments can listen-in...if they have the cooperation > of the local government who will supply the encryption keys. > These keys will be given in the shady area of inter-agency > cooperation. A5 keys are genereated in realtime so to do this it would have to be a dedicated link. However as previously stated A5 is a broken algorithm and a low end pc can crack it quickly. As such it makes no sense for them to even bother with a formal request and have to owe a favour to the provider of the information. On a low end system with 2 minutes of cyphertext you can crack in 1-2 seconds, with 1-2 seconds of cyphertext it takes a couple minutes to crack the key. Faster systems yield even better results. > C) > > Anyone can listen-in if they own a so called IMSI-catcher,this is the > "man in the middle attack" ...basically a fake (mobile) basestation > is inserted in the RF-path between the mobile and the basestation. > The mobile will lock to that "fake-cell" ..the cell will say > "no encryption available" ...the call will go un-encrypted. > IMSI-catchers are not sold to the public..they are manufactured > by established companies with good relations with the governments. > > Ofcourse such a government could use it outside their own > territories. And a person with limited electronics ability can buy off the shelf GSM transceiver boards with everything needed to interface it to a microprocesosr and make their own. The transceiver boards take care of the GSM layer (FDMA & TDMA) enabling the individual to select proper channels to play with. > Any phone call without special measures should be considered unsafe, > if you are in an environment where you could be a victim of > GSM-eavesdropping you might as well meet your partners in person > and have an "eye to eye" conversation...and don't forget to keep > on walking :) :) ofcourse that is very unpractical so: Keep in mind the stated GSM design goal is to provide wired equivalent security, nothing more. How insecure is the wire going into your house? 3G is a different story however. > In addition this will also prevent eavesdropping on the > microwavelinks wich connect all cells to the network-center. > These microwavelinks are very likely not encrypted...the standard > encryption only covers the air-part between the mobile and the > basestation(cell)from there it goes in the clear over the network. And indeed MAP (SS7 - signalling information) and BSSP links are specifically *not* encrypted as per spec. > They will still be able to see the locations of both parties (A,B) > (governenment only since network acces is needed) And anyone that monitors the unencrypted SS7-MAP links providing the specific data traffics those links. GSM includes a HLR and VLR (databases on the SS7 network). HLR is home location registry and includes the location of every home subscriber (even if roaming), the VLR is the "visitor location registry" and includes locations of all people roaming on that provider's network. When roaming the carrier not only inserts data into the VLR but sends that same data via the SS7-MAP links to the home carrier so they can record it in their HLR. This data is updated every 15-30 minutes depending on carrier netowrk settings. It also can be updated when tower switches occur. Cell phones by design have to track subscribers. If they can't they won't work properly. How this information is stored and shared is very well defined in GSM. > C) > > Make statistical patterns of your calling behaviour And location. If guessing where someone lives, works, plays, and has a girlfriend in an apartment somewhere becomes trivial with prolonged location data. Swisscom got raided by Swiss authorities for keeping location data longer than the 6 months allowable by Swiss law. In Dec that year they stopped doing all prepaid. I believe that was 2003. > In a Yahoo group called GSM-scanner we are trying to reveal wich > countries have network-encryption on or off...simply by using > the above described method (monitor-mode) > Some members have found out that in their country encryption is off. > One of them is India...we are now trying to establish that with > France. Encryption costs money. Most people don't know if it's on or not and assume their cellphone is private. To encrypt and decrypt traffic the CPU has to be a little beefier to handle the normal call tasks plus crypto. By shutting it off they can gain slightly higher performance. The same thing happens at NAPs (network access points, places where a bunch of companies co-locate equipment to peer with each other for Internet traffic). Many of the older NAPs (Mae-East Mae-West, etc) have very little network level security, as such tricking the switches into forwarding traffic to you is trivial. And it only costs a few hundred a month to get a box at these places. Now private peering has replaced many links, becuase its faster (and the NAPs were poorly managed). But there is still a substantial amount of information that goes across the Internet that goes through a NAP. With NAP access, everything from a DoS (TCP reset the BGP connection routing is broke ...) to sniffing (arp poisoning to redirect traffic to you ...) to session hijacking to packet insertion, to ... And with the VoIP craze most providers do not encrypt those packets either. As such its easy to use Vomit or other VoIP sniffer to capture call data. The joys of technology.
Frank Rieger, CTO, GSMK CryptoPhone, writes 11 April 2005: Actually, the situation is a bit more complex then just "new phones" or "old phones". The GSM standard specifies that displaying the encryption status to the user is a required feature for all GSM compatible phones, so also todays phones have to incorporate this feature. Spefically, they need a display option to show that A5/0 has been enabled, meaning no encryption at all is used. Now the GSM operators need to switch of encrytpion from time to time, by government requirement or by technical reasons. As they "do not want to confuse the users", they put into the GSM standard a contol bit on the SIM card, that allows them to specifiy wether the user gets informed on the encryption status or not. Most big operators have set the bit on their current generation of SIMs to "do not display encryption status". The bit is documented in the GSM standard with a fairly obscure name, it is called the OFM bit (as specified in 3GPP TS 11.11 EF AD, Byte 3, OFM Bit) Interestingly, the bit is located in the part of the SIM that can be modified, either by the operator (possibly even over the air with SIM toolkit) or by the user with a chipcard reader and a chipcard editor. Regarding the perceived security enhancement of 3G phones, the assumption that they improve things is rather theoretical. If an adversary wants to intercept an 3G user, he will selectively jam the 3G band and thus force the victims phone into GSM mode and then use its tried and true GSM interception gear. A5/3 is also scheduled to be deploayed into the old GSM networks over time, but as long as A5/3 (Katsumi) is not _widely_ deployed into both networks and installed base of SIMs, the situation will not change as an attackers IMSI catcher can always claim to be an old-style GSM network.