Publicly Disclosed GSM Attack Surface Expanding
By: Ben Feinstein
During the course of 2009, the amount of publicly available information on the security of GSM cellular networks and devices has steadily increased. GSM stands for the "Global System for Mobile communications" and is the world's most popular standard for mobile handsets. The GSM Association estimates that more than 3 billion people are now using GSM technology. With such a massive install base, addressing potential security vulnerabilities in GSM handsets or in GSM networks themselves is clearly an enormous challenge.
The DeepSec In-Depth Security Conference 2009 in Vienna, Austria saw the presentation of research on attacking GSM networks, as well as attacking GSM handsets using SMS/MMS. David Burgess and Harald Welte held a highly regarded workshop entitled Security on the GSM Air Interface, covering contemporary technologies and techniques for radio direction finding, including the capabilities and deployment of devices known as IMSI Catchers. An IMSI Catcher functions as a rogue cellular base station: because GSM authenticates the handset to the network but never the network to the handset, a handset will attach to whichever base station advertises the strongest signal for its network, and the rogue station can then instruct it to disable encryption. Such a device can be leveraged to aid in radio direction finding or may offer full voice and data man-in-the-middle capabilities with a variety of uses. Commercially available radio hardware running open source software from the OpenBTS and OpenBSC projects was used to demonstrate attacks and countermeasures under laboratory conditions on a private GSM network.
Continuing the thread of GSM security material at DeepSec, noted security researchers Zane Lackey and Luis Miras presented research on techniques for attacking GSM handsets using SMS/MMS, targeting both the handsets' own message-parsing implementations and architectural weaknesses in the carrier networks that deliver those messages.
At the 26th Chaos Communication Congress (26C3) in Berlin, Germany, noted cryptographer and hardware hacker Karsten Nohl and colleague Chris Paget announced that their A5/1 Cracking Project had finished computing the precomputed lookup tables needed to demonstrate cracking GSM communications secured with the A5/1 encryption algorithm. A5/1 is a stream cipher with a 64-bit session key; the tables are a time-memory trade-off that maps observed keystream (recovered by XORing captured ciphertext with the predictable signalling plaintext GSM transmits) back to the cipher's internal state, from which the session key follows. These tables, commonly referred to as rainbow tables, are now publicly available on the Internet. Nohl and Paget also announced that they have open sourced the software used to calculate them. The ability to passively decrypt A5/1 secured GSM communications is critical to performing passive, difficult to detect interception. This contrasts with active and far more readily detectable interception using an IMSI Catcher device. The tables apply to A5/1 only; traffic on networks that have moved to the newer A5/3 cipher is not affected by them.
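The table-driven attack described above, as an added example that is not code from the A5/1 Cracking Project or from any other project named on this page: a pure-Python A5/1 written from the openly published register description, with a rainbow-style time-memory trade-off run against it. So that the table builds in seconds rather than months, the key space is cut to KEY_BITS = 12 bits (an assumption; the real tables index the cipher's full 64-bit internal state and roll it back to the session key). The frame number, keystream length, reduction function and chain parameters are likewise illustrative choices, and the attacker's input is a keystream prefix, which in practice is obtained from captured ciphertext and known signalling plaintext.

```python
"""Scaled-down time-memory trade-off against A5/1.

Added illustration, not code from the A5/1 Cracking Project or any GSM stack.
The cipher follows the public A5/1 register description; the key space is cut
to KEY_BITS bits (an assumption so the table builds in seconds), whereas the
published tables cover the full 64-bit internal state.
"""
from typing import Dict, List, Optional

# Three LFSRs of 19, 22 and 23 bits: length masks, feedback taps, and the
# "middle" bits (8, 10, 10) that drive majority (stop/go) clocking.
R1MASK, R2MASK, R3MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF
R1TAPS, R2TAPS, R3TAPS = 0x072000, 0x300000, 0x700080


def _step(reg: int, mask: int, taps: int) -> int:
    """Shift one LFSR left by one and feed back the parity of its tapped bits."""
    return ((reg << 1) & mask) | (bin(reg & taps).count("1") & 1)


def a5_1_keystream(key: int, frame: int, nbits: int = 64) -> int:
    """Return nbits of A5/1 keystream for a 64-bit key and 22-bit frame number.

    Bit i of the key (then of the frame number) is XORed into the low end of
    every register at setup step i, as in the reference description.
    """
    r1 = r2 = r3 = 0
    for i in range(64 + 22):                     # key setup: all registers clock
        bit = (key >> i) & 1 if i < 64 else (frame >> (i - 64)) & 1
        r1 = _step(r1, R1MASK, R1TAPS) ^ bit
        r2 = _step(r2, R2MASK, R2TAPS) ^ bit
        r3 = _step(r3, R3MASK, R3TAPS) ^ bit
    out = 0
    for i in range(100 + nbits):                 # 100 discarded warm-up steps
        b1, b2, b3 = (r1 >> 8) & 1, (r2 >> 10) & 1, (r3 >> 10) & 1
        maj = (b1 + b2 + b3) >> 1                # a register clocks only if it agrees with the majority
        if b1 == maj:
            r1 = _step(r1, R1MASK, R1TAPS)
        if b2 == maj:
            r2 = _step(r2, R2MASK, R2TAPS)
        if b3 == maj:
            r3 = _step(r3, R3MASK, R3TAPS)
        if i >= 100:                             # output bit = XOR of the three MSBs
            out = (out << 1) | (((r1 >> 18) ^ (r2 >> 21) ^ (r3 >> 22)) & 1)
    return out


KEY_BITS = 12                                    # assumption: toy key space of 2**12 keys
KEY_MASK = (1 << KEY_BITS) - 1
FRAME = 0x134                                    # frame counter is sent in clear, so the attacker knows it
KS_BITS = 32                                     # keystream prefix recovered from known plaintext


def keystream(key: int) -> int:
    return a5_1_keystream(key, FRAME, KS_BITS)


def reduce_fn(ks: int, column: int) -> int:
    """Rainbow reduction: fold keystream back into the key space. It differs per
    column so two chains only merge if they coincide in the same column."""
    return ((ks >> (column & 7)) ^ (column * 0x9E3779B1)) & KEY_MASK


def walk_chain(start: int, steps: int) -> int:
    """Key reached after `steps` keystream/reduce steps from a chain start."""
    k = start
    for col in range(steps):
        k = reduce_fn(keystream(k), col)
    return k


def build_table(n_chains: int, chain_len: int) -> Dict[int, List[int]]:
    """Offline phase: compute chains but store only endpoint -> start points."""
    table: Dict[int, List[int]] = {}
    for i in range(n_chains):
        start = (i * 0x9E37) & KEY_MASK          # deterministic, well-spread start points
        table.setdefault(walk_chain(start, chain_len), []).append(start)
    return table


def lookup(table: Dict[int, List[int]], target_ks: int, chain_len: int) -> Optional[int]:
    """Online phase: for each possible column, finish the chain from the target
    keystream; if the endpoint is stored, replay that chain to the candidate key."""
    for i in range(chain_len - 1, -1, -1):
        x = reduce_fn(target_ks, i)
        for col in range(i + 1, chain_len):
            x = reduce_fn(keystream(x), col)
        for start in table.get(x, ()):
            candidate = walk_chain(start, i)
            if keystream(candidate) == target_ks:   # rejects false alarms from merged chains
                return candidate
    return None


if __name__ == "__main__":
    CHAINS, LENGTH = 256, 8
    tbl = build_table(CHAINS, LENGTH)
    victim = walk_chain(next(iter(tbl.values()))[0], 3)   # a key the table happens to cover
    found = lookup(tbl, keystream(victim), LENGTH)
    print(f"stored {len(tbl)} endpoints for {CHAINS * LENGTH} keys; "
          f"victim 0x{victim:03x} -> recovered {found!r}")
```

Run it to watch the offline phase store a few hundred endpoints and the online phase recover a covered key in a few dozen keystream evaluations instead of an exhaustive search of the space. Coverage is deliberately partial; like the published tables, a miss on one frame is answered by trying the keystream of another frame from the same call, since the session key is the same for every frame.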
GSM is being adopted in a growing number of sensitive applications including financial transactions, mobile payments, and of course sensitive voice communications. Capabilities once only available to very well-resourced organizations such as the military, intelligence agencies, civilian law enforcement and organized crime are now increasingly within reach of much less well-resourced organizations, such as smaller criminal groups or even malicious individuals.
Organizations using GSM for sensitive applications or to discuss or transmit sensitive information should adopt a proven information security risk management approach to their use of mobile communications technologies such as GSM, just as they do for more traditional IT systems. It should be assumed that GSM air-interface encryption protects only the radio hop between handset and base station, and that it can be stripped by an IMSI Catcher or decrypted passively where A5/1 is in use. For organizations that must utilize GSM communications for sensitive applications within hostile environments, several third-party security solutions, typically adding end-to-end encryption on the handset above the GSM layer, are commercially available.