Reviewing the passive attack described in Section 3.2.1 and the practical implementa- tion section above, we can pinpoint the root causes that make these attacks possible:
• re-use of session keys, • weak ciphers,
• with a too small key length, and • too much guessable plaintext.
Almost all of the weaknesses of the passive attack can be found in the cryptography primitives. The A5/1 and A5/2 ciphers can both be considered weak. In the case of A5/2 this was by design, but A5/1 was, and still is, the main cipher used in GSM. There are several weaknesses within A5/1, but the main points that made the cipher
3.4 Analysis and countermeasures
breakable by a hacker’s cracking project are: (I) the internal state of the stream cipher is made up out of a meagre (for modern eyes) 64 bits (II) the state-space of the in- ternal state collapses after several rounds to around 61 bits. These weaknesses of A5/1, combined with the large number of known plaintext samples led to a workable Time-Memory Trade-Off attack, which is discussed at length in Chapter 4.
The only non-crypto weakness exploited by the eavesdropping attack is the large source of known plaintext in the GSM protocol. Messages transmitted over the wire- less interface are required to have a standard length. If the message contained within them is smaller, then the message is padded to the standard length. This padding con- sists out of a standard pattern of “2b” in hex. There is a revision to the GSM standard to add random padding to messages [59], but this seems to be hardly ever implemented [88]. Another source of known plaintext are the so-called SYSTEM INFORMATION 5, 5ter and 6 messages, which are standard control messages transmitted at a predict- able interval and transmitted both unencrypted and encrypted. An attacker would need to observe the cell in which he wishes to perform his attack in order to gain the known plaintext of these control messages and an indication of when they are trans- mitted. Again, because of reasons of responsible disclosure, no software was released that automates this work.
Looking at the active attacks we can identify the weaknesses within GSM that make these attacks possible:
• lack of mutual authentication,
• support for weak or no encryption algorithms, • each encryption algorithm uses the same key, • the authentication can be replayed,
• unprotected class-mark message (discussed on page 35).
Most of these weaknesses are on the protocol level. The fact that mobile phones do not authenticate the network is the obvious weakness here and essentially the root weakness of every active attack. This allows an attacker to impersonate the network, and possibly also the phone. The fact that GSM then allows to switch to unencrypted modes, or weaker encryption, is unfortunate.
There are some practical considerations when performing these active attacks. • The attacker needs to time his attack before the actual data connection he
wishes to capture is set-up. Just dropping in mid conversation claiming to be network towards the phone and the phone towards the network would not work as the transmissions of the actual phone and actual cell tower would still reach each other. Also, the attacker would have to transmit in the correct time slot which would interfere with the actual transmissions in that time-slot.
• By posing as a cell tower (of the victim’s provider) towards the victim’s phone, and ensuring that his transmissions are better received than the actual cell towers (e.g. by also jamming the original cell tower’s frequencies), the phone will automatically switch to the attacker’s fake cell tower. As these are mobile
phone systems, the whole design is tolerant to phones being mobile. So, the network will not be suspicious if a phone no longer responds and the phone is not suspicious if it sees a new cell tower.
• Since all the active attacks require the attacker to be transmitting, these attacks could be noticed when the correct frequencies are being monitored. Also, all attacks that trick the victim phone into using A5/0 are in principle detectable, as this requires the mobile phone to display an open lock symbol. However, there is an option on the SIM card which prevents mobile phones from showing this symbol [58]. There are now also phones on the market that will warn a user when the phone is forced to use A5/2, or to use no encryption [157].
3.4.1
Countermeasures
As we already discussed, theoretical attacks against GSM are almost as old as the GSM system itself. So the GSM industry has had ample time to prepare for the prac- tical implementations of these attacks. There are several possible countermeasures against these attacks:
1. encrypt content using A5/3,
2. use random padding in GSM packets, 3. randomise control messages, 4. use newer 3GPP protocols.
These points are discussed in more detail below. These countermeasures mostly protect against passive eavesdropping, with only the last countermeasure protecting against active attackers, who then still have the ability to do a fall-back attack to GSM. The GSM Map project tries to track the implementation of these countermeasures by the different providers [88].
Encrypt content using A5/3
In Section 3.2.1 we already briefly discussed the A5/3 cipher. This cipher has been public from its inception, and as yet no feasible attack has been found. So using this cipher to encrypt conversations prevents eavesdropping.
However, using A5/3 will not improve GSM’s security much. This is due to the fact that irrespective of the choice of encryption algorithm, the session key used will be the same. This, combined with the presence of a weak cipher, allow an active at- tacker to retrieve the session key. Basically the session key is created based on the secret key, known only to the SIM card and the home network, and a challenge trans- mitted by the cell tower. This challenge is transmitted in the clear, so an attacker could replay the authentication, i.e. the “Active key-retrieval attack”, or use the “Man- in-the-Middle” attack, both discussed in Section 3.2.2. The GSMA (GSM Association) had been advising the use of A5/3 by providers since 2004. In recent years we have seen a definite move towards A5/3, with 2016 being the first year when more than 50% of the mobile networks in the Netherlands offer this stronger encryption [88].
3.4 Analysis and countermeasures
Use random padding
This defensive strategy specifically makes the Kraken attack discussed in Section 3.3.2 harder. It revolves around the fact that the information in GSM packets is padded to a standard length using a standard pattern of “2b”. Some packets consist almost entirely of padding bits – for example the “cipher mode complete”, the first message a cell phone transmits enciphered to the cell tower, usually has 144 of its 265 bits filled with padding bits – which gives an attacker a large source of known plaintext. However, the length of the information bits is already described in the packet header, making the standard padding pattern redundant.
These padding bits can thus be randomised, and that is exactly what was specified by ETSI in 2008 [59]. This would remove a large source of known plaintext for an at- tacker. Without known plaintext there are no known keystream samples which can be looked up in the Kraken tables.
It is questionable how fast this change will be implemented, however. All the low level GSM processing is done by closed source GSM stacks, so it is unknown whether this change would affect the already deployed equipment. The mobile handsets in the field cannot be updated, so this change can only be made in new phones. Also, this change will not completely remove all known plaintext from the system. Some messages can still be guessed, such as system information messages, making the attack described in Section 3.3.2 still feasible for longer conversations.
Randomise control messages
Another large source of known plaintext comes from specific control messages whose content an attacker can learn by observing cell tower traffic. These messages are then also sent encrypted to users, usually in guessable time slots. To prevent this known plaintext source ETSI specified the randomisation of these control messages in 2011 [70]. This specification is fairly recent, so not many providers have switched to using it [88].
Use newer 3GPP protocols
This is kind of a cop-out, but a method that is at least currently available to quite some users. The successors of GSM, both the third generation UMTS as the fourth genera- tion LTE, offer much better security.
In order to fully use this added security, a user should deactivate his phone’s GSM reception, and solely use UMTS or LTE. Otherwise an attacker could force a phone to use GSM, by jamming the UMTS or LTE frequencies. Of course the usability of this solution will depend on the availability of a UMTS or LTE network, and might have additional data costs. Additionally, voice calls are often not supported over LTE and only sometimes available over UMTS.
We will examine the extra security offered by newer generation networks in the next Section.