Browsing articles from "December, 2010"

Breaking GSM Security With a $15 Phone – Eavesdropping Alert!

Dec 29, 2010   //   by Julian Claxton   //   Blog  //  No Comments

GIZMODO 29-12-10

Whatever assurances have been given about the security of GSM cellphone calls, forget about them now.

Speaking at the Chaos Computer Club (CCC) Congress here today, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network “sniffers,” a laptop computer and a variety of open source software.

While such capabilities have long been available to law enforcement with the resources to buy a powerful network sniffing device for more than $50,000 (remember The Wire?), the pieced-together hack takes advantage of security flaws and short-cuts in the GSM network operators’ technology and operations to put the power in the reach of almost any motivated tech-savvy programmer.

“GSM is insecure, the more so as more is known about GSM,” said Security Research Labs researcher Karsten Nohl. “It’s pretty much like computers on the Net in the 1990s, when people didn’t understand security well.”

Several of the individual pieces of this GSM hack have been displayed before. The ability to decrypt GSM’s 64-bit A5/1 encryption was demonstrated last year at this same event, for instance. However, network operators then responded that the difficulty of finding a specific phone, and of picking the correct encrypted radio signal out of the air, made the theoretical decryption danger minimal at best.

Naturally this sounded like a challenge.

Working the audience through each process step, Nohl and OsmocomBB project programmer Sylvain Munaut demonstrated how the way in which GSM networks exchange subscriber location data, in order to correctly route phone calls and SMSs, allows anyone to determine a subscriber’s current location with a simple Internet query, to the level of city or general rural area.

Once a phone is narrowed down to a specific city, a potential attacker can drive through the area, sending the target phone “silent” or “broken” SMS messages that do not show up on the phone. By sniffing each base station’s traffic, listening for the delivery of the message and the response of the target phone at the correct time, the location of the target phone can be more precisely identified.

To create a network sniffer, the researchers replaced the firmware of a simple Motorola GSM phone with their own alternative, which allowed them to retain the raw data received from the cell network and examine more of the cellphone network space than a single phone ordinarily monitors. Upgrading the USB connection allowed this information to be sent in real time to a computer.

By sniffing the network while sending a target phone an SMS, they were able to determine precisely which random network ID number belonged to the target. This gave them the ability to identify which of the myriad streams of information they wanted to record from the network.

All that was left was decrypting the information. Not a trivial problem, but made possible by the way operator networks exchange system information with their phones.

As part of this background communication, GSM networks send out strings of identifying information, as well as essentially empty “Are you there?” messages. Empty space in these messages is filled with buffer bytes. Although a new GSM standard was put in place several years ago to turn these buffers into random bytes, they in fact remain largely identical today, under a much older standard.

This allows the researchers to predict with a high degree of probability the plaintext content of these encrypted system messages. This, combined with a two-terabyte table of precomputed encryption keys (a so-called rainbow table), allows a cracking program to discover the secret key to the session’s encryption in about 20 seconds.

This is particularly useful, the researchers said, because many if not most GSM operators reuse these session keys for several successive communications, allowing a key extracted from a test SMS to be used again to record the next telephone call.

“There is one key used for communication between the operators and the SIM card that is very well protected, because that protects their monetary interest,” Nohl said. “The other key is less well protected, because it only protects your private data.”

The researchers demonstrated this process, using their software to sniff the headers being used by a phone, extract and crack a session encryption key, and then use this to decrypt and record a live GSM call between two phones in no more than a few minutes.

Much of this vulnerability could be relatively easily addressed, Nohl said. Operators could make sure that their network routing information was not so simply available through the Internet. They could implement the randomization of padding bytes in the system information exchange, making the encryption harder to break. They could certainly avoid recycling encryption keys between successive calls and SMSs.

Nor is it enough to imagine that modern phones, using 3G networks, are shielded from these problems. Many operators reserve much of their 3G bandwidth for Internet traffic, while shunting voice and SMS off to the older GSM network.

Nohl elicited a laugh from the audience of hackers when he called the reprogrammed network-sniffing phones “GSM debugging devices.” But he was serious, he said.

“This is all a 20 year old infrastructure, with lots of private data and not a lot of security,” he said. “We want you to help phones go through the same kind of evolutionary steps that computers did in the 1990s.”

Article source: http://gizmodo.com/5719940/breaking-gsm-security-with-a-15-phone

Lebanon finds Israeli spying devices

Dec 28, 2010   //   by Yahoo! News   //   News & Updates  //  No Comments

Lebanese Armed Forces dismantled hi-tech and complex Israeli spying devices in the Bekaa Valley, a Press TV correspondent reported on Monday.

The discovery comes after the Lebanese Foreign Ministry lodged a complaint with the UN last weekend through its mission in New York.

The ministry denounced the act of espionage as a violation of Lebanon’s sovereignty, international law and the UN Security Council Resolution 1701.

The UN resolution ended Israel’s 2006 war on Lebanon that killed about 1,200 Lebanese people — mostly civilians.

Israeli espionage “is in clear violation of resolution 1701,” Lebanese President Michel Sleiman said earlier in December.

The Lebanese army, acting on an alert coming from the resistance movement of Hezbollah, has discovered and dismantled several Israeli espionage devices over the course of the past month.

AGB/CS/AKM

Article source: http://www.presstv.ir/detail/157397.html

Germans charged with espionage in Iran meet with families

Dec 28, 2010   //   by Yahoo! News   //   News & Updates  //  No Comments

Iranian President Mahmoud Ahmadinejad has accused the West of overhyping an Iranian woman's death sentence.

(CNN) — Two German journalists charged with espionage in Iran for interviewing the son and lawyer of a woman condemned to die by stoning have met with family members, Iranian officials said Tuesday.

The meeting took place Monday night in the northwest city of Tabriz — where the German nationals were arrested, Iran’s foreign ministry spokesman Ramin Mehmanparast told reporters at his weekly news conference.

“On the basis of humanitarian grounds, this meeting has been made possible,” Mehmanparast said.

The families also met with Ali Akbar Salehi, Iran’s foreign minister.

The relatives traveled to Iran on Friday accompanied by Bernd Erbel, the German Ambassador to Tehran, Iran’s semi-official Mehr news agency reported.

“The status of their case depends on the legal proceedings and the judiciary officials proceeding. If they have not committed a crime, then they will be released. And if they have, then they will be dealt with properly,” Mehmanparast said Tuesday.

The two men, identified only as a reporter and photojournalist, were arrested in October after they interviewed the son and lawyer of Sakineh Mohammadi Ashtiani, who was convicted of adultery in 2006 and sentenced to death by stoning.

“Their reports and propaganda in Tabriz proved that they are in the country for spying,” Malek Ajdar Shafiee, the head of the Justice Department of East Azarbaijan, was quoted as saying by Iran’s semi-official Fars News Agency.






Article source: http://www.cnn.com/2010/WORLD/meast/12/28/iran.germans.espionage/index.html?section=cnn_latest

Iran sentences Israel spy to death

Dec 27, 2010   //   by Yahoo! News   //   News & Updates  //  No Comments

“This spy, whose identity will be announced after the verdict is approved, has been sentenced to death,” Jafari-Dolatabadi said on Sunday.

“This person who worked as a spy for Israel has been sentenced to death. The sentence will be carried out after judicial and executive processes,” he added.

He went on to say that other cases of espionage were being investigated by the prosecutor’s office, IRNA reported.

In October, Iran arrested seven individuals, who had collaborated with Israeli intelligence services, on charges of espionage.

Iranian officials say one of the spies was involved in counterrevolutionary activities, and one was working on issues pertaining to the country’s domestic affairs.

Five others were arrested for infiltrating the country’s administrative institutions and passing classified data to foreign countries.

These spies supplied the enemy with information on Iran’s judiciary, military and space agencies, among other things, prior to their arrest.

Israel runs spy cells in many countries around the world. It is also the only Washington ally to openly spy on the United States.

In recent years many Tel Aviv-linked individuals have been arrested in countries like Egypt, Lebanon and Syria on espionage charges.

US-born Jonathan Pollard was sentenced to life on charges of spying for Tel Aviv 25 years ago, and his case has been a source of tension between the United States and Israel.

More than 100 people have been arrested in Lebanon on suspicion of spying for Israel since April 2009. Among them are telecom employees, members of the security forces and active duty troops.

MYA/SF/HGH/MMN

Article source: http://www.presstv.ir/detail/157294.html

Scrap heap dispels myths of espionage

Dec 27, 2010   //   by Yahoo! News   //   News & Updates  //  No Comments

GULFPORT, Miss. — The planned overthrow of the U.S. government ended rather prosaically this fall, with a giant pile of mashed-up trucks in a muddy scrap yard a mile or so off the Interstate.

The crew at Alter Metal Recycling has been piling up the old trucks since summer and sending them to Alabama, for melting down and reincarnation as everything from cars to washers and dryers.

In certain circles in the mid-1990s, rumors sprouted among those inclined to keep an eye out for black helicopters. To them, the presence of 700 military-looking trucks bearing Soviet-bloc markings in a weed-strewn lot north of Gulfport was clear proof of a U.N. plan to take over the United States.

The specific outlines of such a plot were rather vague. But conspiracy-cult radio shows and right-wing fringe newsletters delivered somber reports about the vehicles, speaking of armored tanks, secret roads and the role of the vehicles in the establishment of a New World Order.

But the real tale behind the trucks, as is often the case, turns out to be more interesting than the conspiracy.

Charles Chawafaty, an Egyptian businessman, and Fred Koval, a retired Air Force lieutenant colonel, met in a Saudi Arabian prison.

Koval, now 88, had moved to Jeddah, Saudi Arabia, in 1979 to teach electronics at a school run by the Lockheed Corp. In 1981, Koval spent 4 1/2 months in a Saudi prison. While there, he said, he met Chawafaty.

In 1993, Chawafaty’s company, Agrinvest International, which is based in Phoenix, bought roughly 1,000 former Soviet bloc vehicles that had been demilitarized and auctioned. Some were stored in Britain, but most made their way to an 18-acre lot north of Gulfport that Koval had found. Chawafaty said the plan was to retrofit the vehicles and sell them to the United Nations for humanitarian missions.

All of this set off the conspiracy theories. “But none of it attracted buyers,” Koval said.

In the end, the vehicles mostly sat unwanted in the lot. The conspiracy theories dwindled, as did customs officials’ visits.

The rusting accelerated after Hurricane Katrina. For various reasons, including the expiration of a trade license and the fact that nobody was interested in rust-covered trucks, Chawafaty decided to scrap them.

Koval laughed about the whole episode, which produced little more than proof that most business schemes, like most conspiracy theories, end up on the ash heap of history.

Article source: http://telegram.com/article/20101227/NEWS/12270415/1052/RSS01&source=rss
