COMSEC — Attacking Mobile and Satellite Communications
Attacking Satellite Communications
1986 — An operations engineer at a satellite uplink station overrode the HBO signal on Galaxy 1, broadcasting a 4.5-minute protest of HBO's rates for satellite dish owners.
The 1987 Max Headroom broadcast signal intrusions were done by abusing the terrestrial studio-to-transmitter links within the city of Chicago.
2014 — IOActive published a paper describing how they reverse-engineered the firmware of several commercial satellite terminals from various vendors. They found a number of security risks including what appear to be backdoors, hardcoded credentials, undocumented and insecure protocols, and the use of weak encryption algorithms. Only one vendor, Iridium, responded. Especially interesting weaknesses include:
- Harris RF-7800-VU024 and RF-7800-DU024 military land mobile and land portable BGAN terminals. Those units are used with software-defined radios such as the FALCON III AN/PRC-117G SDR. Malware running on an infected laptop connected to the terminal could inject malicious code, obtaining the GPS coordinates of the system and then possibly cutting off communication.
- Hughes BGAN M2M terminal. This was found to be susceptible to a remote exploit. If the attacker knows the Mobile Subscriber Integrated Services Digital Network Number (MSISDN) and the International Mobile Equipment Identity (IMEI), they can send an SMS incorporating the backdoor "admin code" and install malicious firmware.
- Cobham BGAN terminal. The attack scenario is that a military unit member could be browsing the Internet during personal time and be lured onto the wrong website, to be hit with a client-side attack that would install malicious firmware which leaks the device's GPS-derived location.
2015 — A researcher from Synack announced at Black Hat that he could monitor and modify data flowing through a Globalstar satellite network. This was reported by Wired, Reuters, CNN, and others.
Other documents and articles:
- Infosec Institute: "Hacking Satellites ... Look Up to the Sky"
- SpaceNews: "Eutelsat To Field Test New Anti-jamming Capability"
- Wired: "Russian Spy Gang Hijacks Satellite Links to Steal Data"
- Vice Motherboard: "This $1,000 Device Lets Hackers Hijack Satellite Communications"
Intercepting Mobile Telephony
Targeted eavesdroppers can use a cell site emulator, which could be something like the CCS Digital Data Interpreter. These emulators use the non-voice data streams to track frequency changes, cell hand-offs, etc., and capture all the call information and content while tracking location. These are expensive, but they really do the job! The OKI 900 controlled by the right software running on a laptop is a lower-budget cellular intercept platform that's still pretty capable.
Much more capable, and still under US$ 500 for the whole system: build your own GSM base transceiver station using a Raspberry Pi and a bladeRF x40 software-defined radio.
To build your own GSM femtocell, see the Vodafone - THC project.
Better yet, use an IMSI-catcher, which is what the FBI and local law enforcement use to intercept and track mobile phones. A Harris Corporation StingRay and the follow-on Hailstorm and Crossbow models spoof a legitimate cell tower, tricking all nearby mobile phones and other wireless communication devices, including air cards for GSM Internet connectivity on laptops. The devices all connect to the IMSI-catcher instead of the legitimate carrier tower. By moving the device around, authorities can pinpoint a phone's location down to a specific apartment in a building.
Cruder forms of this technology have been used by law enforcement for at least 20 years. An FBI agent in a case in Utah in 2009 described using a cell site emulator more than 300 times over a decade, and indicated that they were used daily by U.S. Marshals, U.S. Secret Service and "other federal agencies".
Harris' cell site emulator product in the mid 1990s was the Triggerfish. By 2013 Harris' current model of full-sized cell site emulator had been the StingRay for some years. The KingFish is a hand-held unit easily carried up and down hallways of apartment buildings and hotels.
Harris's mobile phone surveillance products are named after fish and related terms — StingRay, KingFish (a hand-held StingRay), Triggerfish, Amberjack, Gossamer, Harpoon — "StingRay" is the one the media has fixated on.
Other companies including Verint, View Systems, Altron, NeoSoft, Cobham Surveillance (formerly MMI Research Products), Ability and Meganet make systems similar to the Harris StingRay, intercepting and tracking GSM/UMTS based communications. But the Harris StingRay and KingFish can also track CDMA2000 and iDEN, and can support three different communications modes simultaneously. The StingRay II supports four communications modes simultaneously. When the City of Miami was shopping for Harris wireless surveillance products in September 2008 and published the Harris price list on their web site, a StingRay II cost $148,000 plus $22,000 per supported mode. A KingFish was $27,800 for just UMTS plus $18,000 each for GSM, CDMA and iDEN modes. The Israeli company Rayzone makes an interceptor named Piranha that claims to work against CDMA and GSM 2G, 3G, and 4G systems.
IMSI catchers collect identification and location information for nearby phones, and in some situations can capture voice conversations, text messages, and web history. IMSI or International Mobile Subscriber Identity is the unique serial number the cellular system uses to identify your phone. See this background on IMSI catchers and Stingray.
The U.S. Government has been very secretive about the use of IMSI catchers and similar systems by law enforcement and other agencies. The FBI has made local law enforcement sign non-disclosure agreements, and has instructed law enforcement agencies to lie about the use of the technology. Meanwhile the Baltimore police used Stingray over 25,000 times. See descriptions in Newsweek, in Wired here and here, in STL Today, in Ars Technica, in Vice, and from the ACLU.
Unexplained IMSI catchers have been detected across the U.S. according to stories in the Washington Post, Wired, Gizmodo, and VentureBeat.
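The tell-tale signs described above (a cell that forces a Location Update by advertising a new LAC, unusually strong signal from a cell ID never seen before, ciphering switched off or downgraded, and an empty neighbour list) are what detection apps look for. The following is an added example, not code from this page or from any named product, that runs those heuristics over a constructed log of serving-cell observations. The CSV layout, the thresholds and the "first five rows are trusted" baseline are assumptions made for the example; a real deployment would build its baseline from days of observations at a known location.

```python
"""Heuristic IMSI-catcher detection over a log of observed serving cells.

Added example, not code from the page or from any named tool. The input
is a constructed CSV of cell observations of the kind a baseband diagnostic
port or a SnoopSnitch-style app records; the field layout, thresholds and
baseline window are assumptions made for this example.
"""
from collections import defaultdict

# Constructed sample log. Fields: time, mcc, mnc, lac, cid, arfcn,
# rssi_dbm, cipher, neighbour-count. The last three rows are what a
# cell-site simulator parked nearby would look like to the handset.
SAMPLE_LOG = """\
10:00:01,310,260,1234,40201,512,-87,A5/3,6
10:00:31,310,260,1234,40202,517,-91,A5/3,5
10:01:02,310,260,1234,40201,512,-85,A5/3,6
10:01:33,310,260,1234,40203,520,-93,A5/3,6
10:02:04,310,260,1234,40201,512,-86,A5/3,6
10:02:35,310,260,9911,40201,512,-41,A5/0,0
10:03:06,310,260,9911,40201,512,-40,A5/0,0
10:03:37,310,260,1234,40777,516,-44,A5/1,1
"""

# Weaker-to-stronger ordering of GSM ciphering modes (A5/2 is weaker than A5/1).
CIPHER_RANK = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3, "A5/4": 4}
STRONG_SIGNAL_DELTA = 25   # dB above baseline median for an unknown cell (assumption)
BASELINE_ROWS = 5          # leading rows treated as the trusted baseline (assumption)


def parse(log):
    rows = []
    for line in log.strip().splitlines():
        t, mcc, mnc, lac, cid, arfcn, rssi, cipher, nb = line.split(",")
        rows.append({"time": t, "plmn": mcc + mnc, "lac": int(lac),
                     "cid": int(cid), "arfcn": int(arfcn), "rssi": int(rssi),
                     "cipher": cipher, "neighbours": int(nb)})
    return rows


def build_baseline(rows):
    """Per (PLMN, CID): LACs seen; plus the pooled RSSI median and weakest cipher."""
    lacs = defaultdict(set)
    rssi = []
    weakest = min(CIPHER_RANK[r["cipher"]] for r in rows)
    for r in rows:
        lacs[(r["plmn"], r["cid"])].add(r["lac"])
        rssi.append(r["rssi"])
    rssi.sort()
    return lacs, rssi[len(rssi) // 2], weakest


def analyse(rows, baseline_rows=BASELINE_ROWS):
    """Return [(time, cid, [reasons])] for observations after the baseline window."""
    lacs, median_rssi, baseline_cipher = build_baseline(rows[:baseline_rows])
    alerts = []
    for r in rows[baseline_rows:]:
        key = (r["plmn"], r["cid"])
        reasons = []
        rank = CIPHER_RANK.get(r["cipher"], 0)
        if rank == 0:
            reasons.append("ciphering disabled (A5/0)")
        elif rank < baseline_cipher:
            reasons.append(f"cipher downgraded to {r['cipher']}")
        # A catcher reuses a real CID but advertises a new LAC to force a
        # Location Update, which is what hands it the IMSI.
        if key in lacs and r["lac"] not in lacs[key]:
            reasons.append(f"known CID {r['cid']} now advertises LAC {r['lac']}, "
                           f"baseline {sorted(lacs[key])}")
        if key not in lacs and r["rssi"] - median_rssi >= STRONG_SIGNAL_DELTA:
            reasons.append(f"unknown CID {r['cid']} at {r['rssi']} dBm, "
                           f"{r['rssi'] - median_rssi} dB above baseline median")
        # Real cells advertise neighbours; a catcher wants you not to hand off.
        if r["neighbours"] <= 1:
            reasons.append(f"neighbour list nearly empty ({r['neighbours']})")
        if reasons:
            alerts.append((r["time"], r["cid"], reasons))
    return alerts


if __name__ == "__main__":
    for when, cid, why in analyse(parse(SAMPLE_LOG)):
        print(f"{when} CID {cid}: " + "; ".join(why))
```

Each heuristic on its own produces false positives (a new tower being commissioned, a carrier re-planning LACs, a fringe area where the network genuinely drops to A5/1), so the useful signal is several indicators firing together on the same cell within a few minutes, as in the last three sample rows.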
You can build your own or just buy one on line, and many SMS spammers use them in China.
For more details on GSM hacking, see the announcement of GSM cloning and how security-through-obscurity isn't security at all.
Your Secret Stingray's No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance and Its Impact on National Security and Consumer Privacy is a 2014 paper by Stephanie Pell of the Stanford Law School Center for Internet and Society and Christopher Soghoian of the Yale University Information Society Project. They describe how the law enforcement and national government monopoly on cellular interception has vanished, and now criminals, the tabloid press, and anyone with a little motivation and money can eavesdrop. The Associated Press reported on 12 June 2014 that "The Obama administration has been quietly advising local police not to disclose details about surveillance technology they are using to sweep up basic cellphone data from entire neighborhoods. [...] Citing security reasons, the U.S. has intervened in routine state public records cases and criminal trials regarding use of the technology. This has resulted in police departments withholding materials or heavily censoring documents in rare instances when they disclose any about the purchase and use of such powerful surveillance equipment."
Also see Privacy International and their study of the $5 billion per year global surveillance industry.
Cryptanalysis — Breaking Telephony Encryption
Digital AMPS (a GSM competitor once popular in North America, although now well beyond end-of-life) used CAVE (Cellular Authentication, Voice Privacy and Encryption) and CMEA (Cellular Message Encryption Algorithm). These perform three main functions:
- Authenticate to the network that the unit requesting service is a legal subscriber.
- Generate codes to protect control channel data, including all digits dialed on the keypad (dialed numbers, plus later PINs etc.). Control channel data is encrypted with CMEA (Cellular Message Encryption Algorithm).
- Generate two keys to "mask" the digitized forward and reverse voice channels.
The voice "masking" was known to be cryptographically weak in 1992. On 20 March 1997, Bruce Schneier (author of Applied Cryptography) and David Wagner (UC Berkeley grad student) announced breaking CMEA. The response of the Cellular Telephone Industry Association (CTIA) was to lobby for laws to make it illegal to break their breakable system, so they can continue to advertise it to an unwary public as "unbreakable".... See Monitoring Times, June 1997, pp 28-29, and Bruce Schneier's Crypto-Gram for more details.
Late 1999 saw announcements of GSM cracking (which, for the U.S.A., affected "Digital PCS" as well). Summarizing from Bruce Schneier's Crypto-Gram newsletter, 15 December 1999, the relevant algorithms at the time were:
- A3 is the authentication algorithm to prevent phone cloning.
- A5/1 is the stronger of the two voice-encryption algorithms.
- A5/2 is the weaker of the two voice-encryption algorithms.
- A5/3 has been added more recently for 3G communications.
- A8 is the voice-privacy key-generation algorithm.
Schneier says, "These algorithms were developed in secret, and were never published. Marc Briceno (with the Smartcard Developer Association) reverse-engineered the algorithms, and then Ian Goldberg and David Wagner at U.C. Berkeley cryptanalyzed them. Most GSM providers use an algorithm called COMP128 for both A3 and A8. This algorithm is cryptographically weak, and it is not difficult to break the algorithm and clone GSM digital phones. The attack takes just 2^19 queries to the GSM smart-card chip, which takes roughly 8 hours over the air. This attack can be performed on as many simultaneous phones in radio range as your rogue base station has channels." Summarizing now, the breaks and the publishing dates are:
- A3 and A8 — Can always be broken in 8 hours over the air (as above). Worse, all A8 implementations tested were deliberately weakened: the 64-bit session key Kc they produced had its ten low-order bits fixed at zero, leaving an effective 54-bit key. (April 1998)
- A5/2 — Can be broken in real-time without any trouble. (August 1999) Read Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication, a 2003 paper by three researchers at Technion - Israel Institute of Technology, which also shows how an active attacker can force a phone that supports A5/2 to use it and then recover the key, because the same Kc is used regardless of which A5 variant is negotiated.
- A5/1 — Given the first two minutes of the conversation, one PC with 128 MB of RAM and two 73 GB hard drives can find the A5/1 key in about one second. (May 1999)
Papers on A5/1 cryptanalysis:
- Real Time Cryptanalysis of A5/1 on a PC
- Software-Hardware Trade-offs: application to A5/1 Cryptanalysis
- Cryptanalysis of the A5/1 GSM Stream Cipher
- On Hardware-Assisted Cryptanalysis of A5/1
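To see why A5/1 falls to time-memory trade-offs, it helps to have the cipher in front of you. The following is an added example, not code from this page or from any of the papers it cites: a straightforward Python implementation of the A5/1 keystream generator following the publicly reverse-engineered description (three LFSRs of 19, 22 and 23 bits, majority-rule clocking on bits 8, 10 and 10, 64-bit key then 22-bit frame number mixed in linearly, 100 warm-up clocks, then 114 bits of keystream per direction). The key/frame test vector is the one distributed with the 1999 reference implementation; everything else in the block is this example's own.

```python
"""A5/1 keystream generator, as an added worked example of the GSM cipher
discussed above (not code from the page or the cited papers).

Register layout, taps, clocking rule and key/frame loading follow the
published reverse-engineered description of A5/1.
"""

# (register length, clocking-tap bit, feedback tap bits) for the three LFSRs
REGS = (
    (19, 8, (13, 16, 17, 18)),
    (22, 10, (20, 21)),
    (23, 10, (7, 20, 21, 22)),
)


def _step(reg, length, taps):
    """Shift one LFSR left by one, feeding back the XOR of its tap bits."""
    fb = 0
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & ((1 << length) - 1)


def _majority(a, b, c):
    return (a & b) | (a & c) | (b & c)


class A51:
    def __init__(self, key: bytes, frame: int):
        if len(key) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("A5/1 needs an 8-byte Kc and a 22-bit frame number")
        self.r = [0, 0, 0]
        # Key bits are mixed in LSB-first per byte, all registers clocked each step.
        for i in range(64):
            self._clock_all()
            self._xor_in((key[i // 8] >> (i % 8)) & 1)
        # The 22-bit frame number goes in the same way: the whole setup is
        # linear in (key, frame), which is what the state-recovery attacks exploit.
        for i in range(22):
            self._clock_all()
            self._xor_in((frame >> i) & 1)
        for _ in range(100):          # warm-up: output discarded
            self._clock_majority()

    def _xor_in(self, bit):
        for j in range(3):
            self.r[j] ^= bit

    def _clock_all(self):
        for j, (length, _, taps) in enumerate(REGS):
            self.r[j] = _step(self.r[j], length, taps)

    def _clock_majority(self):
        """Irregular clocking: a register moves only if its clocking bit agrees
        with the majority of the three clocking bits."""
        mids = [(self.r[j] >> REGS[j][1]) & 1 for j in range(3)]
        maj = _majority(*mids)
        for j, (length, _, taps) in enumerate(REGS):
            if mids[j] == maj:
                self.r[j] = _step(self.r[j], length, taps)

    def _out(self):
        o = 0
        for j, (length, _, _) in enumerate(REGS):
            o ^= (self.r[j] >> (length - 1)) & 1
        return o

    def keystream(self, nbits=114):
        """Return nbits of keystream, packed MSB-first (114 bits -> 15 bytes)."""
        out = bytearray((nbits + 7) // 8)
        for i in range(nbits):
            self._clock_majority()
            out[i // 8] |= self._out() << (7 - i % 8)
        return bytes(out)


def a51_frame_keystream(key: bytes, frame: int):
    """Keystream for one TDMA frame: (downlink 114 bits, uplink 114 bits)."""
    gen = A51(key, frame)
    return gen.keystream(114), gen.keystream(114)


if __name__ == "__main__":
    k = bytes.fromhex("1223456789abcdef")   # reference test vector key
    a2b, b2a = a51_frame_keystream(k, 0x134)
    print("A->B", a2b.hex(), "\nB->A", b2a.hex())
```

Two things are visible here that matter for the attacks above. The internal state is only 64 bits and the keystream depends on nothing but that state, so a table that maps keystream prefixes back to states (the 2 TB rainbow tables mentioned later on this page) costs 2^64 work once and then answers every call; and because the key and frame number are mixed in by a linear process, recovering the state for any one frame gives the session key Kc for the whole call.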
Then in Feb 2008 Schneier again commented on A5/1 cryptanalysis. There had been quite a bit of coverage of announcements of further A5/1 cryptanalysis and practical systems to break GSM keys. This 2008 attack is completely passive, requires about US$ 1000 in hardware, and breaks the key in about 30 minutes:
- "Research May Hasten Death of Mobile Privacy Standard", Washington Post, Feb 2008
- Forbes magazine, 21 Feb 2008
- Government Computer News, 20 Feb 2008
- Information Week, 20 Feb 2008
A5/3 is the GSM name for the cipher built on the KASUMI block cipher, which 3G uses (as UEA1/UIA1) for confidentiality and integrity. It is stronger than A5/1, but it is also vulnerable! A 2010 paper reports "The privacy of most GSM phone conversations is currently protected by the 20+ years old A5/1 and A5/2 stream ciphers, which were repeatedly shown to be cryptographically weak. They will soon be replaced in third generation networks by a new A5/3 block cipher called KASUMI, which is a modified version of the MISTY cryptosystem. In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of 2^-14. By using this distinguisher and analyzing the single remaining round, we can derive the complete 128 bit key of the full KASUMI by using only 4 related keys, 2^26 data, 2^30 bytes of memory, and 2^32 time. These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity." The caveat is that this is a related-key attack: the attacker needs encryptions under four keys with chosen differences, which the 3G key agreement does not hand out, so it shows KASUMI has far less margin than its design promised rather than that deployed 3G calls can be decrypted this way.
The industry (predictably) claimed this was all impossible, as it required unavailable hardware. Yeah, right. Well under US$ 10,000 should provide a high-quality intercept station. For details of the analysis see the Smartcard Developer Association and the references here.
See this project to design and build a relatively inexpensive (US$ 700) GSM receiver and crack A5/1.
Further GSM security and insecurity references include GSM Security FAQ: Have the A5 algorithms been broken? and GSM Security Algorithms.
August 2009 saw further reports on making A5/1 cracking more practical and less academic. See Subverting the security base of GSM by Karsten Nohl and Sascha Krißler, presented at the Hacking At Random conference in Aug 2009. The DarkReading mailing list discussed the work.
December 2009 brought even further A5/1 cracking results. An article from late December 2009 reported that a complete GSM intercept station could now be built for about $4000, and it can handle the random channel hopping. A 2TB Rainbow Table is used to rapidly find the encryption key. A low-end intercept station could be built around a PC with a medium-end graphics card, at least 2TB of disk storage, and two GNURadio USRP2 computer-controlled receivers. A few minutes of conversation will be required to gather enough information. More elaborate and expensive systems using FPGA devices could break the encryption "almost instantaneously".
GSM uses GPRS for data, like web browsing. With large deployment world-wide in the early 2000s, it was many people's first mobile Internet connection. GEA-1 and GEA-2 were broken in 2011. In 2021 we learned that the design of GEA-1 was intentionally weakened. GEA-1 uses a 64-bit key, but it only provides the security of a 40-bit key. GEA-2 doesn't have the same intentional weakness, but it only provides about 45-bit security. GPRS is 2G technology, but most handsets still supported it in 2021 and may be vulnerable to a downgrade attack.
In 2012, researchers at Ruhr University Bochum broke the A5-GMR-1 and A5-GMR-2 algorithms used on satellite phones. They report a ciphertext-only attack on A5-GMR-1 with average complexity 2^32 steps, and a known-plaintext attack on A5-GMR-2 for which "the encryption key for one session, i.e., one phone call, can be recovered with approximately 50–65 bytes of key stream and a moderate computational complexity."
This 2017 paper reported a real-time attack on the GMR-2 cipher, needing only 15 bytes (or one frame) of keystream and 0.020 seconds of computation. Their description is that GMR-1 is "a proprietary variant of GSM A5/2" while GMR-2 is "an entirely newly designed stream cipher."
Also see the published attacks on the SNOW 3G and SNOW 2.0 stream ciphers (SNOW 3G is the UEA2/UIA2 alternative to KASUMI in 3G) and on the ZUC stream cipher used in 3GPP LTE (EEA3/EIA3).
The good news is that this 2016 paper found that the AKA protocol looks much safer. AKA uses a set of AES-based algorithms called MILENAGE, and the TUAK algorithms which are based on a modification of Keccak.
If you want voice COMSEC on the cheap, check out PGPfone. You use your computer's audio interface and PGP software to encrypt and decrypt a pair of audio streams.
Mobile networks have been hacked by attacking the insecure GPRS backbone links used by most mobile phone providers. This was announced and demonstrated at the Chaos Communication Camp 2001.
GPRS encryption has been broken, see articles in ComputerWorld, in The Register, and MIT Technology Review.
Jamming Mobile Signals
From an article about the common use of cell phones by prisoners despite its illegality, in Urgent Communications, a trade magazine for public-service and emergency radio communications ("Arresting Developments", August 2010, pp 42-47): South Carolina's prison system found 3,024 cell phones among its population of 24,000 inmates, a 1:8 ratio, in the 2009 fiscal year. A Texas correctional facility was found to have 239 cell phones in use in one 400-inmate wing.
CellAntenna makes cellular systems: in-building repeaters, signal boosters, antennas, etc. CJam Cellular Jamming Technology seems to be CellAntenna under another name, and they openly market cell phone jamming systems.
Security Intelligence Technologies builds and sells GSM jammers.
Bomb Jammer builds and sells GSM jammers, including their "VIP 200 Bomb Jammer". Many of these companies market their products as jammers just for the control links for improvised explosive devices (IEDs).
Netline Communications Technologies of Israel sells a system called CellTrack. It has multiple covert devices that can detect a variety of GSM/cellular standards simultaneously, tied into a central computer doing the overall analysis.
Armed Forces International provides information on vendors of a range of military-related products.
Extracting Data from Mobile Devices
See the report Mass Extraction: The Widespread Power of U.S. Law Enforcement to Search Mobile Phones, describing how U.S. law enforcement agencies use mobile device forensic tools to extract full copies of data from mobile devices — all emails, texts, photos, location tracking data, and more — and then search it.
Over 2,000 law enforcement agencies have these tools. The police seize phones in minor cases such as petty theft and public intoxication, extract all data without a warrant, and make no public records of these searches.