>>All right. So wow further ado, we have Loki presented on GSM this morning or this afternoon, sorry. And  ‑ ‑ pierce. I'm sorry. I missed that. So without further ado, I'm going to let the fine gentlemen get on with this. Enjoy. [ Applause ] >> Left and  ‑ ‑ left and right. Okay. GSM, welcome to our talk. We are going to talk about NSA today, we have fun GSM and going to talk about. My name is dean pierce. This is my fourth Def Con talk. I have been attending Def Con since Def Con 10. I am information security professional and I work in the field of product security, which is great. It is way cooler than testing you get to see cool shit. So. It is good stuff. It should be a  career path people look into. Also for some reason when I get a  paper for Def Con is wireless stuff. All of my nonwireless talks are excepted. That's about me. >> Hey, I'm Loki. Yeah. This is my first time talking at Def Con. [ Applause ] So I've been doing stuff for  ‑ ‑ secure stuff for 12 years. Mostly analytic‑ type stuff. They are calling the big data now which bothers me. And pretty much every role I have ever been in, I had to do some sort of security stuff. I like seeing problems that is also a  interest of me. And the GSM stuff for the past few years I had a  heavy interest in and kept playing with it. That's about it for me. So let's see. So GSM, most of you guys are probably familiar with it, is the most widely used cellular system in the world. And right now  ‑ ‑ what? There's, right? 7  billion, I think, as of 2013. People worldwide using it. Going off of the GSM association it is available in more than 219 countries, market share more than 9%. All  ‑ ‑ 90%. All of that fun stuff, and also the legacy network for most of the other technologies used today, with the exception of CDMA. That means LT built on top of the GSM stuff. Right now there, if you make a  voice call that is probably going on classic GSM. Whereas, essentially, with LTE we expect to see that go over data traffic, at some point it will be probably be more difficult to play with. Hold on, slides. One of the things that was interesting about the GSM stuff was that it's, it was  ‑ ‑ the first of seriously consider any  form of security with both  ‑ ‑ stuff with the  ‑ ‑ beans instead of any sort of  ‑ ‑ um, persistent mobile identity. It somewhat helped your usage of it from just an eavesdropper perspective. And it also used A5 encryption, which there is A5/1 and A5/2 are the standards, and unfortunately, what was rolled out for most of the world was a  slightly broken version of it, even though at this point most of them have gone to somewhat more secure, but still breakable A5/1. There is A53. But as far as I'm aware there is no rollouts of it. That one is also know, nobody has breaks for it at this point. So I'm out of sync with my slides. Sorry about that. This short history lesson in the 199's, the first attack on A5 was proposed on June  17, 1994, there was a  message posted to UK telecom group and it, he described potential attacks and also the first publication of open A5 site. People had idea what was it, but nobody published code that may represents what it looks like internally. Yeah, that was over 20 years ago. In, we're, still using the same cipher today. In '97, um, at  ‑ ‑ I can never pronounce his name. It is Jovon, presented  ‑ ‑ cryptanalysis, and presented a  potential time memory trade‑ off attack which was sort of the basis for a lot of the further attacks that happened. So in 2000, um, at the seventh international workshop on software encryption, three guys presented a  ‑ ‑ um, paper on realtime cryptanalysis  ‑ ‑ of A51, and than that one, that was the first attack to theoretically allow you to see decrypted traffic in realtime. Also, in 2000, two other people went ahead and invented essentially the same idea with a slightly different time memory trade‑ off technique. And so both of them theoretically allowed attacks on A5 with plain text. But they were not really practical. So then 2003 came along and there was a  paper related in cipher text only cryptanalysis. And it was a time only memory trade‑ off attack. It was practical, but it requires a  ridiculous large computation phase. I believe it was in the order of 32 terabytes, which was not practical at all. And then in 2006 the full version of the paper was related. 2003 was significantly cut on what they actually talked about. In that they went ahead and gave a lot more information that allowed you to  ‑ ‑ basically come up with very short plain text. Up until then, um, know five minutes of plain text would be required, again, impractical. So 2007 COPACOBANA came along. In that one, COPACOBANA was a  hardware project it stands for cost optimized parallel codebreaker. And it was implemented for running most algorithms but specifically for cryptanalysis. It was commercially available eventually, and could be used for A5/1 and A5/2 and other things, including GSM. It went and ahead enabled force attacks from GSM without look up tables. However, this was still not realtime. That was actually done as a  research project that eventually turned into a  commercial solution. Yeah. I wanted to jump in with 2007, because  ‑ ‑ this is also 2007 I attended torcon and I saw a  really awesome presentation on using FPGAs and USRPs with crack phone calls for $30, and it was amazing. I thought it would be cool if somebody bundled it together and sold it on eBay. That stuff is hard to do. They didn't release information on how to do it. That was my first thought of the NAS playset bundle concept. It has taken a long time to actually do stuff. Let's see, 2008. 2008 was actually when carry talked about generating tables and the, the tables got generated but a lot of the tools were, a lot of tools didn't get released and a lot of the tables didn't get released. A lot of stuff didn't happen. It was very much like a  theoretical thing at that point. Which leads to 2009. Let's see. So in 2009, that's when you have the, there's a  talk at black hat where they tried to kickoff the A5/1 project. So this was a  global distributed effort where everybody who had, like fast video cards could team up together and everyone was going to generate the A5/1 tables once and for all. It was going to be great. Also, it is really fun to read the mailing list, too. If you go back and look at the A5/1 mailing list at this point. You have people jumping in saying I got this card it is not optimized. Everyone doing their own thing and turning a  table here and there. This one guy jumps on, hey I wrote this tool called cracking that uses the table and brute force. That is great and still used today. And then the tables got released. So  ‑ ‑ let's see. How do I get back? Over here? Yeah. Good. So 2010 was Carson speaking at black hat. Again, and demoing, demoing the stuff and  ‑ ‑ actually, they replaced air pro, which is great, air pro uses the USRP to get the raw GSM and then you can figure out some, some like the text stuff and then use that and crack it with the cracking tools and the A5/1 tables released and then decrypt the traffic. He showed this on the black hat stage. It was great. Everyone applauded it was wonderful. They also talk about in 2010, actually using the Motorola phones to start sniffing stuff. Which is great, they are a  heck of a lot cheaper than the USRPs that are a  couple of thousand dollars with the accessories. And the phones are silly phones that you can get at any store. So that was great. At the end of 2010. Carson did a  talk at CCC and taking about broadband GSM and used four different phones and then monitored all frequencies and did a  full range of sniffing everything with the phones. It was good. So nothing really happened. Wait. Nothing really happened in 2011. GSM security was broken. It was done. We're good. Everybody is going get fixed now. Right? So, unfortunately that didn't really happen, but  ‑ ‑ in 2012, we had this great thing, anyone here familiar with the real tech SDR bundles? These things are great. They started selling and people quickly realized, these are T.V. tuners sold everywhere under different brand names. People realized they could twittal a  couple of bits here at whatever frequency and dump traffic. Overnight the software defined radio computer exploded. Every one with $20  in their pocket  could go buy this little receiver and just start sniffing traffic and it worked with all the GSM radios and the tools the more academic things. In 2013, I was able to take a  radio class. It was a great experience, and I told them my weird of identifying of packaging everybody together and trying to get it to work and get it out there as much as possible. He thought it was really cool. And we talked about it a  bit. And then at the end of 2013 was when the ANT catalog was released. Who remembers the ANT catalog? Anyone. That was interesting stuff from NSA, what weird toys that they sell and different parts of the intelligence community. Great stuff. Anyway, that brings us up to 2014. What was that? Okay. Well  ‑ ‑ it is  ‑ ‑ there. Yeah. So  ‑ ‑ in 2014. This was the birth of the NSA playset here. It was great. We, after the ANT catalog came out Mike was like remember that crazy playset idea, like  ‑ ‑ like, he thought of the stuff with the reflectors and things, that was cool. He wants to make a  bunch of these things. That would be rad to pull things together and actually see how much could be built. That was really exciting. I talked to Joe and a bunch of other people and like other weird things we could do and things that looked like they were pretty feasible. And so  ‑ ‑ yeah. Everything started to come together. Mike gave the first talk at hack in the box in Amsterdam. And we tried to recruit a  few people. Our mailing list is growing and growing. 150 members of the mailing list right now. That's pretty great. What we really tried to focus on with the playset stuff is making it as easy as possible to use so that it is just as  ‑ ‑ accessible as possible. And then also reducing the cost and making it more accessible. As many people can play with it as possible. The motto I have been saying over and over, if a  10‑ year‑ old can't do it, it doesn't count. So because it  ‑ ‑ things don't really get fixed until they are actually extremely accessible. That's kind of a  bummer. Because eve one all of the great work that Carson and people did, I mean, the  ‑ ‑ we're still using a lot of the like crazy terrible cryptography, and the fixes Carson has recommended to the carriers have not been implemented. So that's kind of a  bummer. >>So  ‑ ‑ with the, with the NSA playset, it is actually sort of three separate things. And I'll go over one of them and dean will go over the other two. In general, what we have done so far with NSA playset and GSM. We have air probe working with essentially after major SDR out there, through the asthma SDR. That basically gives us a  single interface that supports the hacker, the RTL, SDR, the USRP. Without having to worry about from our code what the back end is, what our signal source is. We've improved the signal tracking a  bit. There was a lot of problem with  ‑ ‑ drift, especially with the cheaper RT SDRs. So frequency code has been improved a  bit. The cracking A5/1 tables and indexes have gone ahead and been put on a  single external USB3 hard drive. It's basically plug‑ and‑ play with the tracking program on any Linux machine at this point. It also works on OS X in some cases. And also an environment based upon limits that has been upgraded with  ‑ ‑ the ah, new radio 3.7 and a bunch of GSM‑ specific tools. Oh, and we also imported the air probe GSM to work with 3.7. So the bootable environment, you know, of course, it comes with every challenge with it, and, of course, comes with the improved GSM receiver, it comes with, which is what you use to actually listen for traffic. CCCH scan, for the codes, it comes with binaries and various other tools to calibrate and stuff like that. So the first of the NSA playset GSM tool. This one is not complete yet. It is not ready to be released is twilight vegetable. It a  system that basically you turn on your machine and eventually you're going to start getting dumps of all of the voice messages or all of the voice traffic and SMS traffic that is within range for you. The sources are basically any of the SDR supported by asthma SDR as well as the DB and Samsung gallery devices. The BB is any phone and then the Samsung galaxy devices use something like X gold that uses the debugging feature in the devices for traffic. Basically twilight vegetables detect the sending and dumping traffic to the essential service. That essential services handing all of the description and stuff like that. It is necessary as well as to decoding data. Let's see, so basic overview of the system. You have the capture clients the SDRs and BBs. Those just send the data to the central dispatcher, which basically consists of database server that we store stuff like session keys, mapping and a  bunch of custom software that is written around the database and send requests  out to run statistical analysis on the encrypted data to detect, you know, what type of plain text we think it is. And then, of course, kraken itself, which is executable index files and tables. With the potential to have that load balance so that there's, so that kraken definitely has a  speed limit. You can go ahead and get around that using multiple instances. So the UM interface capture device is basically one of these would  ‑ ‑ we have it mostly, but one of these is written for each type of device, one for the DSR. One for gold, and one for DB. If a  new UM interface that is the radio side of things capture device comes out, it should be able to be added relatively simply either by writing the writer or hopefully DR supports it. So each of these is responsible for listening one or more, or A RSD N, the radio frequency channel numbers. Think of them as frequencies there is a map between the member and a given frequency and the GSM band. And what it does it goes ahead and detects any what are called immediate channel assignment messages. These basically say, hey I need you to switch to a  new channel and most likely going to send you encrypted data. So when the phone receives this, it switches that new channel and the first message that is usually sent is a  crypto message we know what that looks like. It is a known plain text. We can use it with kraken to go ahead and crack the rest of the traffic. So when it sees that channel assignment message it goes ahead and starts capturing all of the data on that channel. Once that channel is released or that channel is reassigned, sometimes the channel release messages themselves are encrypted, we cannot detect that until we crack it. It goes ahead and ends the capture file  ‑ ‑ sorry  ‑ ‑ ends the capture file and submits it to the central dispatcher. What it submits is the error FCN. The temporary mobile subscriber identify, the network information, that is your mobile country code and mobile network code, cell ID and signal‑ to‑ noise ratio. Which is important to tell if a  packet is likely to have corrupted data tin or not. And then as well it sends the  ‑ ‑ actual channel data that it has captured. So when the submits that to the central dispatcher  ‑ ‑ where's the next slide? The central dispatcher goes ahead and  ‑ ‑ um, writes multiple functions. Basically it takes it in, puts it in a file store, enters the submitted data into a  database linking to the file, the file in the file store, and then runs statistical analysis on the packets to see which one we know are plain text. Some of that is very simple. This is if first packet. We know it is a crypto packet. Some of that is a  ‑ ‑ um, for instance, a system information 5 message, which we can, by looking at the plain text version of it, we know what the crypto version of it and detect whether or not it send a  message with high likelihood based upon comparison with the rest of the encrypted messages in a  sense. So it also goes ahead and stores any cracked keys that it gets back from crack one the associated keys. Keys are used, reused for a  given session. So we're able to go ahead and immediately encrypt any data using that "TMZ" in the future. Then also want it gets back a  key and it is able to decrypt the data, it goes ahead and parses through looking for SMS and voice messages. And then writes them out to disk for you. With an associated MZ if it is detected in MZs. They are not sent very often. So that's sort of the glue that holds everything together. The next part of that is kraken, which we will cover more later. But kraken  ‑ ‑ when it  ‑ ‑ it is able to be run in server mode and supports asynchronis operation, so we can submit a  bunch of binary sequences to it. As it is able to match those and give us back potential keys we can check those keys in whatever order they are returned. There is also the potential to go ahead and run multiple instances in parallel using load balancing to allow the kraken cloud to be built. So our kit for twilight vegetable that was sold used is a  USB key and a nano SDR. The USB key is nice and fast. It is customized with GSM tools. Oh, and the second line is being covered. Anyway, being  ‑ ‑ it's, you do have to put in persistent code to get the binary system built on it. We'll go ahead and be released further updates on it as we improve the system. Then we're also  ‑ ‑ including this, nano SDR. It is extremely tiny. Give you an idea. This is the RTLSDR. And I mean that is about as small as you're going to get for software defined radio that I have seen. They are really cheap. They are $20. They have improved the crystals and capacitors and they come from a  company that specializes in doing RTL, SDR stuff, not just T.V. tuners. So this specific device, from 25  megahertz. Higher bands such as the 1800 GSM band and another bands I mentioned. The 850 band. And the connector on it is standard MCX. Whatever active antenna or better antenna you manage to find, you don't have to deal with weird issues. This is really nice. There is a few things about them. I want to give them a shout out, they went ahead and wrote nano SDRs. Free swag is always good. They have improved electronics and gave you guy as discount code. It is good through the end of August. Most important, for a lot of you guys they had bit coin for software defined radio purchases. That's also sort of advantageous. And they work with other SDR stuff. So they have more than just this in stock. They know what they're talking about if you have any questions about if you can use a  given SDR device for a  given purpose. So that  ‑ ‑ that brings us to the next segment, which pierce will take care of? >> Did you get the SDR? Good stuff. It is pretty much a  16 gig USB if you have one of your own the  ‑ ‑ image will be on the left. It is like 7 gigs or something, so it might be hard to download at the hotel. But  ‑ ‑ when you get home download the image and make it  yourself. And we will be releasing updates. Okay. So who here remembers the genesis handset? It was the, it was like, it was like a  telephone, right? That is because it pretty much is, a  Motorola sliver L9. If you look at the picture there. Elevated modifications, I guess they added memory to it and different SDR components. Essentially it is a  little portable thing. NSA had genesis. I thought it would be good to make  ‑ ‑ how do I get that out? Yeah. No. Click. Yeah. Yeah. So we made this handset. So  ‑ ‑ and  ‑ ‑ so this is, I mean, it  ‑ ‑ it looks like a  regular Motorola phone, that is because it is. You can buy these all over eBay. It is crazy stuff. This is the Motorola C139 phones. So if you ever looked into VD it is a  really great project. Everyone should look into it. All of the documentation and talks, everything that you ever see about them talks about the C123. Because of that and because of all of the great information that have been found with the 123, they are kind of expensive to buy on ebay. They go for $200  sometimes for the $5phones. The 123 is good in Europe, but the 139s are made for the U.S. And they work really well in the United States and they work really well with all of the OSMOCOM tools. If you're on eBay buying phones by the 139 it is great. So  ‑ ‑ the in addition to that, you also need this custom SD cable that talks serial over the micro audio port that is in the thing. So you are pretty much connected up and then all of the tools work with it. Also one thing that I didn't quite realize until I started playing with it. The firmware that you put onto the phones actually exists only inswww memory. You are typically not supposed to persistently put the things on the phone. So what happens you turn your phone off and back on it is a  regular cell phone, that's great. So as part of the handset I wanted to throw good demos on the USB. If you download USB or managed to acquire one yesterday. I got this tool in the home director. When you boot you boot into persistent mode and all of the tools are in the home directory. RSSI is a firmware that does kind of frequency scanning and  ‑ ‑ it is pretty neat. So dot/RSSI it loads the frequency scanner. I will have a  demo of that in a  second here. I also wanted to show off some actual, you know, live GSM packet dumping. So I put on this layer one pushes a  special image to your phone that essentially turns it into a‑ ‑ like a  GSM kind of gateway functional thing. It is a layer one kind of device that you can do all of your typical, like, a.m., you know, cell phone tower, whatever, dialing, whatever. You transmit it to layer one and it spits it out GSM over the network. And then the CCCH scan. I have it modified with a burst and patch, if anybody knows what that is. It allows for a lot of GSM dumping and raw GSM traffic on the network. That is great. And then wire tracking can navigate. That is good stuff. I had a  couple of problems if anybody saw me trying to demo the stuff yesterday. For some reason Def Con made it so my console device was not TTYSO. It turned into like  ‑ ‑ S4 or whatever. So I added the shell scripts and everything works fine. I had two more phones I didn't want to sell it, they were not working right. But I got them working. I added the control strip. I don't know. And also all of the charging is done in software on the phones. It is usually not a  good idea to  ‑ ‑ delete a  continuously charging when it is plugged in. It might not be as good as the actual official charging software that is on there. And sometimes it will overheat, sometimes they will not really charge. Things like that. I also really wanted to enable BB stuff happening in the United States. There's a  really great tool that Carson related last year called GSM map. GSM map was a  bootable USB stick you put up to it, you plug in your phone and hit the button and it takes surveys of the GSM networks around and you figures out the security features they are using and packages they applied and what they are doing. It up loads the data. So if you go to GSM map.com, you will see a  full map of the security technologies over time. It is pretty much entirely Europe, Europe has all of the data sources. There is like three data sources in the U.S. Everyone who gets the phones should contribute to the project. It is really great and it is really good to see  security every time. So like I said, search eBay for the 139. The TracFones have a  newer firmware on it. You can still  ‑ ‑ there are ways to bypass it, but if you want to do the easy way, buy these phones. They work great out of the box. A  guy that I work with, reed, he makes crazy modified hardware and sells them on eBay. So you can look him up on eBay or e‑ mail him directly. You can charge, and turn your phone into a  base station, doing all sorts of fun stuff. So another part of the project is the drizzle chair. This is a tiny hard drive. This is 2 terabytes. Like the tables that came out. People were thinking 2 terabytes how many things will I need to do that. Now, it is simple USB things you can buy them for under $100. And the first idea justs have all of the tools. One thing to know the tables are in the partition, you cannot download the fires into a  device. You have to download the files and use a  tool to insert them. If you buy one of these on‑ line make sure that you have a hard drive in your computer if you downloading it. You do need two, one to download to and one to transfer them to afterwards. So keep that in mind. And essentially what it does, you can see cipher text off of the network. There is a lot of traffic that's very, very predictable in GSM. What you do, you find a  packet that looks like a  packet that you recognize and then you do work between the two. What you get is the raw A51 stream. With the raw A5/1 stream, you copy and paste it into kraken and kraken goes through the rainbow table thing and looks for a  result and then dumps it out when it finds it. Then you can use either tool to decrypt. >> Seeing any signal? >> I might have to reboot to do that. So what I'm doing now is just booting up off of the USB. I sold a  whole a  bunch yesterday. The exact same USB stick you could download from the Internet to make your own. And, let's see. The thing is, it pretty much just has a  straight Cali boot disk with the resistant image. So it is a  ‑ ‑ it is Cali 108, which was release a few days ago. And than it is just a  home directory full of tools all of the tools do the sniffing, the decrypting, the cracking and  ‑ ‑ have  ‑ ‑ things like pineapple kind of installed that kind of work. And all of the air pro stuff that is a pain to compile on all of the different systems. The maintenance is not as good as it could be for all of the tools that are there. Let's see. Hopefully it starts up now. So yeah. We just got all of the  ‑ ‑ yeah  ‑ ‑ ah. It was working in the demo room. I don't know. There's  ‑ ‑ yeah. Try that. Okay. So we might not have a  demo that looks like  ‑ ‑ the projector is not working the way it did in the demo room. But we might be able to show stuff on your laptop? Okay. Yeah. Yeah. Okay. Hmm. Let's see if this works. Okay. It is very small. It takes a long time to run. It will calibrate and scan through frequencies all of the possible frequencies for a  given GSM and tell you which channels are active. So I ran that and it told me that the  ‑ ‑ test area was  ‑ ‑ 180 which is A69.4. The scientific notation. And anyway, if we go ahead and run this, this is using the little nano SDR with this thing. It will start scanning  ‑ ‑ so it is going to find the only device on the system. Then if we flip over to Wireshark I have a filter in here right now that just shows immediately channel assignments and these are the ones that are important for when you are trying to capture encrypted data. So you can see it has captured five of them so far. And  ‑ ‑ ah  ‑ ‑ not going to be able to show you too much. But  ‑ ‑ so you got your header telling you the channel it is on and stuff like that and then you immediate assignment data itself, which contains a channel description that tells you, hey, I now need to start capturing on zero, usually it is channel one through seven must be control traffic and be encrypted. It really is that simple to start looking at GSM data in Wireshark. If I remove the filter, um, let's see, you'll see that it sends it to a  given port, that port is not open now, but everyone  ‑ ‑ GSM tap messages is coming through and that's being captured live off of the air. So quick demo of that for you guys. Do we want to  ‑ ‑ do  ‑ ‑ that? Yeah. If anybody wants to stay afterwards you can come up and see the script. We have flags also. So throw out your thing first? Any questions? Good questions get good swag. Bad questions get heavy things. So  ‑ ‑ yes? How long? Two minutes. Okay. Two minutes. 45? So we'll be in the chill out cafe for Q & A. If you got good questions you get SDRs. Ask us questions. Thank you very much.