gsm debugging
play

GSM Debugging Karsten Nohl, nohl@srlabs.de Karsten Nohl, - PowerPoint PPT Presentation

Apr 03, 2024 •871 likes •1.07k views

GSM Debugging Karsten Nohl, nohl@srlabs.de Karsten Nohl, nohl@srlabs.de Dieter Spaar, spaar@mirider.augusta.de Dieter Spaar, spaar@mirider.augusta.de Industry responds to GSM cracking attempts by creating new challenges the GSM call has

  1. GSM Debugging Karsten Nohl, nohl@srlabs.de Karsten Nohl, nohl@srlabs.de Dieter Spaar, spaar@mirider.augusta.de Dieter Spaar, spaar@mirider.augusta.de

  2. Industry responds to GSM cracking attempts by creating new challenges “ the GSM call has to be identified and recorded from the radio interface. [] we strongly suspect the team developing the intercept approach has underestimated its practical complexity . A hacker would need a radio receiver system and the signal processing software necessary to process the raw radio data. ” – GSMA, Aug. ‘ 09 This talk demonstrates signal processing software to decode GSM uplink and downlink signals Source: GSMA press statement

  3. Agenda  GSM communication basics  Downlink sniffing: It works!  Uplink sniffing: Getting close

  4. GSM calls are transmitted encrypted over unpredictable frequencies Down- link Phone, Ok, Beacon Uplink are you switch channel channel here? Yes, Encrypted I am You are Switch to Control Start being hopping encryp- channel called channels tion OK OK Unpredictable Traffic Voice Voice hopping channel Voice Voice Voice Voice Voice Voice

  5. GSM spectrum is divided by operators and cells GSM 900 Operator One cell Channels of brand allocation allocation one call 960 MHz Downlink Cell allocations an hopping sequences 925 MHz should be spread over the available 915 MHz spectrum for noise resistance and increased sniffing Uplink efforts 880 MHz

  6. GSM debugging tools have vastly different sepctrum coverage Frequency coverage GSM debugging tools [sniffing bandwidth] GSM 900 Channels of OsmocomBB USRP-1 USRP-2 Commercial band one call [200 kHz] [8MHz] [20MHz] FPGA board [50 MHz] Downlink Uplink Focus of this talk

  7. Agenda  GSM communication basics  Downlink sniffing: It works!  Uplink sniffing: Getting close

  8. Demo: Downlink sniffing.

  9. Open source components fit together in debugging GSM calls GnuRadio Airprobe Kraken Airprobe records data parses con- cracks A5/1 decodes from air trol data key voice Requires Requires  Software radio, ie. USRP  2TB of rainbow tables  Recommended for uplink:  CPU or ATI graphics card  SSD/RAID for fast cracking BURX board 8

  10. Agenda  GSM communication basics  Downlink sniffing: It works!  Uplink sniffing: Getting close

  11. Downstream can be recorded from large distances • Uplink is 10-30dB weaker than downlink • Handset is typically in a much less “radio visible” position Downlink recor- ding range: 5 – 35km Uplink recor- ding range: 100-300m 10

  12. Uplink sniffing is a challenging RF problem Uplink complications  Lower sending power strength than downlink Weaker signal  Phones are hidden in buildings or in street gutter with higher  The phone varies its send variability power to save on battery  Phone might move causing varying signal strength

  13. USRP+Airprobe provide the base for an open source uplink sniffer Sniffed with USRP-1 and two daughter- boards for uplink / downlink

  14. Demo: Uplink sniffing.

  15. Engineering challenges remain towards reliable uplink sniffing  Synchronization between uplink and downlink in Airprobe is not yet reliable (work in progress)  Planned enhancements: 1. Better demodulation algorithm 2. Support for hopping channels  There is plenty to do — Your chance to start contributing to the growing pool of GSM tools!

  16. Demo: Key cracking.

  17. Randomized padding would mitigate attack potential Trace of SDCCH downlink 238530 03 20 0d 06 35 11 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 238581 03 42 45 13 05 1e 02 ea 81 5c 08 11 80 94 03 98 93 92 69 81 2b 2b 2b 238613 00 00 03 03 49 06 1d 9f 6d 18 10 80 00 00 00 00 00 00 00 00 00 00 00 238632 01 61 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 238683 01 81 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 238715 00 00 03 03 49 06 06 70 00 00 00 00 00 04 15 50 10 00 00 00 00 0a a8 238734 03 84 21 06 2e 0d 02 d5 00 63 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 238785 03 03 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b Randomization was specified in Padding in GSM Every byte of randomized 2008 (TS44.006) and should be has traditionally padding increasing attack implemented with high priority been predictable cost by two orders of Additionally needed: randomi- (2B) magnitude! zation of system information msg. 16

  18. Open research into GSM security grows exponentially and so will the attacks $YOUR_PROJECT OsmoconBB: phone firmware HLR tracking of phone users GSM Security Project: A5/1 decrypt tool OpenBSC: Controller for base stations OpenBTS: Full base station emulation CryptoPhone et al.: End-to-end encryption on phones 2006 ‘ 07 ‘ 08 ‘ 09 ‘ 10 ‘ 11 ‘ 12

  19. Questions? GSM project supported by Airprobe, Kraken srlabs.de Karsten Nohl nohl@srlabs.de Dieter Spaar spaar@mirider.augusta.de

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and

Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and

Chapter 15 Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and set values in memory Execute portions of program Stop execution when (and where) desired Want debugging tools to operate on

274 views • 9 slides
Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production

Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production

Welcome to Advanced .NET Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production Challenges in debugging Production issues Production Environment Debugging Timeline Tools for .NET Debugging Review 3

622 views • 47 slides
Visual Debugging Software What is Debugging Visualization Visualizing

Visual Debugging Software What is Debugging Visualization Visualizing

Visual Debugging Software What is Debugging Visualization Visualizing Program State Incremental interactive unfolding (DDD) Visual Memory Abstract representations (traversal-based) Debugging Focusing: memory

433 views • 5 slides
Debugging Techniques for C Programs Debugging Basics Will focus on the gcc/gdb combination.

Debugging Techniques for C Programs Debugging Basics Will focus on the gcc/gdb combination.

Debugging Techniques for C Programs Debugging Basics Will focus on the gcc/gdb combination. Will also talk about the ddd gui for gdb (lots of value added to gdb). First, debugging in the abstract: Program state is a snapshot

475 views • 20 slides
1 Crashes, interrupts, and backtrace Watchpoints GDB will automatically stop if the program

1 Crashes, interrupts, and backtrace Watchpoints GDB will automatically stop if the program

Debugging and debuggers Debugging in the development cycle You have probably already had the experience of making Edit a mistake in a program Speaking roughly, debugging is the process: After you know that your code is wrong

911 views • 3 slides
Coroutines Update Seva Tolstopyatov @qwwdfsad October 13, 2020 Coroutines debugging Coroutines

Coroutines Update Seva Tolstopyatov @qwwdfsad October 13, 2020 Coroutines debugging Coroutines

Kotlin 1.4 Online Event Coroutines Update Seva Tolstopyatov @qwwdfsad October 13, 2020 Coroutines debugging Coroutines debugging Coroutines debugging Coroutines debugging Coroutines debugging IDEA 2020.1 Coroutines debugging Debugging

737 views • 41 slides
Scalable Post-Mortem Debugging Abel Mathew CEO - Backtrace amathew@backtrace.io @nullisnt0

Scalable Post-Mortem Debugging Abel Mathew CEO - Backtrace amathew@backtrace.io @nullisnt0

Scalable Post-Mortem Debugging Abel Mathew CEO - Backtrace amathew@backtrace.io @nullisnt0 Debugging or Sleeping? Debugging Debugging: examining (program state, design, code, output) to identify and remove errors from software.

464 views • 31 slides
Advanced Production Debugging About Me Co-founder Takipi, JVM Production Debugging. Director,

Advanced Production Debugging About Me Co-founder Takipi, JVM Production Debugging. Director,

Advanced Production Debugging About Me Co-founder Takipi, JVM Production Debugging. Director, AutoCAD Web & Mobile. Software Architect at IAI Aerospace. Coding for the past 16 years - C++, Delphi, .NET, Java. Focus on real-time,

460 views • 35 slides
Embedded Software TI2726-B 8. Debugging techniques Koen Langendoen Embedded Software Group

Embedded Software TI2726-B 8. Debugging techniques Koen Langendoen Embedded Software Group

Embedded Software TI2726-B 8. Debugging techniques Koen Langendoen Embedded Software Group Grace Hopper 1947 2 Overview Debugging techniques Debugging a distributed system Preparation for the exam Debugging Write good code!

733 views • 45 slides
Kernel Debugging and Virtualization John Baldwin January 15, 2015 What is Kernel Debugging

Kernel Debugging and Virtualization John Baldwin January 15, 2015 What is Kernel Debugging

Kernel Debugging and Virtualization John Baldwin January 15, 2015 What is Kernel Debugging Step in Kernel Development Post-Mortem Crash Analysis Live Inspection Performance Analysis Userland Debugging Wait, Userland

216 views • 10 slides
Multithreading in Qt Doing it wrong, debugging it, doing it right David Faure

Multithreading in Qt Doing it wrong, debugging it, doing it right David Faure

Multithreading in Qt Doing it wrong, debugging it, doing it right David Faure <david.faure@kdab.com> Outline QThread Debugging race conditions Debugging deadlocks Unit-testing for thread-safety How to use QThread A busy

167 views • 16 slides
Introduction to Debugging with Windbg Module Overview Introduction to Debugging Callstacks and

Introduction to Debugging with Windbg Module Overview Introduction to Debugging Callstacks and

Introduction to Debugging with Windbg Module Overview Introduction to Debugging Callstacks and Symbols Windbg for .NET Debugging Son of Strike (SOS) Review 2 Callstacks and Symbols Anatomy Of A Call Stack (unmanaged) Module &

1.05k views • 45 slides
Debugging; Objects and Graphics Rose-Hulman Institute of Technology Computer Science and

Debugging; Objects and Graphics Rose-Hulman Institute of Technology Computer Science and

Debugging; Objects and Graphics Rose-Hulman Institute of Technology Computer Science and Software Engineering Check out 05-DebuggingObjectsAndGraphics from SVN. Get help if youre stuck. Debugging Debugging includes: Discovering

644 views • 19 slides
Software Engineering for Artificial Intelligence Debugging Constantin Stipnieks & Florian

Software Engineering for Artificial Intelligence Debugging Constantin Stipnieks & Florian

Software Engineering for Artificial Intelligence Debugging Constantin Stipnieks & Florian Busch 25.06.2020 | FB 20 | Reactive Programming & Software Technology | 1 Outline Introduction: Debugging in AI Debugging via

529 views • 50 slides
Introduction to Debugging the Introduction to Debugging the FreeBSD Kernel FreeBSD Kernel May

Introduction to Debugging the Introduction to Debugging the FreeBSD Kernel FreeBSD Kernel May

Introduction to Debugging the Introduction to Debugging the FreeBSD Kernel FreeBSD Kernel May 17, 2008 John Baldwin jhb@FreeBSD.org Introduction Introduction Existing Documentation DDB kgdb Debugging Strategies 2 Existing

640 views • 26 slides
Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many of us need to debug the Linux kernel Proprietary tools like Trace32 and DS-5 are $$$ Open source debuggers like GDB lack kernel

884 views • 40 slides
Understanding Spectrum Speaker: Predrag Spasojevic Students: Haris Kremo, Goran Ivkovic and

Understanding Spectrum Speaker: Predrag Spasojevic Students: Haris Kremo, Goran Ivkovic and

Understanding Spectrum Speaker: Predrag Spasojevic Students: Haris Kremo, Goran Ivkovic and Shridatt Sugrim Co-Advisors: Ivan Seskar, Larry Greenstein, and Melike Gursoy WINLAB Industrial Advisory Board Meeting Spring 2013 Topics ORBIT

611 views • 30 slides
17 Chapter: The Uplink physical resource Uplink reference signals Uplink L1/L2

17 Chapter: The Uplink physical resource Uplink reference signals Uplink L1/L2

3G Evolution Chapter 17 Outline 17 Chapter: The Uplink physical resource Uplink reference signals Uplink L1/L2 control signaling Uplink transmission scheme Uplink transport-channel processing PUSCH frequency hopping

676 views • 12 slides
WiB A New System Concept for DTT Erik Stare, Teracom Dr. Jordi J. Gimnez, UPV Dr. Peter

WiB A New System Concept for DTT Erik Stare, Teracom Dr. Jordi J. Gimnez, UPV Dr. Peter

WiB A New System Concept for DTT Erik Stare, Teracom Dr. Jordi J. Gimnez, UPV Dr. Peter Klenner, Panasonic Europe Ltd Background 1 1992: First IBC in Amsterdam Scandinavian HD-DIVINE project Performed the worlds first HW

603 views • 25 slides
A Network Calculus for Multi-Hop Fading Channels Hussein Al-Zubaidy J org Liebeherr Almut

A Network Calculus for Multi-Hop Fading Channels Hussein Al-Zubaidy J org Liebeherr Almut

A Network Calculus for Multi-Hop Fading Channels Hussein Al-Zubaidy J org Liebeherr Almut Burchard University of Toronto Performance Analysis of Multihop Wireless Network z Cross traffic Cross traffic Cross traffic Through traffic n

659 views • 26 slides
Open-Source Cyber-Physical Network Infrastructure Tobias Betz 2017-12-13 Chair of Network

Open-Source Cyber-Physical Network Infrastructure Tobias Betz 2017-12-13 Chair of Network

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Open-Source Cyber-Physical Network Infrastructure Tobias Betz 2017-12-13 Chair of Network Architectures and Services Department of

565 views • 22 slides
C ATCHING AND U NDERSTANDING GSM SIGNALS Master Thesis Fabian van den Broek Radboud University

C ATCHING AND U NDERSTANDING GSM SIGNALS Master Thesis Fabian van den Broek Radboud University

C ATCHING AND U NDERSTANDING GSM SIGNALS Master Thesis Fabian van den Broek Radboud University Nijmegen 30 March 2010 Some Numbers Some Numbers $ 600 Billion Some Numbers $ 600 Billion 90% of population has coverage Some Numbers

829 views • 54 slides
Recorp: Receiver-Oriented Policies for Industrial Wireless Networks Ryan Brummet*, Octav Chipara,

Recorp: Receiver-Oriented Policies for Industrial Wireless Networks Ryan Brummet*, Octav Chipara,

Recorp: Receiver-Oriented Policies for Industrial Wireless Networks Ryan Brummet*, Octav Chipara, Ted Herman University of Iowa | Mobile Systems Laboratory Industrial Wireless Networks Applications process control systems Workload

459 views • 14 slides
UNIVERSITY OF MANCHESTER School of Computer Science CS3282: Digital communications Barry

UNIVERSITY OF MANCHESTER School of Computer Science CS3282: Digital communications Barry

UNIVERSITY OF MANCHESTER School of Computer Science CS3282: Digital communications Barry Cheetham Section 10 (shortened) Multiple access for wireless communications 4/05/06 CS3282 1 Multiple user access for wireless communications Allow

371 views • 6 slides

More recommend