SlideShare a Scribd company logo

DEF CON 27 - CAMPBELL / MURRAY - gsm we can hear everyone now

Felipe Prado
Felipe Prado

DEF CON 27 - CAMPBELL / MURRAY - gsm we can hear everyone now

Technology
1 of 26
Download to read offline
GSM: WE CAN HEAR EVERYONE NOW! DEFCON 2019 Campbell Murray, Eoin Buckley James Kulikowski, Bartek Piekarski BlackBerry
© 2018 BlackBerry. All Rights Reserved. 22 Biographical Information Eoin Buckley Senior Cybersecurity Consultant Campbell Murray Global Head of BlackBerry Cybersecurity Delivery Bartek Piekarski Senior Cybersecurity Consultant James Kulikowski Senior Cybersecurity Consultant
© 2018 BlackBerry. All Rights Reserved. 33 AGENDA Topic: Vulnerability in GSM and generating an indicator to exploit it • Section 1: Intro to GSM • Section 2: Concept Overview • Section 3: Test Lab Setup & Demonstration • Section 4: Cellular Security Discussion
Introduction To GSM
© 2018 BlackBerry. All Rights Reserved. 55 GSM Introduction • Concept for GSM (digital) started in the late 1980s • Major improvement over AMPS (analogue) • GSM Security has several design issues • Support for key sizes <= 64 bits • Encrypted data contains redundancy • Error control coding before ciphering
© 2018 BlackBerry. All Rights Reserved. 66 GSM Introduction Timeslot - Contains 114 encrypted data Midamble (26 bits) Encrypted data (57 bits) Encrypted data (57 bits) Guard (8.25 bits)Tail (3 bits) Tail (3 bits)Stealing bit 0 1 2 3 4 5 6 7 Multiframe Superframe Hyperframe 1 Hyperframe ~ 3 hours 29 minutes Frame - Contains 8 timeslots Hyperframe - Contains 2,715,648 frames
© 2018 BlackBerry. All Rights Reserved. 77 GSM Introduction GSM based on symmetric encryption - Specified ciphers: A5/1, A5/3 & A5/4 - A5/1 up to 64 bit key - A5/3 up to 64 bit key - A5/4 up to 128 bit key - Note: A5/2 disallowed in 2000’s - NIST guidance: 112 bit security strength - “The use of keys that provide less than 112 bits of security strength for key agreement is now disallowed” A5/X Cipher Frame number Kc Cipherstream
Concept Overview
© 2018 BlackBerry. All Rights Reserved. 99 Concept Overview Message Error Control Codeword Cipherstream Cipher A5/x Ciphertext • Typical GSM Channel Structure with A5/1 • Encryption • Key maximum 64 bits length • Convolutional error control code • Intended to combat noise from wireless channel • Attack uses code to identify cipherstream “noise” Convolutional code
© 2018 BlackBerry. All Rights Reserved. 1010 Concept Overview Message Error Control Codeword Cipherstream Cipher A5/x Ciphertext • High level view of attack • Capture GSM packet • Compute a cipherstream/key indicator • Use convolutional code parameters • Use indicator with a Rainbow table to identify ciphering key • Use indicator as a fingerprint for ciphering key Convolutional code
© 2018 BlackBerry. All Rights Reserved. 1111 Concept Overview Message (184 bits)Conv. Codeword (456 bits) Cipherstream (456 bits) Cipher A5/3 Ciphertext (456 bits) • Demonstration uses SACCH control channel • Compromise of SACCH also compromises voice (same key) • Works for any SACCH message • Indicator/fingerprint is independent of the message • Knowledge of plaintext is not needed Convolutional code SACCH FIRE code (224 bits)
© 2018 BlackBerry. All Rights Reserved. 1212 Concept Overview • Computing the indicator Input m (224 bits) Conv. Code Encrypted Conv. stream c1 (228 bits) Cipher A5/x g1 g2 Encrypted Conv. stream c2 (228 bits) Deconvolve stream c1 & g1 Deconvolve stream c2 & g2 xor streams q1 & q2 Stream q1 (224 bits) Stream q2 (224 bits) Stream q1 xor q2 (224 bits) 1 0 0 1 1 0 0 0 1 …. 1 0 1 0 1 1 0 1 1 …. Conv. Code Parameters • g1: 1 0 0 1 1 • g2: 1 1 0 1 1 Indicator Deconvolution xor
© 2018 BlackBerry. All Rights Reserved. 1313 Concept Overview • The indicator “q1 xor q2” is • Computed using the full convolutional codeword • Need 4x114 bursts • Independent of SACCH message • Fully determined by 1)The cipher stream and 2) Convolutional code • Full indicator length 224 bits • More than sufficient to identify a 64 bit key
Test Lab Setup & Demonstration
© 2018 BlackBerry. All Rights Reserved. 1515 Hardware • Various unlocked cellular devices • 2G compliant Programable SIM cards • PC SmartCard reader/writer • Ettus Research N210 WBX • Mini GPS ref. clock • AirSpy SDR • Various antennas
© 2018 BlackBerry. All Rights Reserved. 1616 Software • RangeNetworks SDMN 7.0.4 • RangeNetworks OpenBTS 7.0.4 • PySIM • GNU Radio 3.7.0 • GR-GSM • GNU Octave 5.1
© 2018 BlackBerry. All Rights Reserved. 1717 Lab Configuration • All GSM testing run under RF isolation • Cipher Mode configured for A5/3 • SACCH random neighbor protection enabled • Random padding filler protection enabled
© 2018 BlackBerry. All Rights Reserved. 1818 GR-GSM Configuration Opening file, parsing, GSM signal processing Output to wireshark Kc/None A5/x • Raw data filtered into files. • Process relevant timeslot file to produce indicator
© 2018 BlackBerry. All Rights Reserved. 1919 Considerations in Mounting Attack • Small key size: A5/1 & A5/3 • Key length up to 64 bits • NIST guidance: 112 bit security strength for key agreement • Rainbow table computation • Estimates based on 1 rig (4x NVIDIA GTX1080) proof-of-concept using opencl • A5/1, 64 bit key: Obtain 10% coverage using 500 rigs for 200 days • A5/3, 1 epoch, 64 bit key: Obtain 10% key coverage using 500 rigs for 263 days
Cellular Security Discussion
© 2018 BlackBerry. All Rights Reserved. 2121 Cellular Security • Indicator attack possible in GSM voice: • Small key size (e.g. At most 64 bits for A5/1 & A5/3) • Up to 64 bit key size for A5/1 & A5/3 • NIST guidance: 112 bit security strength for key agreement • Ciphering performed after error control coding • Additional attacks on GSM include: • Karsten Nohl (DEFCON 2010) “Attacking phone privacy” • Barkan et al. 2006 “Instant Ciphertext-only Cryptanalysis of GSM encrypted communication” • False Basestation attacks
© 2018 BlackBerry. All Rights Reserved. 2222 Cellular Security • Beyond GSM into 3G-to-5G: • Reduced security risk • Minimum encrypting key size of 128 bits • Error control coding applied after encryption not before • Cellular industry actively studying solutions for GSM security • 3GPP TR 33.809 v0.5.0 “Study on 5G Security Enhancements against False Basestations”
Q&A Thank You
Appendix
© 2018 BlackBerry. All Rights Reserved. 2525 Appendix Consider the addition of the A5/x cipherstream to the codeword ▪ Separate cipherstream into portion xor’d for conv code output 1 & 2 ▪ Let output 1 cipherstream be: s1 ▪ Let output 2 cipherstream be: s2 Denote the resulting ciphertext portions as: ▪ c1 = s1 + p1 = s1 + m*g1 ▪ c2 = s1 + p2 = s2 + m*g2 Message m p1 Conv. Code (1st half of A5/x output) s1 c1 s2 (2nd half of A5/x output) p2 c2
© 2018 BlackBerry. All Rights Reserved. 2626 Appendix The key to the attack is that the ciphertext portions can also be divided by g1 & g2 respectively for quotient q1 & q2 ▪ C1 = s1 + p1 = s1 + m*g1 = (q1*g1 + r1) + m*g1 ▪ C2 = s2 + p2 = s2 + m*g2 = (q2*g2 + r2) + m*g2 Rearranging c1&c2 we can now write ▪ C1 = (q1*g1 + r1) + m*g1 = (q1 + m)*g1 + r1 ▪ C2 = (q2*g2 + r2) + m*g2 = (q2 + m)*g2 + r2 By deconvolving the ciphertext c1&c2 by g1&g2 respectively we can product the quotients ▪ (q1+m) ▪ (q2+m) Adding these quotients generates (q1+q2) which is independent of the “m” : ▪ (q1+m) + (q2+m) = (q1+q2)

Recommended

SlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice EncryptionSlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice EncryptionSlingSecure Mobile Encryption
 
Voice encryption for gsm using arduino
Voice encryption for gsm using arduinoVoice encryption for gsm using arduino
Voice encryption for gsm using arduinoiruldaworld
 
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM SystemLabmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM SystemSyuan Wang
 
PrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateWave Italia SpA
 
Network Security Through FIREWALL
Network Security Through FIREWALLNetwork Security Through FIREWALL
Network Security Through FIREWALLTheCreativedev Blog
 
Encrypted Voice Communications
Encrypted Voice CommunicationsEncrypted Voice Communications
Encrypted Voice Communicationssbwahid
 
BACnet/SC: A Secure Alternative to BACnet/IP
BACnet/SC: A Secure Alternative to BACnet/IP BACnet/SC: A Secure Alternative to BACnet/IP
BACnet/SC: A Secure Alternative to BACnet/IP Cimetrics Inc
 
IoT Workshop with Sigfox & Arduino - Copenhagen Business School
IoT Workshop with Sigfox & Arduino - Copenhagen Business SchoolIoT Workshop with Sigfox & Arduino - Copenhagen Business School
IoT Workshop with Sigfox & Arduino - Copenhagen Business SchoolNicolas Lesconnec
 

Recommended

SlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice EncryptionSlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice EncryptionSlingSecure Mobile Encryption
 
Voice encryption for gsm using arduino
Voice encryption for gsm using arduinoVoice encryption for gsm using arduino
Voice encryption for gsm using arduinoiruldaworld
 
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM SystemLabmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM SystemSyuan Wang
 
PrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateWave Italia SpA
 
Network Security Through FIREWALL
Network Security Through FIREWALLNetwork Security Through FIREWALL
Network Security Through FIREWALLTheCreativedev Blog
 
Encrypted Voice Communications
Encrypted Voice CommunicationsEncrypted Voice Communications
Encrypted Voice Communicationssbwahid
 
BACnet/SC: A Secure Alternative to BACnet/IP
BACnet/SC: A Secure Alternative to BACnet/IP BACnet/SC: A Secure Alternative to BACnet/IP
BACnet/SC: A Secure Alternative to BACnet/IP Cimetrics Inc
 
IoT Workshop with Sigfox & Arduino - Copenhagen Business School
IoT Workshop with Sigfox & Arduino - Copenhagen Business SchoolIoT Workshop with Sigfox & Arduino - Copenhagen Business School
IoT Workshop with Sigfox & Arduino - Copenhagen Business SchoolNicolas Lesconnec
 
PriveComms PriveIN mesh digital operation field overview 2020
PriveComms PriveIN mesh digital operation field overview 2020PriveComms PriveIN mesh digital operation field overview 2020
PriveComms PriveIN mesh digital operation field overview 2020Arimo Koivisto
 
Benefits of SIP Trunking
Benefits of SIP TrunkingBenefits of SIP Trunking
Benefits of SIP TrunkingIntelePeer
 
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksOmer Coskun
 
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisP1Security
 
BACnet/IP good field implementation practices
BACnet/IP good field implementation practicesBACnet/IP good field implementation practices
BACnet/IP good field implementation practicesCimetrics Inc
 
Sigfox + Arduino MKRFOX Workshop
Sigfox + Arduino MKRFOX WorkshopSigfox + Arduino MKRFOX Workshop
Sigfox + Arduino MKRFOX WorkshopNicolas Lesconnec
 
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolDo-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolMartin Vigo
 
Forti wifi
Forti wifiForti wifi
Forti wifiLan & Wan Solutions
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceFatih Ozavci
 
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceI N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceSuhas Desai
 
Windows Mobile Enterprise Security Best Practices
Windows Mobile Enterprise Security Best PracticesWindows Mobile Enterprise Security Best Practices
Windows Mobile Enterprise Security Best PracticesJohn Rhoton
 
Sigfox x Arduino Workshop
Sigfox x Arduino Workshop Sigfox x Arduino Workshop
Sigfox x Arduino Workshop Nicolas Lesconnec
 
Sigfox World Expo - Advanced Workshop
Sigfox World Expo - Advanced WorkshopSigfox World Expo - Advanced Workshop
Sigfox World Expo - Advanced WorkshopNicolas Lesconnec
 
Matrix Telecom Solutions: SETU VGB - Fixed VoIP to GSM/3G-ISDN BRI Gateway
Matrix Telecom Solutions: SETU VGB - Fixed VoIP to GSM/3G-ISDN BRI GatewayMatrix Telecom Solutions: SETU VGB - Fixed VoIP to GSM/3G-ISDN BRI Gateway
Matrix Telecom Solutions: SETU VGB - Fixed VoIP to GSM/3G-ISDN BRI GatewayMatrix Comsec
 
BLUETOOTH SECURITY
BLUETOOTH SECURITYBLUETOOTH SECURITY
BLUETOOTH SECURITYJay Nagar
 
Wi fi-security-the-details-matter
Wi fi-security-the-details-matterWi fi-security-the-details-matter
Wi fi-security-the-details-matterDESMOND YUEN
 
Technical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - englishTechnical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - englishPrivateWave Italia SpA
 
Key scan wireless reciever
Key scan wireless recieverKey scan wireless reciever
Key scan wireless recieverDavid Burnett
 
Fortinet FortiOS 5 Presentation
Fortinet FortiOS 5 PresentationFortinet FortiOS 5 Presentation
Fortinet FortiOS 5 PresentationNCS Computech Ltd.
 
Security Issues In Voip
Security Issues In VoipSecurity Issues In Voip
Security Issues In VoipWaqas Daar
 
M08 protecting your message data in IBM MQ with encryption
M08 protecting your message data in IBM MQ with encryptionM08 protecting your message data in IBM MQ with encryption
M08 protecting your message data in IBM MQ with encryptionRobert Parker
 
Webinar Renesas - IoT é Segura? Com Renesas Synergy sim! E o SSP 1.5 tornou a...
Webinar Renesas - IoT é Segura? Com Renesas Synergy sim! E o SSP 1.5 tornou a...Webinar Renesas - IoT é Segura? Com Renesas Synergy sim! E o SSP 1.5 tornou a...
Webinar Renesas - IoT é Segura? Com Renesas Synergy sim! E o SSP 1.5 tornou a...Embarcados
 

More Related Content

What's hot

PriveComms PriveIN mesh digital operation field overview 2020
PriveComms PriveIN mesh digital operation field overview 2020PriveComms PriveIN mesh digital operation field overview 2020
PriveComms PriveIN mesh digital operation field overview 2020Arimo Koivisto
 
Benefits of SIP Trunking
Benefits of SIP TrunkingBenefits of SIP Trunking
Benefits of SIP TrunkingIntelePeer
 
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksOmer Coskun
 
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisP1Security
 
BACnet/IP good field implementation practices
BACnet/IP good field implementation practicesBACnet/IP good field implementation practices
BACnet/IP good field implementation practicesCimetrics Inc
 
Sigfox + Arduino MKRFOX Workshop
Sigfox + Arduino MKRFOX WorkshopSigfox + Arduino MKRFOX Workshop
Sigfox + Arduino MKRFOX WorkshopNicolas Lesconnec
 
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolDo-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolMartin Vigo
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceFatih Ozavci
 
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceI N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceSuhas Desai
 
Windows Mobile Enterprise Security Best Practices
Windows Mobile Enterprise Security Best PracticesWindows Mobile Enterprise Security Best Practices
Windows Mobile Enterprise Security Best PracticesJohn Rhoton
 
Sigfox World Expo - Advanced Workshop
Sigfox World Expo - Advanced WorkshopSigfox World Expo - Advanced Workshop
Sigfox World Expo - Advanced WorkshopNicolas Lesconnec
 
Matrix Telecom Solutions: SETU VGB - Fixed VoIP to GSM/3G-ISDN BRI Gateway
Matrix Telecom Solutions: SETU VGB - Fixed VoIP to GSM/3G-ISDN BRI GatewayMatrix Telecom Solutions: SETU VGB - Fixed VoIP to GSM/3G-ISDN BRI Gateway
Matrix Telecom Solutions: SETU VGB - Fixed VoIP to GSM/3G-ISDN BRI GatewayMatrix Comsec
 
BLUETOOTH SECURITY
BLUETOOTH SECURITYBLUETOOTH SECURITY
BLUETOOTH SECURITYJay Nagar
 
Wi fi-security-the-details-matter
Wi fi-security-the-details-matterWi fi-security-the-details-matter
Wi fi-security-the-details-matterDESMOND YUEN
 
Technical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - englishTechnical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - englishPrivateWave Italia SpA
 
Key scan wireless reciever
Key scan wireless recieverKey scan wireless reciever
Key scan wireless recieverDavid Burnett
 
Fortinet FortiOS 5 Presentation
Fortinet FortiOS 5 PresentationFortinet FortiOS 5 Presentation
Fortinet FortiOS 5 PresentationNCS Computech Ltd.
 
Security Issues In Voip
Security Issues In VoipSecurity Issues In Voip
Security Issues In VoipWaqas Daar
 

What's hot (20)

PriveComms PriveIN mesh digital operation field overview 2020
PriveComms PriveIN mesh digital operation field overview 2020PriveComms PriveIN mesh digital operation field overview 2020
PriveComms PriveIN mesh digital operation field overview 2020
 
Benefits of SIP Trunking
Benefits of SIP TrunkingBenefits of SIP Trunking
Benefits of SIP Trunking
 
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
 
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
 
BACnet/IP good field implementation practices
BACnet/IP good field implementation practicesBACnet/IP good field implementation practices
BACnet/IP good field implementation practices
 
Sigfox + Arduino MKRFOX Workshop
Sigfox + Arduino MKRFOX WorkshopSigfox + Arduino MKRFOX Workshop
Sigfox + Arduino MKRFOX Workshop
 
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolDo-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
 
Forti wifi
Forti wifiForti wifi
Forti wifi
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
 
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceI N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
 
Windows Mobile Enterprise Security Best Practices
Windows Mobile Enterprise Security Best PracticesWindows Mobile Enterprise Security Best Practices
Windows Mobile Enterprise Security Best Practices
 
Sigfox x Arduino Workshop
Sigfox x Arduino Workshop Sigfox x Arduino Workshop
Sigfox x Arduino Workshop
 
Sigfox World Expo - Advanced Workshop
Sigfox World Expo - Advanced WorkshopSigfox World Expo - Advanced Workshop
Sigfox World Expo - Advanced Workshop
 
Matrix Telecom Solutions: SETU VGB - Fixed VoIP to GSM/3G-ISDN BRI Gateway
Matrix Telecom Solutions: SETU VGB - Fixed VoIP to GSM/3G-ISDN BRI GatewayMatrix Telecom Solutions: SETU VGB - Fixed VoIP to GSM/3G-ISDN BRI Gateway
Matrix Telecom Solutions: SETU VGB - Fixed VoIP to GSM/3G-ISDN BRI Gateway
 
BLUETOOTH SECURITY
BLUETOOTH SECURITYBLUETOOTH SECURITY
BLUETOOTH SECURITY
 
Wi fi-security-the-details-matter
Wi fi-security-the-details-matterWi fi-security-the-details-matter
Wi fi-security-the-details-matter
 
Technical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - englishTechnical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - english
 
Key scan wireless reciever
Key scan wireless recieverKey scan wireless reciever
Key scan wireless reciever
 
Fortinet FortiOS 5 Presentation
Fortinet FortiOS 5 PresentationFortinet FortiOS 5 Presentation
Fortinet FortiOS 5 Presentation
 
Security Issues In Voip
Security Issues In VoipSecurity Issues In Voip
Security Issues In Voip
 

Similar to DEF CON 27 - CAMPBELL / MURRAY - gsm we can hear everyone now

M08 protecting your message data in IBM MQ with encryption
M08 protecting your message data in IBM MQ with encryptionM08 protecting your message data in IBM MQ with encryption
M08 protecting your message data in IBM MQ with encryptionRobert Parker
 
Webinar Renesas - IoT é Segura? Com Renesas Synergy sim! E o SSP 1.5 tornou a...
Webinar Renesas - IoT é Segura? Com Renesas Synergy sim! E o SSP 1.5 tornou a...Webinar Renesas - IoT é Segura? Com Renesas Synergy sim! E o SSP 1.5 tornou a...
Webinar Renesas - IoT é Segura? Com Renesas Synergy sim! E o SSP 1.5 tornou a...Embarcados
 
Introducing ConnectGuard™ Cloud
Introducing ConnectGuard™ Cloud Introducing ConnectGuard™ Cloud
Introducing ConnectGuard™ Cloud ADVA
 
Embedded SIM New opportunities for security sensitive IoT applications
Embedded SIM New opportunities for security sensitive IoT applicationsEmbedded SIM New opportunities for security sensitive IoT applications
Embedded SIM New opportunities for security sensitive IoT applicationsM2M Alliance e.V.
 
NXP FRDM-K64F Platform with ARM mbed Demo - Edinburgh 2016 Workshop
NXP FRDM-K64F Platform with ARM mbed Demo - Edinburgh 2016 WorkshopNXP FRDM-K64F Platform with ARM mbed Demo - Edinburgh 2016 Workshop
NXP FRDM-K64F Platform with ARM mbed Demo - Edinburgh 2016 WorkshopOpen Mobile Alliance
 
Webinar: Comunicação TCP/IP segura
Webinar: Comunicação TCP/IP seguraWebinar: Comunicação TCP/IP segura
Webinar: Comunicação TCP/IP seguraEmbarcados
 
Intermediate: Security in Mobile Cellular Networks
Intermediate: Security in Mobile Cellular NetworksIntermediate: Security in Mobile Cellular Networks
Intermediate: Security in Mobile Cellular Networks3G4G
 
IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secu...
IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secu...IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secu...
IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secu...Mikael Falkvidd
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
 
44Con 2014: GreedyBTS - Hacking Adventures in GSM
44Con 2014: GreedyBTS - Hacking Adventures in GSM44Con 2014: GreedyBTS - Hacking Adventures in GSM
44Con 2014: GreedyBTS - Hacking Adventures in GSMiphonepentest
 
Iport ntx pro-embedded_video_interface_data_sheet
Iport ntx pro-embedded_video_interface_data_sheetIport ntx pro-embedded_video_interface_data_sheet
Iport ntx pro-embedded_video_interface_data_sheetWorkswell s.r.o.
 
Making networks secure with multi-layer encryption
Making networks secure with multi-layer encryptionMaking networks secure with multi-layer encryption
Making networks secure with multi-layer encryptionADVA
 
ST tech tour - sigfox presentation & hands-on demp
ST tech tour - sigfox presentation & hands-on dempST tech tour - sigfox presentation & hands-on demp
ST tech tour - sigfox presentation & hands-on dempFrançois Oudot
 

Similar to DEF CON 27 - CAMPBELL / MURRAY - gsm we can hear everyone now (20)

M08 protecting your message data in IBM MQ with encryption
M08 protecting your message data in IBM MQ with encryptionM08 protecting your message data in IBM MQ with encryption
M08 protecting your message data in IBM MQ with encryption
 
Webinar Renesas - IoT é Segura? Com Renesas Synergy sim! E o SSP 1.5 tornou a...
Webinar Renesas - IoT é Segura? Com Renesas Synergy sim! E o SSP 1.5 tornou a...Webinar Renesas - IoT é Segura? Com Renesas Synergy sim! E o SSP 1.5 tornou a...
Webinar Renesas - IoT é Segura? Com Renesas Synergy sim! E o SSP 1.5 tornou a...
 
Configuring-Cisco-CME.ppt
Configuring-Cisco-CME.pptConfiguring-Cisco-CME.ppt
Configuring-Cisco-CME.ppt
 
Ethernet basics
Ethernet basicsEthernet basics
Ethernet basics
 
Introducing ConnectGuard™ Cloud
Introducing ConnectGuard™ Cloud Introducing ConnectGuard™ Cloud
Introducing ConnectGuard™ Cloud
 
Security model evaluation of 3 g
Security model evaluation of 3 gSecurity model evaluation of 3 g
Security model evaluation of 3 g
 
Embedded SIM New opportunities for security sensitive IoT applications
Embedded SIM New opportunities for security sensitive IoT applicationsEmbedded SIM New opportunities for security sensitive IoT applications
Embedded SIM New opportunities for security sensitive IoT applications
 
NXP FRDM-K64F Platform with ARM mbed Demo - Edinburgh 2016 Workshop
NXP FRDM-K64F Platform with ARM mbed Demo - Edinburgh 2016 WorkshopNXP FRDM-K64F Platform with ARM mbed Demo - Edinburgh 2016 Workshop
NXP FRDM-K64F Platform with ARM mbed Demo - Edinburgh 2016 Workshop
 
Webinar: Comunicação TCP/IP segura
Webinar: Comunicação TCP/IP seguraWebinar: Comunicação TCP/IP segura
Webinar: Comunicação TCP/IP segura
 
SigfoxMakersDay Total
SigfoxMakersDay TotalSigfoxMakersDay Total
SigfoxMakersDay Total
 
Intermediate: Security in Mobile Cellular Networks
Intermediate: Security in Mobile Cellular NetworksIntermediate: Security in Mobile Cellular Networks
Intermediate: Security in Mobile Cellular Networks
 
20171106 - Workshop lille
20171106 - Workshop lille20171106 - Workshop lille
20171106 - Workshop lille
 
R43019698
R43019698R43019698
R43019698
 
IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secu...
IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secu...IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secu...
IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secu...
 
177732477-Voice-101.pdf
177732477-Voice-101.pdf177732477-Voice-101.pdf
177732477-Voice-101.pdf
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
44Con 2014: GreedyBTS - Hacking Adventures in GSM
44Con 2014: GreedyBTS - Hacking Adventures in GSM44Con 2014: GreedyBTS - Hacking Adventures in GSM
44Con 2014: GreedyBTS - Hacking Adventures in GSM
 
Iport ntx pro-embedded_video_interface_data_sheet
Iport ntx pro-embedded_video_interface_data_sheetIport ntx pro-embedded_video_interface_data_sheet
Iport ntx pro-embedded_video_interface_data_sheet
 
Making networks secure with multi-layer encryption
Making networks secure with multi-layer encryptionMaking networks secure with multi-layer encryption
Making networks secure with multi-layer encryption
 
ST tech tour - sigfox presentation & hands-on demp
ST tech tour - sigfox presentation & hands-on dempST tech tour - sigfox presentation & hands-on demp
ST tech tour - sigfox presentation & hands-on demp
 

More from Felipe Prado

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsFelipe Prado
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionFelipe Prado
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101Felipe Prado
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentFelipe Prado
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareFelipe Prado
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...Felipe Prado
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationFelipe Prado
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceFelipe Prado
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistFelipe Prado
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksFelipe Prado
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityFelipe Prado
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsFelipe Prado
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...Felipe Prado
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksFelipe Prado
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncFelipe Prado
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesFelipe Prado
 

More from Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 

Recently uploaded

Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 

Recently uploaded (20)

Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 

DEF CON 27 - CAMPBELL / MURRAY - gsm we can hear everyone now

  • 1. GSM: WE CAN HEAR EVERYONE NOW! DEFCON 2019 Campbell Murray, Eoin Buckley James Kulikowski, Bartek Piekarski BlackBerry
  • 2. © 2018 BlackBerry. All Rights Reserved. 22 Biographical Information Eoin Buckley Senior Cybersecurity Consultant Campbell Murray Global Head of BlackBerry Cybersecurity Delivery Bartek Piekarski Senior Cybersecurity Consultant James Kulikowski Senior Cybersecurity Consultant
  • 3. © 2018 BlackBerry. All Rights Reserved. 33 AGENDA Topic: Vulnerability in GSM and generating an indicator to exploit it • Section 1: Intro to GSM • Section 2: Concept Overview • Section 3: Test Lab Setup & Demonstration • Section 4: Cellular Security Discussion
  • 5. © 2018 BlackBerry. All Rights Reserved. 55 GSM Introduction • Concept for GSM (digital) started in the late 1980s • Major improvement over AMPS (analogue) • GSM Security has several design issues • Support for key sizes <= 64 bits • Encrypted data contains redundancy • Error control coding before ciphering
  • 6. © 2018 BlackBerry. All Rights Reserved. 66 GSM Introduction Timeslot - Contains 114 encrypted data Midamble (26 bits) Encrypted data (57 bits) Encrypted data (57 bits) Guard (8.25 bits)Tail (3 bits) Tail (3 bits)Stealing bit 0 1 2 3 4 5 6 7 Multiframe Superframe Hyperframe 1 Hyperframe ~ 3 hours 29 minutes Frame - Contains 8 timeslots Hyperframe - Contains 2,715,648 frames
  • 7. © 2018 BlackBerry. All Rights Reserved. 77 GSM Introduction GSM based on symmetric encryption - Specified ciphers: A5/1, A5/3 & A5/4 - A5/1 up to 64 bit key - A5/3 up to 64 bit key - A5/4 up to 128 bit key - Note: A5/2 disallowed in 2000’s - NIST guidance: 112 bit security strength - “The use of keys that provide less than 112 bits of security strength for key agreement is now disallowed” A5/X Cipher Frame number Kc Cipherstream
  • 9. © 2018 BlackBerry. All Rights Reserved. 99 Concept Overview Message Error Control Codeword Cipherstream Cipher A5/x Ciphertext • Typical GSM Channel Structure with A5/1 • Encryption • Key maximum 64 bits length • Convolutional error control code • Intended to combat noise from wireless channel • Attack uses code to identify cipherstream “noise” Convolutional code
  • 10. © 2018 BlackBerry. All Rights Reserved. 1010 Concept Overview Message Error Control Codeword Cipherstream Cipher A5/x Ciphertext • High level view of attack • Capture GSM packet • Compute a cipherstream/key indicator • Use convolutional code parameters • Use indicator with a Rainbow table to identify ciphering key • Use indicator as a fingerprint for ciphering key Convolutional code
  • 11. © 2018 BlackBerry. All Rights Reserved. 1111 Concept Overview Message (184 bits)Conv. Codeword (456 bits) Cipherstream (456 bits) Cipher A5/3 Ciphertext (456 bits) • Demonstration uses SACCH control channel • Compromise of SACCH also compromises voice (same key) • Works for any SACCH message • Indicator/fingerprint is independent of the message • Knowledge of plaintext is not needed Convolutional code SACCH FIRE code (224 bits)
  • 12. © 2018 BlackBerry. All Rights Reserved. 1212 Concept Overview • Computing the indicator Input m (224 bits) Conv. Code Encrypted Conv. stream c1 (228 bits) Cipher A5/x g1 g2 Encrypted Conv. stream c2 (228 bits) Deconvolve stream c1 & g1 Deconvolve stream c2 & g2 xor streams q1 & q2 Stream q1 (224 bits) Stream q2 (224 bits) Stream q1 xor q2 (224 bits) 1 0 0 1 1 0 0 0 1 …. 1 0 1 0 1 1 0 1 1 …. Conv. Code Parameters • g1: 1 0 0 1 1 • g2: 1 1 0 1 1 Indicator Deconvolution xor
  • 13. © 2018 BlackBerry. All Rights Reserved. 1313 Concept Overview • The indicator “q1 xor q2” is • Computed using the full convolutional codeword • Need 4x114 bursts • Independent of SACCH message • Fully determined by 1)The cipher stream and 2) Convolutional code • Full indicator length 224 bits • More than sufficient to identify a 64 bit key
  • 14. Test Lab Setup & Demonstration
  • 15. © 2018 BlackBerry. All Rights Reserved. 1515 Hardware • Various unlocked cellular devices • 2G compliant Programable SIM cards • PC SmartCard reader/writer • Ettus Research N210 WBX • Mini GPS ref. clock • AirSpy SDR • Various antennas
  • 16. © 2018 BlackBerry. All Rights Reserved. 1616 Software • RangeNetworks SDMN 7.0.4 • RangeNetworks OpenBTS 7.0.4 • PySIM • GNU Radio 3.7.0 • GR-GSM • GNU Octave 5.1
  • 17. © 2018 BlackBerry. All Rights Reserved. 1717 Lab Configuration • All GSM testing run under RF isolation • Cipher Mode configured for A5/3 • SACCH random neighbor protection enabled • Random padding filler protection enabled
  • 18. © 2018 BlackBerry. All Rights Reserved. 1818 GR-GSM Configuration Opening file, parsing, GSM signal processing Output to wireshark Kc/None A5/x • Raw data filtered into files. • Process relevant timeslot file to produce indicator
  • 19. © 2018 BlackBerry. All Rights Reserved. 1919 Considerations in Mounting Attack • Small key size: A5/1 & A5/3 • Key length up to 64 bits • NIST guidance: 112 bit security strength for key agreement • Rainbow table computation • Estimates based on 1 rig (4x NVIDIA GTX1080) proof-of-concept using opencl • A5/1, 64 bit key: Obtain 10% coverage using 500 rigs for 200 days • A5/3, 1 epoch, 64 bit key: Obtain 10% key coverage using 500 rigs for 263 days
  • 21. © 2018 BlackBerry. All Rights Reserved. 2121 Cellular Security • Indicator attack possible in GSM voice: • Small key size (e.g. At most 64 bits for A5/1 & A5/3) • Up to 64 bit key size for A5/1 & A5/3 • NIST guidance: 112 bit security strength for key agreement • Ciphering performed after error control coding • Additional attacks on GSM include: • Karsten Nohl (DEFCON 2010) “Attacking phone privacy” • Barkan et al. 2006 “Instant Ciphertext-only Cryptanalysis of GSM encrypted communication” • False Basestation attacks
  • 22. © 2018 BlackBerry. All Rights Reserved. 2222 Cellular Security • Beyond GSM into 3G-to-5G: • Reduced security risk • Minimum encrypting key size of 128 bits • Error control coding applied after encryption not before • Cellular industry actively studying solutions for GSM security • 3GPP TR 33.809 v0.5.0 “Study on 5G Security Enhancements against False Basestations”
  • 25. © 2018 BlackBerry. All Rights Reserved. 2525 Appendix Consider the addition of the A5/x cipherstream to the codeword ▪ Separate cipherstream into portion xor’d for conv code output 1 & 2 ▪ Let output 1 cipherstream be: s1 ▪ Let output 2 cipherstream be: s2 Denote the resulting ciphertext portions as: ▪ c1 = s1 + p1 = s1 + m*g1 ▪ c2 = s1 + p2 = s2 + m*g2 Message m p1 Conv. Code (1st half of A5/x output) s1 c1 s2 (2nd half of A5/x output) p2 c2
  • 26. © 2018 BlackBerry. All Rights Reserved. 2626 Appendix The key to the attack is that the ciphertext portions can also be divided by g1 & g2 respectively for quotient q1 & q2 ▪ C1 = s1 + p1 = s1 + m*g1 = (q1*g1 + r1) + m*g1 ▪ C2 = s2 + p2 = s2 + m*g2 = (q2*g2 + r2) + m*g2 Rearranging c1&c2 we can now write ▪ C1 = (q1*g1 + r1) + m*g1 = (q1 + m)*g1 + r1 ▪ C2 = (q2*g2 + r2) + m*g2 = (q2 + m)*g2 + r2 By deconvolving the ciphertext c1&c2 by g1&g2 respectively we can product the quotients ▪ (q1+m) ▪ (q2+m) Adding these quotients generates (q1+q2) which is independent of the “m” : ▪ (q1+m) + (q2+m) = (q1+q2)