GSM SECURITY 101
AN OVERVIEW OF ITS SECURITY
AGENDA
• Brief introduction to GSM
• GSM Architecture
• Attacks and Threats on GSM networks
• Types of Attacks against Mobile Networks
• Third generation and evolution
GSM: INTRODUCTION
• GSM is the most widely used cellular standard
• Over 3.6 billion users, mostly in Europe and Asia
• Based on TDMA radio access and PCM trunking
• Uses SS7 signaling with mobile-specific extensions
• Provides authentication and encryption capabilities
• Today’s networks are 2G evolving to 2.5G
• Third generation (3G) and future (4G)
GSM ARCHITECTURE
GSM DATA
• Initially designed to carry voice traffic
• Data connections initially 9600 bps
• No need for modems as there is a digital path from MS to MSC
• Enhanced rates up to 14.4 kbps
• GPRS provides speeds up to 150 kbps
• UMTS (3G) promises permanent connections with up to 2 Mbps transfer rate
AUTHENTICATION
The authentication procedure checks the validity of the subscriber’s SIM card and then decides whether the mobile station is allowed on a particular network. The network authenticates the subscriber through the use of a challenge-response method.
GSM ALGORITHMS
A consequence of international roaming is the exchange of information between providers in different countries. All countries have strict regulations against the export of encryption algorithms and thus GSM works around it. When a user tries to use his phone in, say, another country, the local network requests the RAND, SRES and Kc from the HLR of the subscriber’s home network, which is sufficient for authentication and encrypting data. Thus the local network does not need to know anything about the A3 or A8 algorithms stored in the SIM.
• Authentication Algorithm A3 – It is operator-dependent and is an operator option. The A3 algorithm is a one-way function. That means it is easy to compute the output parameter SRES by using the A3 algorithm but very complex to retrieve the input parameters (RAND and Ki) from the output parameter. Remember the key to GSM’s security is keeping Ki unknown. While it may sound odd that each operator may choose to use A3 independently, it was necessary to cover the case of international roaming.
• Ciphering Algorithm A5 – Currently, there exist several implementations of this algorithm, though the most commonly used ones are A5/0, A5/1 and A5/2. The different implementations exist because of export restrictions on encryption technologies. A5/1 is the strongest version and is used widely in Western Europe and America, while A5/2 is commonly used in Asia. Countries under UN sanctions and certain third world countries use A5/0, which comes with no encryption.
• Ciphering Key Generating Algorithm A8 – It is operator-dependent. In most providers the A3 and A8 algorithms are combined into a single hash function known as COMP128. COMP128 creates Kc and SRES in a single instance.
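The challenge-response and roaming flow described above, as an added Python example that is not part of the original slides: the home HLR/AuC computes triplets and the visited network authenticates the SIM from them without holding Ki or the A3/A8 code. HMAC-SHA256 stands in for the operator's A3/A8 function (it is not COMP128); the class names, IMSI and Ki are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


def a3a8_stand_in(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for an operator's combined A3/A8 function (this is NOT COMP128).

    HMAC-SHA256 is an assumption of this example, chosen only because it is a
    one-way keyed function. Returns (SRES, Kc): 32-bit response, 64-bit key.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


@dataclass(frozen=True)
class Triplet:
    rand: bytes  # network challenge RAND (128 bits)
    sres: bytes  # expected user response SRES
    kc: bytes    # cipher key Kc handed to A5


class HomeNetwork:
    """HLR/AuC of the subscriber's operator: the only network node holding Ki."""

    def __init__(self) -> None:
        self._ki: dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki[imsi] = ki

    def triplets(self, imsi: str, count: int = 3) -> list[Triplet]:
        out = []
        for _ in range(count):
            rand = os.urandom(16)  # fresh challenge for every triplet
            sres, kc = a3a8_stand_in(self._ki[imsi], rand)
            out.append(Triplet(rand, sres, kc))
        return out


class Sim:
    """Holds Ki and runs A3/A8 on the card; Ki never leaves it."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki
        self.kc = None  # set after a challenge has been answered

    def respond(self, rand: bytes) -> bytes:
        sres, self.kc = a3a8_stand_in(self._ki, rand)
        return sres


class VisitedNetwork:
    """Roaming partner's VLR/MSC: works from triplets, knows neither Ki nor A3/A8."""

    def __init__(self, home: HomeNetwork) -> None:
        self._home = home
        self._unused: dict[str, list[Triplet]] = {}

    def authenticate(self, sim: Sim) -> bytes | None:
        """Return the shared Kc on success, None if SRES does not match."""
        queue = self._unused.setdefault(sim.imsi, [])
        if not queue:
            queue.extend(self._home.triplets(sim.imsi))
        triplet = queue.pop()  # a triplet is consumed by one authentication
        sres = sim.respond(triplet.rand)
        # One-way only: nothing in this exchange lets the SIM check who sent RAND.
        if hmac.compare_digest(sres, triplet.sres):
            return triplet.kc
        return None


if __name__ == "__main__":
    home = HomeNetwork()
    home.provision("001010000000001", bytes(range(16)))  # constructed IMSI and Ki
    visited = VisitedNetwork(home)
    genuine = Sim("001010000000001", bytes(range(16)))
    wrong_ki = Sim("001010000000001", bytes(16))
    print("genuine SIM ->", visited.authenticate(genuine))
    print("wrong Ki    ->", visited.authenticate(wrong_ki))
```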
ATTACKS AND THREATS ON GSM NETWORKS
LOW-TECH FRAUD
• Call forwarding to premium rate numbers
• Bogus registration details
• Roaming fraud
• Terminal theft
• Multiple forwarding, conference calls
COUNTERMEASURES FOR LOW-TECH FRAUD
Fraud Management systems look for:
• Multiple calls at the same time,
• Large variations in revenue being paid to other parties,
• Large variations in the duration of calls, such as very short or long calls,
• Changes in customer usage, perhaps indicating that a mobile has been stolen or is being abused,
• Monitor the usage of a customer closely during a 'probationary period'
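A sketch of how several of these checks can be run over call detail records, added here as an example and not taken from the original slides or from any fraud management product. The record layout, thresholds, subscriber names and sample records are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cdr:
    subscriber: str
    start: int     # seconds since midnight
    duration: int  # seconds
    called: str


def simultaneous_calls(cdrs):
    """Subscribers with a call that starts while an earlier one is still running."""
    by_sub = defaultdict(list)
    for c in cdrs:
        by_sub[c.subscriber].append(c)
    flagged = set()
    for sub, calls in by_sub.items():
        latest_end = -1
        for c in sorted(calls, key=lambda c: c.start):
            if c.start < latest_end:
                flagged.add(sub)
            latest_end = max(latest_end, c.start + c.duration)
    return flagged


def unusual_durations(cdrs, short_s=5, long_s=4 * 3600):
    """Subscribers with very short or very long calls (thresholds are assumptions)."""
    return {c.subscriber for c in cdrs if c.duration <= short_s or c.duration >= long_s}


def usage_changes(cdrs, history, factor=5.0):
    """Subscribers whose usage today exceeds `factor` times their daily average."""
    totals = defaultdict(int)
    for c in cdrs:
        totals[c.subscriber] += c.duration
    flagged = set()
    for sub, total in totals.items():
        past = history.get(sub)
        if not past:
            continue  # no baseline yet: covered by the probation rule
        baseline = sum(past) / len(past)
        if baseline > 0 and total > factor * baseline:
            flagged.add(sub)
    return flagged


def on_probation(cdrs, history, min_days=3):
    """Subscribers with too little history, to be watched more closely."""
    return {c.subscriber for c in cdrs if len(history.get(c.subscriber, [])) < min_days}


def review(cdrs, history):
    """Map each flagged subscriber to the set of rules that fired."""
    report = defaultdict(set)
    rules = (
        ("simultaneous_calls", simultaneous_calls(cdrs)),
        ("unusual_duration", unusual_durations(cdrs)),
        ("usage_change", usage_changes(cdrs, history)),
        ("probation", on_probation(cdrs, history)),
    )
    for reason, subscribers in rules:
        for sub in subscribers:
            report[sub].add(reason)
    return dict(report)


# Constructed sample data: one day of records plus daily totals (seconds) per subscriber.
SAMPLE_CDRS = [
    Cdr("sub-A", 36000, 120, "local-1"),
    Cdr("sub-A", 50000, 300, "local-2"),
    Cdr("sub-B", 40000, 3600, "premium-1"),
    Cdr("sub-B", 40100, 3500, "premium-1"),
    Cdr("sub-B", 40200, 3, "premium-2"),
    Cdr("sub-C", 30000, 18000, "intl-1"),
    Cdr("sub-D", 20000, 60, "local-3"),
]
SAMPLE_HISTORY = {
    "sub-A": [400, 450, 380],
    "sub-B": [300, 200, 250],
    "sub-C": [17000, 19000, 18000],
}

if __name__ == "__main__":
    for sub, reasons in sorted(review(SAMPLE_CDRS, SAMPLE_HISTORY).items()):
        print(sub, sorted(reasons))
```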
ATTACKS ON GSM NETWORKS
• Eavesdropping. This is the capability whereby the intruder eavesdrops on signalling and data connections associated with other users. The required equipment is a modified MS.
• Impersonation of a user. This is the capability whereby the intruder sends signalling and/or user data to the network, in an attempt to make the network believe they originate from the target user. The required equipment is again a modified MS.
• Impersonation of the network. This is the capability whereby the intruder sends signalling and/or user data to the target user, in an attempt to make the target user believe they originate from a genuine network. The required equipment is a modified BTS.
ATTACKS ON GSM NETWORKS
• Man-in-the-middle. This is the capability whereby the intruder puts itself in between the target user and a genuine network and has the ability to eavesdrop, modify, delete, re-order, replay, and spoof signalling and user data messages exchanged between the two parties. The required equipment is a modified BTS in conjunction with a modified MS.
• Compromising authentication vectors in the network. The intruder possesses a compromised authentication vector, which may include challenge/response pairs, cipher keys and integrity keys. This data may have been obtained by compromising network nodes or by intercepting signalling messages on network links.
DE-REGISTRATION SPOOFING
• An attack that requires a modified MS and exploits the weakness that the network cannot authenticate the messages it receives over the radio interface.
• The intruder spoofs a de-registration request (IMSI detach) to the network.
• The network de-registers the user from the visited location area and instructs the HLR to do the same. The user is subsequently unreachable for mobile terminated services.
• 3G: Integrity protection of critical signalling messages protects against this attack. More specifically, data authentication and replay inhibition of the de-registration request allow the serving network to verify that the de-registration request is legitimate.
LOCATION UPDATE SPOOFING
• An attack that requires a modified MS and exploits the weakness that the network cannot authenticate the messages it receives over the radio interface.
• The user spoofs a location update request in a different location area from the one in which the user is roaming.
• The network registers in the new location area and the target user will be paged in that new area.
• The user is subsequently unreachable for mobile terminated services.
• 3G: Integrity protection of critical signalling messages protects against this attack. More specifically, data authentication and replay inhibition of the location update request allow the serving network to verify that the location update request is legitimate.
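The 3G countermeasure named on the last two slides (data authentication plus replay inhibition of de-registration and location update requests), sketched as an added Python example that is not part of the original slides. HMAC-SHA256 truncated to 32 bits stands in for the UMTS integrity function, and the message bodies, counter handling, class names, IMSI and key are constructed assumptions.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4  # 32-bit tag, the size of the UMTS MAC-I


def mac_i(ik: bytes, count: int, body: bytes) -> bytes:
    """Stand-in for the UMTS integrity function (HMAC-SHA256 is an assumption)."""
    data = struct.pack(">I", count) + body  # the counter is covered by the tag
    return hmac.new(ik, data, hashlib.sha256).digest()[:MAC_LEN]


class Mobile:
    """Genuine terminal: holds the integrity key IK agreed during authentication."""

    def __init__(self, imsi: str, ik: bytes) -> None:
        self.imsi, self._ik, self._count = imsi, ik, 0

    def send(self, body: bytes):
        self._count += 1  # never reuse a counter value
        return self.imsi, self._count, body, mac_i(self._ik, self._count, body)


class ServingNetwork:
    def __init__(self) -> None:
        self._ik = {}       # imsi -> integrity key
        self._last = {}     # imsi -> highest counter accepted so far
        self.location = {}  # imsi -> location area, None once detached

    def attach(self, imsi: str, ik: bytes, area: str) -> None:
        self._ik[imsi], self._last[imsi], self.location[imsi] = ik, 0, area

    def receive(self, imsi: str, count: int, body: bytes, tag: bytes) -> bool:
        """Apply a signalling request only if it is authentic and fresh."""
        ik = self._ik.get(imsi)
        if ik is None:
            return False
        if not self._last[imsi] < count < 2**32:
            return False  # replay inhibition: stale or repeated counter
        if not hmac.compare_digest(tag, mac_i(ik, count, body)):
            return False  # data authentication: sender does not hold IK
        kind, _, arg = body.partition(b":")
        if kind == b"IMSI_DETACH":
            new_area = None
        elif kind == b"LOCATION_UPDATE" and arg:
            new_area = arg.decode()
        else:
            return False
        self._last[imsi] = count  # state changes only after every check passed
        self.location[imsi] = new_area
        return True


if __name__ == "__main__":
    imsi, ik = "001010000000001", bytes(range(16))  # constructed values
    net = ServingNetwork()
    net.attach(imsi, ik, "LA-1")
    ms = Mobile(imsi, ik)
    request = ms.send(b"LOCATION_UPDATE:LA-2")
    print("genuine update :", net.receive(*request))
    print("same msg again :", net.receive(*request))
    print("no valid tag   :", net.receive(imsi, 9, b"IMSI_DETACH:", bytes(MAC_LEN)))
    print("location       :", net.location[imsi])
```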
CAMPING ON A FALSE BTS
• An attack that requires a modified BTS and exploits the weakness that a user can be enticed to camp on a false base station.
• Once the target user camps on the radio channels of a false base station, the target user is out of reach of the paging signals of the serving network in which he is registered.
• 3G: The security architecture does not counteract this attack. However, the denial of service in this case only persists for as long as the attacker is active, unlike the above attacks, which persist beyond the moment where intervention by the attacker stops. These attacks are comparable to radio jamming, which is very difficult to counteract effectively in any radio system.
CAMPING ON FALSE BTS/MS
• An attack that requires a modified BTS/MS and exploits the weakness that a user can be enticed to camp on a false base station.
• A false BTS/MS can act as a repeater for some time and can relay some requests in between the network and the target user, but subsequently modify or ignore certain service requests and/or paging messages related to the target user.
• 3G: The security architecture does not prevent a false BTS/MS relaying messages between the network and the target user, neither does it prevent the false BTS/MS ignoring certain service requests and/or paging requests.
• Integrity protection of critical messages may however help to prevent some denial of service attacks, which are induced by modifying certain messages.
FAKE BTS
• IMSI catcher by Law Enforcement
• Intercept mobile originated calls
• Can be used for over-the-air cloning
TYPES OF ATTACKS AGAINST MOBILE NETWORKS
SECURING THE MOBILE NETWORK
GSM SECURITY
As all cellular communications are sent over the air interface, cellular communication is less secure than a wired network, as it opens the door to eavesdroppers with appropriate receivers. Several security functions were built into GSM to safeguard subscriber privacy. These include:
• Authentication of the registered subscribers only
• Secure data transfer through the use of encryption
• Subscriber identity protection
• Mobile phones are inoperable without a SIM
• Duplicate SIMs are not allowed on the network
• Securely stored Ki
SECURITY BY OBSCURITY
• In April 1998, the Smartcard Developer Association (SDA) together with two U.C. Berkeley researchers claimed to have cracked the COMP128 algorithm stored on the SIM. By sending a large number of challenges to the authorization module, they were able to deduce the Ki within several hours. They also discovered that Kc uses only 54 bits of the 64 bits. The remaining 10 bits are replaced by zeros, which makes the cipher key purposefully weaker.
• The GSM Alliance responded to the incident, stating that even if a SIM could be cloned it would serve no purpose, as the GSM network would allow only one call from any phone number at any one time. GSM networks are also capable of detecting and shutting down duplicate SIM codes found on multiple phones.
• In August 1999, an American group of researchers claimed to have cracked the weaker A5/2 algorithm commonly used in Asia, using a single PC within seconds.
• In December 1999, two leading Israeli cryptographers claimed to have cracked the strong A5/1 algorithm responsible for encrypting conversations. They admit the version they cracked may not be the exact version used in GSM handsets, as GSM operators are allowed to make small modifications to the GSM algorithms. The researchers used a digital scanner and a high end PC to crack the code. Within two minutes of intercepting a call with a digital scanner, the researchers were able to listen to the conversation.
• The GSM Alliance of North America has claimed that none of its members use the A5/1 algorithm, opting for more recently developed algorithms.
THIRD GENERATION WIRELESS
• Evolution from existing European and US digital cellular systems (W-CDMA, CDMA2000, UMTS).
• Promises broadband multimedia on everyone’s handset and a multitude of related services.
• Spectrum auctions in many countries put many operators in financial debt.
• Delays in 3G rollouts cast doubt over its success. Some talk about jumping to 4G directly.
THE GPRS NETWORK INFRASTRUCTURE
3G SECURITY MODEL
• Network access security (I): the set of security features that provide users with secure access to 3G services, and which in particular protect against attacks on the (radio) access link;
• Network domain security (II): the set of security features that enable nodes in the provider domain to securely exchange signalling data, and protect against attacks on the wireline network;
• User domain security (III): the set of security features that secure access to mobile stations;
• Application domain security (IV): the set of security features that enable applications in the user and in the provider domain to securely exchange messages;
• Visibility and configurability of security (V): the set of features that enables the user to inform himself whether a security feature is in operation or not and whether the use and provision of services should depend on the security feature.
3G VS. GSM
• A change was made to defeat the false base station attack. The security mechanisms include a sequence number that ensures that the mobile can identify the network.
• Key lengths were increased to allow for the possibility of stronger algorithms for encryption and integrity.
• Mechanisms were included to support security within and between networks.
• Security is based within the switch rather than the base station as in GSM. Therefore links are protected between the base station and switch.
• Integrity mechanisms for the terminal identity (IMEI) have been designed in from the start, rather than being introduced late, as in GSM.
3G VS. GSM
• GSM authentication vector: temporary authentication data that enables a VLR/SGSN to engage in GSM AKA with a particular user. A triplet consists of three elements: a) a network challenge RAND, b) an expected user response SRES and c) a cipher key Kc.
• UMTS authentication vector: temporary authentication data that enables a VLR/SGSN to engage in UMTS AKA with a particular user. A quintet consists of five elements: a) a network challenge RAND, b) an expected user response XRES, c) a cipher key CK, d) an integrity key IK and e) a network authentication token AUTN.
GSM AND GPRS SECURITY
The main function of a GSM/GPRS network is to support and facilitate the transmission of information, whether it is voice or non-voice. As with any form of information transmission, there are associated information security risks. When information is transmitted across a GSM/GPRS network, security measures must be taken to protect the information from unauthorized access. The type of information that must be protected on a GSM/GPRS network includes the following:
• User Data – This is either voice or non-voice data sent or received by users registered on a GSM/GPRS network.
• Charging Information – Information collected from the SGSN and GGSN used to bill for non-voice services.
• Subscriber Information – This information is stored in the mobile station, the HLR and the VLR. This is customer specific information for subscribers and roaming users.
• Technical Information of the GSM/GPRS Network – This information describes and lays out the GSM/GPRS network architecture and configuration.
EVOLUTION OF GPRS
ADVANTAGES OF LTE
QUESTIONS ?

 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 

GSM Security 101 by Sushil Singh and Dheeraj Verma

  • 1. GSM SECURITY 101 AN OVERVIEW OF ITS SECURITY
  • 2. AGENDA  Brief introduction to GSM  GSM Architecture  Attacks and Threats on GSM networks  Types of Attacks against Mobile Networks  Third generation and evolution
  • 3. GSM: INTRODUCTION  GSM is the most widely used cellular standard  Over 3.6 billion users, mostly in Europe and Asia  Based on TDMA radio access and PCM trunking  Use SS7 signaling with mobile-specific extensions  Provides authentication and encryption capabilities  Today’s networks are 2G evolving to 2.5G  Third generation (3G) and future (4G)
  • 5. GSM DATA  Initially designed to carry voice traffic  Data connections initially 9600 bps  No need for modems as there is a digital path from MS to MSC  Enhanced rates up to 14.4 kbps  GPRS provides speeds up to 150 kbps  UMTS (3G) promises permanent connections with up to 2 Mbps transfer rate
  • 6. AUTHENTICATION The authentication procedure checks the validity of the subscriber’s SIM card and then decides whether the mobile station is allowed on a particular network. The network authenticates the subscriber through the use of a challenge-response method.
  • 7. GSM ALGORITHMS A consequence of international roaming is the exchange of information between providers in different countries. All countries have strict regulations against the export of encryption algorithms and thus GSM works around it. When a user tries to use his phone in, say, another country, the local network requests the RAND, SRES and KC from the HLR of the subscriber’s home network, which is sufficient for authentication and encrypting data. Thus the local network does not need to know anything about the A3 or A8 algorithms stored in the SIM.  Authentication Algorithm A3 – It is operator-dependent and is an operator option. The A3 algorithm is a one-way function. That means it is easy to compute the output parameter SRES by using the A3 algorithm but very complex to retrieve the input parameters (RAND and KI) from the output parameter. Remember the key to GSM’s security is keeping KI unknown. While it may sound odd that each operator may choose to use A3 independently, it was necessary to cover the case of international roaming.  Ciphering Algorithm A5 – Currently, there exist several implementations of this algorithm, though the most commonly used ones are A5/0, A5/1 and A5/2. The different implementations exist because of export restrictions on encryption technologies. A5/1 is the strongest version and is used widely in Western Europe and America, while the A5/2 is commonly used in Asia. Countries under UN Sanctions and certain third world countries use the A5/0, which comes with no encryption.  Ciphering Key Generating Algorithm A8 – It is operator-dependent. In most providers the A3 and A8 algorithms are combined into a single hash function known as COMP128. The COMP128 creates KC and SRES in a single instance.
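The roaming exchange described in slides 6 and 7, as an added example that is not part of the original deck: the home network hands the visited network a (RAND, SRES, KC) triplet, so the visited side can authenticate the SIM without ever holding KI or the A3/A8 code. HMAC-SHA256 stands in for the operator's A3/A8 (it is not COMP128), and the class names, the IMSI and the KI value are constructed for illustration.

```python
import hashlib
import hmac
import os


def a3a8_standin(ki: bytes, rand: bytes):
    """Stand-in for the operator's combined A3/A8 function (HMAC-SHA256,
    NOT COMP128). Returns (SRES, Kc): 32-bit response, 64-bit cipher key."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    sres = digest[:4]
    kc = int.from_bytes(digest[4:12], "big")
    # The deck notes that only 54 of Kc's 64 bits carry key material and the
    # other 10 are zeros; zeroing the low-order bits is this sketch's choice.
    kc &= ~0x3FF
    return sres, kc.to_bytes(8, "big")


class HomeAuC:
    """Home network (HLR/AuC): the only party besides the SIM that holds Ki."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str, ki: bytes):
        self._ki[imsi] = ki

    def triplet(self, imsi: str):
        rand = os.urandom(16)  # 128-bit challenge
        sres, kc = a3a8_standin(self._ki[imsi], rand)
        return rand, sres, kc


class Sim:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki
        self.kc = None

    def respond(self, rand: bytes) -> bytes:
        # The SIM answers any RAND it is given: GSM authentication is one-way,
        # so nothing here lets the SIM check which network sent the challenge.
        sres, self.kc = a3a8_standin(self._ki, rand)
        return sres  # only SRES goes over the air; Kc stays in the handset


class VisitedNetwork:
    """Visited VLR: sees triplets only, never Ki or the algorithm."""

    def __init__(self, home: HomeAuC):
        self._home = home

    def attach(self, sim: Sim):
        rand, expected_sres, kc = self._home.triplet(sim.imsi)
        sres = sim.respond(rand)
        if not hmac.compare_digest(sres, expected_sres):
            return None  # authentication failed, no cipher key released
        return kc  # key handed to A5 for the radio link


if __name__ == "__main__":
    imsi, ki = "001010000000001", bytes(range(16))  # constructed test values
    home = HomeAuC()
    home.provision(imsi, ki)
    visited = VisitedNetwork(home)
    print("genuine SIM:", visited.attach(Sim(imsi, ki)).hex())
    print("wrong Ki   :", visited.attach(Sim(imsi, b"\x00" * 16)))
```
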
  • 8. ATTACKS AND THREATS ON GSM NETWORKS
  • 9. LOW-TECH FRAUD  Call forwarding to premium rate numbers  Bogus registration details  Roaming fraud  Terminal theft  Multiple forwarding, conference calls
  • 10. COUNTERMEASURES FOR LOW-TECH FRAUD Fraud Management systems look for:  Multiple calls at the same time,  Large variations in revenue being paid to other parties,  Large variations in the duration of calls, such as very short or long calls,  Changes in customer usage, perhaps indicating that a mobile has been stolen or is being abused,  Monitor the usage of a customer closely during a 'probationary period'
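Two of the fraud-management checks listed on slide 10 (multiple calls at the same time, and very short or very long calls), as an added example that is not part of the original deck. The call-record layout, the sample records and the thresholds (a factor of 10 around each subscriber's median duration, at least 3 calls for a baseline) are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Cdr:
    subscriber: str
    start: int     # seconds from the start of the observation window
    duration: int  # seconds
    dest: str


# Constructed sample call detail records.
CDRS = [
    Cdr("SUB-A", 0, 120, "local"),
    Cdr("SUB-A", 300, 90, "local"),
    Cdr("SUB-A", 900, 150, "local"),
    Cdr("SUB-B", 0, 600, "premium"),
    Cdr("SUB-B", 100, 600, "premium"),  # starts while the first call is active
    Cdr("SUB-B", 650, 90, "local"),     # starts while the second is active
    Cdr("SUB-C", 0, 100, "local"),
    Cdr("SUB-C", 500, 110, "local"),
    Cdr("SUB-C", 1000, 95, "local"),
    Cdr("SUB-C", 2000, 7200, "intl"),   # far longer than this subscriber's norm
    Cdr("SUB-C", 10000, 2, "local"),    # far shorter than this subscriber's norm
]


def group_by_subscriber(cdrs):
    grouped = defaultdict(list)
    for cdr in cdrs:
        grouped[cdr.subscriber].append(cdr)
    return grouped


def concurrent_calls(cdrs):
    """Count, per subscriber, calls that start before an earlier call ended."""
    alerts = {}
    for sub, calls in group_by_subscriber(cdrs).items():
        latest_end, overlaps = -1, 0
        for cdr in sorted(calls, key=lambda c: c.start):
            if cdr.start < latest_end:
                overlaps += 1
            latest_end = max(latest_end, cdr.start + cdr.duration)
        if overlaps:
            alerts[sub] = overlaps
    return alerts


def duration_outliers(cdrs, factor=10, min_calls=3):
    """Flag durations more than `factor` times above or below the
    subscriber's own median; subscribers with too few calls are skipped."""
    alerts = {}
    for sub, calls in group_by_subscriber(cdrs).items():
        if len(calls) < min_calls:
            continue  # not enough history for a baseline
        base = median(c.duration for c in calls)
        odd = [c.duration for c in calls
               if c.duration > base * factor or c.duration * factor < base]
        if odd:
            alerts[sub] = odd
    return alerts


if __name__ == "__main__":
    print("concurrent calls :", concurrent_calls(CDRS))
    print("duration outliers:", duration_outliers(CDRS))
```
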
  • 11. ATTACKS ON GSM NETWORKS  Eavesdropping. This is the capability whereby the intruder eavesdrops on signalling and data connections associated with other users. The required equipment is a modified MS.  Impersonation of a user. This is the capability whereby the intruder sends signalling and/or user data to the network, in an attempt to make the network believe they originate from the target user. The required equipment is again a modified MS.  Impersonation of the network. This is the capability whereby the intruder sends signalling and/or user data to the target user, in an attempt to make the target user believe they originate from a genuine network. The required equipment is modified BTS.
  • 12. ATTACKS ON GSM NETWORKS  Man-in-the-middle. This is the capability whereby the intruder puts itself in between the target user and a genuine network and has the ability to eavesdrop, modify, delete, re-order, replay, and spoof signalling and user data messages exchanged between the two parties. The required equipment is modified BTS in conjunction with a modified MS.  Compromising authentication vectors in the network. The intruder possesses a compromised authentication vector, which may include challenge/response pairs, cipher keys and integrity keys. This data may have been obtained by compromising network nodes or by intercepting signalling messages on network links.
  • 13. DE-REGISTRATION SPOOFING  An attack that requires a modified MS and exploits the weakness that the network cannot authenticate the messages it receives over the radio interface.  The intruder spoofs a de-registration request (IMSI detach) to the network.  The network de-registers the user from the visited location area and instructs the HLR to do the same. The user is subsequently unreachable for mobile terminated services.  3G: Integrity protection of critical signalling messages protects against this attack. More specifically, data authentication and replay inhibition of the de-registration request allows the serving network to verify that the de-registration request is legitimate.
  • 14. LOCATION UPDATE SPOOFING  An attack that requires a modified MS and exploits the weakness that the network cannot authenticate the messages it receives over the radio interface.  The user spoofs a location update request in a different location area from the one in which the user is roaming.  The network registers in the new location area and the target user will be paged in that new area.  The user is subsequently unreachable for mobile terminated services.  3G: Integrity protection of critical signalling messages protects against this attack. More specifically, data authentication and replay inhibition of the location update request allows the serving network to verify that the location update request is legitimate.
  • 15. CAMPING ON A FALSE BTS  An attack that requires a modified BTS and exploits the weakness that a user can be enticed to camp on a false base station.  Once the target user camps on the radio channels of a false base station, the target user is out of reach of the paging signals of the serving network in which he is registered.  3G: The security architecture does not counteract this attack. However, the denial of service in this case only persists for as long as the attacker is active unlike the above attacks which persist beyond the moment where intervention by the attacker stops. These attacks are comparable to radio jamming which is very difficult to counteract effectively in any radio system.
  • 16. CAMPING ON FALSE BTS/MS  An attack that requires a modified BTS/MS and exploits the weakness that a user can be enticed to camp on a false base station.  A false BTS/MS can act as a repeater for some time and can relay some requests in between the network and the target user, but subsequently modify or ignore certain service requests and/or paging messages related to the target user.  3G: The security architecture does not prevent a false BTS/MS relaying messages between the network and the target user, neither does it prevent the false BTS/MS ignoring certain service requests and/or paging requests.  Integrity protection of critical message may however help to prevent some denial of service attacks, which are induced by modifying certain messages.
  • 17. FAKE BTS • IMSI catcher by Law Enforcement • Intercept mobile originated calls • Can be used for over-the-air cloning
  • 18. TYPES OF ATTACKS AGAINST MOBILE NETWORKS
  • 20. GSM SECURITY As all cellular communications are sent over the air interface, it is less secure than a wired network, as it opens the door to eavesdroppers with appropriate receivers. Several security functions were built into GSM to safeguard subscriber privacy. These include:  Authentication of the registered subscribers only  Secure data transfer through the use of encryption  Subscriber identity protection  Mobile phones are inoperable without a SIM  Duplicate SIMs are not allowed on the network  Securely stored KI
  • 21. SECURITY BY OBSCURITY  In April 1998, the Smartcard Developer Association (SDA) together with two U.C. Berkeley researchers claimed to have cracked the COMP128 algorithm stored on the SIM. By sending a large number of challenges to the authorization module, they were able to deduce the KI within several hours. They also discovered that KC uses only 54 bits of the 64 bits. The remaining 10 bits are replaced by zeros, which makes the cipher key purposefully weaker.  The GSM Alliance responded to the incident, stating that even if a SIM could be cloned it would serve no purpose, as the GSM network would allow only one call from any phone number at any one time. GSM networks are also capable of detecting and shutting down duplicate SIM codes found on multiple phones.  In August 1999, an American group of researchers claimed to have cracked the weaker A5/2 algorithm commonly used in Asia, using a single PC within seconds.  In December 1999, two leading Israeli cryptographers claimed to have cracked the strong A5/1 algorithm responsible for encrypting conversations. They admit the version they cracked may not be the exact version used in GSM handsets, as GSM operators are allowed to make small modifications to the GSM algorithms. The researchers used a digital scanner and a high end PC to crack the code. Within two minutes of intercepting a call with a digital scanner, the researchers were able to listen to the conversation.  The GSM Alliance of North America has claimed that none of its members use the A5/1 algorithm, opting for more recently developed algorithms.
  • 22. THIRD GENERATION WIRELESS  Evolution from existing European and US digital cellular systems (W-CDMA, CDMA2000, UMTS).  Promises broadband multimedia on everyone’s handset and a multitude of related services.  Spectrum up for auctions in many countries, put many operators in financial debt.  Delays in 3G rollouts cast doubt over its success. Some talk about jumping to 4G directly.
  • 23. THE GPRS NETWORK INFRASTRUCTURE
  • 24. 3G SECURITY MODEL  Network access security (I): the set of security features that provide users with secure access to 3G services, and which in particular protect against attacks on the (radio) access link;  Network domain security (II): the set of security features that enable nodes in the provider domain to securely exchange signalling data, and protect against attacks on the wireline network;  User domain security (III): the set of security features that secure access to mobile stations  Application domain security (IV): the set of security features that enable applications in the user and in the provider domain to securely exchange messages.  Visibility and configurability of security (V): the set of features that enables the user to inform himself whether a security feature is in operation or not and whether the use and provision of services should depend on the security feature.
  • 25. 3G VS. GSM  A change was made to defeat the false base station attack. The security mechanisms include a sequence number that ensures that the mobile can identify the network.  Key lengths were increased to allow for the possibility of stronger algorithms for encryption and integrity.  Mechanisms were included to support security within and between networks.  Security is based within the switch rather than the base station as in GSM. Therefore links are protected between the base station and switch.  Integrity mechanisms for the terminal identity (IMEI) have been designed in from the start, rather than being introduced late as in GSM.
  • 26. 3G VS. GSM  GSM authentication vector: temporary authentication data that enables a VLR/SGSN to engage in GSM AKA with a particular user. A triplet consists of three elements: a) a network challenge RAND, b) an expected user response SRES and c) a cipher key Kc.  UMTS authentication vector: temporary authentication data that enables a VLR/SGSN to engage in UMTS AKA with a particular user. A quintet consists of five elements: a) a network challenge RAND, b) an expected user response XRES, c) a cipher key CK, d) an integrity key IK and e) a network authentication token AUTN.
  • 27. GSM AND GPRS SECURITY The main function of a GSM/GPRS network is to support and facilitate the transmission of information, whether it is voice or non-voice. As with any form of information transmission, there exist associated information security risks. When information is transmitted across a GSM/GPRS network, security measures must be taken to protect the information from unauthorized access. The type of information that must be protected on a GSM/GPRS network includes the following:  User Data – This is either voice or non-voice data sent or received by users registered on a GSM/GPRS network.  Charging Information – Information collected from the SGSN and GGSN used to bill for non-voice services.  Subscriber Information – This information is stored in the mobile station, the HLR and the VLR. This is customer specific information for subscribers and roaming users.  Technical Information of the GSM/GPRS Network – This information describes and lays out the GSM/GPRS network architecture and configuration.
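How the quintet from slides 25 and 26 lets the mobile identify the network, as an added example that is not part of the original deck: the USIM checks the MAC carried in AUTN and then the freshness of the sequence number before it answers the challenge. HMAC-SHA256 stands in for the f1 to f5 functions (it is not MILENAGE), the sequence-number check is reduced to "strictly greater than the last accepted value", and the key, RAND and AMF values are constructed.

```python
import hashlib
import hmac

AMF = b"\x80\x00"  # constructed value for the 16-bit management field


def _f(k: bytes, label: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for f1..f5: HMAC-SHA256 truncated to n bytes (NOT MILENAGE)."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_quintet(k: bytes, sqn: int, rand: bytes):
    """Home network side: build (RAND, XRES, CK, IK, AUTN)."""
    sqn_b = sqn.to_bytes(6, "big")                 # 48-bit sequence number
    mac = _f(k, b"f1", sqn_b + rand + AMF, 8)      # network authentication MAC
    xres = _f(k, b"f2", rand, 8)
    ck = _f(k, b"f3", rand, 16)
    ik = _f(k, b"f4", rand, 16)
    ak = _f(k, b"f5", rand, 6)                     # anonymity key hides SQN
    autn = _xor(sqn_b, ak) + AMF + mac             # (SQN xor AK) || AMF || MAC
    return rand, xres, ck, ik, autn


class Usim:
    def __init__(self, k: bytes, sqn_ms: int = 0):
        self._k = k
        self.sqn_ms = sqn_ms  # highest sequence number accepted so far

    def authenticate(self, rand: bytes, autn: bytes):
        """Return (status, RES); RES is released only if the network checks out."""
        if len(autn) != 16:
            return "malformed", None
        ak = _f(self._k, b"f5", rand, 6)
        sqn_b, amf, mac = _xor(autn[:6], ak), autn[6:8], autn[8:]
        xmac = _f(self._k, b"f1", sqn_b + rand + amf, 8)
        if not hmac.compare_digest(mac, xmac):
            return "mac_failure", None   # sender does not know K
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_ms:
            return "sync_failure", None  # stale vector: replay of an old one
        self.sqn_ms = sqn
        return "ok", _f(self._k, b"f2", rand, 8)


if __name__ == "__main__":
    k, rand = bytes(range(16)), b"\x11" * 16  # constructed key and challenge
    usim = Usim(k)
    _, xres, _, _, autn = make_quintet(k, 1, rand)
    print("fresh vector   :", usim.authenticate(rand, autn)[0])
    print("replayed vector:", usim.authenticate(rand, autn)[0])
    forged = make_quintet(b"\xff" * 16, 2, rand)[4]
    print("wrong-key AUTN :", usim.authenticate(rand, forged)[0])
```

A GSM SIM given the same inputs has no equivalent check: the triplet carries no AUTN, so there is nothing for it to verify before answering.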