There are well documented security flaws in GSM, and publicly available tools to exploit them. At the same time, it has become considerably cheaper and easier to analyze GSM traffic over the past few years. Open source tools such as gr-gsm have matured, and the community has developed methods for capturing the GSM spectrum without the need for expensive SDR radios.
With less than $100 and a weekend it’s possible to capture and analyze GSM traffic. With some extra effort it’s possible to decrypt your own traffic, and depending on how your mobile provider has set up their network it may even be possible for somebody else to illegally decrypt traffic they don’t own.
GSM is terrifying.
I remember reading somewhere that the move to VoLTE is considered a “risk” for secret services worldwide because they cannot intercept VoLTE calls as easily as GSM.
@Kurkosdr That is not surprising, and it is understandable.
As for finding something specific in GSM traffic, while it’s not impossible, it must really be a needle in a haystack: easily demonstrated in ideal circumstances, but probably far harder in real-life scenarios. I don’t think we need to worry about nefarious Lotharios, but state actors might be a very different issue!
I wonder what the math is when you have to trawl through 5x or 10x as much traffic?
For IoT hobbyists like myself there is a bigger issue, as those short messages can expose huge vulnerabilities.
The secret services do not deal with GSM, they have direct access to tap into phone calls at the provider level. Possibly VoLTE adds end-to-end encryption which would defeat that.
Of course they can. All the legitimate intelligence services have hooks at telcos. Of course they need a warrant to use those, but they need that in all “civilized” countries.
Carewolf,
If I recall, about 70% of US telephone infrastructure is directly tapped by the government 24/7. I’m positive that they collect 100% of the metadata on every call, but this doesn’t imply they’re recording everyone’s calls. But they have the technical ability to tap any call and do so without serving a warrant to a private company.
https://arstechnica.com/uncategorized/2006/04/6585-2/
https://theintercept.com/2016/11/16/the-nsas-spy-hub-in-new-york-hidden-in-plain-sight/
The PRISM program leaked by Snowden covers newer internet technologies and defeats crypto by means of capturing traffic within these companies.
https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29
In addition to PRISM, the NSA had managed to secretly tap unencrypted traffic at google & yahoo data centers unbeknownst to these companies.
https://www.cnet.com/news/nsa-taps-into-google-yahoo-clouds-can-collect-data-at-will-says-post/
Google was furious and responded by employing VPN encryption even for the private networks, something they probably should have been doing all along. Of course the government has systematically defended its actions, but it does highlight how the US government feels entitled to just about everything without the need for warrants.
Yes GSM is as secure as a colander. 3G and 4G inherit those insecurities. 5G is a lot better especially now people have cottoned on to how committees and standards can be usurped. 5G is better but not perfect.
GCHQ’s “time machine” and network monitoring culls a lot of the garbage. Specialist hardware designed for handling specific data can rip through data magnitudes quicker than off-the-shelf hardware. For the likes of GCHQ and their opposite numbers these kinds of tasks are easy. It’s their bread and butter. They do it every day and have access to the PhDs and accumulated institutional expertise, and while budgets are not infinite, they are high enough to be “good enough” and in effect infinite compared to their targets. All of the above is used in combination with open source data and data from other sources like SATINT (including visible light and IR and ground penetrating radar) and HUMINT for target identification and to cull the junk. So yes, while the amount of traffic is considerable, much like graphics processing, after culling the junk the overall amount is reduced by a few orders of magnitude, plus backend specialist hardware can crunch what they have quicker than anything off the shelf. It’s probably old by now, but the publicly available leaked specs for the IBM/NSA/GCHQ prototype had a few hundred ASICs for crunching through data, so that gives you an idea of the type and nature of hardware being used.
Thanks to GCHQ and weak-minded ministers the UK doesn’t have fully open network tower sharing for calls in progress, so end users continue to experience network black spots. That’s on top of the “spy cops” scandal and “licence to kill” legislation and fighting EU privacy law every step of the way.
This is why things like democracy underpinned by human rights law and accountability and a necessary level of transparency and redress is important.
GCHQ is probably the world’s most powerful and respected government intelligence and cryptography organisation, likely beating the Pentagon for technology and sophistication. It’s not unusual for the US, Canada and other allies to come to the UK for intelligence.
Whether it’s a good thing or not, I’m not here to judge, but it definitely keeps the UK on the stage with the other big world players.
I daresay what you say including caveats is true. Out of politeness and respect I won’t beat the drum too hard. There is a lot of first class effort on things which matter by people all around the world.
Even so discussing state actors that can leverage these weaknesses is not the same as inferring GSM is wide open to any spud with a two cent oscilloscope!
To get any reasonable quantity of usable data out of scraping it you need to be operating your own supercomputer or ASIC, something that still takes a lot of money to set up.
Yes, this is true. Even if you had the tools who would you target and why and what useful information would you get? 99% of phone calls are boring to 99% of other people. If you have something very valuable or you are a target for some reason the risk rises a notch or two. Most of us aren’t worth the effort and most adversaries are too lazy.
@HollyB
Yes, I’m sure that in 99% of cases there is probably a much easier, more conventional way to get this information. I appreciate a state actor might use man-in-the-middle, but that nearly always combines data scraping with conventional surveillance techniques like video or direct observation; perhaps face recognition has helped automate some of this to narrow the data search, but none of that will help the $0.02 hacker.
I suppose nefarious types could mine the data like bitcoin mining, but how much energy and cost goes into getting a return? The overhead would grow exponentially.
cpcf,
I don’t think it’s particularly difficult for those who are willing and able to conduct a man-in-the-middle attack. GSM has no end-to-end encryption, it just encrypts wireless traffic between the handset and base station. This means that if you can convince a target to connect to your base station (there are various tricks to do this), you could get the same privileged access as the network operator.
https://hackaday.com/2016/04/08/build-your-own-gsm-base-station-for-fun-and-profit/
I believe there are some legitimate consumer products like femtocells that do something similar (although I’m not sure how easy they are to hack or what they’re using for crypto on the back end).
https://www.thinksmallcell.com/FAQs/faq.html
https://www.landmarkdividend.com/femtocells/
I assume some kind of product certification is required to legally operate your own base station(s).
@Alfman
When doing some IoT experimentation I used my brother’s home as it sits on a hillside below a major cell tower; distance to the antenna is about 150ft line of sight. I was trying to create a budget geolocation system for a sensor without GPS, and I thought being close to a cell would simplify the early work on the basis that signals travel at roughly 1ft per nanosecond. No matter what I did I could not stop the hardware hopping between base stations, it’s inherent in the GSM protocol, even though one is only 150ft away and the next closest is probably 5000ft away.
While that is good for finding out where you are, it’s rubbish when you are trying to develop and debug very low cost hardware.
It’s not as easy as it sounds.
cpcf,
I want to hear more about that! Do you have a write up for it? I’ve wanted to do something similar for my DIY projects.
I’ve tried to triangulate position using standard wifi access points because some Wifi drivers report signal strength, but it’s not accurate enough for this purpose.
I was considering that, with a sufficiently fast SDR, it might be possible to triangulate using time of flight. I’ve successfully used bladeRF radios with ~12 MHz raw bandwidth on USB2 some years ago. Nowadays I could get a USB3 SBC, which theoretically gets me 61 MHz according to the bladeRF specs. I don’t know that a cheap SBC could handle it in real time, but it’d be fun to try. At 61 MHz, light travels about 5m for each sample taken by the SDR unit, which doesn’t provide us with great resolution. However by processing multiple wave cycles (perhaps thousands of them) it should be possible to get a much better statistical average. I think this has a good chance of working, however this is quite expensive and the processing power isn’t very portable.
I purchased a few (cheap) lidar units for <$100 off ebay, and these have proven to be very accurate and easy to use with a micro-controller, however the range is extremely limited especially in outdoor conditions. I wish I had access to one of the lidars that are used in self driving cars, but I can’t afford it.
I also tried pre-existing ultrasonic modules. These are so cheap I was able to purchase loads of them I think around $1 a piece from china. And they work but after about 20ft they become less reliable and they need more environmental calibration. I think if I make my own custom sonic drivers and sensors that I'll be able to build something that works at longer ranges (I'd like it to cover a typical residential property entirely) but so far I haven't gotten around to it.
I tested GPS using my own phone but the results weren't precise enough at small-scales. This is pretty much what I got…
https://www.gps.gov/systems/gps/performance/accuracy/
These limitations, along with latency make it clear that some form of local triangulation is needed.
I hadn’t considered trying to triangulate based on GSM towers, I’d like it to work in areas without cell service. But it does make me curious, is there an easy way to get the necessary timing information from GSM radios? I’d love to hear what you’ve tried 🙂
I believe the stingrays that governments use can jam competing services.
https://theintercept.com/2020/07/31/protests-surveillance-stingrays-dirtboxes-phone-tracking/
I vaguely recall seeing a demo of this on youtube, I’ll try and see if I can find it again, although it wouldn’t surprise me if it was taken down as illegal content.
Not quite what we’re talking about, but this guy’s using a python script and cheap SDR to capture IMSI data of phones connecting to the tower. I don’t think this data is encrypted, but it’s still interesting how easily it can be done.
https://www.youtube.com/watch?v=UjwgNd_as30
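The time-of-flight idea in the comment above can be checked with a small simulation. The following is an added example, not code from the commenter or from the article: it places four receivers and one transmitter at constructed coordinates, timestamps each arrival only to the nearest sample at the 61 MHz rate quoted above (so about 4.9 m per sample), solves the time-difference-of-arrival (TDOA) problem by Gauss-Newton least squares, and shows how averaging many dithered measurements pushes the error below the single-sample resolution. The anchor positions, transmitter position and jitter model are assumptions for the example.

```python
"""Added example: 2-D TDOA multilateration limited by SDR sample rate.

Not from the original thread. Receiver ("anchor") positions, the transmitter
position and the clock-jitter model are constructed for illustration.
"""
import math
import random

C = 299_792_458.0        # speed of light, m/s (~1 ft per nanosecond, as the thread says)
SAMPLE_RATE = 61e6       # assumed SDR sample rate in Hz, from the bladeRF figure quoted above

# Constructed geometry in metres: four receivers with known positions, one transmitter.
ANCHORS = [(0.0, 0.0), (400.0, 0.0), (0.0, 300.0), (400.0, 300.0)]
TRUE_POS = (120.0, 210.0)


def metres_per_sample(rate=SAMPLE_RATE):
    """Distance light travels in one sample period (~4.9 m at 61 MHz)."""
    return C / rate


def time_of_arrival(anchor, pos):
    return math.dist(anchor, pos) / C


def quantise(t, rate=SAMPLE_RATE, jitter=0.0):
    """A receiver timestamps an arrival to the nearest sample; jitter models clock noise."""
    return round((t + jitter) * rate) / rate


def centroid(anchors):
    n = len(anchors)
    return (sum(p[0] for p in anchors) / n, sum(p[1] for p in anchors) / n)


def tdoa_solve(anchors, tdoas, guess, iters=50):
    """Gauss-Newton least squares on residuals r_i = (d_i - d_0) - C*tdoa_i for i >= 1,
    where d_i is the distance from the estimate to anchor i and tdoa_i = t_i - t_0."""
    x, y = guess
    a0x, a0y = anchors[0]
    for _ in range(iters):
        d0 = math.dist((a0x, a0y), (x, y))
        a = b = c = g0 = g1 = 0.0          # J^T J = [[a, b], [b, c]], J^T r = [g0, g1]
        for (ax, ay), dt in zip(anchors[1:], tdoas):
            di = math.dist((ax, ay), (x, y))
            r = (di - d0) - C * dt
            jx = (x - ax) / di - (x - a0x) / d0   # d r / d x
            jy = (y - ay) / di - (y - a0y) / d0   # d r / d y
            a += jx * jx
            b += jx * jy
            c += jy * jy
            g0 += jx * r
            g1 += jy * r
        det = a * c - b * b
        if abs(det) < 1e-12:
            break
        dx = (c * g0 - b * g1) / det           # solve (J^T J) [dx, dy] = J^T r
        dy = (a * g1 - b * g0) / det
        x -= dx
        y -= dy
        if math.hypot(dx, dy) < 1e-6:
            break
    return x, y


def exact_solve_error(anchors=ANCHORS, true_pos=TRUE_POS):
    """Sanity check: with unquantised TDOAs the solver recovers the true position."""
    t0 = time_of_arrival(anchors[0], true_pos)
    tdoas = [time_of_arrival(a, true_pos) - t0 for a in anchors[1:]]
    return math.dist(tdoa_solve(anchors, tdoas, centroid(anchors)), true_pos)


def quantised_solve_error(n_avg, jitter_samples=1.0, anchors=ANCHORS, true_pos=TRUE_POS, seed=1):
    """Average n_avg sample-quantised TDOA measurements, solve, return the error in metres.
    jitter_samples is the assumed clock noise (std dev, in sample periods); with zero jitter
    every measurement rounds the same way and averaging cannot help."""
    rng = random.Random(seed)
    sigma = jitter_samples / SAMPLE_RATE
    ideal = [time_of_arrival(a, true_pos) for a in anchors]
    sums = [0.0] * (len(anchors) - 1)
    for _ in range(n_avg):
        seen = [quantise(t, SAMPLE_RATE, rng.gauss(0.0, sigma)) for t in ideal]
        for i in range(1, len(anchors)):
            sums[i - 1] += seen[i] - seen[0]
    tdoas = [s / n_avg for s in sums]
    return math.dist(tdoa_solve(anchors, tdoas, centroid(anchors)), true_pos)


if __name__ == "__main__":
    print(f"resolution per sample: {metres_per_sample():.2f} m")
    print(f"exact TDOA solve error: {exact_solve_error():.4f} m")
    for n in (1, 100, 2000):
        print(f"{n:5d} averaged measurements: {quantised_solve_error(n):.2f} m error")
```

Two points worth noticing when running it: averaging only beats the ~4.9 m sample resolution because the clock jitter dithers the rounding (set `jitter_samples=0.0` and the averaged result is no better than a single shot), and the geometry matters as much as the timing, since receivers share the reference arrival t_0 and their errors are correlated.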
@Alfman
No write-ups, just hobby stuff. My project wasn’t for moving sensors; they were relocatable but fixed when in operation. The trick I was trying to leverage was that using GSM you can peg down the tower location very accurately, but even so problems arise in variability, reflections and diffraction, which limits location accuracy to a couple of hundred yards. You just simply cannot know the path the signal takes to get to your device, so I gave up. I did find a nice math write-up about this long ago which explained why it was a folly; if I find it I’ll post a link.
I believe you are 100% correct about the stingrays jamming other towers, it’s key to the success of state actors, you can’t just put a new base station in the line of sight and expect it would work. Whether this was by good design or good luck I don’t know, I suppose now they will claim good design.
btw., We aren’t the first or the last, apparently there were big defence projects years ago trying to use cell tower signals as a form of passive radar tracking. Looks like they got nowhere as well for the same basic reasons.
Fact is that GSM’s protections held up incredibly long as it is a protocol from the 1980s. Many security protocols developed in later years held up much less long. Today GSM is not suited anymore for security systems. SMS is typically offered as a second factor with dual-factor authentication however. It would be interesting if somebody could intercept large volumes of SMS traffic.
GSM has built-in weaknesses courtesy of GCHQ nobbling the standards committees. It’s similar with the NSA nobbling encryption standards. SMS second-factor authorisation is so open to abuse that it’s better than nothing to guard against low-hanging fruit but otherwise not secure at all. Everyone now knows about IMSI catchers. Yes, intelligence services do monitor for these. If you sit there using one, depending on unpublished policy, you run the risk of your targets being tipped off and/or you’re going to get done. 5G has MIMO used as a phased array. Triangulation won’t be exact but in combination with other data such as map data it can, if everything is right, be used to fairly accurately identify a location, especially if the target is moving. Wifi can be used as a location device or crude radar.
You can pick up an SDR off Ebay for £10. I have one in the form of a television USB stick. Other IHVs or IC vendors may blow the fuses to limit functionality but for large numbers of radio devices built on an underlying SDR the only limit is the software.
Anyone who thinks seL4 hasn’t been nobbled is a joker. Of course it has. As per system theory you cannot assume it hasn’t. There is also no way on God’s Earth seL4 is a final product with every hardening trick in the book thrown at it. The same is true with comms standards.
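For the IMSI catchers mentioned above and the IMSI-capture video linked earlier in the thread, the relevant detail is that the MM Identity Request / Identity Response exchange happens before ciphering is switched on, so the IMSI travels as plain BCD digits. The following is an added example, not code from the thread or from any of the linked projects: it encodes and decodes the Mobile Identity information element as specified in 3GPP TS 24.008 (10.5.1.4), parses a constructed Identity Response, and builds the Identity Request a catcher would send. The sample bytes are constructed for the example (test PLMN 001-01), not captured traffic.

```python
"""Added example: GSM Mobile Identity IE (3GPP TS 24.008, 10.5.1.4) encode/decode.

Not from the original thread. Sample messages below are constructed.
"""

MM_PROTOCOL_DISCRIMINATOR = 0x05
MT_IDENTITY_REQUEST = 0x18
MT_IDENTITY_RESPONSE = 0x19
IDENTITY_TYPES = {0: "none", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}

# Constructed MM Identity Response: PD=MM, MT=0x19, length 8, then the Mobile Identity
# value carrying IMSI 001010123456789 (test network 001-01).
IDENTITY_RESPONSE_SAMPLE = bytes.fromhex("05 19 08 09 10 10 10 32 54 76 98")


def decode_mobile_identity(ie: bytes) -> dict:
    """Decode the value part of a Mobile Identity IE.

    Octet 1: bits 1-3 type of identity, bit 4 odd/even digit count, bits 5-8 first
    digit (1111 for TMSI). Each following octet carries two BCD digits, low nibble
    first; an even digit count ends with a 0xF filler in the last high nibble.
    """
    if not ie:
        raise ValueError("empty mobile identity")
    id_type = ie[0] & 0x07
    odd = bool(ie[0] & 0x08)
    if id_type == 0:
        return {"type": "none", "value": ""}
    if id_type == 4:
        if len(ie) != 5:
            raise ValueError("TMSI identity must be 5 octets")
        return {"type": "TMSI", "value": ie[1:].hex()}
    if id_type not in IDENTITY_TYPES:
        raise ValueError(f"reserved identity type {id_type}")
    digits = [ie[0] >> 4]
    for octet in ie[1:]:
        digits.append(octet & 0x0F)
        digits.append(octet >> 4)
    if not odd:
        if digits[-1] != 0x0F:
            raise ValueError("even digit count requires 0xF filler")
        digits.pop()
    if any(d > 9 for d in digits):
        raise ValueError("non-BCD digit in identity")
    return {"type": IDENTITY_TYPES[id_type], "value": "".join(str(d) for d in digits)}


def encode_digit_identity(digits: str, id_type: int = 1) -> bytes:
    """Inverse of decode_mobile_identity for the digit identities IMSI, IMEI, IMEISV."""
    if id_type not in (1, 2, 3) or not digits.isdigit():
        raise ValueError("digit identities are IMSI, IMEI or IMEISV")
    d = [int(ch) for ch in digits]
    odd = len(d) % 2 == 1
    out = bytearray([(d[0] << 4) | (0x08 if odd else 0x00) | id_type])
    rest = d[1:] + ([] if odd else [0x0F])        # pad to a whole octet when even
    for lo, hi in zip(rest[0::2], rest[1::2]):
        out.append((hi << 4) | lo)
    return bytes(out)


def build_identity_request(id_type: int = 1) -> bytes:
    """MM Identity Request: PD, message type, identity type in the low nibble (high nibble spare)."""
    return bytes([MM_PROTOCOL_DISCRIMINATOR, MT_IDENTITY_REQUEST, id_type & 0x07])


def parse_identity_response(l3: bytes):
    """Decode the identity from an MM Identity Response; None for any other L3 message.

    The high nibble of octet 1 is skip/transaction bits and bits 7-8 of the uplink
    message type octet carry the send sequence number, so both are masked off.
    """
    if len(l3) < 3:
        return None
    if (l3[0] & 0x0F) != MM_PROTOCOL_DISCRIMINATOR or (l3[1] & 0x3F) != MT_IDENTITY_RESPONSE:
        return None
    length = l3[2]
    ie = l3[3:3 + length]
    if len(ie) != length:
        raise ValueError("truncated mobile identity")
    return decode_mobile_identity(ie)


if __name__ == "__main__":
    print("catcher sends :", build_identity_request().hex(" "))
    print("phone answers :", IDENTITY_RESPONSE_SAMPLE.hex(" "))
    print("decoded       :", parse_identity_response(IDENTITY_RESPONSE_SAMPLE))
```

The same decoder handles the TMSI form (first octet 0xF4 followed by four octets), which is what a network hands out precisely so the IMSI need not be sent again; a catcher that answers a TMSI with an Identity Request for type 1 forces the phone back to the permanent identity.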
HollyB,
Let it go, SEL4 is off topic now. The rest is fine 🙂
I do wonder how much 5G has been/will be compromised. There have been a lot of political power plays and banning of foreign 5G vendors.
https://www.salon.com/2020/08/15/5g-is-the-first-stage-of-a-tech-war-between-the-us-and-china_partner/
Part of me is suspicious of the government’s motives though. Which country is more trustworthy in terms of 5G manufacturing, US or China? This shouldn’t be such a tough call, haha. China will obviously wiretap all of its own citizens, but would it risk its own global economic future selling backdoored equipment that would likely get discovered? On the other side of the pond the US government has been caught red-handed and I’m particularly wary of it because each time they openly lied about it.
We probably need to give up on secure infrastructure and just assume it’s compromised from the get-go. End to end encryption is the only thing we should be putting faith in. There still are challenges, but at least it mitigates most types of middleman attacks assuming the software doesn’t do any trickery with the encryption keys.
@Alfman
Flash an ankle and you couldn’t resist. You didn’t have to say anything. Hah hah. Triggered you! But yes, you have to consider the geopolitical context and honesty and risk assessment of all the various players, and assume everything is compromised. There’s no need to be paranoid or make lifestyle changes for the overwhelming majority of people. End-to-end encryption and basic common sense with updates and a degree of care in use will cover most people for most uses most of the time.
Decent laws, accountability and transparency, and availability of redress covers most of the civil society issues. Experts and NGOs have a role to play as does the citizen. In a lot of ways this is the best security as it keeps the worst in check. Other than this nothing is trustworthy.
I had my doubts about one app on one of my phones. There was something niggling me about it and I no longer had a use for it so removed it the other month. Because of this it was funny that I read the other week on Slashdot the app code had been compromised in December. It may not have been the Chinese who got to it. It may just have been a gradual trend catching on among criminals to target sourcecode servers which may have been what was niggling me. I tend to remove or freeze updating apps if they develop habits like pinging servers or are taken over by shady businesses. I also have little to no critical information on my phones. My emergency phone is an old school feature phone: smaller, lighter, less breakable and a longer battery life. Totally stock. Nothing on it.
HollyB,
Kind of, but I wouldn’t put everything on the same level. Personally I feel there is a greater risk with proprietary software simply because it’s a black box and you need a lot more trust in a single party.
I am reminded of the secret 3rd “nsa” key discovered in the Windows crypto validation library. This likely gave the NSA the ability to sign its own code as trustworthy on any Windows machine. It was discovered when a developer accidentally shipped a debug build. FOSS isn’t a guarantee, but at least the source code is public and developers are not bound by NDAs. This makes 3rd party auditing possible and makes it harder to plant exploits without a whistle-blower coming forward.
I’ve been there. Unfortunately it’s hard to be proactive when you’re scrolling through hundreds of apps and you have no way of knowing an author’s intentions. It’s common for apps to phone home now as a matter of course. The F-Droid android app store does a decent job manually removing and documenting these kinds of anti-features, but the app selection is limited. For the millions of apps in the main app stores I don’t think it’s going to get easier for users to find un-bugged apps.