In one of the previous installments of our GSM saga we mentioned an urban legend about hijacking encryption keys on the fly. It presupposes that someone can clone your SIM card without any physical manipulation, even if only as a temporary clone. However, the Ki key is stored locally on the SIM card and in the carrier’s database, so it never leaves its home. So, what’s the trick? In theory, an adversary can set up a fake base station emitting a strong signal and imitate legitimate authentication requests, sending random RAND challenges and collecting the SRES responses (if you are unsure what all this means, it’s time to check out the ). Using this method, an attacker is able to calculate Ki with the help of cryptanalysis, just the way they would when having physical access to the SIM card.

The evolution of the SIM card – what has changed, what has not? — Kaspersky Lab (@kaspersky)

However, this method is quite complex: the cryptanalysis takes quite some time and requires a large number of fake requests. While the attacker is busy bombarding the victim with RANDs, the owner of the target phone might leave the fake base station’s radio range, and the adversary would need to follow the victim with the equipment. Well, if we are talking about a well-planned targeted attack, the equipment may be deployed somewhere around the victim’s home. The success of the attack also depends on the encryption algorithm: if the carrier uses, the hack may not work.

In fact, over-the-air attacks are primarily designed to let an adversary eavesdrop on the subscriber’s conversations. As we already know, over-the-air communication is encrypted (except for special cases, when encryption is disabled during law enforcement operations) primarily for this reason: to restrict the ability to listen in on private conversations. The encryption uses the A5 algorithm with a 64-bit key. A5 has two versions: the more robust A5/1 and the less resilient A5/2, which is shipped without restrictions to all ‘potential adversary’ countries.

To do it justice, even an A5/1 key is not a 64-bit but a 54-bit key: the first ten bits are ‘low bits’, which are there for the sake of simplicity. A5/2 is designed to ease the task for secret services working overseas. Previously, the method of hacking A5/1 was based on brute-forcing locally stored data and required so much time that the information in question would lose its relevance before the hack was completed. But today’s PCs (well, not even “today’s”, as the corresponding PoC was first demonstrated back in 2010) are able to crack it in seconds and calculate the key with the help of so-called ‘rainbow tables’. The 1.7 TB set of tables can be stored on fast high-capacity SSDs, which are relatively cheap and available everywhere. The adversary acts passively and does not broadcast anything over the air, which makes them almost untraceable. The complete toolset for cracking the key consists of just the Kraken software with rainbow tables and a moderately ‘fine-tuned’ telephone of the ‘Nokia with a flashlight’ class.
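As an added example, not from the original article, here is a compact A5/1 keystream generator written for this page; the register layout follows the algorithm's public description, the function names are my own, and the Kc and frame-number values are sample inputs. It shows where the 54-bit point comes from: Kc is mixed into the cipher one bit at a time, so every bit fixed to zero simply shrinks the keyspace a rainbow table has to cover.

```python
# Added example (not from the original article): a compact A5/1 keystream
# generator following the publicly documented register layout. It illustrates
# the key loading the text alludes to: Kc is mixed into the registers one bit
# at a time, so every Kc bit fixed to zero shrinks the keyspace a rainbow
# table must cover, from 2**64 to 2**54.
MASKS = (0x07FFFF, 0x3FFFFF, 0x7FFFFF)  # 19-, 22- and 23-bit registers
TAPS = (0x072000, 0x300000, 0x700080)   # feedback taps of each register
MIDS = (0x000100, 0x000400, 0x000400)   # majority-clocking control bits
OUTS = (0x040000, 0x200000, 0x400000)   # output bit (MSB of each register)


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _shift(reg: int, i: int) -> int:
    """Clock register i once: shift left, feed back the XOR of its tap bits."""
    return ((reg << 1) & MASKS[i]) | _parity(reg & TAPS[i])


def _clock_majority(regs: list) -> None:
    """Irregular clocking: a register moves only if its control bit matches the majority."""
    ctrl = [(regs[i] & MIDS[i]) != 0 for i in range(3)]
    maj = sum(ctrl) >= 2
    for i in range(3):
        if ctrl[i] == maj:
            regs[i] = _shift(regs[i], i)


def a51_keystream(kc: bytes, frame: int) -> bytes:
    """Return the 114 downlink keystream bits for (Kc, frame), packed MSB-first."""
    assert len(kc) == 8 and 0 <= frame < 1 << 22
    regs = [0, 0, 0]
    # Key, then frame-number loading: all three registers clock every cycle,
    # each key byte contributing its least significant bit first.
    for i in range(64 + 22):
        regs = [_shift(regs[j], j) for j in range(3)]
        bit = (kc[i // 8] >> (i & 7)) & 1 if i < 64 else (frame >> (i - 64)) & 1
        regs = [r ^ bit for r in regs]
    for _ in range(100):  # 100 mixing clocks whose output is discarded
        _clock_majority(regs)
    out = bytearray(15)
    for i in range(114):
        _clock_majority(regs)
        bit = _parity(regs[0] & OUTS[0]) ^ _parity(regs[1] & OUTS[1]) ^ _parity(regs[2] & OUTS[2])
        out[i // 8] |= bit << (7 - (i & 7))
    return bytes(out)


if __name__ == "__main__":
    # Sample Kc and frame number (constructed values, not from the article).
    print(a51_keystream(bytes.fromhex("1223456789ABCDEF"), 0x134).hex())
```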

Armed with those assets, an attacker would be able to eavesdrop on conversations and intercept, block or alter SMS messages (so don’t consider two-factor authentication for your online bank a ‘digital fortress’). Armed with the key, an adversary can also hijack calls and impersonate the victim. Another killer capability is dynamic cloning. The culprit initiates an outbound call request to the cellular network while the victim is also engaged in a session.

When the network sends back the authorization request, the attacker hijacks it and forwards it to the victim, thus obtaining the Kc key. Then it’s done: the session with the victim is over, whereas the adversary starts their own session with the network, impersonating the victim. This allows them to initiate calls at the victim’s expense and do other things, like sending text messages to premium numbers and siphoning off money through content provider partner programs. This method was once used in Moscow: a group of people would drive around crowded places in a minivan, cloning SIM cards en masse and charging small sums to people’s phones. The criminals managed to remain unnoticed for quite a long time: the rogue operations appeared to have been initiated by legitimate users.