Motivation

History of GSM
Analysis of GMR
Conclusions
Breaking GSM and GMR Voice Encryption
Benedikt Driessen
Horst Görtz Institute for IT Security
Ruhr-University Bochum, Germany
CSE Summer School, Bochum, Germany
5.9.2012
Benedikt Driessen Breaking GSM and GMR
Idea of this talk

Highlight the challenges in security engineering by examining two existing, real-world systems

What happened to the largest cryptosystem over time?

Look at GSM and its development over 30 years

What is the initial effort to disclose and break a weak cryptosystem in a related setting?

Look at recent work on the GMR-1 and GMR-2 satellite communication systems
GSM
(Global System for Mobile Communications)
Who cares about GSM..?!
The origins of GSM and its ciphers

In 1982, Europe began to work on a cell phone system

The Coordinating Committee on Multilateral Export Control (CoCOM) existed to control export of equipment during the Cold War

Cryptography is dual-use, hence cell phone equipment fell under CoCOM regulations

General mindset of the US is reflected here

Strong crypto for the domestic market

Weak crypto for export (1990s: 40-bit security)

CoCOM regulations enforced confidentiality of encryption mechanisms

1987, standardization of A5-type ciphers for over-the-air encryption
A5/1 and A5/2 revealed
[Figures: block diagrams of A5/1 and A5/2]

The general design of the GSM ciphers was leaked in 1994

Briceno reverse engineered the actual ciphers A5/1 and A5/2 from a phone in 1998/99
Attacks on A5/1

A5/1 is the strong cipher and not entirely trivial to break

Theoretical attacks¹

Attacks on the leaked design; Anderson94, Golic97

Known-plaintext attacks on the real A5/1; Biryukov99, Biham00, Ekdahl02, Maximov04, Barkan03 and 06

Ciphertext-only attack; Barkan03

Practical attacks¹

HW/SW trade-off attack; Pornin00

COPACOBANA; Gendrullis08

Open source time/memory trade-off projects

A5 Cracking Project; THC07

Kraken; Nohl09
Attacks on A5/2

A5/2 is the weak cipher and quite efficient to attack

Theoretical attacks¹

Known-plaintext attack; Goldberg99, Petrovic00

Ciphertext-only attack; Barkan03

¹ Several "et al." were omitted due to cosmetic reasons.
Status quo
[Figure: timeline. Labels: GSM kick-off, inception of A5, leak of A5, reverse engineering of A5, initial analysis, known-plaintext, ciphertext-only, open-source TMTO, TMTO tables public]

The A5-type ciphers constitute the largest cryptosystem ever deployed

Today, hardware and software are available to mount passive attacks on the cheap and in negligible time (few seconds)
Background
GMR-1
GMR-2
GMR
(Geo-Mobile Radio)
The GMR standard

Use satellite communication where no cellphone infrastructure available

Oil rigs, ships, airplanes, deserts, poles

GMR-1 and GMR-2 are major standards maintained by ETSI

Estimated user base: 350k–500k active users

Thuraya implements GMR-1, Inmarsat uses GMR-2

TerreStar and SkyTerra currently implement GMR-1 (3G)

Specifications public, ciphers treated as black boxes

What is the security level provided by GMR-based systems?
Network architecture
[Figure: network architecture. Labels: Ground Segment, PSTN, User Segment, C-Band links, L-Band links]
What we knew (and conjectured)

GMR-1 and GMR-2 are derived from GSM

Ciphers are named A5-GMR-1 and A5-GMR-2 (GSM: A5/x)

Session based encryption (e.g. one key per call)

Challenge-and-response protocol involving secret on SIM card

Typical satphone is made up of two processors

General purpose CPU (e.g. ARM) running some embedded OS

Specialized DSP for encoding, modulation, signal processing

ARM responsible for extracting and initializing DSP firmware

Encryption part of encoding process and probably done on DSP


Analysis approach

Unknown ciphers are responsible for security of GMR

Satphones need to implement and execute ciphers

Ciphers can be obtained from satphone software

Perform cryptanalysis to assess security level

Procedure to find ciphers in software

1. Choose appropriate satphone and obtain firmware
2. Dissect firmware, locate DSP initialization in ARM code
3. Reconstruct and dump DSP code
4. Disassemble DSP code
5. Find encryption algorithm
6. Translate algorithm to C code and diagrams
Analyzing Thuraya's firmware

Thuraya SO-2510 (ARM + TI C55x DSP)

Downloaded firmware update from Thuraya's website

IDA to find DSP initialization

QEMU to execute initialization routine

IDA to analyze reconstructed DSP firmware

Static analysis of 240kB of DSP code

No symbols, strings or other clues


Finding A5-GMR-1

Assumption: A5-GMR-1 might bear some resemblance to A5/1 or A5/2

GMR standards are derived from GSM

A5/x based on Linear Feedback Shift Registers (LFSRs)

LFSRs require a lot of XORing and SHIFTing

Idea: Apply heuristics to find cipher (Caballero, 2009)

Rank functions by percentage of XOR/SHIFT operations

Four top ranked functions (35%–40% of XOR/SHIFT) adjacent in memory

Each function implements one LFSR of A5-GMR-1
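
The ranking heuristic from this slide, sketched as an added example (not code from the talk): score each function by its share of XOR/SHIFT instructions, ignore tiny stubs, and look for a run of high-scoring functions that sit next to each other in memory. The function names, addresses and generic mnemonics are constructed placeholders, not TI C55x disassembly.

```python
# XOR/SHIFT ranking heuristic on a constructed function listing.
# Mnemonics are generic placeholders, not real TI C55x disassembly.
BITOPS = {"xor", "shl", "shr"}

# (start address, hypothetical name, mnemonics) - constructed sample
FUNCS = [
    (0x1000, "sub_1000", "mov add mov call cmp bne mov add mov ret"),
    (0x1040, "sub_1040", "mov shl xor mov and xor shr mov add ret"),
    (0x1080, "sub_1080", "mov shr xor mov and xor shl mov or ret"),
    (0x10C0, "sub_10c0", "mov xor shl mov and shr xor mov add ret"),
    (0x1100, "sub_1100", "shl xor mov and mov xor mov shr mov ret"),
    (0x1140, "sub_1140", "mov mul add mov shl mov add cmp bne ret"),
    (0x1180, "sub_1180", "xor ret"),  # tiny stub: 50% bit ops, but only noise
]

def bitop_ratio(ops):
    """Fraction of instructions that are XOR or shift operations."""
    return sum(op in BITOPS for op in ops) / len(ops) if ops else 0.0

def rank_functions(funcs, min_len=8):
    """Rank functions by bit-op ratio, skipping stubs shorter than min_len."""
    scored = [(bitop_ratio(ops.split()), name)
              for _, name, ops in funcs if len(ops.split()) >= min_len]
    return sorted(scored, reverse=True)

def hot_cluster(funcs, threshold=0.35, min_len=8):
    """Longest run of address-adjacent functions at or above the threshold."""
    best, run = [], []
    for _, name, ops in sorted(funcs):
        ops = ops.split()
        if len(ops) >= min_len and bitop_ratio(ops) >= threshold:
            run.append(name)
        else:
            run = []
        if len(run) > len(best):
            best = list(run)
    return best

if __name__ == "__main__":
    for ratio, name in rank_functions(FUNCS):
        print(f"{name}: {ratio:.0%}")
    print("candidate cluster:", hot_cluster(FUNCS))
```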


A5-GMR-1 is a variant of A5/2
[Figures: A5/2 and A5-GMR-1 side by side]

A5-GMR-1 is based on A5/2

Feedback (and output taps) polynomials were changed

Initialization process slightly changed

GSM attacks can be adapted

Known-plaintext attack; Petrovic00

Ciphertext-only attack; Barkan03


From a known keystream attack ..

The clocking of the registers R1–R3 is determined by R4

Classical guess-and-determine attack

Guess R4 and clock cipher to obtain quadratic equations

Linearize equations to obtain Ax = z

Solve equation system and test state candidate x

Session key can be recovered from a state candidate easily

Known keystream (or plaintext) is limited in GMR


.. to a ciphertext-only ..
[Figure: encoding vs. encryption. Encoding chain: cyclic encoding, convolutional code, channel interleave, scrambling, intraburst multiplex; followed by encryption]

Encoding is done prior to encryption

If we don't know $d$, we still know something about the structure of $m'$

Encoding is linear

Encoding $d$ into $m'$ is a linear operation, i.e., $m' = d \cdot G$

Encrypting $m'$ into $m$ is also linear, $m = m' \oplus z$
.. attack on A5-GMR-1

In a ciphertext-only attack scenario we have $m = \underbrace{(d \cdot G)}_{m'} \oplus z$

$G$ can be computed from the GMR specifications

$d$ and $z$ are unknown

Exploit encoding to enable an efficient ciphertext-only attack

Construct parity check matrix $H$ with $H m' = 0$

Use $H$ to cancel out plaintext from ciphertext bits

$H m = H(m' \oplus z) = \underbrace{H m'}_{=0} \oplus H z = H \underbrace{z}_{Ax} = \underbrace{HA}_{S}\, x = S x$

Attack similar to known-plaintext attack, but now we generate and solve $S x = H m$
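
The cancellation step on a toy scale, as an added example that is not from the talk: a Hamming(7,4) code stands in for the GMR channel code, a constructed 7×3 matrix A stands in for the linearized cipher under one guess of R4, and exhaustive search over the 3-bit toy state stands in for solving the linear system. It shows that the syndrome of the ciphertext depends only on the keystream, whatever the data bits were.

```python
from itertools import product

# Toy stand-ins (constructed): Hamming(7,4) plays the role of the GMR channel
# code; A plays the role of the linearized cipher for one guess of R4.
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
H = [[1, 1, 0, 1, 1, 0, 0],
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]
A = [[1, 0, 1], [0, 1, 1], [1, 1, 0], [0, 0, 1],
     [1, 0, 0], [1, 1, 0], [0, 1, 0]]

def matvec(M, v):
    """M * v over GF(2)."""
    return [sum(a & b for a, b in zip(row, v)) % 2 for row in M]

def encode(d):
    """m' = d * G: linear encoding of the data bits d."""
    return [sum(d[i] & G[i][j] for i in range(4)) % 2 for j in range(7)]

def encrypt(d, x):
    """m = m' XOR z, with keystream z = A * x for cipher state x."""
    return [a ^ b for a, b in zip(encode(d), matvec(A, x))]

# S = H * A, computed once; it does not depend on the plaintext.
S = [[sum(H[i][k] & A[k][j] for k in range(7)) % 2 for j in range(3)]
     for i in range(3)]

def recover_state(m):
    """Solve S * x = H * m; d has cancelled because H * m' = 0."""
    syndrome = matvec(H, m)
    return [list(x) for x in product((0, 1), repeat=3)
            if matvec(S, list(x)) == syndrome]

if __name__ == "__main__":
    d, x = [1, 0, 1, 1], [1, 1, 0]
    m = encrypt(d, x)
    print("ciphertext:", m, "H*m:", matvec(H, m), "state:", recover_state(m))
```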
Results of attacking the Thuraya network

Real-world attack reveals session key in a few minutes

Equipment for $5,000 (Thuraya SO-2510, USRP-2, antenna, laptop) to capture downlink data

GNURadio, OsmocomGMR and some custom code to demodulate, decode and cryptanalyze captured data

$2^{21}$ guesses and 16 frames of TCH3 speech data required
An experiment
[Figure: experiment setup. Labels: L-Band, 15 m]

Capturing the downlink is easy, but what about the uplink?

Establish a call from the roof of the university

Horizontally polarized antenna to measure reception

Given a direct line of sight, uplink can be received at distances of 5 km and more
More results..?
Cryptography Expert, A Private Company in Abu Dhabi, UAE
A position is available in a private company located in Abu Dhabi,
United Arab Emirates for someone who has 8+ years of experience
developing cryptographic primitives. The period of employment is
between 1 to 2 years and the salary will be based on the experience
of the applicant.
Analyzing Inmarsat's firmware

IsatPhone Pro (ARM + AD Blackfin DSP)

Downloaded firmware from Inmarsat's website

IDA to analyze firmware updater

IDA script to reconstruct DSP image

World's Slowest Recursive Blackfin Disassembler (WSRBDA) to disassemble Blackfin code

Static analysis of 300k lines of DSP code

Custom code for generation of callgraphs

Manual identification of arithmetic functions (div32/rem32/etc.)
ApplyCipher as start of our Odyssey

Ranking approach did not work

Inmarsat left names of source files in binary

Identify functions by source file names

../modem/internal/Gmr2p_modem_ApplyCipher.c

ApplyCipher XORs two buffers

Backtracking input params too complex

Reverse callgraph reveals ten thread functions

[Figure: reverse callgraph ending in Gmr2p_modem_ApplyCipher. Node labels as extracted: thr_Gmr2pBcITchDataRx, thr_Gmr2pBcITchDataRx, WaitTchReq_AT_Gmr2pBcITchDataRx, WiosAIIocCnf_AT_Gmr2pBcITchRx, thr_Gmr2pBcIRHmsch, thr_Gmr2pBcISch, thr_Gmr2pEngModeBcITxCW, thr_Gmr2pBcIRach, thr_Gmr2pEngModeBcITxOnOff, thr_Gmr2pEngModeBcITxRx, thr_Gmr2pBcITchTxThread, Gmr2pBcITchTx, sub_2050d9de, sub_204a4358, Gmr2p_modem_ChanEst_OQPSK_NB, Gmr2p_modem_Mod_GMSK_NB, sub_2050dae4, Gmr2p_L1SheIIMod, thr_Gmr2p_modem_ChanEst_OQPSK_NB2]
Finding A5-GMR-2

Thread functions implement state machines

Allocation of zeroed keystream buffer in initial state

Call to ApplyCipher in later state

Call to cipher must happen in between

Idea: Intersect set of all functions called by these threads

Found 13 shared sub-callgraphs

Naming arithmetic functions helped to find the right sub-callgraph

Topmost function converts frame numbers into bit string

Cipher followed immediately
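
The intersection idea from this slide as an added example (not the custom tooling from the talk): compute everything each thread function can reach, intersect those sets, and report the topmost functions of the shared part as the sub-callgraphs to inspect. The call graph and all function names are constructed for illustration.

```python
# Constructed call graph: caller -> callees. All names are hypothetical.
CALLS = {
    "thr_rx": ["wait_req", "fn_to_bits", "apply_cipher", "demod"],
    "thr_tx": ["alloc_buf", "fn_to_bits", "apply_cipher", "mod"],
    "thr_sch": ["fn_to_bits", "apply_cipher", "log_evt"],
    "fn_to_bits": ["cipher_core", "div32"],
    "cipher_core": ["sbox", "rem32", "cipher_core"],  # self-call: a cycle
    "apply_cipher": ["memxor"],
    "demod": ["div32"],
    "mod": ["div32"],
}
THREADS = ["thr_rx", "thr_tx", "thr_sch"]

def reachable(graph, root):
    """All functions transitively called from root (cycle-safe)."""
    seen, stack = set(), list(graph.get(root, []))
    while stack:
        fn = stack.pop()
        if fn not in seen:
            seen.add(fn)
            stack.extend(graph.get(fn, []))
    return seen

def shared_functions(graph, threads):
    """Functions reachable from every one of the given thread functions."""
    return set.intersection(*(reachable(graph, t) for t in threads))

def shared_roots(graph, threads):
    """Topmost shared functions: shared, but not called by another shared one."""
    shared = shared_functions(graph, threads)
    called = {c for fn in shared for c in graph.get(fn, []) if c != fn}
    return sorted(shared - called)

if __name__ == "__main__":
    print("shared:", sorted(shared_functions(CALLS, THREADS)))
    print("sub-callgraph roots:", shared_roots(CALLS, THREADS))
```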


A5-GMR-2 is ... different

[Figure: block diagram of A5-GMR-2]

A5-GMR-2 is a byte oriented stream cipher with memory

3-bit counter C, 1-bit counter T

F combines two bytes of session key with previous output

G is used for mixing purposes

H consists of two DES Sboxes as nonlinear output lter


A5-GMR-2: The F function
A5-GMR-2: The G function
A5-GMR-2: The H function
A known-plaintext attack

Exploit two properties of A5-GMR-2 to obtain an efficient known-plaintext attack

F sometimes selects same key byte twice

Bias in H allows to selectively bruteforce key bytes

Result: Efficient attack with keystream/time trade-off

Given 50–65 bytes of keystream, session key found after $2^{18}$ operations

Given 200 bytes of keystream, $2^{10}$ operations
Lessons learned?
Lessons learned

If you deploy a large, non-disclosed cryptosystem time works against you

Leaks and reverse engineering are possible (even if you use obscure hardware)

Moore's law and advances in hardware (e.g. radio equipment)

Collaborative efforts of interested communities

Although security-by-obscurity is a bad practice, some mistakes are easily avoidable

Don't make your firmware available on the internet

Don't leave valuable information in your binaries

Plan for mitigations


Thanks
Thank you for your attention!