I'm here with Karsten Nohl from Security Research Labs in Berlin.
Carson has done a lot of interesting work on breaking real-world cryptosystems,
including the GSM cryptosystem that's used to protect many mobile calls and SMS messages.
He's going to give us a little demo of that and then explain how it works.
I'd like to start with a motivating example of where this has been applied,
cracking mobile phones--the 2G part of the phones we still use.
Every phone today is still a 2G phone in some way,
even though 3G and 4G now have been added to it.
Breaking this, of course, allows you to snoop in on messages, phone calls,
may allow you to put charges on somebody else's phones,
and may allow you to track them, for instance, right?
You can certainly get in a lot of trouble for misusing those powers.
Yes, and we certainly want to stay away from that today,
which is why we're only breaking this phone, my phone.
The demo I want to show is intercepting a text message sent to this phone.
It's something that is delivered to the phone in an encrypted form--
an encryption function from 20 years ago, but some of these are still solid.
DES, for instance--TripleDES anyway.
However, this one turns out to be weak and how weak we'll show now.
For this I need a way of intercepting the phone communication with another phone.
Of course, every phone can record phone traffic.
Usually, they'll record traffic sent to their own number.
If you slightly reprogram it, it'll just record traffic sent to any number
or whatever number you specify.
To stay on the legal side, we'll make it just intercept traffic off this one other phone today.
This and a little bit of theory that you'll learn today is all that's needed to intercept a text message.
Okay. You see these blue lines?
These are all attempts of the cell to reach phones for whatever reason.
Those are--we don't want to intercept them.
Now you see the red lines. This is when it started sending data to the right phone.
The one where we gave it--
So you set this up only to look at data that's sent to that particular number. >>Right.
We could have put any number or just left it out to intercept it.
That would put us on the wrong side of the law.
You see after just over 2 seconds, it found the correct key.
It also would show the from number. We blanked this out here.
It did come from England though. Interesting service you're using there.
And, of course, the text of the SMS--the actual secret.
All of this can be cracked in less than 3 seconds, apparently.
While we are on this data, let me briefly show you
what actually was exchanged between the phones, which will be interesting later
to see why this was crackable.
In particular, we'll ask the question, why was this predictable in parts.
Some of the messages that you're intercepting you need to be able to guess what they are.
That's ciphering, which is the old word for starred encryption.
Then everything below here is encrypted.
Now, a lot of this shouldn't be encrypted, at least it's not secret.
For instance, the GPRS data connection gets switched off.
While you're receiving an SMS, apparently this phone is not supposed
to also do data connections for just 1 second.
Then the cell introduces itself, saying I am the cell that uses all of these frequencies.
It did that as well before. You see up here the exact same message but unencrypted.
Here's the borderline. >>So these messages are very predictable.
Very predictable given one's encrypted and one's not.
Then the phone responds, hey, I measured our communication,
and I measured you to be this far away.
This is for tweaking certain parameters--also not very secret,
because probably the measurement report didn't change much from before the encryption.
He goes on to exchange a few empty packets.
In GSM you have to say something in certain time slots,
and if you have nothing to say then you say you have nothing to say. >>Exactly.
These are just empty.
Again it measures. Again, empty, empty, empty, empty.
And again, the cell introduces itself and again it measures.
And again an empty and an empty frame.
And only now the actual SMS is exchanged.
The from number with the text--I won't go into it so we don't see the from number.
The phone acknowledges the message as being received.
These are the only two messages that I actually really needed.
Only one of them should really be encrypted.
This cell, again, introduces itself as if the connection wasn't over yet.
And again, the phone measures. There's a couple more empty messages.
The cell says, "Please stop using this channel. We are done."
Just in case the phone hasn't gone away yet, it sends more empty encrypted messages.
Now, this is all the decrypted traffic after you've decrypted it,
but before decrypting it you've got a pretty good guess of what was in it
other than that one frame with the message.
Precisely, each predictable message gives us some attack surface
that we can exploit using methods that we want to discuss next.
Great, well, let's hear about how you actually explain that.
