Wireless OverviewProtocols and Threat Models : Wireless Overview Protocols and Threat Models Dan Veeneman
dan@decodesystems.com
www.decodesystems.com/blackhat/bh-1.ppt
Focus of this talk : Focus of this talk Overview of available commercial technologies
Skipping 802.11
U.S.-centric
Terrestrial networks
Additional information in second briefing
Wireless OverviewProtocols and Threat Models : Wireless Overview Protocols and Threat Models Radio Frequency Basics
Mobile telephony
Cellular Digital Packet Data (CDPD)
Nextel
Private data networks
Two-way paging
Bluetooth
3G
Why Wireless : Why Wireless Immediate communication, mobile user
Two-way, interactive
Broadcast
Convenience
Bandwidth limitations
Roaming (no fixed location)
Market Requirements : Market Requirements Reliable
Low-cost
Easy to use
Secure
Pervasive
Interoperable
Wireless Security Requirements : Wireless Security Requirements Trust Model
access control
authenticate users to access particular resources
link privacy
encryption
link integrity
message authentication
prevent denial of service
(limit bandwidth hogs)
Radio Frequency : Radio Frequency Federal Communications Commission
FM Radio: 88 to 108 MHz
Cellular telephones: 800 and 1900 MHz
Two-way pagers: 900 MHz
Industrial, Scientific and Medical (ISM): 2.402 to 2.480 GHz
Radio Wave : Radio Wave Frequency
Wavelength
Amplitude
Modulation
Amplitude
Frequency
Phase
FSK
PSK
Slide9 :
Generic Wireless Architecture : Generic Wireless Architecture Mobile terminal
Airlink
Radio base station
Intraconnect links
Network control
Interconnect links
External Networks
Public Switched Telephone Network
Internet
Common Airlink Problems : Common Airlink Problems Variable link quality
Multi-path (signal reflections)
Shadowing (terrain/structure blockage)
Interference
Other users
EMI
Attenuation
Distance
Antenna orientation/polarization
Multipath : Multipath Multiple paths to receiver
Each path has slightly different time delay
Interference : Interference
Error Detection/Correction : Error Detection/Correction Parity Codes
Parity bits + Data bits = Expected code word
Cyclic Redundancy Check
Chunk of data + Polynomial residue
Block Codes
Chunk of data + Redundant Data
Convolutional Codes
Data stream fed through LFSR
Code rate, constraint length
Concatenated Codes
Terrestrial Networks : Terrestrial Networks Voice primary
Cellular and PCS
Nextel
Data primary
private packet
paging
Cellular : Cellular Analog
Digital - TDMA
Digital - CDMA
Digital - GSM
System Comparison : System Comparison
Cellular Frequency Reuse : Cellular Frequency Reuse Seven frequency sets
Geographic distance between sets allows the same frequencies to be reused
Cellular-based : Cellular-based Mobile Telephone Switching Office (MTSO)
Controls multiple base stations
Interfaces to PSTN
Mobile is handed off from one base station to another
Advanced Mobile Phone System : Advanced Mobile Phone System '1G'
Analog voice
50 MHz, 832 channels
Mobile transmit: 824 MHz to 849 MHz
Base transmit: 869 to 894 MHz
21 control channels
Designed in 1970’s
Cellular Telephone startup : Cellular Telephone startup Mobile telephone scans for strongest control channel
Listens to overhead messages on forward link
Sends registration message
Electronic Serial Number (ESN)
Mobile Identification Number (MIN)
Waits for paging message
AMPS weaknesses : AMPS weaknesses Interception is easy (but now illegal)
Spoofing ('cloned' phones)
Call hijacking
Tracking
Locating Mobiles : Locating Mobiles GPS
Time Difference of Arrival
Angle of Arrival
Multipath Fingerprinting
TDOA : TDOA
AOA : AOA
Cellular Digital Packet Data : Cellular Digital Packet Data Packet data sent on idle voice channels
Voice takes priority
ATandamp;T
'OmniSky' service
Verizon
IP-based interfaces
150,000 customers
Many police car installs
CDPD Coverage : CDPD Coverage
CDPD Elements : CDPD Elements M-ES: Mobile End System
CDPD modem
MDBS: Mobile Data Base Station
RF interface
MD-IS: Mobile Data Intermediate System
Mobile Home Function (MHF)
Mobile Serving Function (MSF)
IS: Intermediate System
Router, IP/CNIP
F-ES: Fixed End Station
CDPD Roaming : CDPD Roaming Packets to M-ES go to MHF MD-IS first
Forwarded to MSF MD-IS
Packets from M-ES can route directly to F-ES
CDPD Airlink : CDPD Airlink GMSK modulation
19.2 kbps raw data rate
FEC
Reed-Solomon 63, 47 block code
47 info symbols (six-bit symbols, 282 bits), 16 parity symbols, 63 total symbols
Correct up to 8 six-bit symbols
CDPD MAC : CDPD MAC Continuous forward link from MDBS
Mobiles listen to forward link busy/idle
Possible reverse channel collisions
Mobile checks forward link for decode success
Header, User Data, Trailer (Frame Check)
Flag, address, control fields in header
Selective ARQ
CDPD Link Establishment : CDPD Link Establishment M-ES known to serving MD-IS Terminal Equipment Identifier (TEI), 6 to 27 bits
M-ES sends TEI Request with 48-bit Equipment ID
MD-IS issues TEI Assign with assigned TEI
TEI lifetime of 4 hours, can be exhausted
CDPD Registration : CDPD Registration End System Hello (ESH) message
Network Equipment Identifier (usually 32-bit IP address)
Registration Counter (to filter duplicates)
Credentials
Authentication Random Number (ARN, 64 bits)
Authentication Sequence Number (ASN, 16 bits)
Shared history (incremented by 1 after each TEI assignment)
ESH sent from M-ES to MDBS encrypted
ASN and ARN are both 0 at initial configuration
ARN occasionally changed
Network maintains two most-recent Credentials
(in case of loss of update synchronization)
CDPD Registration : CDPD Registration MD-IS sends Redirect Request (RDR) to MHF
Requests MHF send all future packets to it
MHF checks M-ES Credentials
MHF returns Redirect Confirmation to MSF
MSF returns Hello Confirmation (ISC) to M-ES
CDPD Attacks : CDPD Attacks IP-accessible Intermediate Systems (routers)
Attacks from outside, other providers
BGP4, OSPF, buffer overflow, etc
Only the airlink is encrypted
Use unauthenticated RDR messages to grab traffic
Brute force Credentials via repeated RDR
Jam reverse link transmissions
Disrupt M-ES reception
Busy-out the reverse link (attempt saturation)
Place an analog call via CDPD cellsite
CDPD 'ZAP' command to silence bad modems
Cellemetry : Cellemetry Use spare capacity in the cellular control channel
A few bytes
Telemetry
Vending machines
Maintenance data
Digital AMPS : Digital AMPS Answer to capacity issues
ATandamp;T Wireless
IS-136
800 MHz cellular and 1900 MHz PCS
Time Division Multiple Access
Six timeslots
One call gets two timeslots
Time Division Multiple Access : Time Division Multiple Access Mobiles take turns transmitting
Base transmits continuously
Code Division Multiple Access : Code Division Multiple Access Competitor to D-AMPS
IS-95
Sprint PCS, Verizon
Pilot + 63 other 'channels'
Walsh Codes
Requires that all users in a cell be time-synchronized to maintain orthogonality
Near/Far problem, power control
Frequency Hopping : Frequency Hopping Transmissions 'hop'
Pseudo-random sequence
Transmitter and receiver must synchronize
2.4 GHz ISM
at least 75 frequencies
duration andlt; 400 ms
Direct Sequence : Direct Sequence Each data bit replaced with sequence of 'chips'
Bandwidth increases
Power density decreases
Signals appear as noise
LPI/LPD, anti-jam
GPS, IS-95
Chip pattern comes from Pseudo-random Noise (PN) code
Transmitter and receiver must synchronize
Correlation Example : Correlation Example DATA: 1 0 1 1 0 1 1 0 0 1 0 0
PN: 1010 0110 0100 1111 0001 0100 1001 0100 0101 0001 0100 1011
SPREAD: 1010 1001 0100 1111 1110 0100 1001 1011 1010 0001 1011 0100
(four chips per bit)
First data bit 1 becomes 4 chips, 1010
Next data bit 0 comes 4 chips, 1001 (inverted 0110)
Correlation with PN Code synchronized
SPREAD: 1010 1001 0100 1111 1110 0100 1001 1011 1010 0001 1011 0100
PN: 1010 0110 0100 1111 0001 0100 1001 0100 0101 0001 0100 1011
XOR: 0000 1111 0000 0000 1111 0000 0000 1111 1111 0000 1111 1111
Correlation with PN Code not synchronized (one chip off)
SPREAD: 1010 1001 0100 1111 1110 0100 1001 1011 1010 0001 1011 0100
PN: 0100 1100 1001 1110 0010 1001 0010 1000 1010 0010 1001 0110
XOR: 1110 0101 1101 0001 1100 1101 1011 0011 0000 0011 0010 0010
Problems with CDMA : Problems with CDMA Cell sites 'breathe'
Combined noise of all reverse links can exceed cell site limit
Airlink different but network suffers same weaknesses as D-AMPS
Must license from Qualcomm
Global System for Mobiles : Global System for Mobiles European design from the 1980s
VoiceStream, Cingular, ATandamp;T transitioning
Short Message Service
200 kHz channels
Eight timeslots
270 kbps aggregate data rate
Separates equipment identity from user identity
Subscriber Information Module
International Mobile station Equipment Identity : International Mobile station Equipment Identity Type Approval Code (TAC) is issued by a central authority
Final Assembly Code (FAC) identifies the place of manufacture
Serial Number (SNR) assigned by the manufacturer
Spare (SP) is reserved, usually zero.
International Mobile Subscriber Identity : International Mobile Subscriber Identity Mobile Country Code (MCC) identifies the country in which the customer is subscribed.
(United States is 310)
Mobile Network Code (MNC) identifies the GSM network to which the user is subscribed, also known as the home network.
(VoiceStream is 26)
Mobile Subscriber Identification Number (MSIN) identifies the user within the network.
GSM Speech : GSM Speech 20 millisecond sample of speech
Digitized from codec (13 kbps)
Channel coding (22.8 kbps)
Interleaving
Encrypting
Burst formatting (33.8 kbps)
Modulation (270 kbps)
GSM has weak crypto : GSM has weak crypto Security by Obscurity
Algorithms never officially released
All of them leaked or reverse-engineered
A3/A8 in SIM
A5 in hardware
A5 (privacy algorithm) deliberately weakened
A8 feeds it weakened keys
Weaker algorithm (A5/2) for export
Short Message Service : Short Message Service 20 billion SMS messages per month from 553 million GSM subscribers
Carried in GSM logical data channel
Increasing applications
Youth market (Instant Messenger)
eBay outbidding
Remote monitoring
TDMA and CDMA have similar
'Tacked on'
Some SMS Issues : Some SMS Issues Early pre-pay phones had free SMS due to lack of billing system integration
SMS Identity spoofing
Faked 'caller-ID' data
SMS viruses
Crash certain phones
Badly-formatted binary messages
Integrated Dispatch Enhanced Network (iDEN) : Integrated Dispatch Enhanced Network (iDEN) Grew out of Specialized Mobile Radio (SMR), dispatch/group environment
Equipment from Motorola
Service from Nextel
TDMA, 6 timeslots, 15 ms each
Continuous forward control channel
VSELP voice
Test equipment can monitor
Mobitex : Mobitex Cingular Interactive (US)
Rogers (Canada)
'Palm.Net' service
Ericsson standard
700,000 customers
Mobitex coverage : Mobitex coverage
Mobitex : Mobitex 2,500 U.S. base stations
30 mile radius
10 - 30 channels per site
12.5 kHz
8 kbps signaling rate
895 - 910 MHz
2 watts
Mobitex monitoring : Mobitex monitoring Specification publicly available
Source code to monitor released on Usenet
Receiver with 800 MHz coverage
PC with simple interface board
Network interfaces via Internet, frame relay, X.25
Advanced Radio Data Information System (ARDIS) : Advanced Radio Data Information System (ARDIS) IBM field personnel, Motorola network
Motient (US), Bell Mobility (Canada)
40 million messages/month
1,500 base stations
40 watt transmitter, 10 - 15 mile range
X.25 or TCP/IP to ARDIS switch
ARDIS Network : ARDIS Network Radio Packet Modem (RPM)
Base stations talk to Radio Network Controller (RNC) via leased lines with dialup restoral
Switch is 'ARDIS Service Engine'
ARDIS Airlink : ARDIS Airlink DataTac 4000 (US)
MDC 4800 or RD-LAP 19.2
2048 maximum message
240 or 512 byte max packet payload
Logical Link Identifier (unique device ID), either 4 or 8 bytes
CRC and FEC
ARDIS Protocols : ARDIS Protocols Standard Context Routing (SCR)
Basic Inbound (from server to mobile)
Basic Acknowledgement (mobile ACK)
Basic Outbound (from mobile to server)
Peer-to-peer
'Message Generator' (MG) protocol
Poorly validated field values
Sender (spoof)
Recipient (spam)
Message length (crash client application)
ARDIS Message Filtering : ARDIS Message Filtering Radio Packet Modem uses Hayes AT command-style interface
'The modem’s two-character S50 register contains the current user header. When a wireless modem receives an outbound message from the ARDIS network, the modem examines the user header in the message header. If the user header in the message matches the user header in an S50 register, the message can be received. If it does not match, the message is discarded.'
ATS50=QA
ARDIS Security Recommendations : ARDIS Security Recommendations 'Customers with sensitive data may want to provide data encryption within their applications. For example, an exclusive OR could be applied to ASCII data with a randomly generated encryption key selected for each terminal during logon.
NOTE: Only user data can be encrypted; ARDIS must be able to read SCR and other user header data to determine the proper disposition of a message.'
'A wireless device application should allow a command from the host to dump all RAM contents and disable the application. This command could be used if a wireless device were lost or stolen. This feature could be activated automatically when a logon is attempted, or by a host user.'
MicroCellular Data Network (Ricochet) : MicroCellular Data Network (Ricochet) Mesh topology
FHSS, every 10 - 25 ms
Synchronous heartbeat, 30 sec
Ricochet modems: 900 MHz
Poletop radios: 2.3, 2.4 GHz
Density 5 - 12 per square mile
Wireless Access Point (WAP)
Covers 10 - 12 square miles
Ricochet Network : Ricochet Network Name Server: The Ricochet Name Server maintains access control and routing information for every radio and service within the Ricochet network. Every time a Ricochet device (subscriber device, microcell radio, or gateway) is powered on, it registers with the Name Server to verify that it has network authorization. Whenever a Ricochet device requests a connection, the Name Server validates the request. If authorized, the originator is provided with a network routing path to the requested destination.
MCDN Path
List of addresses (IP, phone number, microcell number) of waypoints
part of header, used to route the packet
Packet delivery services
Lightweight: in-order, windowed, no end-to-end retries
Heavyweight: in-order, windowed, end-to-end retries
Metricom and Ricochet : Metricom and Ricochet Metricom
51,000 customers in 21 cities
Bankruptcy
Ricochet Networks (part of Aerie Networks)
Gen II: 176 kbps, up to 400 kbps bursts
FLEX (One-way paging) : FLEX (One-way paging) Four level FSK
1600, 3200, 6400 bps
Four-minute FLEX protocol cycle
Short capcodes: 7 digits
Long capcodes: 9 digits
FLEXsuite: 128-bit RC4, symmetric keys
ReFLEX (Two-way paging) : ReFLEX (Two-way paging) Narrowband PCS
Nationwide frequencies
Forward: 896-902 MHz
Reverse: 929 - 931, 940 - 941 MHz
ReFLEX inbound messaging : ReFLEX inbound messaging Send request on shared ALOHA channel
Receive timeslot assignment
Send data in assigned timeslot on data channel
ReFLEX forward link : ReFLEX forward link ReFLEX frame is 1.875 s
128 frames = cycle (4 minutes)
21 data, 11 error correction (21,32) BCH
'collapse', sleep for 2n frames
Bluetooth : Bluetooth Peer-to-peer, proximity-based 'personal area network'
Low power, short range
Multiple devices in a 'piconet'
one device is master
Up to 10 piconets may link to form 'scatter nets'
Each device has a unique 48-bit address
Initialization process uses a PIN
Bluetooth Airlink : Bluetooth Airlink 2.45 GHz
1,600 hops per second
Master and up to 7 active Slaves
Hop sequence based on master’s address
GMSK, BPSK
FEC
Master: up to 721 kbps, even timeslots
Slave: 57.6 kbps, odd timeslots
79 frequencies
3.2 kHz clock, 28 bits
Bluetooth device modes : Bluetooth device modes Four modes:
active (continuous)
sniff (check at intervals)
hold (check again later)
park (listen for beacon only)
Bluetooth Protocol Stack : Bluetooth Protocol Stack Application Group
Middleware Protocol Group
Transport Protocol Group
Transport Protocol Group : Transport Protocol Group Radio
Baseband
L2CAP (Logical Link Control and Adaptation Protocol)
Protocol multiplexing
Fragmentation/reassembly
Audio
Control
Link Manager
Bluetooth Identifiers : Bluetooth Identifiers Device Address, 48 bits
Private Authentication Key, 128 bits
Private Encryption Key, 8 to 128 bits
RAND, 128 bits
Bluetooth Security Modes : Bluetooth Security Modes Security Mode 1
non-secure
Security Mode 2
service-level
after channel establishment
Security Mode 3
link-level
prior to channel establishment
Bluetooth Security Levels : Bluetooth Security Levels Device
Trusted
Untrusted
Service
Authorization and Authentication
Authentication Only
Open to all devices
Bluetooth Unit Key : Bluetooth Unit Key Unit Key
E21( Device Address, Random Number)
Usually fixed for the lifetime of the device
Bluetooth Initial Key Generation : Bluetooth Initial Key Generation
Verifier sends Claimant IN_RAND
Verifier computes Kinit from E22( IN_RAND, PIN)
Kinit is temporary link key
PIN can be
Fixed in simple device
Keyed in by user (typically 4 digits)
Generated by user device
Bluetooth Authentication : Bluetooth Authentication Device A generates AU_RAND and sends it to Device B
Device B sends Device AddressB to Device A
Device A and Device B both compute SRES and ACO from SAFER+ based MAC function E1(Kinit, AU_RAND, Device Address )
Device B sends SRESB to Device A
If SRESA equals SRESB, then devices are authenticated
Bluetooth Link Key : Bluetooth Link Key Two types of link keys
Unit key of one of the devices
Unit A computes K = KA XOR Kinit and sends K to Unit B
Unit B computes KA = K XOR Kinit
KA is used as link key
Key derived from both unit keys
Unit A generates LK_RANDA, sends it to Unit B and computes LK_KA = E21(LK_RANDA, Device AddressA )
Unit B generates LK_RANDB, sends it to Unit A and computes LK_KB = E21(LK_RANDB, Device AddressB)
Both units compute each other’s key and the link key KAB = LK_KA XOR LK_KB
Bluetooth Encryption Key : Bluetooth Encryption Key KC = E3( EN_RANDA, Klink, COF )
Ciphering Offset Figure (COF)
Authenticated Ciphering Offset (ACO) or
For broadcast, Device Address concatenated with itself
Bluetooth Encryption : Bluetooth Encryption Kcipher = E0( Device AddressA, clockA, KC )
Data is exclusive-OR’ed with Kcipher before transmission and after reception
Bluetooth Security Issues : Bluetooth Security Issues Privacy
Devices can be closely tracked
Only devices are authenticated, not users
Key variables exchanged in the clear
Link key a shared secret among too many
A, B use A’s unit key as the link key
B can later use A’s unit key and a faked address to eavesdrop on traffic
3GPP : 3GPP 3rd Generation Partnership Project
Crypto developed in the open
Air interface will use KASUMI encryption
Evolve GSM
Multimedia Messaging Service (MMS)
General Packet Radio Service (GPRS)
GSM overlay (Phase 1: 4x14 kbps, Phase 2: 8x14kbps)
Cingular,ATandamp;T: TDMA to GSM to GPRS
Enhanced Data rates for GSM Evolution (EDGE)
Universal Mobile Telephone Service (UMTS)
High Speed Circuit Switched Data (HSCSD)
Questions? : Questions?