On 2017-11-17 12:35, juan wrote:
On Fri, 17 Nov 2017 08:47:13 -0500 John Newman <jnn@synfin.org> wrote:
On Thu, Nov 16, 2017 at 09:46:55PM +0000, jim bell wrote:
Judge rules NYPD needed a warrant before using cell-site simulator https://www.yahoo.com/newsroom/vibes/news/v-dd323ebb-416a-3b40-b6ef-7e9c677f...
Speaking of stingrays, does anyone on the list have any good resources to point to on building a DIY "stingray-like" device using OpenBTS? For research only, of course!
Do those things still work by forcing the phone to use an outdated unencrypted mode, or is the Amazing Secure Protocol used by phones broken? Or maybe the cops simply have the keys?
I'm not sure, but a very brief look at the OpenBTS website showed that there is a branch of the code that does support 3G these days. The wikipedia article on "Stingray Phone Tracker" is actually pretty interesting - https://en.wikipedia.org/wiki/Stingray_phone_tracker Relevant excerpt: Interception of communications content[edit] By way of software upgrades,[16][29] the StingRay and similar Harris products can be used to intercept GSM communications content transmitted over-the-air between a target cellular device and a legitimate service provider cell site. The StingRay does this by way of the following man-in-the-middle attack: (1) simulate a cell site and force a connection from the target device, (2) download the target device's IMSI and other identifying information, (3) conduct "GSM Active Key Extraction"[16] to obtain the target device's stored encryption key, (4) use the downloaded identifying information to simulate the target device over-the-air, (5) while simulating the target device, establish a connection with a legitimate cell site authorized to provide service to the target device, (6) use the encryption key to authenticate the StingRay to the service provider as being the target device, and (7) forward signals between the target device and the legitimate cell site while decrypting and recording communications content. The "GSM Active Key Extraction"[16] performed by the StingRay in step three merits additional explanation. A GSM phone encrypts all communications content using an encryption key stored on its SIM card with a copy stored at the service provider.[30] While simulating the target device during the above explained man-in-the-middle attack, the service provider cell site will ask the StingRay (which it believes to be the target device) to initiate encryption using the key stored on the target device.[31] Therefore, the StingRay needs a method to obtain the target device's stored encryption key else the man-in-the-middle attack will fail. GSM primarily encrypts communications content using the A5/1 call encryption cypher. In 2008 it was reported that a GSM phone's encryption key can be obtained using $1,000 worth of computer hardware and 30 minutes of cryptanalysis performed on signals encrypted using A5/1.[32] However, GSM also supports an export weakened variant of A5/1 called A5/2. This weaker encryption cypher can be cracked in real-time.[30] While A5/1 and A5/2 use different cypher strengths, they each use the same underlying encryption key stored on the SIM card.[31] Therefore, the StingRay performs "GSM Active Key Extraction"[16] during step three of the man-in-the-middle attack as follows: (1) instruct target device to use the weaker A5/2 encryption cypher, (2) collect A5/2 encrypted signals from target device, and (3) perform cryptanalysis of the A5/2 signals to quickly recover the underlying stored encryption key.[33] Once the encryption key is obtained, the StingRay uses it to comply with the encryption request made to it by the service provider during the man-in-the-middle attack.[33] I don't know if modern phones are still vulnerable to the "GSM Active Key Extraction" - haven't had more than a few moments to look at it.
The last I recall, OpenBTS did not support 3G or above, and of course has some fairly specific hardware requirements.. but I think there are patches out there, maybe? I need to do some more current research I suppose..
-- GPG fingerprint: 17FD 615A D20D AFE8 B3E4 C9D2 E324 20BE D47A 78C7