[HN Gopher] Looking at GSM security 30 years later
___________________________________________________________________
Author : 8sfLes
Score : 90 points
Date : 2021-02-08 14:17 UTC (1 days ago)
(HTM) web link (harrisonsand.com)
| cies wrote:
| A related topic... GSM security is better in western nations than
| other nations:
|
| > Many western countries use the "strong" encryption algorithm
| A5/1, while other countries are "forced" to rely on the much
| weaker A5/2. [1]
|
| So in non-western countries breaking GSM security is much cheaper
| than in the rest. Why would that be? Who would want that and has
| the ability to exert such force?
|
| So tether the open source running laptop internet access over the
| burner phone and use a VPN to protect your privacy.
|
| 1: https://www.diva-portal.org/smash/get/diva2:19603/fulltext01
| cpgxiii wrote:
| > Why would that be? Who would want that and has the ability to
| exert such force?
|
| Essentially every country ever has desired to have an
| "unbreakable" cipher for its own use and breakable ciphers for
| everyone else. Only in the modern era has the general
| cryptographic security of civilian communications become a
| concern.
|
| You can't prevent other nations from independently implementing
| or inventing better ciphers, but in the modern era where only a
| limited number of vendors implementing a given technology
| exist, those vendors are constrained by export restrictions in
| their countries of origin.
| lxgr wrote:
| > use the "strong" encryption algorithm A5/1, while other
| countries are "forced" to rely on the much weaker A5/2
|
| Aren't they both equally bad due to being completely broken at
| this point?
|
| >So in western countries breaking GSM security is much cheaper
| than in the rest.
|
| You got it the wrong way around: A5/2 is the "export" version
| used in "non-western countries". The reason for that is crypto
| export controls which were very fashionable at the time GSM was
| developed.
|
| > use a VPN to protect your privacy.
|
| This is off-topic, but I'd challenge that as a general
| recommendation.
| cies wrote:
| > You got it the wrong way around
|
| Sorry, fixed it.
| monocasa wrote:
| It's the classic "export grade encryption" setup.
|
| As for who would want it that way, the answer is five eyes.
| secondcoming wrote:
| I think it had the potential to be, but I'm not sure that it
| actually was. I have no means to back it up, but I recall that
| the French were heavily involved in GSM and, well, they liked a
| lot of zeros in encryption keys...
| ss7teleco wrote:
| This brings back very old memories. My first job out of uni
| was as an SDE at Ericsson and my first job was writing VLR and
| MSC software for the first GSM networks in the US. My initial
| project was handling DTMF so if you pressed a number on the
| phone, my code handled that! Back in the day, prior to the web
| taking off, many exceptionally talented programmers/hackers
| worked in telephony. Then the web took off and most left for
| greener pastures.
| LinuxBender wrote:
| This brings back memories. I helped set up the first GSM network
| in California / Nevada. Strange to see its remnants still out
| there. I would have expected it to all be deprecated by now.
| Anyone from HN still currently working with it?
| dang wrote:
| That's interesting. Would you be willing to share some of your
| memories of this project/technology?
| LinuxBender wrote:
| I can try. Here [1] is some of the terminology. We were
| assisted by Orange (from the UK) to set up the first GSM
| network in the U.S. using primarily Ericsson equipment. We
| soft launched in San Diego at the RNC, then re-launched
| officially state wide in California and Nevada using Ericsson
| AXE-10 switches (mainframes). We had several MSC's. These
| were the switches that routed calls to the SS7 network. Those
| had BSC's which were the switches that routed calls from
| within a region to the MSC's. The cell sites attach to the
| BSC's. The cell sites were connected to the telco network
| with channelized T1's. (24 channels) Each channel was divided
| up into multiple voice and stand alone dedicated control
| channels. The phones registered to an HLR (Home Location
| Register). The HLR, ALR and EIR were used for hardware and user
| mapping / registration. That data fed into billing systems.
| Access to those systems was performed using the x.25vbis
| protocol. We also had value added systems that provided
| support for SMS (text messaging), message waiting indicators
| (for voicemail) and other various services. It turned out
| that text messaging was super popular, so it went from being
| a value added service to a primary service. We did not charge
| per message, despite our sister company in the UK doing so.
| In the early days, you could tail all the text messages and
| almost keep up. All of our vendor documentation was in
| massive binders. None of the documentation was digital. Any
| changes to code would take many months to get revised
| documentation if it was revised. I think I may have been one
| of the few people to ever use the EIR to block a stolen
| phone. One of our cell techs left their Nokia-9000 (fancy
| early prototype keyboard flip phone, promoted in the movie The
| Saint) and they were very expensive. I spoke with the phone
| thief, offered them a reward, but they declined so I turned
| the phone into a paperweight. That feature was never used by
| customer support as far as I know, for fear of bricking the
| wrong phones. One of the cool features of GSM is call
| prioritization. If a phone is flagged as a first responder,
| they can kick a person off a congested cell site to free up a
| voice channel.
|
| One service we never implemented was Wildfire. (no documents
| to cite that I know of). She used the same tech the NSA used
| to monitor voice calls. She was created in response to the
| hands-free laws that were about to be passed. You could say
| in the middle of a call, "Wildfire!" "Yes" "Call mom" or
| "bridge on mom". She had some funny Easter-eggs as well, at
| least in demo mode. "Wildfire!" "Yes" "What sound does a cow
| make?" "mooo..." I guess she could be considered the first
| iteration of something like Siri, but on the server side. The
| coolest thing about Wildfire was that she could understand
| every language and every dialect with zero training. [EDIT: I
| stand corrected, see threads below, apparently she did
| require training, but came to us fully populated / trained.
| ] She ran on SCO Unix. Thankfully our lobbyists were able to
| kick that can far down the road and cell phones evolved to a
| point where hands-free was possible on the devices vs. being
| required on our network. No idea what the official name of
| that code was. This was in the late 90's and cellphones were
| a bit more primitive than they are today.
|
| I was responsible for doing switch upgrades in the off peak
| hours (generally start around 2am). In most cases this was
| not service interrupting. We injected code written in PLEX
| [2] live into the switches. To test call routing I would dial
| 911 to verify it worked, then call coworkers. One time I
| forgot to apply a U.S. specific code patch that muted the
| operator override tone to tell you the operator is on your
| call. That made call quality testing awkward. "Who is that?
| Is someone on our call?". They would put me up in really
| shady cheap hotels. One of the hotels in El Cajon had walls
| so thin you could hear people 4 rooms away. I woke up every
| day to cops yelling at someone to get on the ground any time
| I had to go there.
|
| One time a switch upgrade went sideways while I was at the
| kids basketball game. They escalated to me to fix it. Problem
| was that the only fix was a full rollback. If I recall
| correctly, the B-Tree tables were corrupted and most calls
| were not routing properly to landline. Cell to cell was still
| functional. I had to reboot an MSC (full reload) from my
| Nokia-9000. I had to telnet into the gateway then connected
| via x.25vbis and ran a full reload. Hopefully they have at
| least moved to ssh by now. So if you were curious, rebooting
| those mainframes from disk (MFM disks IIRC) took 40 minutes.
| SYREI:RANK=RELOAD,REASON="Resume updated"
|
| That took Northern California off the network for 40 minutes.
| The moment I executed the command, everyone around me stopped
| ignoring their kids and put their phone away. The problem was
| resolved when everything finished loading and initializing.
|
| I also had the privilege of monitoring one of the
| first mass-spammers of cell phones in the U.S. I was going to
| have their SS7 link cut, but my management said "They are
| paying their bills, keep your nose out of it". Most of the
| folks loaned out from Orange were our management and
| leadership team. I did not get along with some of them as
| some of them openly hated Americans. One of the times they
| messed with me was paging me to go watch a modem light all
| night, repeatedly, because. Between the many layers of
| bureaucracy of telco and the wildly toxic management, I left
| wireless telco and never looked back. They mostly hired people
| from the military, probably assuming they would just say "yes
| sir" to anything. Clearly they did not talk to my former
| commanders.
|
| I also had to debug cell site issues. Nine times out of ten
| we would have to either reboot a sector or re-initialize it.
| In the meantime, bugs would be submitted to Ericsson
| developers. We had many developers from Sweden on site. I
| enjoyed working with the folks from Sweden. They had a good
| sense of humor and knew how to enjoy life. This was
| impressive considering the vast knowledge of both mainframes
| and cellsites they were required to have low-level knowledge
| of.
|
| I know I am leaving out a lot of things, but most of the
| other experiences you could have at any big company. This is
| from a long time ago, so apologies in advance if I get a few
| details wrong. I already corrected one of them thanks to
| added details from leon1das. Nice to see there are other GSM
| folks here!
|
| [1] -
| https://en.wikipedia.org/wiki/Network_switching_subsystem
|
| [2] - https://en.wikipedia.org/wiki/AXE_telephone_exchange
| LeoPanthera wrote:
| I grew up in the UK, but now live in CA, and Wildfire is
| the technology I miss the most. The fact that you could
| summon it during arbitrary calls seemed like far-future
| tech but it worked incredibly well. I loved the idea that
| you could store your contact list in the network instead of
| on the handset so it didn't matter if you got a new
| handset.
| the_only_law wrote:
| Neat story. Digital comms is an area I'm interested in, but
| don't have any real experience in, although I have
| experimented as a hobbyist before. I recall reading about
| PLEX a few years back along with some other domain specific
| language from the ITU that was used for a similar purpose.
| CHILL, I believe it was[0].
|
| [0] https://en.m.wikipedia.org/wiki/CHILL
| LinuxBender wrote:
| I remember one of the Swedish developers telling me that
| it was not pure PLEX, but also contained some Rexx but to
| what degree I don't know.
| rootsudo wrote:
| Your stories are so cool :) Any experience with
| AMPS/TDMA/CDMA? Cali, so Qualcomm was probably your main
| competitor alongside Sprint, MCI networks?
|
| oki 900?
| LinuxBender wrote:
| I only worked with GSM. One of our competitors at the
| time was Sprint and they used CDMA. I did some testing of
| prototype phones that supported AMPS, TDMA and CDMA, but
| they attached to their respective networks and used GSM
| on our network. Most of the prototype phones never saw
| the light of day.
| abstractbarista wrote:
| Thank you for this excellent read!
| c0nsumer wrote:
| I'm very curious about that Wildfire service. Anything more
| you can share on that?
| leon1das wrote:
| Most likely based on Nuance Communication ASR. It wasn't
| "free speech", you had to design a closed grammar tree of
| all the voice commands using an atrocious file
| format/language...
|
| > could understand every language and every dialect with
| zero training
|
| Errrrr.... No. The accuracy was inversely proportional to
| the size of the grammar tree.
| LinuxBender wrote:
| In that case I probably missed out on all of that. She
| came to us pre-loaded with the ability to understand all
| of those things. Perhaps from your network? I remember
| the vendor batch loading a lot of .au files when the
| servers were first stood up. The test users did not have
| to do any interactive training with Wildfire.
| LinuxBender wrote:
| Not really. We only did a PoC and never moved beyond
| that. It was a fallback plan if the lobbyists failed, but
| people seemed quite confident they would not fail.
| Apparently someone else did the speech training. _revised
| comment above_
| tpmx wrote:
| Back in 2004-2006 when we were building the first version of
| Opera Mini, mobile phone usage statistics were really lacking. The
| mobile phone market was insanely fragmented, and varied so much
| per country. This was the time when there was like 1-2 new
| devices launched every day. We had a hard time figuring out
| exactly which devices to prioritize debugging for.
|
| So I had this idea that we'd do wardriving to figure out what
| brands (and perhaps even models) were popular in different
| regions. We got quite far into this idea before abandoning it.
|
| GSM insecurity was a key enabler. If I remember correctly, at
| that time it was possible to get at least the IMEI via passive
| eavesdropping, somehow.
|
| The reason we abandoned this idea: A combination of our inhouse
| lawyer's opinion plus we realized we could just brute-force it by
| manually testing thousands of devices with a staff of about 5
| manual testers of the proper ability. The most productive person
| we hired for that role was 60+. She had previously worked as a
| COBOL programmer for a local bank.
|
| I guess this could illustrate a key difference between a bay area
| company and a nordic company, at the time...
| Ayesh wrote:
| > 2004-2006 when we were building the first version of Opera
| Mini mobile phone usage statistics
|
| Hi, I just wanted to say that Opera Mini was such a major part
| of my life, and I'm sure I speak for many others as well. I was
| in Sri Lanka at the time, and those Java apps enabled the world
| to us!
|
| I read whole documentations on some software on a Nokia 6630,
| and I made my way to here 15 years later.
|
| Thank you for being part of an amazing software that changed
| many lives.
| asveikau wrote:
| I was thinking similar at the mere mention of Opera Mini. I
| imagine a fair number of us reading remember how great that
| thing was for its time.
| tpmx wrote:
| That's so fantastic to read - thank you - I actually never
| really connected with a former dedicated user like this
| before. I'm so happy :).
|
| So weird, especially since the service peaked at 150 million
| average monthly active users.
___________________________________________________________________