Can anyone elaborate on why it's supposedly only a problem for 2G? "If someone intercepted the encryption keys used in 3G or 4G SIMs they would not be able to connect to the networks and consequently would be unable to spy on communications." Why not? I feel like there is a "merely" missing from this sentence -- if so, what more than keys do they need to spy?
Are they basing this on the specific type of key discussed in the documents? I don't know a lot about it, but I'm inclined to believe there are valuable keys burned-in to 3G+ cards too.
I also wonder if there is a downgrade attack to force 2G, so that those keys are not completely worthless.
I had a chat to a friend who's worked in the mobile industry for decades. He said that 4G phones (possibly 3G too, I don’t recall) only use the shared secret key for the initial sign-on to the parent mobile network. Thereafter, new keys are generated and stored at both ends and it's these keys that are used to authenticate the end points and bootstrap encrypted connections. New keys are re-issued at intervals, although I don’t know what the interval time is.
So whilst it would be possible to decrypt phone connections if you had your hands on the original secret Ki stored in the SIM, you'd have to record every connection between the phone and the network in order to obtain all the subsequent keys as well, and if you miss out on the initial sign-on, or any individual re-keying, then you'll be shut out of that phone's radio communications thereafter.
I imagine the NSA would be willing to try and do this for some target networks, but where they already have internal network access (US/UK/Five Eyes, any other network they've hacked into) it would be a lot of pointless effort.
The fake base station attack presumably works by forcing a downgrade to 2G, which is another approach, but one that requires local assets on the ground within phone range (unless you can do something with high gain antennas pointed at a specific target phone from a distance? That sounds hard, but the NSA likes hard as we know - throwing resources at something isn’t a problem for them.)
Short version: Knowing the OTA key lets you push malware to the target phone SIM which you can use to surreptitiously exfiltrate data from the phone via SMS messages, amongst other things.
Hopefully someone more knowledgeable can weigh in, but as I understand it the key stored on a 3G SIM is more useful for authentication/identification rather than encryption.
3G/4G somehow uses random, short lived keys for encrypted communication, which change frequently enough to be a pain.
EDIT: It has been a while since I studied this, but I believe the shared key is used for trust - that this isn't a fake base station and the client is who they say they are. Then they use the equivalent of public key cryptography to establish short lived encryption keys. Stealing keys would probably enable a MitM only?
I've been trying to figure this out for days now, by reading the specs. I originally thought the same as you - the shared symmetric key is used only for authentication. But reading descriptions of the protocol closely I don't believe they are really using forward secrecy at all.
The problem is that whilst, yes, unique and constantly rotating randomness is used to establish unique session keys, the session keys are derived from the random nonce that's an encryption of the network selected randomness. In other words if you have the SIM key, you can figure out what the session keys also were. Ultimately the standard SIMs don't seem to use asymmetric crypto anywhere, meaning a compromise of the SIM key still allows you to undo all the encryption. Ultimately everything is derived from these shared keys.
And yes, the problem of 2G downgrade attacks remains. There doesn't seem to be any good solution for those short of phasing out 2G entirely.
I was also taken aback by this Perfect Forward Secrecy claim, and I hate how "anything goes" in this context because outright lies are hard to refute...
It would be a huge service to humanity if you summarized your findings and published them, with references to the specs...
There's a lot of legacy hardware that still uses 2G, like alarm systems and ATMs. There's no doubt it'll have to be sunset at some point, but the cell & tower companies will need to see what percentage of their traffic it makes up before coming to a decision.
Except that they haven't 'phased out' 2G, because that would be a nightmare for their customers when they're in poor reception. Instead, they've just subcontracted it to another company.
That sounds plausible. One problem I still see is that if $agency gets the authentication key, they can impersonate the user and possibly hijack their traffic. Maybe not as bad as passive decryption in some ways.
I think that is actually worse. Say a person isn't liked by the current regime, but they haven't got any solid (i.e. legally usable in court) evidence to put them away. The agency could log onto the GSM network and impersonate that person performing an illegal act they know will be picked up by law enforcement.
I wondered about that too, not sure why this was downvoted.
Sorry for being OT, but maybe HN should recheck whether downvoting a comment just to express disagreement about a factual statement (as opposed to punishing bad or trollish ones) is conducive to a civil and constructive discourse here.
To be completely honest, I find the down-vote button way too close to the up-vote button, so sometimes I am not sure if I clicked the right one.
So some of them might be accidental.
It's also annoying that the arrows disappear the instant that you click on them. If the up/downvote was just highlighted after a click, you could then let users click again to correct their choice.
Yeah I have no idea what is happening to HN lately, a lot of posts that add information are being downvoted. I personally feel like getting rid of the downvote button altogether would be a great step forward, since we already have the flag button.
From what I understand, 3G/4G use a different mechanism for authenticating the mobile and the tower (AKA). As such, having the encryption key will not make it possible for a bad actor to connect to the tower and listen in on the conversations, because the data encryption key is different from the shared key used for mutual authentication.
Now, while this is true, I believe that a bad actor can still listen to the radio transmissions passively and decrypt those. But that is a lot harder than just plugging in to the tower and listening.
>>I also wonder if there is a downgrade attack to force 2G, so that those keys are not completely worthless.
You can very cheaply (~$100) buy a 2G/3G/4G jammer from any Chinese wholesaler site (but don't, because it's illegal pretty much everywhere). Most of these jammers have a switch to jam only 3G and 4G, leaving 2G functional; that would force the phone you are attacking to switch to 2G mode as it couldn't find any 3G/4G towers.
I also have trouble believing that 3G/4G networks would not be affected. All of these protocols are based on symmetric cryptography, i.e. a shared secret between operators and their SIM cards. Once you get the shared secret you have the keys to the kingdom.
Their protection is that many MNOs are using proprietary authentication algorithms, making it harder to scale global surveillance. But that applies equally to 2G/3G/4G.