136

A lot of two-factor authentication mechanisms use SMS to deliver single-use passphrase to the user. So how secure is it? Is it hard to intercept the SMS message containing the passphrase? Do mobile networks use any kind of encryption on SMS?

I found an interesting article regarding two-factor authentication and the ways it could be attacked.

Paul Podlipensky
  • 6
    You're talking about *two step* authentication, not two *factor*. SMS cannot be a valid "something you have" authentication factor, for several reasons - but it is a good out-of-band solution, and does improve security in some scenarios. – AviD Jul 24 '15 at 12:04
  • Interestingly, every year for the last 3 years I have met different people at security conferences who have told me that they have or know people who have "black phones" which can employ more or less arbitrary networks without registration or detection. While this is purely anecdotal, the repetition and popularity of the claim suggests there may be some truth in it. I imagine that however secure the algorithms are in theory, theory and practice are often bitterly divorced. – Max von Hippel Mar 30 '18 at 20:39

8 Answers

121

GSM includes some protection through cryptography. The mobile phone and the provider (i.e. the base station which is part of the provider's network) authenticate each other relatively to a shared secret, which is known to the provider and stored in the user's SIM card. Some algorithms known under the code names "A3" and "A8" are involved in the authentication. Then the data (as sent through the radio link) is encrypted with an algorithm called "A5" and a key derived from A3/A8 and the shared secret.

There are several actual algorithms which hide under the name "A5". Which algorithm is used depends on the provider, who, in turn, is constrained by local regulations and what it could license from the GSM consortium. Also, an active attacker (with a fake base station) can potentially force a mobile phone to use another variant, distinct from what it would have used otherwise, and there are not many phones which would alert the user about it (and even fewer users who would care about it).

  • A5/0 means "no encryption". Data is sent unencrypted. In some countries, this is the only allowed mode (I think India is such a country).
  • A5/1 is the old "strong" algorithm, used in Europe and North America.
  • A5/2 is the old "weak" algorithm, nominally meant for "those countries who are good friends but that we do not totally trust nonetheless" (it is not spelled out that way in the GSM specifications, but that's the idea).
  • A5/3 is the newer algorithm for GPRS/UMTS.

A5/3 is a block cipher also known as KASUMI. It offers decent security. It has a few shortcomings which would make it "academically broken", but none really applicable in practice.

A5/2 is indeed weak, as described in this report. The attack requires a fraction of a second, subject to a precomputation which takes less than an hour on a PC and requires a few gigabytes of storage (not much). There are technical details, mostly because the GSM protocol itself is complex, but one can assume that the A5/2 layer is breakable.

A5/1 is stronger, but not very strong. It uses a 64-bit key, but the algorithm structure is weaker and allows for an attack with complexity about 2^42.7 elementary operations (see this article that I wrote 12 years ago). There have been several publications which turn around this complexity, mostly by doing precomputations and waiting for the algorithm internal state to reach a specific structure; although such publications advertise slightly lower complexity figures (around 2^40), they have drawbacks which make them difficult to apply, such as requiring thousands of known plaintext bits. With only 64 known plaintext bits, the raw complexity is 2^42.7. I have not tried to implement it for a decade, so it is conceivable that a modern PC would run it faster than the workstation I was using at that time; as a rough estimate, a quad core PC with thoroughly optimized code should be able to crack it in one hour.

The size of the internal state of A5/1, and the way A5/1 is applied to encrypt data, also make it vulnerable to time-memory trade-offs, such as rainbow tables. Again, see the Barkan-Biham-Keller article. This assumes that the attacker ran once a truly massive computation, and stored terabytes of data; afterwards, the online phase of the attack can be quite fast. Details vary quite a bit, depending on how much storage space you have, how much CPU power is available for the online phase, and how long you are ready to wait for the result. The initial computation phase is huge but technologically doable (a thousand PCs ought to be enough); there was an open distributed project for that but I do not know how far they went.

SMS interception is still a specific scenario. It is not a full voice conversation; the actual amount of exchanged data is small, and the connection is over after a quite short time. This may limit the applicability of the attacks exposed above. Moreover, the attack must be fast: the point of the attack is to grab the secret password sent as a SMS, so that the attacker can use it before the normal user. The attacker must be quick:

  • The server typically applies a short timeout on that password, such as a few minutes. SMS transmission is supposed to be a matter of a few seconds.
  • The user is not patient (users never are). If he does not get his SMS within five minutes, he will probably request a new one, and a well-thought two-factor authentication system on the server would then invalidate the previous one-time password.

Things are easier for the attacker if he already broke the first authentication factor (that's why we use two-factor authentication: because one is not enough). In that case, the attacker may initiate the authentication request while the target user is blissfully unaware of it, and thus unlikely to raise any alarm if he fails to receive a SMS, or, dually, if he receives an unwanted SMS (the attacker may do the attack late at night; the attacked user will find the unwarranted SMS only in the morning, when he wakes up, giving a few hours for the attacker to enact his mischiefs).

GSM encryption is only for the radio link. In all of the above, we concentrated on an attacker who eavesdrops on data as sent between the mobile phone and the base station. The needed radio equipment appears to be available off-the-shelf, and it is easily conceived that this scenario is applicable in practice. However, the SMS does not travel only from the base station to the mobile phone. Its complete journey begins at the server facilities, then goes through the Internet, and then the provider's network, until it reaches the base station -- and only at that point does it get encrypted with whatever A5 variant is used.

How is data secured within the provider's network, and between the provider and the server which wants the SMS to be sent, is out of scope of the GSM specification. So anything goes. Anyway, if the attacker is the provider, you lose. Law enforcement agencies, when they want to eavesdrop on people, typically do so by asking nicely to the providers, who invariably comply. This is why drug cartels, especially in Mexico and Colombia, tend to build their own cell networks.

Thomas Pornin
  • 1
    So in summary, this is possible and moreover there is equipment which will do interception and decipher, right? But should the hacker be located nearby to the victim? If so, only local hackers could do the attack, which makes it less possible to happen... – Paul Podlipensky Feb 09 '12 at 00:28
  • And another good point - it's better to turn off your phone while you're asleep ;) – Paul Podlipensky Feb 09 '12 at 00:31
  • 4
    See [wikipedia article](http://en.wikipedia.org/wiki/A5/1#Attacks_on_A5.2F1_as_used_in_GSM). Attack can be completed in a few seconds. Please, edit your answer if it's true – Andrei Botalov Mar 16 '12 at 09:08
  • @PaulPodlipensky unless you want people to be able to contact you in the event of an emergency. – Kenny Evitt Feb 09 '15 at 00:16
  • 2
    Also, in summary, it seems that SMS is a reasonably secure means of transmitting short-lived secrets, e.g. for two-factor authentication. An attacker must know your (phone's) physical location, know when you're likely to receive a secret, possess and know how to use what is most-likely pretty expensive radio equipment, and have completed a fairly involved project to run "a truly massive computation" (correctly). Attacks would almost certainly be made only against very high value targets. – Kenny Evitt Feb 09 '15 at 00:24
  • 2
    A working attack seen recently is to get a new SIM sent to the attacker for the number they want to intercept. There is only the time from powering the new SIM to the target noticing loss of service and managing to convince the provider it is not a technical fault. But this is usually hours. – ewanm89 Sep 16 '16 at 16:34
  • What about UMTS (3G) and LTE (4G)? – Tomer Sep 22 '17 at 17:37
  • Can we assume that in most cases the step completed over the internet, if secured at all, is secured symmetrically? I imagine that would make it easier to decrypt on the fly for law enforcement (because I perhaps naively view symmetric encryption as simpler)? – Max von Hippel Mar 30 '18 at 20:43
  • @Tomer You can force a GSM downgrade by acting as a MitM base station. At least, that's what I was taught in school in 2016. – Magnus Mar 11 '20 at 07:59
14

GSM Network is encrypted. But that doesn't make it bullet-proof of course. It can be compromised. However, the attacks Rook (and later in much more detail Thomas Pornin) described are very localized and require significant effort to accomplish. They are not impossible, but very difficult. It requires breaking the GSM network in proximity of the mobile phone at the same time the SMS is sent. There is also a potential for someone at the network operator to intercept SMS. If we're talking about national-security/espionage scenarios, where a specific person is targeted and the attackers have very sophisticated means and lots of money to spend, then it is definitely possible. Pretty much the same applies to getting the seed values from your hardware token provider though.

Even if this SMS attack is successful, it might also require obtaining the username and password (assuming SMS is not the only method of authentication, but rather a 2nd component). There are other alternatives, where the user initiates the SMS message to the server, and the server can check it matched the requested challenge/token. The server can also verify the originator caller ID. Of course this too has its limitations, but if done right can provide slightly more protection theoretically.

If, as in most cases, the idea is to improve security by offering 2 factor authentication, then adding SMS into the mix dramatically improves it over standard username/password. The fact that you're using two separate communication channels (TCP/IP and GSM) makes it already more secure. As a very rough personal estimate, I would say SMS tokens are more or less on par with hardware based tokens, security wise. Of course god (or the devil) is in the detail.

Yoav Aner
  • 1
    How can verifying the originator caller ID provide slightly more protection theoretically? What is the theoretical comparison here and how does this advantage arise? – dionyziz Aug 01 '18 at 21:41
11

The other answers already explain the security of GSM and the technologies involved against technical attacks.

However, there are a number of other attacks which bypass the technical protections.

The German Wikipedia article on transaction authentication numbers (which are often sent by SMS) lists some attacks:

  • stealing or stealthily accessing the victim's mobile phone
  • installing malware on the mobile phone, particularly if it is a smartphone
  • insider attacks at the mobile service provider
  • using social engineering to circumvent the system, for example by:
    • obtaining access to messages
    • obtaining a new SIM card from the service provider
    • porting the phone number to a different account (SIM swap scam)

For example, in 2015 there was a series of fraudulent money transfers in Germany, where the fraudsters obtained a new SIM card under the customer's name. Similar attacks had happened before, therefore mobile phone providers had improved authentication of customers ordering new SIM cards. To circumvent this, when calling the phone provider, the fraudsters impersonated employees from a mobile phone shop, and claimed to be activating SIMs on behalf of customers (Source [German]: Online-Banking: Neue Angriffe auf die mTAN).

Obviously, all the technical protections are useless if the attacker manages to circumvent them.

sleske
10

While discussions about encryption are interesting, I think the key question is: are the carriers incented to care about security? I fear the answer is "no". What is their incentive to spend money securing their SMS systems? Do they even manage them or is it out-sourced? What guarantees of security do they offer? How much do you trust the people administering the servers?

Further, think about this: If you have 100 million customers and you make it slightly harder to reset your password your helpdesk calls would go through the roof. This is why it can be so easy to take over someone's account.

Additionally, just as you see with the Certificate Authority framework, the SMS infrastructure will be a target for attack.

I recently wrote a blog post summarizing these points with links: http://www.wikidsystems.com/WiKIDBlog/fraudsters-defeat-poor-risk-management-not-two-factor-authentication. From a risk management standpoint, SMS auth is better than passwords, but don't count on it for long. The current attacks target financial institutions, but as the cost of attacks drops, there will be more.

nowen
7

A multi-factor security system is worthless if the service has common vulnerabilities like XSS, SQL Injection or insufficient transport layer protection. These flaws can lead to an account or information compromise regardless of the authentication system you use.

That being said if you are physically close to the victim you can perform very nasty attacks. For instance if your victim is using a GSM carrier then an attacker can break GSM with a rainbow table and intercept the SMS message. If you control your victim's network then you could use a tool like SSLStrip or SSLSniff to attack the HTTP login portal.

"Remember Me" is evil. Some implementations of SMS multi-factor authentication (like Google's) allow you to bless a device for 30 days. This is just a persistent cookie that works as an authentication token for 30 days. If you have owned your victim's machine, then you can obtain this cookie and use it for authentication. There is no way to implement a "Remember Me" feature safely.

Hardware based cryptographic tokens are much more difficult to compromise. This is really the step up from SMS, in that this is a token that you have and it should be difficult to compromise. This is true for the most part, unless of course you use RSA's hardware tokens.

Rory Alsop
rook
4

Lately, many mobile phone apps request access to SMS messages and the users allow it because they are interested in the app. This makes the attack less difficult than intercepting the SMS on mobile networks.

AdnanG
2

I know this doesn't directly answer your question, but I hope it addresses some concerns:

If the implementation is done properly, I wouldn't be very concerned about SMS interception. This is because one-time SMS authenticators offer a great opportunity for real-time alerting to potential attacks. If the authenticator is intercepted, it's very likely that you will be immediately aware of it and quickly able to react.

If the SMS is intercepted during an authentication session you've attempted to initiate, one of two things should happen:

  • If you successfully authenticate first, the attacker's attempt should fail. This is because the system should reject authenticator reuse attempts. In this situation, the attack is thwarted entirely.

  • If the attacker manages to authenticate first, your authentication attempt should fail due to authenticator reuse. The system should also inform you that this is the reason for the failure. At this point, you should take whatever actions are necessary to re-secure your account. Being able to do so quickly will limit the potential impact of the attack.

If the attacker tries to initiate authentication while you are not, you should be alerted by the fact that you will receive an SMS that you did not request. There are few practical means by which someone might surreptitiously intercept an SMS sent to your phone without you also receiving it or soon noticing something else amiss.

This is all rendered moot anyway, if you're subjected to a Man-in-the-Browser attack.

Also, since most SMS authentication implementations use the SMS authenticator as a second factor, I'd really be more concerned about how the first authentication factor was compromised. If not done via bare social engineering, it was probably through some browser or OS exploit which resulted in a keylogger on your system. Then, we're not many steps from the Man-in-the-Browser situation that effectively results in total compromise regardless of your authentication method.

Iszi
  • " There are few practical means by which someone might surreptitiously intercept an SMS sent to your phone without you also receiving it or soon noticing something else amiss." Dangerous advice - insider attacks, or social engineering attacks (see my answer) can indeed allow an attacker to intercept SMS. And good two-factor authentication offers some protection even if the browser is utterly compromised (e.g. [German ChipTAN](https://en.wikipedia.org/wiki/Transaction_authentication_number#chipTAN_.2F_cardTAN) ). – sleske Oct 28 '16 at 15:02
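
The server-side behaviour that this answer and Thomas Pornin's answer above rely on (a short timeout, invalidating the previous code when a new one is requested, rejecting reuse and reporting it as such), written out as an added example that is not part of any post on this page. The class name `SmsOtpStore`, the 300-second lifetime and the five-guess limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed value for "a few minutes"
MAX_ATTEMPTS = 5        # assumed cap on guesses per issued code


class SmsOtpStore:
    """In-memory store holding at most one live SMS code per account."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested
        self._live = {}       # account -> record for the current code

    @staticmethod
    def _digest(code):
        # Keep only a hash so a memory or log leak does not expose live codes.
        return hashlib.sha256(code.encode()).digest()

    def issue(self, account):
        """Create a new code; any earlier code for the account stops working."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._live[account] = {
            "digest": self._digest(code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
            "used": False,
        }
        return code   # the caller hands this to the SMS gateway

    def verify(self, account, code):
        """Return 'ok', 'rejected', 'reused', 'expired', 'locked' or 'no_code'."""
        rec = self._live.get(account)
        if rec is None:
            return "no_code"
        if self._clock() > rec["expires"]:
            del self._live[account]
            return "expired"
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._live[account]   # too many guesses: force a fresh code
            return "locked"
        match = hmac.compare_digest(rec["digest"], self._digest(code))
        if not match:
            return "rejected"
        if rec["used"]:
            # Correct code presented a second time: someone else already
            # authenticated with it, so surface that to the user and to alerting.
            return "reused"
        rec["used"] = True   # record is kept until expiry to detect reuse
        return "ok"


if __name__ == "__main__":
    store = SmsOtpStore()
    sms_code = store.issue("alice")            # constructed sample account
    print(store.verify("alice", sms_code))     # first presentation
    print(store.verify("alice", sms_code))     # second presentation
```

A `reused` result is the signal described in the answer: the legitimate user learns that the code was already consumed and can re-secure the account.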
2

Everybody (even Schneier?) seems to be missing a crucial piece:

If your phone is lost/stolen, you're already toast, since your SIM is in it!

It's astonishing to me that no one seems to have noticed this as far as I can tell, but SMS suffers from the fact that it doesn't require you to even be able to access the data on your phone.

Even if telecommunication was encrypted, and even if your phone is locked and encrypted, if you have SMS or call-based authentication enabled and your phone is stolen, you're completely toast until the time you manage to find a way to get your provider to deactivate your SIM (and report to law enforcement, etc.) An attacker literally needs less than 1 minute to remove your SIM card and put it in another phone to get the text message, so by the time you manage to report the issue, he'll almost certainly have had the chance to try this a dozen times and then turn off your phone or just put it back so he can't be tracked.

Your only luck here when using SMS 2FA is if the attacker doesn't know your username, or that your SIM is locked securely against use in another phone:

  1. If your phone was on when it was lost or stolen, chances are it's written somewhere on your login screen or will pop up as a notification at some point.

  2. If you just got mugged and you managed to turn off your phone, your ID or credit card probably went with your phone, in which case your username or email is probably not that hard to guess or find on Google. If your phone was on, then (1) is still a risk too.

  3. If the attacker knew you somehow, then you're almost definitely toast.
    Like, say, you leave your phone on your desk while you're out to lunch, and someone comes by to swap the SIM, get the SMS, and swap it back. It'd only take a few minutes if no one is watching.

So while you can worry about someone trying to intercept your communication with a Stingray-like apparatus or by infiltrating your telephone provider's facilities, the reality is that a man-in-the-middle is not the actual risk for most people. The real risk is at the endpoint -- i.e., you. Lose your phone, and phone call- and SMS-based verification will completely turn against you no matter how strong your passwords or encryption are.

user541686
  • 1
    Sorry, this does not make sense to me. The question is about _2FA_ - the "2" means SMS is used in addition to something else, usually username+password. So while stealing the SIM card is a way to access the 2nd factor, you still need username+password. Thus to me this answer boils down to "You can intercept an SMS by obtaining someone's SIM card", which is true but obvious. – sleske Sep 08 '17 at 09:27
  • And yes, most security is lost if you login and do business on the same phone that you used to receive the SMS. As a matter of fact, most German banks explicitly forbid the use of SMS authentication and online banking on a single phone - you're supposed to use a computer (or different phone) for the actual banking, in case your phone is compromised. – sleske Sep 08 '17 at 09:29
  • @sleske: Have you seen what Google does when you tell it you forgot your password? It takes your 2FA SMS number and [**suggests this**](https://i.stack.imgur.com/4U96l.png). That's what I'm talking about. Any attacker could reset your password like this. And I don't know why you're talking about business phones in Germany. I'm talking about ordinary people -- consumers. And somewhere more typical than Germany in terms of strictness (generally US unless specified otherwise). – user541686 Sep 08 '17 at 09:52
  • @sleske: (Note that I'm not *just* talking about Google. I'm pretty sure I've seen other companies do this too. Google is just a prominent example here.) – user541686 Sep 08 '17 at 10:15
  • 1
    Yes, Google allows you to recover your account via SMS. But that is not 2FA - because you only need the phone. The question is about 2FA, which by definition requires _more_ than just a SMS. That's what I wanted to point out: What you write is true, but _does not answer the question as asked_. And incidentally, I'm genuinely curious what "typical strictness" is for you, and why Germany is not representative. – sleske Sep 08 '17 at 11:19
  • @sleske: It doesn't seem like you understood what I just wrote? The question was *"A lot of two-factor authentication mechanisms use SMS to deliver single-use passphrase to the user. So how secure is it?"* I said that *Google uses **your 2FA SMS phone number*** to let you reset your password, meaning **2FA via SMS is insecure** (again, Google is not alone in implementing this behavior), which is a direct answer to *"How secure is it?"* The entire *point* is to show that interception is not always the biggest security risk in SMS 2FA. The question is a practical one and so is my answer. – user541686 Sep 08 '17 at 12:12
  • And I don't get why you're asking again. (Did you read my comment?) I already answered your question: I said generally we assume USA unless otherwise specified. And even if it were Germany, there's no indication that we can assume a business phone like you did. – user541686 Sep 08 '17 at 12:17
  • Ok, seems we understood the question differently - I interpreted "2FA" more narrowly. As to "generally we assume USA": Do you have any reference for that? The StackExchange sites have a global audience, you usually can't assume a certain nationality. – sleske Sep 08 '17 at 14:16
  • And sorry to confuse you with the online banking thing: the "German banks" comment was about online banking by regular customers, not about internal use. – sleske Sep 08 '17 at 14:17
  • One final (hopefully :-) ) comment: As far as I can see, Google does _not_ let you automatically use your 2FA SMS phone number to reset your password. Numbers for 2FA ("2-Step-Verification") and "Account Recovery" are configured separately. Of course you _can_ use the same number, but that's not Google's fault... – sleske Sep 08 '17 at 14:38
  • @sleske: Again: This was **NOT** the account recovery phone number. This was 2FA SMS phone number which Google decided to use for account recovery. I know this is counterintuitive, that's why I keep repeating it to you. Try it yourself before telling me I'm wrong. That screenshot was from myself trying it to confirm I'm not hallucinating before replying to you. – user541686 Sep 08 '17 at 19:11