How hard is it to intercept SMS (two-factor authentication)?

Question

A lot of two-factor authentication mechanisms use SMS to deliver single-use passphrase to the user. So how secure is it? Is it hard to intercept the SMS message containing the passphrase? Do mobile networks use any kind of encryption on SMS?

I found an interesting article regarding two-factor authentication and the ways it could be attacked.

Answer 1

GSM includes some protection through cryptography. The mobile phone and the provider (i.e. the base station which is part of the provider's network) authenticate each other relatively to a shared secret, which is known to the provider and stored in the user's SIM card. Some algorithms known under the code names "A3" and "A8" are involved in the authentication. Then the data (as sent through the radio link) is encrypted with an algorithm called "A5" and a key derived from A3/A8 and the shared secret.

There are several actual algorithms which hide under the name "A5". Which algorithm is used depends on the provider, who, in turn, is constrained by local regulations and what it could license from the GSM consortium. Also, an active attacker (with a fake base station) can potentially force a mobile phone to use another variant, distinct from what it would have used otherwise, and there are not many phones which would alert the user about it (and even fewer users who would care about it).

• A5/0 means "no encryption". Data is sent unencrypted. In some countries, this is the only allowed mode (I think India is such a country).
• A5/1 is the old "strong" algorithm, used in Europe and North America.
• A5/2 is the old "weak" algorithm, nominally meant for "those countries who are good friends but that we do not totally trust nonetheless" (it is not spelled out that way in the GSM specifications, but that's the idea).
• A5/3 is the newer algorithm for GPRS/UMTS.

A5/3 is a block cipher also known as KASUMI. It offers decent security. It has a few shortcomings which would make it "academically broken", but none really applicable in practice.

A5/2 is indeed weak, as described in this report. The attack requires a fraction of a second, subject to a precomputation which takes less than an hour on a PC and requires a few gigabytes of storage (not much). There are technical details, mostly because the GSM protocol itself is complex, but one can assume that the A5/2 layer is breakable.

A5/1 is stronger, but not very strong. It uses a 64-bit key, but the algorithm structure is weaker and allows for an attack with complexity about 2^42.7 elementary operations (see this article that I wrote 12 years ago). There have been several publications which turn around this complexity, mostly by doing precomputations and waiting for the algorithm internal state to reach a specific structure; although such publications advertise slightly lower complexity figures (around 2⁴⁰), they have drawbacks which make them difficult to apply, such as requiring thousands of known plaintext bits. With only 64 known plaintext bits, the raw complexity is 2^42.7. I have not tried to implement it for a decade, so it is conceivable that a modern PC would run it faster than the workstation I was using at that time; as a rough estimate, a quad core PC with thoroughly optimized code should be able to crack it in one hour.

The size of the internal state of A5/1, and the way A5/1 is applied to encrypt data, also make it vulnerable to time-memory trade-offs, such as rainbow tables. Again, see the Barkan-Biham-Keller article. This assumes that the attacker ran once a truly massive computation, and stored terabytes of data; afterwards, the online phase of the attack can be quite fast. Details very quite a bit, depending on how much storage space you have, how much CPU power is available for the online phase, and how long you are ready to wait for the result. The initial computation phase is huge but technologically doable (a thousand PC ought to be enough); there was an open distributed project for that but I do not know how far they went.

SMS interception is still a specific scenario. It is not a full voice conversation; the actual amount of exchanged data is small, and the connection is over after a quite short time. This may limit the applicability of the attacks exposed above. Moreover, the attack must be fast: the point of the attack is to grab the secret password sent as a SMS, so that the attacker can use it before the normal user. The attacker must be quick:

• The server typically applies a short timeout on that password, such as a few minutes. SMS transmission is supposed to be a matter of a few seconds.
• The user is not patient (users never are). If he does not get his SMS within five minutes, he will probably request a new one, and a well-thought two-factor authentication system on the server would then invalidate the previous one-time password.

Things are easier for the attacker if he already broke the first authentication factor (that's why we use two-factor authentication: because one is not enough). In that case, the attacker may initiate the authentication request while the target user is blissfully unaware of it, and thus unlikely to raise any alarm if he fails to receive a SMS, or, dually, if he receives an unwanted SMS (the attacker may do the attack late at night; the attacked user will find the unwarranted SMS only in the morning, when he wakes up, giving a few hours for the attacker to enact his mischiefs).

GSM encryption is only for the radio link. In all of the above, we concentrated on an attacker who eavesdrop on data as sent between the mobile phone and the base station. The needed radio equipment appears to be available off-the-shelf, and it is easily conceived that this scenario is applicable in practice. However, the SMS does not travel only from the base station to the mobile phone. Its complete journey begins at the server facilities, then goes through the Internet, and then the provider's network, until it reaches the base station -- and only at that point does it get encrypted with whatever A5 variant is used.

How is data secured within the provider's network, and between the provider and the server which wants the SMS to be sent, is out of scope of the GSM specification. So anything goes. Anyway, if the attacker is the provider, you lose. Law enforcement agencies, when they want to eavesdrop on people, typically do so by asking nicely to the providers, who invariably comply. This is why drug cartels, especially in Mexico and Colombia, tend to build their own cell networks.

Answer 2

GSM Network is encrypted. But that doesn't make it bullet-proof of course. It can be compromised. However, the attacks Rook (and later in much more detail Thomas Pornin) described are very localized and requires significant effort to accomplish. They are not impossible, but very difficult. It requires breaking the GSM network in proximity of the mobile phone at the same time the SMS is sent. There is also a potential for someone at the network operator to intercept SMS. If we're talking about national-security/espionage scenarios, where a specific person is targeted and the attackers have very sophisticated means and lots of money to spend, then it is definitely possible. Pretty much the same applies to getting the seed values from your hardware token provider though.

Even if this SMS attack is successful, it might also require obtaining the username and password (assuming SMS is not the only method of authentication, but rather a 2nd component). There are other alternatives, where the user initiates the SMS message to the server, and the server can check it matched the requested challenge/token. The server can also verify the originator caller ID. Of course this too has its limitations, but if done right can provide slightly more protection theoretically.

If, as in most cases, the idea is to improve security by offering 2 factor authentication, then adding SMS into the mix dramatically improves it over standard username/password. The fact that you're using two separate communication channels (TCP/IP and GSM) makes it already more secure. As a very rough personal estimate, I would say SMS tokens are more or less on par with hardware based tokens, security wise. Of course god (or the devil) is in the detail.

Answer 3

The other answers already explain the security of GSM and the technologies involved against technical attacks.

However, there are a number of other attacks which bypass the technical protections.

The German Wikipedia article on transaction authentication numbers (which are often sent by SMS) lists some attacks:

• stealing or stealthily access the victim's mobile phone
• installing malware on the mobile phone, particularly if it is a smartphone
• insider attacks at the mobile service provider
• using social engineering to circumvent the system, for example by:
  • obtaining access to messages
  • obtaining a new SIM card from the service provider
  • porting the phone number to a different account (SIM swap scam)

For example, in 2015 there was a series of fraudulent money transfers in Germany, where the fraudsters obtained a new SIM card under the customer's name. Similar attacks had happened before, therefore mobile phone providers had improved authentication of customers ordering new SIM cards. To circumvent this, when calling the phone provider, the fraudsters impersonated employees from a mobile phone shop, and claimed to be activating SIMs on behalf of customers (Source [German]: Online-Banking: Neue Angriffe auf die mTAN).

Obviously, all the technical protections are useless if the attacker manages to circumenvent them.

Answer 4

While discussions about encryption are interesting, I think the key question is: are the carriers incented to care about security? I fear the answer is "no". What is their incentive to spend money securing their SMS systems? Do they even manage them or is it out-sourced? What guarantees of security do they offer? How much do you trust the people administering the servers ?

Further, this about this: If you have 100 million customers and you make it slightly harder to reset your password your helpdesk calls would go through the roof. This is why it can be so easy to take-over someone's account.

Additionally, just as you see with the Certificate Authority framework, the SMS infrastructure will be a target for attack.

I recently wrote a blog post about summarizing these points with links: http://www.wikidsystems.com/WiKIDBlog/fraudsters-defeat-poor-risk-management-not-two-factor-authentication. From a risk management standpoint, SMS auth is better than passwords, but don't count on it for long. The current attacks target financial institutions, but as the cost of attacks drop, there will be more.

Answer 5

A multi-factor security system is worthless if the service has common vulnerabilities like XSS, SQL Injection or insufficient transport layer protection. These flaws can lead to an account or information compromise regardless of the authentication system you use.

That being said if you are physically close to the victim you can perform very nasty attacks. For instance if your victim is using a GSM carrier then an attacker can break GSM with a rainbowtable and intercept the SMS message. If you control your victim's network then you could use a tool like SSLStrip or SSLSniff to attack HTTP login portal.

"Remember Me" is evil. Some implementations of SMS mutulti-factor authentication (Like Google's) allow you bless a device for 30 days. This is just a persistent cookie that works as an authentication token for 30 days. If you have owned your victims machine, then you can obtain this cookie and use it for authentication. There is no way to implement a "Remember Me" feature safely.

Hardware based cryptographic tokens are much more difficult to compromise. This is really the step up from SMS, in that this is a token that you have and it should be difficult to compromise. This is true for the most part, unless of course you use RSA's hardware tokens.

Answer 6

Lately, Many mobile phone apps request access to SMS messages and the users allow it because they are interested in the app. This makes the attack less difficult than intercepting the SMS on mobile networks.

Answer 7

I know this doesn't directly answer your question, but I hope it addresses some concerns:

If the implementation is done properly, I wouldn't be very concerned about SMS interception. This is because one-time SMS authenticators offer a great opportunity for real-time alerting to potential attacks. If the authenticator is intercepted, it's very likely that you will be immediately aware of it and quickly able to react.

If the SMS is intercepted during an authentication session you've attempted to initiate, one of two things should happen:

• If you successfully authenticate first, the attacker's attempt should fail. This is because the system should reject authenticator reuse attempts. In this situation, the attack is thwarted entirely.

• If the attacker manages to authenticate first, your authentication attempt should fail due to authenticator reuse. The system should also inform you that this is the reason for the failure. At this point, you should take whatever actions are necessary to re-secure your account. Being able to do so quickly will limit the potential impact of the attack.

If the attacker tries to initiate authentication while you are not, you should be alerted by the fact that you will receive an SMS that you did not request. There are few practical means by which someone might surreptitiously intercept an SMS sent to your phone without you also receiving it or soon noticing something else amiss.

This is all rendered moot anyway, if you're subjected to a Man-in-the-Browser attack.

Also, since most SMS authentication implementations use the SMS authenticator as a second factor, I'd really be more concerned about how the first authentication factor was compromised. If not done via bare social engineering, it was probably through some browser or OS exploit which resulted in a keylogger on your system. Then, we're not many steps from the Man-in-the-Browser situation that effectively results in total compromise regardless of your authentication method.

Answer 8

Everybody (even Schneier?) seems to be missing a crucial piece:

If your phone is lost/stolen, you're already toast, since your SIM is in it!

It's astonishing to me that no one seems to have noticed this as far as I can tell, but SMS suffers from the fact that it doesn't require you to even be able to access the data on your phone.

Even if telecommunication was encrypted, and even if your phone is locked and encrypted, if you have SMS or call-based authentication enabled and your phone is stolen, you're completely toast until the time you manage to find a way to get your provider to deactivate your SIM (and report to law enforcement, etc.) An attacker literally needs less than 1 minute to remove your SIM card and put it in another phone to get the text message, so by the time you manage to report the issue, he'll almost certainly have had the chance to try this a dozen times and then turn off your phone or just put it back so he can't be tracked.

Your only luck here when using SMS 2FA is if the attacker doesn't know your username, or that your SIM is locked securely against use in another phone:

1. If your phone was on when it was lost or stolen, chances are it's written somewhere on your login screen or will pop up as a notification at some point.

2. If you just got mugged and you managed to turn off your phone, your ID or credit card probably went with your phone, in which case your username or email is probably not that hard to guess or find on Google. If your phone was on, then (1) is still a risk too.

3. If the attacker knew you somehow, then you're almost definitely toast.
   Like, say, you leave your phone on your desk while you're out to lunch, and someone comes by to swap the SIM, get the SMS, and swap it back. It'd only take a few minutes if no one is watching.

So while you can worry about someone trying to intercept your communication with a Stingray-like apparatus or by infiltrating your telephone provider's facilities, the reality is that a man-in-the-middle is not the actual risk for most people. The real risk is at the endpoint -- i.e., you. Lose your phone, and phone call- and SMS-based verification will completely turn against you no matter how strong your passwords or encryption are.