This kind of GSM snooping has been possible for a long time, but it’s always been prohibitively expensive. Now researchers using simple techniques and inexpensive equipment have managed to find a way to do it by running custom firmware on cheap Motorola handsets.

Researchers have demonstrated an alarmingly simple technique for eavesdropping on individual GSM mobile calls without the need to use expensive, specialised equipment.

During a session at the Chaos Computer Club Congress (CCC) in Berlin, Karsten Nohl and Sylvain Munaut used cheap Motorola handsets running a replacement firmware based on open source code to intercept data coming from a network base station.

Armed with this, they were able to locate the unique ID for any phone using this base, breaking the encryption keys with a rainbow table lookup.

Although far from trivial as hacks go, the new break does lower the bar considerably compared to previous hacks shown by the same reasearchers. In 2009, Nohl published a method for cracking open GSM’s A5/1 encryption design using a lookup table in near real time.

What was missing, however, was a way of identifying the call stream for an individual phone in order to apply the lookup to a real call within the clutter of data moving back and forth between a particular base station and the many phones using it. That is what Nohl appears to have worked out in his latest demo.

It’s by no means a simple or straight forwards attack but it just shows with the knowledge of the crypto algorithms used by GSM base-stations it’s possible to intercept conversations from specific handsets.

There hasn’t been a whole lot of stories about GSM hacking so it’s good to see something in this area as most of the World owns at least 1 GSM device and not a whole of people are looking at the security the networks are relying on.

Another important detail is that Nohl was able to replace the firmware of the handsets with custom software. According to the BBC report on which most stories are being based, this was only possible because the Motorola handsets in question had been reverse engineered after an unspecified leak.

How easy would it be to exploit the new hack? In short, not particularly easy. Creating a custom lookup table similar to Nohl’s would take months of work and any eavesdropper would still need to break into the handset in question.

The crack does lower the bar from being a hardware problem to one of software expertise, which will cause some alarm in the GSM engineering community.

Governments and the military won’t worry unduly as they will be using encrypted satellite phone systems and GSM phones equipped with extra layers of call encryption to make sensitive calls. Large companies might want to take note, however.

As far as I know most military and government phones even when relying on GSM have another layer of encryption on top as stated in the article, so they should be pretty safe. But what about the rest of the World? Some big companies and important people are relying on standard GSM handsets without any extra protection.

I hope to see more news in this area as it has pretty big implications for everyone.

Source: Network World

The Chaos Communication Camp is an international, five-day open-air event for hackers and associated life-forms. The Camp features three conference tracks with interesting lectures, workshops and other stuff.

Chaos Communication Camp 2007 will take place at a brand new location at the Airport Museum Finowfurt, directly at Finow airport. So if you like, you can directly fly to the Camp. You can get to the location easily with a car in the less than 30 minutes starting in Berlin and we will make sure there is a shuttle connection to the next train station.

“In Fairy Dust We Trust!”

CCC 2007 will be held between August 8th and August 12th, 2007.

More info here:

http://events.ccc.de/camp/2007/