Researchers Hack Mobile Calls On GSM Network

The New Acunetix V12 Engine


Gotta love a bit of hardware hacking in the new year, this Karsten Nohl guy has been busy lately – he recently exposed Car Immobilisers Using Weak Encryption Schemes and more relevant to this article we’ve written about him and GSM Hacking Coming To The Masses Script Kiddy Style before.

This kind of GSM snooping has been possible for a long time, but it’s always been prohibitively expensive. Now researchers using simple techniques and inexpensive equipment have managed to find a way to do it by running custom firmware on cheap Motorola handsets.

Researchers have demonstrated an alarmingly simple technique for eavesdropping on individual GSM mobile calls without the need to use expensive, specialised equipment.

During a session at the Chaos Computer Club Congress (CCC) in Berlin, Karsten Nohl and Sylvain Munaut used cheap Motorola handsets running a replacement firmware based on open source code to intercept data coming from a network base station.

Armed with this, they were able to locate the unique ID for any phone using this base, breaking the encryption keys with a rainbow table lookup.

Although far from trivial as hacks go, the new break does lower the bar considerably compared to previous hacks shown by the same reasearchers. In 2009, Nohl published a method for cracking open GSM’s A5/1 encryption design using a lookup table in near real time.

What was missing, however, was a way of identifying the call stream for an individual phone in order to apply the lookup to a real call within the clutter of data moving back and forth between a particular base station and the many phones using it. That is what Nohl appears to have worked out in his latest demo.

It’s by no means a simple or straight forwards attack but it just shows with the knowledge of the crypto algorithms used by GSM base-stations it’s possible to intercept conversations from specific handsets.

There hasn’t been a whole lot of stories about GSM hacking so it’s good to see something in this area as most of the World owns at least 1 GSM device and not a whole of people are looking at the security the networks are relying on.


Another important detail is that Nohl was able to replace the firmware of the handsets with custom software. According to the BBC report on which most stories are being based, this was only possible because the Motorola handsets in question had been reverse engineered after an unspecified leak.

How easy would it be to exploit the new hack? In short, not particularly easy. Creating a custom lookup table similar to Nohl’s would take months of work and any eavesdropper would still need to break into the handset in question.

The crack does lower the bar from being a hardware problem to one of software expertise, which will cause some alarm in the GSM engineering community.

Governments and the military won’t worry unduly as they will be using encrypted satellite phone systems and GSM phones equipped with extra layers of call encryption to make sensitive calls. Large companies might want to take note, however.

As far as I know most military and government phones even when relying on GSM have another layer of encryption on top as stated in the article, so they should be pretty safe. But what about the rest of the World? Some big companies and important people are relying on standard GSM handsets without any extra protection.

I hope to see more news in this area as it has pretty big implications for everyone.

Source: Network World

Posted in: Cryptography, Hardware Hacking, Privacy


Latest Posts:


Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.


Comments are closed.