Researchers Hack Mobile Calls On GSM Network

Use Netsparker


Gotta love a bit of hardware hacking in the new year, this Karsten Nohl guy has been busy lately – he recently exposed Car Immobilisers Using Weak Encryption Schemes and more relevant to this article we’ve written about him and GSM Hacking Coming To The Masses Script Kiddy Style before.

This kind of GSM snooping has been possible for a long time, but it’s always been prohibitively expensive. Now researchers using simple techniques and inexpensive equipment have managed to find a way to do it by running custom firmware on cheap Motorola handsets.

Researchers have demonstrated an alarmingly simple technique for eavesdropping on individual GSM mobile calls without the need to use expensive, specialised equipment.

During a session at the Chaos Computer Club Congress (CCC) in Berlin, Karsten Nohl and Sylvain Munaut used cheap Motorola handsets running a replacement firmware based on open source code to intercept data coming from a network base station.

Armed with this, they were able to locate the unique ID for any phone using this base, breaking the encryption keys with a rainbow table lookup.

Although far from trivial as hacks go, the new break does lower the bar considerably compared to previous hacks shown by the same reasearchers. In 2009, Nohl published a method for cracking open GSM’s A5/1 encryption design using a lookup table in near real time.

What was missing, however, was a way of identifying the call stream for an individual phone in order to apply the lookup to a real call within the clutter of data moving back and forth between a particular base station and the many phones using it. That is what Nohl appears to have worked out in his latest demo.

It’s by no means a simple or straight forwards attack but it just shows with the knowledge of the crypto algorithms used by GSM base-stations it’s possible to intercept conversations from specific handsets.

There hasn’t been a whole lot of stories about GSM hacking so it’s good to see something in this area as most of the World owns at least 1 GSM device and not a whole of people are looking at the security the networks are relying on.


Another important detail is that Nohl was able to replace the firmware of the handsets with custom software. According to the BBC report on which most stories are being based, this was only possible because the Motorola handsets in question had been reverse engineered after an unspecified leak.

How easy would it be to exploit the new hack? In short, not particularly easy. Creating a custom lookup table similar to Nohl’s would take months of work and any eavesdropper would still need to break into the handset in question.

The crack does lower the bar from being a hardware problem to one of software expertise, which will cause some alarm in the GSM engineering community.

Governments and the military won’t worry unduly as they will be using encrypted satellite phone systems and GSM phones equipped with extra layers of call encryption to make sensitive calls. Large companies might want to take note, however.

As far as I know most military and government phones even when relying on GSM have another layer of encryption on top as stated in the article, so they should be pretty safe. But what about the rest of the World? Some big companies and important people are relying on standard GSM handsets without any extra protection.

I hope to see more news in this area as it has pretty big implications for everyone.

Source: Network World

Posted in: Cryptography, Hardware Hacking, Privacy


Latest Posts:


StaCoAn - Mobile App Static Analysis Tool StaCoAn – Mobile App Static Analysis Tool
StaCoAn is a cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing mobile app static analysis on the code of the application for both native Android and iOS applications.
snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.


Comments are closed.