GSM Security Nearly Dead.
A report at TheRegister.co.uk on 25th August suggests that basic GSM handset encryption will shortly be thwarted.
For several years now, interested people have been doing ever more with GNU Radio and the USRP 'software radio' hardware from Ettus Research. The USRP is a USB-attached radio front end: with the right daughterboard it can receive and transmit across a wide range of frequencies, and all the signal processing is done on the PC by GNU Radio, so changing the software changes what kind of radio it is. Thus the roughly $1000 USRP can be made to act like a GSM phone, a WiFi router, a regular FM radio or indeed a TETRA radio.
The OpenBTS project first showcased what was possible: a DIY GSM base station that let an ordinary, unmodified mobile phone make calls without touching a legitimate GSM carrier, using just a laptop and a USRP. Calls were routed through an Asterisk VoIP gateway. The project was tested in the field at the Burning Man festival and at the 2009 Hackers At Random (HAR) conference.
Once the GPL'd OpenBTS source was out there, ordinary coders could see how everything fitted together, and it was only a matter of time before other GSM applications followed.
The report at The Register states that the Chaos Computer Club (CCC) of Germany will be releasing tools in the next couple of months that will allow anyone with a laptop and an antenna (and presumably a USRP) to listen in on encrypted GSM calls. They plan to pre-compute a huge rainbow table, some 2 terabytes in size, for A5/1, the stream cipher that encrypts GSM voice and signalling over the air. A rainbow table is not a list of keys: it is a time-memory trade-off in which the cipher is run forward enormous numbers of times in advance, so that later, given a short stretch of keystream captured from the air, you can look up the internal state of the cipher that produced it and derive the 64-bit session key (Kc) from that state. The keystream itself is obtained by XORing the intercepted ciphertext with known plaintext, and GSM transmits enough predictable signalling frames that known plaintext is easy to come by. Presumably you will be able to submit a captured keystream to whoever holds the table and get the key back, much as you can do with Windows login password hashes right now. Of course posting such a request over the internet would probably get you a black mark down at Spooks HQ, and I'm quite sure they'll be listening!
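To make the "keystream in, key out" point concrete, here is a cut-down illustration written for this post; it is not code from the CCC project, the A5/1 cracking effort or The Register article. It implements A5/1 itself (register sizes, taps and clocking follow the publicly documented cipher, and it is checked against the published test vector), then stands a plain dictionary in for the rainbow table: over a deliberately tiny keyspace and a single fixed frame number, it maps a 32-bit keystream prefix back to the key. The real tables cover the full 64-bit state space with chained reduction functions and map keystream to cipher state rather than directly to Kc, but the attacker-side step is the same: XOR ciphertext with known plaintext, look up the resulting keystream. The frame number, the victim key and the 32-bit "known plaintext" are all constructed for the demo.

```python
"""Toy A5/1 keystream lookup.  Added illustration, not the CCC's code."""

# A5/1 register parameters (public cipher description): 19/22/23-bit LFSRs,
# feedback taps, majority-clocking bit and output (most significant) bit.
R1MASK, R2MASK, R3MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF
R1TAPS, R2TAPS, R3TAPS = 0x072000, 0x300000, 0x700080
R1MID, R2MID, R3MID = 0x000100, 0x000400, 0x000400
R1OUT, R2OUT, R3OUT = 0x040000, 0x200000, 0x400000


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _step(reg: int, mask: int, taps: int) -> int:
    """Shift one LFSR left by one bit, feeding back the parity of its taps."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    """A5/1 keystream generator for a 64-bit key Kc and a 22-bit frame number."""

    def __init__(self, key: bytes, frame: int):
        assert len(key) == 8
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):                 # key load: all registers clock, no majority rule
            self._step_all()
            kb = (key[i >> 3] >> (i & 7)) & 1
            self.r1 ^= kb
            self.r2 ^= kb
            self.r3 ^= kb
        for i in range(22):                 # frame number load, same way
            self._step_all()
            fb = (frame >> i) & 1
            self.r1 ^= fb
            self.r2 ^= fb
            self.r3 ^= fb
        for _ in range(100):                # mixing clocks with the majority rule
            self._clock()

    def _step_all(self):
        self.r1 = _step(self.r1, R1MASK, R1TAPS)
        self.r2 = _step(self.r2, R2MASK, R2TAPS)
        self.r3 = _step(self.r3, R3MASK, R3TAPS)

    def _clock(self):
        """Majority clocking: a register moves only if its clocking bit agrees with the majority."""
        b1, b2, b3 = bool(self.r1 & R1MID), bool(self.r2 & R2MID), bool(self.r3 & R3MID)
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = _step(self.r1, R1MASK, R1TAPS)
        if b2 == maj:
            self.r2 = _step(self.r2, R2MASK, R2TAPS)
        if b3 == maj:
            self.r3 = _step(self.r3, R3MASK, R3TAPS)

    def keystream(self, nbits: int) -> list:
        out = []
        for _ in range(nbits):
            self._clock()
            out.append(_parity(self.r1 & R1OUT) ^ _parity(self.r2 & R2OUT) ^ _parity(self.r3 & R3OUT))
        return out


def bits_to_bytes(bits) -> bytes:
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i >> 3] |= b << (7 - (i & 7))
    return bytes(out)


def known_answer_ok() -> bool:
    """Published A5/1 test vector: key 12 23 45 67 89 AB CD EF, frame 0x134.
    The first 114 keystream bits are the A->B burst, the next 114 the B->A burst."""
    ks = A51(bytes.fromhex("1223456789abcdef"), 0x134).keystream(228)
    return (bits_to_bytes(ks[:114]) == bytes.fromhex("534eaa582fe8151ab6e1855a728c00")
            and bits_to_bytes(ks[114:]) == bytes.fromhex("24fd35a35d5fb6526d32f906df1ac0"))


PREFIX_BITS = 32      # keystream prefix used as table index (toy size)
DEMO_FRAME = 0x134    # constructed: the toy table is built for one fixed frame number


def toy_key(i: int) -> bytes:
    """Constructed, deliberately tiny keyspace: Kc = i as a little-endian 64-bit value."""
    return i.to_bytes(8, "little")


def build_table(n_keys: int) -> dict:
    """Precomputation stand-in: keystream prefix -> candidate keys (lists absorb collisions)."""
    table = {}
    for i in range(n_keys):
        ks = A51(toy_key(i), DEMO_FRAME).keystream(PREFIX_BITS)
        table.setdefault(tuple(ks), []).append(toy_key(i))
    return table


def recover_key(table: dict, ciphertext_bits, known_plaintext_bits) -> list:
    """Attacker side: ciphertext XOR known plaintext gives keystream; look it up.
    Note the input is keystream, never a key. Returns [] when the prefix is not in the table."""
    ks = tuple(c ^ p for c, p in zip(ciphertext_bits, known_plaintext_bits))
    return table.get(ks[:PREFIX_BITS], [])


def demo(n_keys: int = 1024, victim: int = 777) -> tuple:
    """Victim encrypts a predictable frame; attacker recovers Kc from the toy table."""
    assert victim < n_keys
    known_plaintext = [(0xDEADBEEF >> (31 - i)) & 1 for i in range(32)]   # constructed
    key = toy_key(victim)
    ciphertext = [p ^ k for p, k in zip(known_plaintext, A51(key, DEMO_FRAME).keystream(PREFIX_BITS))]
    return key, recover_key(build_table(n_keys), ciphertext, known_plaintext)


if __name__ == "__main__":
    print("A5/1 test vector ok:", known_answer_ok())
    key, candidates = demo()
    print("victim Kc:", key.hex(), "recovered:", [c.hex() for c in candidates])
```

The dictionary here is built in seconds because the keyspace is 2^10; the genuine 2 TB tables are the same idea stretched across 2^64 possible states, which is exactly why the precomputation is worth doing once and sharing.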
It's amazing to think that this year will have seen both DECT and GSM hacked to bits. All this is possible because of the USRP hardware and ever faster PCs. 3G phones, however, should be safe for some time to come: the tables only break A5/1, so a network running the newer A5/3 cipher, or a genuine 3G (UMTS) call, is not affected. The caveat is that a 3G handset will quite happily fall back to a 2G cell when it has to, and a 2G cell in practice still means A5/1.
http://www.theregister.co.uk/2009/08/28/mobile_phone_snooping_plan/
Also, an article from the German Financial Times, translated to English.