GSM mobile phone security is now practically dead. Anyone with a spare couple of grand can do what was previously the exclusive preserve of national security agencies. Until now you'd have had to spend around £100K on a commercial interceptor and prove you were a suitable government-grade customer.
According to The Register's (theregister.co.uk) security pages, several talks at the Black Hat security conference in Las Vegas this week will take GSM hacking down to the script-kiddie level: all you need is enough cash for a modified USRP USB radio peripheral and a 2TB hard drive to store the rainbow lookup tables.
With that kit you can capture wide chunks of the GSM spectrum in real time and target individual subscribers by IMSI. The researchers reckon that around 80% of mobile traffic still runs over the old A5/1 GSM cipher. A5/3 and 3G (UMTS) calls are not broken by this attack and should still be considered secure. But remember that if your 3G phone isn't near a strong 3G signal it will fall back to 2G GSM, and on most networks that means A5/1 anyway; a hostile base station (an IMSI catcher, see the link at the end) can force that fallback too.
Think about all those corporate espionage guys out there, they must be salivating like crazy. The rainbow lookup tables are a hefty download at 2TB, but if you're prepared to travel to Oslo, The Register reports that Frank A. Stevenson (the guy who cracked the CSS encryption scheme on DVDs) will swap you a blank drive for one with the rainbow tables on. (Rainbow tables are precomputed time-memory trade-off tables: they map chunks of A5/1 keystream back to the cipher's internal state, so once an attacker has a little known plaintext, and GSM's predictable control frames provide plenty, the 64-bit session key falls out after a few lookups instead of a fresh brute-force search for every call. That saves lots of time working each one out individually, and crucially makes near real-time decryption possible.)
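To show what "precompute once, look up fast" actually means, here is a toy rainbow-table attack, added as an illustration for this post; it is not part of the original article and not the code of Nohl, Stevenson or anyone mentioned above. It assumes a stand-in 16-bit keystream function built from SHA-256 in place of A5/1 (so the whole table builds in seconds), a keystream-XOR encryption like GSM's, and a constructed "victim" key and predictable frame; the chain/reduction/endpoint mechanics are the generic rainbow-table technique, scaled down.

```python
import hashlib
import random

# Toy parameters: a 16-bit key space so the table builds in a second or two.
# Real A5/1 has a 64-bit key and 64-bit internal state, which is why the real
# tables run to 2TB and took months of GPU time to compute.
KEY_BITS = 16
KEY_MASK = (1 << KEY_BITS) - 1
CHAIN_LEN = 32      # keys covered per chain
NUM_CHAINS = 4096   # chains stored; coverage is roughly NUM_CHAINS * CHAIN_LEN / 2**KEY_BITS


def keystream(key: int) -> int:
    """Stand-in for the A5/1 keystream generator (an assumption, not A5/1):
    maps a 16-bit session key to the first 16 bits of keystream via SHA-256.
    One-way, so the only generic way back from keystream to key is search."""
    digest = hashlib.sha256(b"toy-a5-" + key.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")


def reduce_to_key(ks: int, column: int) -> int:
    """Reduction function: maps a keystream value to a candidate key.
    Rainbow tables use a different reduction in every column, so two
    chains only merge if they collide in the same column."""
    return (ks + column * 0x9E37) & KEY_MASK


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Precompute chains start -> ... -> end and keep only the endpoints.
    Each chain covers chain_len keys but costs two 16-bit words to store."""
    table = {}  # endpoint -> list of start points (a list tolerates merges)
    for start in range(num_chains):
        x = start
        for column in range(chain_len):
            x = reduce_to_key(keystream(x), column)
        table.setdefault(x, []).append(start)
    return table


def lookup(table: dict, observed: int, chain_len: int = CHAIN_LEN):
    """Given observed keystream, return a key that produces it, or None.
    For each column j where the key might sit, continue the chain from
    reduce(observed, j) to its end, then regenerate any matching chain."""
    for j in range(chain_len - 1, -1, -1):
        x = reduce_to_key(observed, j)
        for column in range(j + 1, chain_len):
            x = reduce_to_key(keystream(x), column)
        for start in table.get(x, ()):
            k = start
            for column in range(j):
                k = reduce_to_key(keystream(k), column)
            if keystream(k) == observed:   # reject false alarms caused by merges
                return k
    return None


def recover_key(table: dict, ciphertext: int, known_plaintext: int):
    """Known-plaintext attack: the cipher XORs keystream onto the frame, so a
    frame whose content the attacker can predict leaks keystream = ct ^ pt."""
    return lookup(table, ciphertext ^ known_plaintext)


def covered_key(chain_index: int, column: int) -> int:
    """Key sitting at `column` of chain `chain_index`, i.e. one the table is
    guaranteed to cover; used only to construct the demo's victim key."""
    k = chain_index
    for c in range(column):
        k = reduce_to_key(keystream(k), c)
    return k


def coverage(table: dict, samples: int = 200, seed: int = 1) -> float:
    """Fraction of random keys whose keystream the table can invert."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        ks = keystream(rng.randrange(KEY_MASK + 1))
        k = lookup(table, ks)
        if k is not None and keystream(k) == ks:
            hits += 1
    return hits / samples


if __name__ == "__main__":
    table = build_table()
    victim = covered_key(7, 3)                 # constructed victim session key
    known_plaintext = 0x2B2B                   # constructed predictable frame
    ciphertext = known_plaintext ^ keystream(victim)
    found = recover_key(table, ciphertext, known_plaintext)
    print(f"victim key {victim:#06x}, recovered {found:#06x}")
    print(f"table coverage of random keys: {coverage(table):.0%}")
```

The build step is the expensive part and happens once; a lookup then costs on the order of CHAIN_LEN squared keystream evaluations rather than a search of the whole key space, which is exactly the trade that turns a 2TB download into near real-time key recovery. Coverage is never 100% (chains merge and some keys are simply missed), which is why the real A5/1 tables are several tables with different reduction functions rather than one.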
Of course the GSM Association (GSMA) makes light of all this, still calling it theoretical, and in some ways they have a point: it's not like you can do this on an old reprogrammed Nokia 3310, after all!
When DECT (the cordless phone standard you use at home) was hacked last year we didn't see UK identity thieves having a field day gathering up bank PINs and the like. Only a couple of thousand of the PCMCIA DECT cards were in circulation, and most were probably bought up by security researchers quite quickly. So the hardware to hack DECT became expensive, and you had to be able to configure a Linux laptop yourself to use it; the barrier to entry was therefore set high.
With GSM it's even higher. You need lots of Linux knowledge, £1000 worth of USRP radio hardware and soldering skills too. Sure, organised criminals, corporate spies and bent media companies will use this technology to spy on the rich and famous, but it won't become a massive problem in the UK. If anything, it will just speed along the adoption of 3G smartphones.
I wonder where Karsten Nohl and friends will be heading next with their USRPs? DECT cracked last year, this year GSM. Airwave/TETRA next year, maybe?
http://en.wikipedia.org/wiki/IMSI-catcher