GSM Security Nearly Dead.

A report at The Register on 25th August suggests that the basic GSM handset encryption, the A5/1 stream cipher, will shortly be thwarted.

For several years now, interested people have been doing ever more with GNU Radio and the USRP ‘software radio’ hardware from Ettus Research. The USRP is a USB-attached software-defined radio front end: it digitises raw RF and hands the samples to the GNU Radio software on the host PC, which does the modulation and demodulation, so changing the software changes what the radio is. Thus the $1000 USRP can be made to act like a GSM phone, a WiFi router, a regular FM radio or indeed a Tetra radio.

The OpenBTS project first showcased what was possible: a DIY GSM mast that allowed you to use a regular mobile phone to make calls without going through the legitimate GSM carriers, using just a laptop and a USRP peripheral. Calls were routed through an Asterisk VoIP gateway. This project was actually tested for real at the Burning Man festival and also at the 2009 Hackers At Random conference.

Once the open-source, GPL’d OpenBTS was out there, regular coders could look and see how everything fitted together. Of course it was only a matter of time before other GSM applications followed.

The report at The Register states that the Chaos Computer Club (CCC) of Germany will be releasing tools in the next couple of months that will allow anyone with a laptop and antenna (and presumably a USRP) to listen in on encrypted GSM calls. They plan to build a huge A5/1 rainbow table, some 2 terabytes in size. A rainbow table is not a list of every possible key: it is a time-memory trade-off, in which long chains of cipher states are computed in advance and only each chain’s start and end points are stored, so that a later lookup can re-walk one chain instead of repeating the whole search. For A5/1 the table is indexed by keystream rather than by the key: the eavesdropper XORs a sniffed burst against plaintext that GSM makes predictable, gets keystream bits, looks those up to recover the cipher’s internal state, and from that works back to the session key Kc. Presumably you’ll be able to post a captured keystream sample online and get a result from the rainbow table, in the same way you can with Windows login password hashes right now. Of course posting such a request to the table via the internet would probably get you a black mark down at Spooks HQ, and I’m quite sure they’ll be listening!
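To make the above concrete, here is the cipher in question and the step that produces the value an attacker looks up. This is an added example, not code from the original post or from the CCC; the register layout and bit conventions follow the Briceno/Goldberg/Wagner reference implementation of A5/1, the self-check uses that implementation’s published test vector, and the plaintext burst in the demo is constructed.

```python
# A5/1 keystream generator plus the known-plaintext step that yields the
# keystream bits a precomputed table is indexed by. Added example; not code
# from the post or the CCC. Conventions follow the Briceno/Goldberg/Wagner
# reference implementation (bit 0 of each register is the newest bit).

R1MASK, R2MASK, R3MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF  # 19-, 22-, 23-bit LFSRs
R1MID, R2MID, R3MID = 1 << 8, 1 << 10, 1 << 10          # majority-clocking bits
R1TAPS, R2TAPS, R3TAPS = 0x072000, 0x300000, 0x700080   # feedback taps
R1OUT, R2OUT, R3OUT = 1 << 18, 1 << 21, 1 << 22         # output (high) bits


def _parity(x):
    return bin(x).count("1") & 1


def _step(reg, mask, taps):
    """Shift one LFSR left, feeding the parity of its taps into bit 0."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    def __init__(self, kc, frame):
        """kc: 8-byte session key Kc; frame: 22-bit TDMA frame number."""
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):                  # load key, LSB of kc[0] first
            self._clock_all()
            self._xor_in((kc[i >> 3] >> (i & 7)) & 1)
        for i in range(22):                  # load frame number, LSB first
            self._clock_all()
            self._xor_in((frame >> i) & 1)
        for _ in range(100):                 # 100 mixing clocks, output discarded
            self._clock()

    def _xor_in(self, bit):
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self):
        self.r1 = _step(self.r1, R1MASK, R1TAPS)
        self.r2 = _step(self.r2, R2MASK, R2TAPS)
        self.r3 = _step(self.r3, R3MASK, R3TAPS)

    def _clock(self):
        """Majority rule: a register advances only if its middle bit agrees."""
        b1 = bool(self.r1 & R1MID)
        b2 = bool(self.r2 & R2MID)
        b3 = bool(self.r3 & R3MID)
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = _step(self.r1, R1MASK, R1TAPS)
        if b2 == maj:
            self.r2 = _step(self.r2, R2MASK, R2TAPS)
        if b3 == maj:
            self.r3 = _step(self.r3, R3MASK, R3TAPS)

    def keystream(self, nbits):
        bits = []
        for _ in range(nbits):
            self._clock()
            bits.append(_parity(self.r1 & R1OUT) ^ _parity(self.r2 & R2OUT)
                        ^ _parity(self.r3 & R3OUT))
        return bits


def burst_keystreams(kc, frame):
    """Per frame A5/1 emits 228 bits: 114 for the downlink burst, 114 for uplink."""
    ks = A51(kc, frame).keystream(228)
    return ks[:114], ks[114:]


def bits_to_bytes(bits):
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i >> 3] |= b << (7 - (i & 7))
    return bytes(out)


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def recover_keystream(cipher_bits, known_plain_bits):
    """The passive eavesdropper's step: sniffed ciphertext XOR known (or
    guessed) plaintext gives keystream bits. Those bits, not Kc, are what the
    precomputed table is indexed by; it returns the internal state from which
    Kc is then recovered."""
    return xor_bits(cipher_bits, known_plain_bits)


def reference_vector_ok():
    """Self-check against the reference implementation's published test vector."""
    kc = bytes([0x12, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF])
    down, up = burst_keystreams(kc, 0x134)
    return (bits_to_bytes(down).hex() == "534eaa582fe8151ab6e1855a728c00"
            and bits_to_bytes(up).hex() == "24fd35a35d5fb6526d32f906df1ac0")


if __name__ == "__main__":
    print("A5/1 reference vector:", "ok" if reference_vector_ok() else "MISMATCH")
    kc = bytes(range(8))                                 # constructed key
    plain = [int(i % 3 == 0) for i in range(114)]        # constructed burst
    down, _ = burst_keystreams(kc, 0x2A)
    cipher = xor_bits(plain, down)
    print("keystream recovered from known plaintext:",
          recover_keystream(cipher, plain) == down)
```

The whole secret state is 19 + 22 + 23 = 64 bits, and every burst leaks 114 bits of pure keystream wherever the plaintext is predictable; that combination is why precomputing a table over the state space is feasible at all. Run the self-check before relying on the implementation, since a single wrong tap or bit order produces keystream that looks fine but matches nothing.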

It’s amazing to think that this year will have seen both DECT and GSM hacked to bits. All this is possible because of the USRP hardware and ever faster PCs. 3G phones, however, will be safe for some time to come: UMTS uses a different cipher, and it is only the original A5/1-protected GSM traffic that can eventually be eavesdropped upon. The caveat is that a 3G handset drops back to GSM wherever there is no 3G coverage, so its calls are only as safe as the network it happens to be attached to.
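The 2 terabyte figure for the CCC’s table is a trade-off, not an exhaustive list: a rainbow table stores one entry per chain and covers chain-length states per entry, paying for the saving with extra computation at lookup time. The following is an added example of that mechanism on a toy 24-bit one-way function so it runs in seconds; it is not the CCC’s code, and the toy function, the reduction functions and the table sizes are my own choices for illustration.

```python
# Miniature rainbow table: the time/memory trade-off behind a precomputed
# A5/1 table, shown on a toy 24-bit one-way function. Added example; the
# function f, the reductions and the sizes are illustrative choices, not
# the CCC's design.
import hashlib

BITS = 24
SPACE = 1 << BITS            # 2^24 possible "states"; A5/1 has 2^64


def f(x):
    """Toy one-way function standing in for 'A5/1 state -> keystream bits':
    the top 24 bits of SHA-256 over the 3-byte state."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(3, "big")).digest()[:3], "big")


def reduce_(y, i):
    """Column-dependent reduction mapping an output back into the state space.
    Using a different reduction per column is what makes the table a rainbow
    table: chains that collide in different columns do not merge."""
    return (y + i) & (SPACE - 1)


def build_table(starts, t):
    """Chain: x0 -> R0(f(x0)) -> R1(f(.)) -> ... -> x_t. Only (x_t, x0) is
    stored, so memory is one entry per chain while t states per chain are
    covered. Chains that end at the same point are kept together."""
    table = {}
    for x0 in starts:
        x = x0
        for i in range(t):
            x = reduce_(f(x), i)
        table.setdefault(x, []).append(x0)
    return table


def lookup(table, y, t):
    """Find x with f(x) == y, if any stored chain passed through x.
    For each hypothesis 'y was produced in column j', finish the chain from
    column j, look up its end point, then re-walk the chain from its start
    and confirm (a chain merge can produce a false alarm)."""
    for j in range(t - 1, -1, -1):
        x = reduce_(y, j)
        for i in range(j + 1, t):
            x = reduce_(f(x), i)
        for x0 in table.get(x, ()):
            z = x0
            for i in range(j):
                z = reduce_(f(z), i)
            if f(z) == y:
                return z
    return None


def state_on_chain(x0, steps):
    """Demo helper: the state reached after `steps` links from start x0."""
    x = x0
    for i in range(steps):
        x = reduce_(f(x), i)
    return x


if __name__ == "__main__":
    T = 40
    table = build_table(range(3000), T)          # 3000 chains of length 40
    target = state_on_chain(1234, 10)            # a state some chain covered
    print("stored end points:", len(table), "; states covered: up to", 3000 * T)
    print("preimage recovered from table:", lookup(table, f(target), T))
```

Memory is the number of end points; time is about t² evaluations of f per lookup. Scale those sizes up to 2⁶⁴ A5/1 states and the result is terabytes of table plus a cluster of hardware to build it, which is exactly the shape of the CCC’s announced project.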

Also, an article from the German Financial Times, translated to English.


DECT Hacked – Eavesdropping Now Possible!

Looking through the security news this evening, I was surprised to see a report that DECT has now been hacked.

If you didn’t know already, DECT is the technology used by the current generation of cordless home phones and baby monitors. So now, not only is it probably bad for you, it’s also insecure!

The researchers reverse-engineered a standard Com-On-Air PCMCIA DECT card, which is normally used in a Windows laptop to bridge DECT handsets to Asterisk VoIP/SIP networks, and demonstrated their Linux-based sniffer at the 25C3 hacker congress.

The PCMCIA Type II card costs just €40 (in Germany, you can buy one via the vendor’s eBay shop). You will need a PC running Linux to do anything useful with it, and really it’s just a proof-of-concept tool right now. But watch this space.

Read more about it:
