Researchers Demonstrate GSM Phone Call Hack

Security researchers have demonstrated how they can intercept any GSM call, in as little as 20 seconds

Question marks are once again being raised about the security of GSM phone calls, after security researchers showed how they can eavesdrop on any calls and text messages made on a GSM network.

Security researchers Karsten Nohl and Sylvain Munaut demonstrated the technique at the Chaos Computer Club Congress (CCC) in Berlin, using nothing more than four cheap phones and open source software.

They were apparently able to intercept a call in 20 seconds, so that it could be decrypted at a later stage.

Vulnerable Cipher

Of course, it has been known for some time now that GSM is vulnerable to being hacked. Approximately 80 percent of mobile phone calls worldwide are made using GSM, but it is protected by a 21-year-old algorithm. Known as the A5/1 algorithm, the cipher has been used to secure digital phone conversations since 1988.

Back in December 2009 Karsten Nohl revealed that he had cracked and published that encryption code, but the Global System for Mobile Communications Association (GSMA) downplayed any concerns over the security of mobile phone calls.

Then in January 2010 researchers cracked 768-bit RSA encryption, which is used for protecting sensitive data in transit. And in August fresh concerns were raised after security specialists uncovered a flaw that could turn a mobile phone into a listening device that could literally bug its owner (i.e. listen in on their conversations).

It seems, however, that Karsten Nohl has used the year since he first demonstrated the vulnerability of GSM phones in December 2009 to develop his so-called eavesdropping toolkit, in conjunction with Sylvain Munaut.

“Now there’s a path from your telephone number to me finding you and listening to your calls,” Nohl told the BBC. “The whole way.”

Eavesdropping Toolkit

He said many of the pieces in the eavesdropping toolkit already existed thanks to work by other security researchers, but there was one part the pair had to create themselves.

“The one piece that completed the chain was the ability to record data off the air,” he said.

Nohl used his demonstration at the CCC to show all the steps, from locating a particular phone to capturing its unique ID. He then showed how they were able to seize any data exchanged between a handset and a base station when calls were made or SMS messages were sent.

According to the BBC, Nohl's toolkit consisted of cheap Motorola phones that had their onboard software swapped for an open source alternative.

“We used the cheap Motorola telephones because a description of their firmware leaked to the internet,” Nohl told the BBC. This led to the creation of open source alternative firmware that, he said, has its “filters” removed so that it can see all the data being broadcast by a base station.