Eavesdropping on GSM: Cheap and Easy

GSM mobile phone networks are becoming the backbone of communications and commerce in the developed and developing worlds, but those networks may be easily susceptible to eavesdropping, according to a presentation at the annual Chaos Communication Congress (CCC) in Berlin. 

GSMGSM mobile phone networks are becoming the backbone of communications and commerce in the developed and developing worlds, but those networks may be easily susceptible to eavesdropping, according to a presentation at the annual Chaos Communication Congress (CCC) in Berlin. 

The BBC
Reported
that Karsten Nohl and Silvain Munaut demonstrated a toolkit which
allows them to eavesdrop on any phone calls or text messages made on GSM network at the 27th
annual CCC
in Berlin using four older model Motorola mobile phones.

GSM, Global System for Mobile Communications, is the world’s largest open source standard for mobile telephone systems, servicing an estimated 5 billion users. Nohl and Munaut’s new tool kit demonstrated that one can
locate any GMS phone by taking its unique ID and using that ID to intercept data
transferred between the phone and the base. They can then take that data and use
an encryption key, in this case it was ‘rainbow key, a de-encryption tool
invented by Nohl on a separate project, to unscramble and eavesdrop on the
information traveling between handsets and mobile phone base stations.

A commercial tool using more or less the same process has been available to law enforcement
for years and costs estimated $55,000. Nohl and Munaut’s method
cost a mere $56 to create, they said.

Nohl and Munaut claim the reason for their research was to raise
awareness about and illustrate insecurities to Mobile Phone companies. They did
not release all of the information used to carry out their research at the
conference, but admitted that it would not be very difficult to recreate the
parts they left out of their presentation and recreate the process.

The security and privacy of users and their data has attracted increased attention in recent weeks. Notably, the Wall Street Journal published an article that called attention to loose data privacy practices by leading mobile applications on Apple’s iPhone and phones running Google’s Android operating system. 

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.