Skip to main content

Security Researchers Claim To Hack GSM Calls; The creators of the in-development technology say they'll be able to crack GSM encryption with only abou

Security researchers presenting Wednesday at the Black Hat D.C. conference in Washington, D.C., demonstrated technology in development that they say will be able to greatly decrease the time and money required to decrypt, and therefore snoop on, phone and text message conversations taking placeon GSM networks.

Many mobile operators worldwide use GSM networks, including T-Mobile and AT&T in the United States. The 64-bit encryption method used by GSM, known as A5/1, was first cracked in theory about 10 years.

The security of the most widely used standard in the world for transmitting mobile phone calls is dangerously flawed, putting privacy and data at risk, two researchers warned at the Black Hat conference in Europe last week.
Researchers David Hulton and Steve Muller showed at Black Hat in the U.S. last month how it was possible to break the encryption on a GSM (Global System for Mobile Communications) call in about 30 minutes using relatively inexpensive off-the-shelf equipment and software tools. The hack means they could listen in on phone calls from distances of up to 20 miles (32 kilometers) or farther away.
They're still refining their technique, which involves cracking the A5/1 stream cipher, an algorithm used to encrypt conversations. In about another month, they'll be able to crack about 95 percent of the traffic on GSM networks in 30 minutes or faster with more advanced hardware.
Their research has been motivated in part by the absence of a more secure encryption method despite years of warnings about GSM.
"Ultimately we are hoping that the mobile operators actually initiate a move to secure their networks," Muller said. "They've had about 10 years, and they haven't done it. In my opinion, there is only one language that they speak: that's called revenue. As soon as they lose the revenue, they will actually change."
Since 1991 when GSM networks debuted, the integrity of their security has declined as researchers probed. In 1998, the A5/1 and the A5/2, a weaker stream cipher, were broken.
Commercial interception equipment is available now to eavesdrop on calls, which can cost up to US$1 million. Hulton and Muller were game for a challenge and wanted to do it more cheaply.
For around $700 they bought a Universal Software Radio Peripheral, which can pick up any kind of frequency up to 3GHz. They modified the software to pick up GSM signals broadcast from base stations. They compared those with signals picked up by a Nokia 3310 phone, which had a software feature that allowed for a revealing peek inside how GSM works.
Hulton and Muller studied how a GSM phone authenticates with a base station and sets up an encrypted call. They then built a machine with lots of memory that uses Field-Programmable Gate Arrays, high-powered hardware used for intensive calculations, in order to crack the call's encryption.
And now they're planning to commercialize the technique, although Hulton said they will vet buyers. He said they haven't had any feedback from operators on their research.
Muller warned that faster attacks on GSM will likely emerge, making it more imperative that the mobile industry finds a solution.
"We started [this project] because everyone said we couldn't do it," Muller said. "Attacks will always get better, they'll never get worse."

Comments

Popular posts from this blog

Test New ALFA-AWUS036H v.2 (1.000mW) VS ALFA-AWUS036H v.1 (500mW)

- Recently emerged the New ALFA-AWUS036H v.2 (1.000mW), and these are the tests. TEST WITH NETSTUMBLER 1) usb da 100mW chipset railink 2) usb da 200mW chipset railink rt73 3) intel 2200 b/g con connettore esterno rp-sma 4) Alfa-AWUS036H 500mW 5) New Alfa-AWUS036H V2 da 1.000mW

Creating A Cheap Bluetooth Sniffer

Many papers and posts on internet forums have commented on the success of turning normal everyday bluetooth USB dongles ($10), into their more powerful counterparts that allow the capturing of packets from the airwaves. These more powerful USB dongles are usually sold at a much higher price ($10,000) together with the software to drive and control these devices. The problems associated with BlueTooth sniffing You cant simply just purchase the dongle with the alternate firmware. There is next to no real opensource packet capture program for the bluetooth protocol. Hardware & Limitations Chipsets: Whats the difference? The chipset of the Bluetooth USB Dongles are very important. Broadcom chipsets are cheap hardware and are deemed unsuitable devices for this paper. But unfortunalty nowadays, every manufacturer seems to prefer putting these chips in their products compared to the more reliable Cambridge Silicon Radio (CSR) chipset. If your lucky enough to find a dongle with a CSR chips...

ALFA-­AWUS036H & ALFA-­AWUS050NH INSTALLING/UPDATING DRIVERS RTL8187, r8187, RT2800usb on UBUNTU

NOTE: For surfing Internet with ALFA-AWUS050NH on Ubuntu Jaunty with rt2870sta driver, you must use the Kernel "2.6.28-11-generic #42-Ubuntu", without change or updates the drivers modules. NOTE: The tutorial is not related to Ubuntu karmic. Driver RTL8187/Stacks-­mac80211 (ref. ALFA-­AWUS036h) ­- These drivers, for surfing Internet, are more stable than r8187, and fully compatible with Network-Manager 0.7 installed by default on Ubuntu 9.04. Network-Manager 0.7 installed by default on Ubuntu 9.04. ­- Supports all encryption without problems. (OPEN, WEP and WPA/WPA2) ­- With Compat-Wireless, the "injection" working, but for support “Fragmentation attack” (opt. -5) you need to install one patch. - The RX sensitivity and packets injection is less, related to drivers r8187. Driver r8187/Stacks-ieee80211 (ref. ALFA-AWUS036h) - This driver is recommended for use with the Suite of Aircrack-ng, but not particularly suitable for Internet connections, as less stable and disc...