At the 27th annual Chaos Communication Congress (CCC) in Berlin, German cryptographer Karsten Nohl and team member Sylvain Munaut of the Chaos Computer Club presented their latest exploit - this time against the Global System for Mobile Communications (GSM) network.
Typically, governments tap mobile phones with the co-operation of the mobile phone provider, and the call is recorded at a GSM base station. However, a quick internet search reveals that law enforcement agencies can obtain specialist GSM over-the-air interception hardware for more covert operations.
In August of last year, the GSM Association made a statement that they: "strongly suspect the team developing the intercept approach has underestimated its practical complexity. A hacker would need a radio receiver system and the signal processing software necessary to process the raw radio data". Karsten Nohl and team took this as a challenge to create a technique that uses inexpensive phones to snoop on over-the-air calls.
During the presentation, Karsten and Sylvain conducted a live demonstration using inexpensive (10 Euro) mobile phones (Motorola C123s). Karsten Nohl explained how GSM calls hop frequencies: "So you can appreciate that this is a multi-frequency problem, with a moving unpredictable target".
[Figure: The operator's cell tower only uses a fraction of the GSM spectrum]
The demonstration used four mobile phones to get the frequency coverage required to listen to the full conversation on the target's phone.
The phones were connected to a medium-end computer with over 2 terabytes of storage capacity. Nohl and his colleague then showed the CCC attendees each step of recording someone else's conversation and text messages. They started by locating a particular phone within the conference room, then seized its unique caller ID, and finally got hold of the data exchanged between a handset and a base station as phone calls are made and messages are sent. After recording the phone calls and text messages, he went on to use the 'Kraken' software to decrypt the messages and call very quickly. The article "Kraken Feeds on your Phone Calls" in the July 2010 SCN newsletter describes how Karsten Nohl and his team developed the 'Kraken' software.
The team has thus successfully developed a complete toolkit, making it easier for hackers to sniff phone calls anytime, anywhere using open source software and cheap hardware.
The demonstration used Motorola C123 phones because the phone's firmware specification was leaked on the internet, enabling the open source advocates 'Osmocom' to create a replacement firmware that lets the phone record the raw phone call along with its control data.
Finally, let's remember that Karsten's Kraken technology is useful only for cracking the A5/1 encryption algorithm, not its upgraded version, the A5/3 algorithm. In the presentation Karsten mentions that: "as more iPhones suck up the 3G bandwidth for internet usage, the more phone calls will be pushed down to GSM again. So 3G is no answer to GSM security problems as long as operators operate both in parallel".
Since 1984, CCC has become a platform for hackers world-wide to operate and test the security level of modern systems. The intention of CCC and Karsten Nohl is to make people and companies more aware of weak security.
According to Karsten, mobile phone networks do not provide state-of-the-art security for complete, all-round protection. He has repeatedly urged the mobile operators to use the more secure A5/3 algorithm in place of the old A5/1 encryption algorithm, but it seems the higher cost of upgrading the equipment has prevented the mobile operators from switching over to the A5/3 algorithm.
Suparna Sen, Smartcard & Identity News
Wideband GSM Sniffing Homepage: https://events.ccc.de/congress/2010/Fahrplan/events/4208.en.html