Current GSM encryption in Germany does not seem be enough anymore. A GSM expert named Karsten Nohl demonstrated how a recorded cell phone call could be cracked during the Black Hat Conference. With the tool he called Kraken; he showed how to crack an A5/1 encrypted call in just a few seconds. The call was recorded using a GMS catcher.

It would take some effort on your part to build a GSM catcher. It would cost about $1000 just to get a Universal Software Programmable Radio (USRP) and you would also have to get proper software. An open source alternative would be to use GNURadio. Once the call is recorded, it is only a matter of decoding it to make it useful.

To decrypt the call, the tool Kraken made use of Rainbow tables generated with ATI graphics processors or GPUs. The time it took the key to be cracked took less than a minute. With Nohl decoding the file with the software Airprobe and finally converting it into an audio file using the program Toast. The demonstration clearly showed that the security used in GSM is as weak as that used in WiFi more than a couple of years ago. Security experts also agree with these findings.

Nohl pointed out that there were measures to prevent these kinds of attacks and that the GSM Association published this updated standard in 2008. But sadly in Germany, no mobile communications provider has bothered to update their networks. To protect new mobile communications providers and not discourage them, Nohl even made sure his cracking procedure would be quite difficult to learn.

Another hacker going by the alias “The Grugq” pointed out another vulnerability of cell phone networks currently in use but was not able to demonstrate it during the conference. He said that with just a laptop, the open source software OsmocomBB, and a cheap Motorola cell phone you could perform a “RACHell attack” and prevent a base station from accepting any calls. How this happens is that the cell phone tries to reserve all available channels of the base station for itself thus preventing other mobile communications from getting through. Only calls that are currently on-going would not be affected by this kind of attack.

This kind of attack is quite common and Network operators know about this issue. T-Mobile addressed this problem in Germany with the use of Special firewalls. Although some experts like Harald Welte, author of OpenBSC, disagree with its use citing that a firewall or any other filter for that matter in the GSM backbone would not stop an attack over the air.

A reverse approach to this kind of attack could also hamper mobile users, “The Grugq” pointed out. If the base station kept on receiving drop/detach commands with the IMEI of the user, the mobile phone with that IMEI would not be able to connect to the base station until it reports back. One way of that happening is if the mobile user sends a text message. Mobile calls of course would be out of the question.

More questions about our products and services? See About SecPoint, IT Security Products, and IT Security Jobs.