Karsten Nohl and Sylvain Munaut from Security Research Labs have cracked GSM, enabling them to eavesdrop on any call made by a target device. The pair demonstrated their research at the Chaos Computer Club Congress (CCC), and have released a rough guide to the attack on their website.
What appears to be unique to this type of attack on GSM is that an attacker can single out a specific target device to eavesdrop on. Using a set of cheap Motorola phones running open-source firmware, the researchers were able to see all data being broadcast by the GSM base station. Once a target device is located, the relevant data can be decrypted by recovering the GSM encryption key with a set of rainbow tables. The set of tables used by the researchers was generated over a two-month period in a previous research project, and is 2TB in size. An attacker only needs two encrypted messages with known plaintext to have a 90% chance of finding the secret key.
In Nohl’s own words, “Now there’s a path from your telephone number to me finding you and listening to your calls, the whole way.”
Let’s just hope the GSM Association (GSMA) takes the research on board, and pays special attention to the relative ease and low cost of actually executing the attack. According to the BBC News write-up, the association has yet to comment on the attack.