How’s & Whyto’s of GSM-900 Interception a.k.a GSM Hacking

A researcher at the Def Con security conference in Las Vegas demonstrated that he could impersonate a GSM cell tower and intercept mobile phone calls using only $1500 worth of equipment. The cost-effective solution brings mobile phone snooping to the masses, and raises some concerns for mobile phone security.

How does the GSM snooping work?

Chris Paget was able to patch together an IMSI (International Mobile Subscriber Identity) catcher device for about $1500. The IMSI catcher can be configured to impersonate a tower from a specific carrier. To GSM-based cell phones in the immediate area, the spoofed cell tower appears to be the strongest signal, so the devices connect to it, enabling the fake tower to intercept outbound calls from the cell phone.

What happens to the calls?

Calls are intercepted, but can be routed to the intended recipient so the attacker can listen in on, and/or record the conversation. To the real carrier, the cell phone appears to no longer be connected to the network, so inbound calls go directly to voicemail. Paget did clarify, though, that it’s possible for an attacker to impersonate the intercepted device to the wireless network, enabling inbound calls to be intercepted as well.

But, aren’t my calls encrypted?

Generally speaking, yes. However, the hacked IMSI catcher can simply turn the encryption off. According to Paget, the GSM standard specifies that users should be warned when encryption is disabled, but that is not the case for most cell phones. Paget explained “Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers.”

Did you not see the movie “Sneakers”? Great movie. Starred Robert Redford, Sidney Poitier, Dan Aykroyd, and River Phoenix.

Seriously, are you aware that, given enough time and energy, no code is unbreakable? The one used for GSM has to be relatively lightweight, both because it runs on low-power devices and because of when it was developed, over ten years ago, when CPU power was at least an order of magnitude less on every scale.

What wireless provider networks are affected?

Good news for Sprint and Verizon customers: those networks use CDMA technology rather than GSM, so cell phones on the Sprint or Verizon networks would not connect to a spoofed GSM tower. However, AT&T and T-Mobile, as well as most major carriers outside of the United States, rely on GSM.

This is probably already known to most, but for the newer readers, GSM is so popular because it is a free protocol, which can be implemented by anyone, without fees. To use the superior CDMA technology, fees must be paid to the developer, Qualcomm. Those few dollars per phone are what keep most of the world on the inferior technology of GSM.

Does 3G protect me from this hack?

This IMSI catcher hack will not work on 3G, but Paget explained that the 3G network could be knocked offline with a noise generator and an amplifier, equipment that Paget acquired for less than $1000. With the 3G network out of the way, most cell phones will revert to 2G to find a viable signal to connect to.
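The three behaviours described above (encryption silently switched off, a spoofed tower that shows up as the strongest signal, and a 3G outage pushing the phone down to 2G) are also what a phone-side monitor can watch for. The following is an added example, not code from the original post or from Paget's talk: Python heuristics run over a constructed trace of cell observations. The dBm thresholds, the record fields, and the idea of a baseline of previously seen cells are assumptions for the example.

```python
from dataclasses import dataclass

STRONG_DBM = -60      # stronger than this is unusual for a real macro cell (assumed threshold)
USABLE_DBM = -95      # a 3G signal above this was still usable before the downgrade (assumed)
NO_CIPHER = {"A5/0", "UEA0"}   # GSM / UMTS identifiers for "no encryption"


@dataclass
class CellObservation:
    t: int          # seconds since start of the trace
    rat: str        # radio access technology: "2G" or "3G"
    lac: int        # location area code broadcast by the cell
    cell_id: int
    rssi_dbm: int   # received signal strength
    cipher: str     # ciphering algorithm the network selected


def analyze(trace, known_cells):
    """Return (t, reason) alerts for observations matching the three signs of a
    rogue tower: encryption switched off, an unknown cell far stronger than
    anything nearby, and a drop from a usable 3G cell straight onto a strong 2G one."""
    alerts = []
    prev = None
    for obs in trace:
        key = (obs.lac, obs.cell_id)
        if obs.cipher in NO_CIPHER:
            alerts.append((obs.t, f"ciphering disabled ({obs.cipher})"))
        if key not in known_cells and obs.rssi_dbm > STRONG_DBM:
            alerts.append((obs.t, f"unknown cell {key} at {obs.rssi_dbm} dBm"))
        if (prev is not None and prev.rat == "3G" and obs.rat == "2G"
                and prev.rssi_dbm > USABLE_DBM and obs.rssi_dbm > STRONG_DBM):
            alerts.append((obs.t, "3G to 2G downgrade onto a strong 2G cell"))
        prev = obs
    return alerts


# Constructed baseline and trace (not real cell data): two genuine cells, then a
# strong, unknown, unencrypted 2G cell appears right after 3G service disappears.
KNOWN_CELLS = {(1001, 4201), (1002, 4310)}
TRACE = [
    CellObservation(0, "3G", 1002, 4310, -85, "UEA1"),
    CellObservation(30, "3G", 1002, 4310, -88, "UEA1"),
    CellObservation(60, "2G", 7777, 1, -45, "A5/0"),
    CellObservation(90, "2G", 7777, 1, -47, "A5/0"),
]

if __name__ == "__main__":
    for t, reason in analyze(TRACE, KNOWN_CELLS):
        print(f"t={t:>3}s  {reason}")
```

Any one of these signals alone can have an innocent cause (a new cell site, a coverage edge), which is why the checks are reported as separate reasons rather than a single verdict.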

Should I be worried that my mobile phone calls are being tapped?

Yes and no. The hack demonstration at Def Con proves it can be done, but it doesn’t mean that it’s in widespread use. $1500 is a relatively low investment, but it’s still enough to be out of range of most casual hackers who just want to experiment.

Even if you seriously believe that your calls are important to someone, unless you work for an institution that is better known by its initials, work for an entity whose corporate secrets you are privy to and must speak of over the phone, or are a criminal involved in high-level crime, you generally need not worry. Even so, you can remember that “loose lips sink ships”, keep your mouth shut about anything possibly interesting over the phone, and do just fine.

Now that the information is out there, though, hackers with the financial resources to put the IMSI catcher together could start intercepting calls. But, as noted earlier, if you are a Sprint or Verizon customer you don’t need to worry.

If you are on a GSM network like AT&T and T-Mobile, though, it is possible that an attacker could intercept and record your calls. The range of the IMSI catcher is relatively small, so the odds of your phone connecting to a random IMSI catcher are almost negligible, and it would only be an issue as long as you stayed in close proximity to the IMSI catcher.

However, if a user is specifically targeted, the rogue GSM tower could be an effective means of intercepting calls. The IMSI catcher could be used by corporate spies to target specific high profile individuals in a company to gain corporate secrets or other sensitive information.

Again, either remember “loose lips” and keep mum, get a CDMA phone (much harder to gain access to), or simply don’t use a phone at all – yes, that’s the ticket!

Need all your comments.


Nitin Kushwaha


Categories: Basics, Googled, GSM, Hot and Latest, Linux, Mobile Forensics, MyOwn, Techno
