CCCamp 2007: GSM A5 cracking

posted Aug 11th 2007 1:02pm by Eliot Phillips
filed under: cellphones hacks

Steve Schear and David Hulton gave a presentation on A5 cracking. A5 is the encryption employed on GSM cellphone networks between the handset and the tower (nowhere else in the network). To sniff the GSM band, they use the GNU radio USRP. GNU radio is a software defined radio project, which given some effort you should be able to both receive and transmit in any RF band. You could use it to broadcast digital television, track radio tags, or even mess with garage door openers. For their initial investigation they used a Nokia 3310 in trace mode to dump the initial frames. Using a box with at least 27 FPGA’s they plan on constructing a 6+ terabyte rainbow table (it’ll take a couple months). Once complete, any GSM conversation can be cracked in less than 5 minutes using a single FPGA. The Hackers Choice has more info on the USRP based GSM analyzer and what they did to crack A5.

Read

Comments [14]

Reader Comments

The gnu radio/usrp project looks really neat. It claims to reduce radio problems to software problems, but it actually looks to reduce radio problems to the problem of buying a $700 usrp, and a software problem. If the radio was cheaper (sub $150), that would be a lot of fun to play with, but $700 is too much.

Posted at 4:00 pm on Aug 11th, 2007 by confuted

Does this work with the other ancient cell phone system. CDMA, PCS etc? This was my main concern when choosing a cell phone provider. I heard that there was a way to mess with gsm so I went with cdma.

Posted at 5:22 am on Aug 12th, 2007 by Jay

weird, I read a paper that said you can pretty much crack A5 in real time on P133MHz laptop, it was circa 1995

Posted at 7:12 am on Aug 12th, 2007 by RusH

http://cryptome.org/a51-bsw.htm
After a 2^48 parallelizable data preparation stage (which has to be carried out only once), the actual attacks can be carried out in real time on a single PC

280GB rainbow tables, but realtime after that

Posted at 7:17 am on Aug 12th, 2007 by RusH

So when you get your openmako, you one up them and hack the hack. Sweet ;)

Posted at 11:34 am on Aug 15th, 2007 by srilyk

Well, i am interested in some hardware/stuff to intercept GSM calls in pseudo/real-time. I can pay USD3.000,00 to this. If anybody can do this, please contact me in h2glabs “AT” gmail.com or vugo “at” hotmail.com. I am brazilian, so, sorry to my bad english. Regards.

Posted at 9:10 pm on Aug 15th, 2007 by VUGO

the aliens built it!

Posted at 6:08 pm on Aug 17th, 2007 by nathan belomy

rush, that is an old attack. Read about the best currently known attack here: http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-info.cgi?2006/CS/CS-2006-07

Posted at 4:04 am on Oct 22nd, 2007 by LordB

how can i hack a gsm network to run and use a motorola Q cdma phone?

Posted at 6:00 pm on Oct 10th, 2008 by tristan

why i can’t acses http://wiki.thc.org/cracking_a5 ?
can u help me….
maybe u have another link or share it @rapid/ziddu
thx alot

Posted at 5:15 pm on Jan 31st, 2009 by viper

emege saygi tesekkürler

Posted at 6:14 am on Sep 11th, 2009 by kurye

emege saygi tesekkürler devamini bekleriz.