CCCamp 2007: GSM A5 cracking
posted Aug 11th 2007 1:02pm by Eliotfiled under: cellphones hacks
Steve Schear and David Hulton gave a presentation on A5 cracking. A5 is the encryption employed on GSM cellphone networks between the handset and the tower (nowhere else in the network). To sniff the GSM band, they use the GNU radio USRP. GNU radio is a software defined radio project, which given some effort you should be able to both receive and transmit in any RF band. You could use it to broadcast digital television, track radio tags, or even mess with garage door openers. For their initial investigation they used a Nokia 3310 in trace mode to dump the initial frames. Using a box with at least 27 FPGA’s they plan on constructing a 6+ terabyte rainbow table (it’ll take a couple months). Once complete, any GSM conversation can be cracked in less than 5 minutes using a single FPGA. The Hackers Choice has more info on the USRP based GSM analyzer and what they did to crack A5.
The gnu radio/usrp project looks really neat. It claims to reduce radio problems to software problems, but it actually looks to reduce radio problems to the problem of buying a $700 usrp, and a software problem. If the radio was cheaper (sub $150), that would be a lot of fun to play with, but $700 is too much.