ShmooCon 2008: Intercepting GSM Traffic

Back in August, [h1kari] presented an analysis of the A5 crypto spec used in GSM systems. Almost all GSM conversations in the US and Europe are encrypted using this standard. At the time they were still in the planning stages of building their rainbow table of shift register states. Today we heard an update on the progress. The whole space is 2^58 in size and would take a standard PC 33,235 years to calculate. Not being patient people, they built a box containing 68 ExpressCard-based FPGAs, each capable of 72 billion operations per second. So far they’re one month into the 3 month process. Once the table is complete, anyone can crack a GSM conversation in 30 minutes using 1 FPGA and the 2TB table. They also plan to build an optimal system based on solid state drives and 16 FPGAs that should do the crack in just 30 seconds.
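As an added example (not code from the talk or from this post), here is a plain Python model of the A5/1 stream cipher as it has been publicly documented since its reverse engineering. It makes concrete what the rainbow table above has to index: three LFSRs holding 19 + 22 + 23 = 64 bits of state, loaded from the 64-bit session key and the 22-bit frame number, driven by the irregular majority clocking that any precomputed table must model. The names `REGS`, `A51` and `burst_keystreams` are my own.

```python
# (register length, feedback-tap mask, majority-clocking bit) for R1, R2, R3
REGS = ((19, 0x072000, 8), (22, 0x300000, 10), (23, 0x700080, 10))
STATE_BITS = sum(n for n, _, _ in REGS)  # 64: what the table has to cover

def _parity(x):
    return bin(x).count("1") & 1

def _step(reg, n, taps):
    """Shift one n-bit LFSR left, feeding back the parity of its tap bits."""
    return ((reg << 1) & ((1 << n) - 1)) | _parity(reg & taps)

class A51:
    def __init__(self, key, frame):
        self.r = [0, 0, 0]
        for i in range(64):  # mix in the 64-bit key Kc, LSB of each byte first
            self._clock_all((key[i // 8] >> (i & 7)) & 1)
        for i in range(22):  # then the 22-bit frame number, LSB first
            self._clock_all((frame >> i) & 1)
        for _ in range(100):  # 100 warm-up clocks, output discarded
            self._clock()

    def _clock_all(self, inbit):
        """Key setup: clock every register and XOR the input bit into bit 0."""
        for k, (n, taps, _) in enumerate(REGS):
            self.r[k] = _step(self.r[k], n, taps) ^ inbit

    def _clock(self):
        """Majority clocking: a register only moves if its clock bit agrees."""
        bits = [(self.r[k] >> c) & 1 for k, (_, _, c) in enumerate(REGS)]
        maj = 1 if sum(bits) >= 2 else 0
        for k, (n, taps, _) in enumerate(REGS):
            if bits[k] == maj:
                self.r[k] = _step(self.r[k], n, taps)

    def keystream(self, nbits=114):
        """nbits of keystream packed MSB first; 114 bits covers one GSM burst."""
        out = bytearray((nbits + 7) // 8)
        for i in range(nbits):
            self._clock()
            bit = (self.r[0] >> 18) ^ (self.r[1] >> 21) ^ (self.r[2] >> 22)
            out[i // 8] |= bit << (7 - (i & 7))
        return bytes(out)

def burst_keystreams(key, frame):
    """(downlink, uplink) keystreams for one frame: the cipher emits both in turn."""
    c = A51(key, frame)
    return c.keystream(), c.keystream()
```

Because every keystream bit is a deterministic function of those 64 state bits, the cost of the table is fixed by the state size, not by the length of the call.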


  1. Crusty Justy says:


    I love when ShmooCon rolls around every year and there is usually an exploit or crack for something wildly popular. The last one I really remember was cracking WEP. Good stuff!

  2. ManOnFire says:

    So… can’t you just record said conversations and crack them at your leisure?

  3. Pfiffer says:

    I think this is really amazing.

  4. 33Wacki says:

    A5/0, A5/1, A5/2, or A5/3. Which one is it? ’Cause I doubt it is A5/2. It’s prolly the least secure A5/0, the original GSM encryption.

  5. Mollshoebbel says:

    Yeah! Really great!
    Not just that government officials want to peer into GSM encryption. Maybe now we’re even helping them do it.
    Why do we demolish the technology that should keep our privacy safe???

    Thanks a lot! Morons!

  6. mesatchornug says:

    @ Mollshoebbel:
    It seems you’re missing the point here – they crack this system to force a newer, better system. Because if you or I could do it with off the shelf components and a little ingenuity and time, others can too.

  7. Orv says:

    Re 4: Chill. If crackers can do this now with off-the-shelf parts, the government has theoretically been able to for years — except they don’t have to. Why would they go to the trouble of decrypting the over-the-air signal when there are already taps in place on the central office lines, where the signal is in the clear? The privacy of any phone call is largely an illusion.

  8. Warchief says:

    Is there anyone who is working on assembling the sniffed traffic stream from Nokia phones?
    The THC guys didn’t make any progress on this, just copy-pasted some XML output from gnokii or whatever tool to the wiki, so I doubt they’ll do anything with it. They’d rather go with other RF boards for sniffing.
    We found some old tool, and leaked docs about Nokia’s monitoring mode (which are easy to find on the web), but the code is undocumented.

  9. Johnny B. Goode says:

    2 TB?!?! I wonder how long it’s going to take to torrent that. The other thing I wonder is whether or not anybody is hosting videos from Shmoo, or has torrents to download them. There are a couple of the talks I’d really like to watch.

  10. Will Spencer says:


    This is just A5/1.

  11. T.L. says:

    I can’t believe people are suggesting that someone/some group is helping our government/agencies hack GSM calls by hacking it and posting it. That is the most ridiculous thing I’ve heard. People, they already have GSM stations that record and analyze GSM calls and no cracking is really involved (I mean no crack time involved, I should say), where it is as simple as scanning and listening. Here, take a look at this: and this is public information; what about the things we don’t know about? No, some hacker figuring out GSM themselves and posting it won’t help the government/agencies; they’ve had it since GSM first came out, through backdoor agreements all telecommunication companies have to abide by (or most of them anyway). Regards,

  12. If you really want to secure your communications, use Cryptophones (use the Google, Luke).

  13. traffic says:

    Awesome work! Cheers ;)

  14. jess says:

    You could just use Nvidia graphics cards to do the work with CUDA. An 8800 GTS can do up to 320 GFlops per card. And CUDA is really easy to learn. You can build a 1.2 TFlop supercomputer for just under $1000. Should help the project progress faster. But really great work.

  15. Babylya says:

    Yes, I agree with the previous speakers.
    Night-night, bye

  16. Gostixel says:

    So there, I disagree with the previous statements
    ) :-)

  17. katharsis says:

    Hello, I found a site that offers spyware to control anyone’s mobile phone via Bluetooth; here is the site:
    Hoping this helps people just like me!

    I found something to hack all types of mobile with Bluetooth that is easier to use than ” superbluetooth ”
    if you want the website :

    good bye ! =)

  18. tattoos says:

    WOW just what I was searching for. Came here by searching for cons
