GSM Hacking With Prepaid Phones

Want to listen in on cellphone calls or intercept text messages? Well, that’s a violation of someone else’s privacy, so shame on you! But there are black-hats who want to do just that, and it may not be quite as difficult as you think. This article sums up a method of using prepaid cellphones and some decryption technology to quickly gain access to all the communications on a cellular handset. Slides for the talk given at the Chaos Communication Congress by [Karsten Nohl] and [Sylvain Munaut] are available now, but here’s the gist. They reflashed some cheap phones with custom firmware to gain access to all of the data coming over the network. By sending carefully crafted ghost messages, the target user doesn’t get notified that a text has been received, but the phone is indeed communicating with the network. That traffic is used to sniff out a general location and eventually to grab the session key. That key can be used to siphon off all network communications and then decrypt them quickly by using a 1 TB rainbow table. Not an easy process, but it’s a much simpler method than we would have suspected.
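The “1 TB rainbow table and a few minutes” part is a time/memory trade-off, and the reason the table size is what it is comes down to the size of the key space. As an added illustration (this is not code from the talk, and not the A5/1 tables the slides describe), the Python below builds and queries a toy rainbow table against a stand-in keystream function. The cipher (SHA-256 of the key), the 20-bit key size, the chain length and the reduction function are all assumptions chosen so it runs in seconds; the structure is the general one: precomputation stores one (endpoint, start) pair per chain, and each online query costs roughly chain_len squared cipher evaluations.

```python
import hashlib
import random

# Toy parameters (assumptions for this demo). The real A5/1 key is 64 bits;
# 20 bits keeps precomputation to a fraction of a second.
KEY_BITS = 20
KEY_SPACE = 1 << KEY_BITS
CHAIN_LEN = 64      # keys covered per stored chain
NUM_CHAINS = 4096   # stored (endpoint -> start) pairs


def keystream(key: int) -> bytes:
    """Stand-in for the cipher: a fixed 64-bit keystream sample per key.
    SHA-256 of the key is used purely as a one-way toy function, not A5/1."""
    return hashlib.sha256(key.to_bytes(4, "big")).digest()[:8]


def reduce(sample: bytes, column: int) -> int:
    """Map a keystream sample back into the key space. Mixing in the column
    index gives a different reduction at every step, which is what makes
    this a rainbow table rather than a plain Hellman table and limits merges."""
    return (int.from_bytes(sample, "big") + column) % KEY_SPACE


def chain_key(start: int, column: int) -> int:
    """Key sitting at position `column` of the chain that begins at `start`."""
    key = start
    for c in range(column):
        key = reduce(keystream(key), c)
    return key


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN,
                seed: int = 0) -> dict:
    """Precomputation: store only endpoint -> start for each chain.
    Memory is num_chains entries; coverage is at most num_chains * chain_len keys."""
    rng = random.Random(seed)
    table = {}
    for _ in range(num_chains):
        start = rng.randrange(KEY_SPACE)
        end = chain_key(start, chain_len)
        table.setdefault(end, start)   # merged chains: keep the first start
    return table


def lookup(table: dict, target: bytes, chain_len: int = CHAIN_LEN):
    """Online phase: recover a key whose keystream sample equals `target`,
    or None if the table does not cover it. Cost is O(chain_len**2) cipher
    evaluations: the 'time' side of the time/memory trade-off."""
    for col in range(chain_len - 1, -1, -1):
        # Hypothesis: target came from the key at position `col` of some chain.
        key = reduce(target, col)
        for c in range(col + 1, chain_len):
            key = reduce(keystream(key), c)
        start = table.get(key)
        if start is None:
            continue
        candidate = chain_key(start, col)     # walk the chain to position col
        if keystream(candidate) == target:    # rejects false alarms from merges
            return candidate
    return None


def coverage(table: dict, chain_len: int = CHAIN_LEN, samples: int = 200,
             seed: int = 1) -> float:
    """Fraction of random keys the table recovers, i.e. how much of the
    num_chains * chain_len nominal coverage survives chain merges."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        key = rng.randrange(KEY_SPACE)
        if lookup(table, keystream(key), chain_len) is not None:
            hits += 1
    return hits / samples


if __name__ == "__main__":
    table = build_table()
    print(f"stored chains: {len(table)} of {NUM_CHAINS} (the rest merged)")
    print(f"recovery rate on random keys: {coverage(table):.2f}")
    print(f"nominal coverage: {NUM_CHAINS * CHAIN_LEN / KEY_SPACE:.2f} of the "
          f"{KEY_BITS}-bit space; each extra key bit doubles the table at fixed chain length")
```

Running it shows the two knobs directly: more chains means more storage but a better recovery rate, a longer chain means less storage for the same coverage but a quadratically slower lookup, and the whole thing scales with the size of the key space, which is why the effective key length of the cipher matters so much.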

[Thanks Rob]

32 thoughts on “GSM Hacking With Prepaid Phones”

  1. Wow… a 1 TB rainbow table. Never heard of it, but it sounds impressive…

    Did I read that you could read someone’s text messages and these messages will eventually arrive at the recipients’ phone? That’s very nice. Too bad I don’t have a 1TB microSD laying around…

  2. Very interesting. Lacking a few important details, as I suspect makes good sense for them to do.

    Unfortunately, I was hoping for something a little more ‘useful’. Any project-based hacking with prepaid phones? That would be great HaD material…

  3. Read the link; it said 2 TB, so you will need to hot glue two individual 1TB microSDs for this one. Just in terms of pre-paid hacks, is there somewhere with “how to’s” on installing custom firmware?

  4. GSM was broken years ago when they found that the implementation was incomplete. Thus, that 1TB table may sound big, but is several orders of magnitude smaller than it should have been.

  5. come on folks, where’s your memory?

    http://lists.lists.reflextor.com/pipermail/a51/2010-July/000683.html

    hackaday article: http://hackaday.com/2010/07/22/release-the-kraken-open-source-gsm-cracking-tool-released/

    Actually, if you search “gsm” you get a bunch of articles within the last 4 years; “crack GSM in under 30 minutes with 6TB! crack GSM in under 10 minutes with 4TB!” etc etc. Now we’re at 1TB and a few minutes? cool stuff

  6. @rasz: Yeah, I’ll try and stay out of jail for a while. At least until I get my free card…

    The coolest part to me is rewriting the firmware on a cheap prepaid phone. I’ve done a little bit of internet scouring and turned up a little information. It really looks like it has a lot of potential. One of these phones is just begging to be turned into a wireless (cellular wireless) dev board of sorts! I hope somebody with the ambition gets that idea and starts on it.

  7. @NatureTM It never did leave. It either turned its attention to lame voip phreaking or idiots like you kept harping on about it being dead. There is a fairly active phreaking scene if you bother to look around for it and they do some fairly amazing stuff.

  8. How long till the Android app that uses this just to ride the free 3/4G data network?

    Thousands of freeloaders overrunning the network.

    Sprint is also CDMA. This may just be a future point of failure for the GSM carriers unless they come up with a fix!

  9. First of all, don’t mix malware into GSM communication since it has nothing to do with it. Just because we have dumbass cell OSes like Windows CE doesn’t mean that most of the cellphones are in danger. They aren’t. The current mobile malware is very primitive and specific since phones are restricted. I remember what big news retard AV companies made out of that cellphone worm which was spreading between iPhones by scanning certain ranges and bruteforcing SSH to replicate.

    Secondly, SS7 is not publicly available on the internet; it’s the dumbest thing I’ve read so far in the new year, and anyway it has nothing to do with the subject once again.

    These PDF slides are just the same old crap again, even though I don’t know why he advertises it as “GSM hacking with prepaid phones” while you still need FPGAs and rainbow tables, a couple of thousand dollars’ worth of equipment already.

    The current state of their whole research is just preliminary and their tools are pre-alpha. If telcos cared about their stuff they would’ve gotten paid off already and you would not be hearing about this whole crap.

    But what surprises me is why they had to spend so much time on analyzing the protocol when you can buy open source phones like the N900, which probably has a GSM daemon responsible for all incoming and outgoing calls and authentication and encryption, which is available with full source code, and there is the OpenBTS project as well.

  10. @omgkittenz did you actually read the presentation or did you flick through just looking at the pretty pictures? And as for SS7 not being available through the internet I have news for you buddy…

    Not only do we have SIGTRAN (SS7 over IP) we also have access directly and indirectly via various APIs provided by companies. I suggest you wind your neck in and do a little research. You fucking toad.

  11. Sprint is also CDMA. I use CDMA exclusively for other reasons… and I could even get my UK friend to admit that GSM sucks even though it’s the de facto standard in all of Europe.

  12. Yes I read the presentation, you fucking toad, and it’s pretty much the same as their 2009 Black Hat con slides.
    Their webpage is shit, their presentations are shit, their wiki is shit.
    The only useful resource on this subject is the mailing list archive http://lists.lists.reflextor.com/pipermail/a51/

    That SS7 you’re talking about runs through MPLS and private circuits where you have no access, but if you think that shit is publicly available, post the IPs and tools to fuzz it here or go fuck yourself.

    If you were my kid I would break your fucking neck and throw you in the dumpster.

  13. @omgkittenz Oh bless you, rather than come up with an original insult you parrot mine. You sir are a fine addition to the gene pool and are welcome to breed post haste!

    First off, all I see is someone complaining about their stuff being shit. This is fine, except I see you producing nothing better; in fact all I see is you producing inane drivel.

    That SS7 I’m talking about is direct access, well… I guess in your world when you spoof your call (access to SS7 ohshi-) magical little fairies fly through the PSTN and wave their magical little CID wands. HLR lookups, decoding SS7 messages over GSM channels.

    So to conclude, you are an inane, drivel-spouting, cock-munching sausage jockey. You need to learn a fair bit more before you’re qualified to ever comment on this stuff again. Why not get yourself over to Binrev and post some interesting stuff, then we’ll talk.

  14. @omgkittenz

    Why would you put so much effort into bashing something like this? The developers who have worked on these projects are no less than saints, giving up their own time and skill to provide the community with open source software and hardware for testing GSM networks.

    Be thankful.

    Also I’m surprised your comments made it through moderation, your empty threats and rambling bring nothing of value here.

  15. I guess this unfortunately is becoming less and less relevant, ’cause though you can now easily find the storage for a ~2GB rainbow table, these methods can’t be applied to 3G networks and up, which almost all phones now use to connect, at least in urban areas.
