GSM hacking with prepaid phones

Want to listen in on cellphone calls or intercept text messages? Well, that’s a violation of someone else’s privacy, so shame on you! But there are black-hats who want to do just that, and it may not be quite as difficult as you think. This article sums up a method of using prepaid cellphones and some decryption technology to quickly gain access to all the communications on a cellular handset. Slides for the talk given at the Chaos Communication Congress by [Karsten Nohl] and [Sylvain Munaut] are available now, but here’s the gist. They reflashed some cheap phones with custom firmware to gain access to all of the data coming over the network. By sending carefully crafted ghost messages, the target user doesn’t get notified that a text has been received, but the phone is indeed communicating with the network. That traffic is used to sniff out the target’s general location and to capture encrypted bursts whose content is predictable. Because the over-the-air cipher (A5/1) uses a single session key, those predictable bursts can be fed to a roughly 1 TB rainbow table to recover the session key in minutes, and that key then decrypts everything else siphoned off the session. Not an easy process, but it’s a much simpler method than we would have suspected.
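To make the last step concrete, here is an added example (it is not code from the talk, from the presenters’ tooling, or from the Kraken project): a straight implementation of the public A5/1 description, plus the known-plaintext step that turns a captured burst into the keystream a rainbow table is indexed by. The session key `Kc`, the frame number, the “predictable” all-zero burst and the handful of candidate keys in the toy lookup table are all constructed for the demonstration; the dictionary stands in for the multi-terabyte time-memory trade-off table, which this script does not build.

```python
"""A5/1 keystream generation and the known-plaintext step behind
rainbow-table attacks on GSM.  Added example; Kc, frame numbers and the
tiny lookup table are constructed stand-ins, not values from the talk."""

from typing import List, Tuple

# Register widths, clocking bits, feedback taps and output bits of A5/1
R1_MASK, R2_MASK, R3_MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF   # 19, 22, 23 bits
R1_MID, R2_MID, R3_MID = 1 << 8, 1 << 10, 1 << 10          # majority-clocking bits
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080   # taps 18,17,16,13 / 21,20 / 22,21,20,7
R1_OUT, R2_OUT, R3_OUT = 1 << 18, 1 << 21, 1 << 22         # MSB of each register


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _step(reg: int, mask: int, taps: int) -> int:
    """Shift one LFSR left by one bit, feeding back the parity of its taps."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    def __init__(self, kc: bytes, frame: int):
        if len(kc) != 8:
            raise ValueError("Kc must be 64 bits")
        self.r1 = self.r2 = self.r3 = 0
        # Key setup: 64 key bits then 22 frame-number bits are XORed into all
        # three registers, clocking every register (no majority rule yet).
        for i in range(64):
            self._clock_all((kc[i >> 3] >> (i & 7)) & 1)   # LSB of each byte first
        for i in range(22):
            self._clock_all((frame >> i) & 1)
        for _ in range(100):                                # warm-up, output discarded
            self._clock()

    def _clock_all(self, bit: int) -> None:
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS) ^ bit
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS) ^ bit
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS) ^ bit

    def _clock(self) -> None:
        """Majority clocking: a register advances only if its clocking bit agrees
        with the majority of the three clocking bits."""
        a, b, c = bool(self.r1 & R1_MID), bool(self.r2 & R2_MID), bool(self.r3 & R3_MID)
        maj = (a and b) or (a and c) or (b and c)
        if a == maj:
            self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if b == maj:
            self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if c == maj:
            self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def _bit(self) -> int:
        self._clock()
        return int(bool(self.r1 & R1_OUT) ^ bool(self.r2 & R2_OUT) ^ bool(self.r3 & R3_OUT))

    def keystream(self) -> Tuple[List[int], List[int]]:
        """114 downlink bits followed by 114 uplink bits for this frame."""
        bits = [self._bit() for _ in range(228)]
        return bits[:114], bits[114:]


def xor_bits(a: List[int], b: List[int]) -> List[int]:
    return [x ^ y for x, y in zip(a, b)]


def encrypt_burst(kc: bytes, frame: int, plaintext: List[int], downlink: bool = True) -> List[int]:
    dl, ul = A51(kc, frame).keystream()
    return xor_bits(plaintext, dl if downlink else ul)


def recover_keystream(ciphertext: List[int], guessed_plaintext: List[int]) -> List[int]:
    """The known-plaintext step: a burst whose content the attacker can predict
    (padding, system information) leaks the keystream, which is what the
    precomputed table maps back to a key."""
    return xor_bits(ciphertext, guessed_plaintext)


def build_toy_table(candidate_keys: List[bytes], frame: int) -> dict:
    """Stand-in for the rainbow table: keystream -> Kc for a few keys.  The real
    table covers the 2^64 state space with a time-memory trade-off instead."""
    return {tuple(A51(k, frame).keystream()[0]): k for k in candidate_keys}


def attack_demo() -> Tuple[bytes, bool]:
    kc = bytes.fromhex("1223456789abcdef")        # constructed session key
    frame = 0x134                                  # constructed frame number
    known_plain = [0] * 114                        # constructed predictable burst
    ct = encrypt_burst(kc, frame, known_plain)     # what the sniffing phone sees
    ks = recover_keystream(ct, known_plain)
    table = build_toy_table([bytes([i] * 8) for i in range(4)] + [kc], frame)
    recovered = table[tuple(ks)]
    # Same Kc for the whole session: decrypt a later frame with the recovered key
    secret = [int(b) for b in "1011001110" * 11 + "0101"]          # 114 bits
    ct2 = encrypt_burst(kc, frame + 1, secret)
    pt2 = xor_bits(ct2, A51(recovered, frame + 1).keystream()[0])
    return recovered, pt2 == secret


if __name__ == "__main__":
    key, ok = attack_demo()
    print("recovered Kc:", key.hex(), "later frame decrypted:", ok)
```

The point the script makes is that the cipher, not the phone, is the weak link: nothing in the sniffer needs the key up front, only a burst whose plaintext is guessable, and once `Kc` comes back from the table every other frame of the session falls with it. The toy dictionary is where the real attack spends its terabytes.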

[Thanks Rob]

Comments

  1. HACKY says:

    Wow… a 1 TB rainbow table. Never heard of it, but it sounds impressive…

    Did I read that you could read someone’s text messages and these messages will eventually arrive at the recipients’ phone? That’s very nice. Too bad I don’t have a 1TB microSD laying around…

  2. charper says:

    Very interesting. Lacking a few important details, as I suspect makes good sense for them to do.

    Unfortunately, I was hoping for something a little more ‘useful’. Any project-based hacking with prepaid phones? That would be great HaD material…

  3. SlurmMcKenzie says:

    that is indeed a hell of a rainbow ;-)

  4. NatureTM says:

    Phreaking’s back, mofos!

    cue the guy who says phreaking never left

  5. Shadyman says:

    With a 2TB drive, you could have DOUBLE RAINBOW TABLES ALL THE WAY.

  6. strider_mt2k says:

    Wow awesome.

    I’ll get my bro’s blue box!

    Well done!

  7. rasz says:

    charper they can’t just post a howto, but I suspect subscribing to OsmocomBB and just lurking around would provide the info needed to do it yourself.

  8. Patrick (not the right-wing one) says:

    F*****g rainbow tables!

    How do they work?

  9. Jelly says:

    The tables are in fact almost 1.7TB…
    And you can get them here:
    http://reflextor.com/e100torrents/
    (Please seed if you download them!)

  10. VV says:

    Surely its easier just to mug the poor sod of his phone and read his texts?

  11. already-dead says:

    read the link, it said 2 TB so you will need to hot glue two individual 1TB microSDs for this one. just in terms of pre-paid hacks, is there somewhere that has “how to’s” on installing custom firmware?

  12. LMGTFY says:

    GSM was broken years ago when they found that the implementation was incomplete. Thus, that 1TB table may sound big, but is several orders of magnitude smaller than it should have been.

  13. dax says:

    come on folks, where’s your memory?

    http://lists.lists.reflextor.com/pipermail/a51/2010-July/000683.html

    hackaday article: http://hackaday.com/2010/07/22/release-the-kraken-open-source-gsm-cracking-tool-released/

    Actually, if you search “gsm” you get a bunch of articles within the last 4 years; “crack GSM in under 30 minutes with 6TB! crack GSM in under 10 minutes with 4TB!” etc etc. Now we’re at 1TB and a few minutes? cool stuff

  14. BiOzZ says:

    @VV
    well if the guy you’re after you can’t reach, then no

  15. charper says:

    @rasz: Yeah, I’ll try and stay out of jail for a while. At least until I get my free card…

    The coolest part to me is rewriting the firmware on a cheap prepaid phone. I’ve done a little bit of internet scouring and turned up a little information. It really looks like it has a lot of potential. One of these phones is just begging to be turned into a wireless (cellular wireless) dev board of sorts! I hope somebody with the ambition gets that idea and starts on it.

  16. addidis says:

    lol mike

    Want to listen in on cellphone calls or intercept text messages? Well that’s a violation of someone else’s privacy so shame on you! Let us show you how.

  17. Neckbeard says:

    @NatureTM It never did leave. It either turned its attention to lame voip phreaking or idiots like you kept harping on about it being dead. There is a fairly active phreaking scene if you bother to look around for it and they do some fairly amazing stuff.

  18. Gert says:

  19. Justin says:

    Simpler Solution: Use a CDMA network phone. For US users use US Cellular, and I believe Verizon may have some CDMA coverage as well. This exploit is used on GSM networks.

  20. Anon says:

    @Justin

    Certain phones can be set to use GSM or CDMA. For mine I set it to use CDMA, then fall back to GSM.

  21. holy crap :)

  22. cknopp says:

    How long till the Android app that uses this just to ride the free 3/4G data network?

    Thousands of freeloaders overrunning the network.

    Sprint is also CDMA. This may just be a future point of failure for the GSM carriers unless they come up with a fix!

  23. poiso says:

    yeah, I use US cellular as well, so CDMA is what I have right now as well ;)

  24. omgkittenz says:

    First of all, don’t mix malware into GSM communication since it has nothing to do with it. Just because we have dumbass cell OSes like Windows CE doesn’t mean that most of the cellphones are in danger. They aren’t. The current mobile malware is very primitive and specific since phones are restricted. I remember what big news retard AV companies made out of that cellphone worm which was spreading between iPhones by scanning certain ranges and bruteforcing ssh to replicate.

    Secondly, SS7 is not publicly available on the internet; it’s the dumbest thing I’ve read so far in the new year, and anyway it has nothing to do with the subject, once again.

    These pdf slides are just the same old crap again, even though I don’t know why he advertises it as “gsm hacking with prepaid phones” while you still need FPGAs and rainbow tables, a couple of thousand dollars’ worth of equipment already.

    The current state of their whole research is just preliminary and their tools are pre-alpha. If telcos cared about their stuff, they would’ve been paid off already and you would not be hearing about this whole crap.

    But what surprises me is why they had to spend so much time on analyzing the protocol when you can buy open source phones like the N900, which probably has a GSM daemon responsible for all incoming and outgoing calls and authentication and encryption, which is available with full source code, and there is the OpenBTS project as well.

  25. Neckbeard says:

    @omgkittenz did you actually read the presentation or did you flick through just looking at the pretty pictures? And as for SS7 not being available through the internet I have news for you buddy…

    Not only do we have SIGTRAN (SS7 over IP) we also have access directly and indirectly via various APIs provided by companies. I suggest you wind your neck in and do a little research. You fucking toad.

  26. Jimbo says:

    Sprint is also CDMA. I use CDMA exclusively for other reasons… and I could even get my UK friend to admit that GSM sucks even though it’s the de facto standard in all of Europe.

  27. omgkittenz says:

    Yes I read the presentation, you fucking toad, and it’s pretty much the same as their 2009 Black Hat con slides.
    Their webpage is shit, their presentations are shit, their wiki is shit.
    The only useful resource on this subject is the mailing list archive http://lists.lists.reflextor.com/pipermail/a51/

    That SS7 you’re talking about runs through MPLS and private circuits where you have no access, but if you think the shit is publicly available, post here IPs and tools to fuzz it or go fuck yourself.

    If you were my kid I would break your fucking neck and throw you in the dumpster.

  28. Neckbeard says:

    @omgkittenz Oh bless you, rather than come up with an original insult you parrot mine. You sir are a fine addition to the gene pool and are welcome to breed post haste!

    First of all, all I see is someone complaining about their stuff being shit. This is fine except I see you producing nothing better; in fact all I see is you producing inane drivel.

    That SS7 I’m talking about is direct access, well… I guess in your world when you spoof your call (access to SS7, ohshi-) magical little fairies fly through the PSTN and wave their magical little CID wands. HLR lookups, decoding SS7 messages over GSM channels.

    So to conclude, you are an inane, drivel-spouting, cock-munching sausage jockey. You need to learn a fair bit more before you’re qualified to ever comment on this stuff again. Why not get yourself over to Binrev and post some interesting stuff, then we’ll talk.

  29. sm10sm20 says:

    @omgkittenz

    Why would you put so much effort into bashing something like this? The developers who have worked on these projects are no less than saints, giving up their own time and skill to provide the community with open source software and hardware for testing GSM networks.

    Be thankful.

    Also I’m surprised your comments made it through moderation, your empty threats and rambling bring nothing of value here.

  30. vicky agarwal says:

    nice
