ShmooCon 2008: Intercepting GSM Traffic

Back in August, [h1kari] presented an analysis of the A5 crypto spec used in GSM systems. Almost all GSM conversations in the US and Europe are encrypted using this standard. At the time they were still in the planning stages of building their rainbow table of shift register states. Today we heard an update on the progress. The whole space is 2^58 in size and would take a standard PC 33,235 years to calculate. Not being patient people, they built a box containing 68 ExpressCard-based FPGAs, each capable of 72 billion operations per second. So far they’re one month into the 3-month process. Once the table is complete, anyone can crack a GSM conversation in 30 minutes using 1 FPGA and the 2TB table. They also plan to build an optimal system based on solid state drives and 16 FPGAs that should do the crack in just 30 seconds.
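To make the precompute-then-lookup idea concrete, here is an added example (not code from the talk, from [h1kari], or from the project) of the same time-memory trade-off on a toy cipher. The register is an assumed 16-bit filtered LFSR standing in for the A5 registers, and the chain count, chain length and reduction constant are constructed values chosen so the whole run takes about a second. The table is built once from random start points, only the chain endpoints are stored, and a state is recovered from a short keystream sample by re-walking chains. The same arithmetic is what drives the numbers in the post: the table build cost scales with the state space, which is why 2^58 states fit in three months of 68 FPGAs, and why a cipher with a much larger state does not.

```python
"""Toy time-memory trade-off (rainbow table) against a small stream cipher.

Added illustration only: the 16-bit filtered LFSR below is an assumed stand-in,
not A5/1, and the chain parameters are constructed for a quick run.
"""
import random

STATE_BITS = 16
MASK = (1 << STATE_BITS) - 1
SAMPLE_BITS = 16          # keystream bits the interceptor is assumed to observe


def lfsr_step(state):
    """One clock of a 16-bit Fibonacci LFSR, polynomial x^16+x^14+x^13+x^11+1."""
    bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return (state >> 1) | (bit << (STATE_BITS - 1))


def output_bit(state):
    """Nonlinear filter on the register (constructed for the toy)."""
    b = lambda i: (state >> i) & 1
    return b(0) ^ (b(3) & b(7)) ^ (b(10) & b(14)) ^ b(12)


def keystream(state, nbits=SAMPLE_BITS):
    """The one-way map f: register state -> first nbits of keystream."""
    out = 0
    for _ in range(nbits):
        out = (out << 1) | output_bit(state)
        state = lfsr_step(state)
    return out


def reduce_fn(sample, column):
    """Column-dependent reduction r_i: keystream sample -> candidate state.
    The per-column constant is what makes this a rainbow table: two chains that
    collide in different columns continue on different paths instead of merging."""
    state = (sample + column * 0x9E37) & MASK
    return state or 1          # the all-zero LFSR state is a fixed point; skip it


def build_table(chains, length, seed=1):
    """Precompute `chains` chains of `length` states; store only end -> [starts]."""
    rng = random.Random(seed)
    table = {}
    for _ in range(chains):
        start = rng.randrange(1, MASK + 1)
        x = start
        for col in range(length):
            x = reduce_fn(keystream(x), col)
        table.setdefault(x, []).append(start)
    return table


def recover(table, length, sample):
    """Return a state whose keystream begins with `sample`, or None if not covered."""
    for col in range(length - 1, -1, -1):
        # Assume the sample was produced at column `col`; walk to the chain end.
        x = reduce_fn(sample, col)
        for k in range(col + 1, length):
            x = reduce_fn(keystream(x), k)
        for start in table.get(x, ()):       # may be a false alarm; verify by re-walking
            y = start
            for i in range(length):
                if keystream(y) == sample:
                    return y
                y = reduce_fn(keystream(y), i)
    return None


def coverage(table, length, trials=50, seed=2):
    """Fraction of random states recovered: the coverage side of the trade-off."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        s = rng.randrange(1, MASK + 1)
        r = recover(table, length, keystream(s))
        hits += r is not None and keystream(r) == keystream(s)
    return hits / trials


if __name__ == "__main__":
    CHAINS, LENGTH = 1500, 48
    table = build_table(CHAINS, LENGTH)
    print(f"endpoints stored: {sum(len(v) for v in table.values())} "
          f"(brute force would need {MASK} states)")
    print(f"recovery rate on random states: {coverage(table, LENGTH):.0%}")
```

Memory is proportional to the number of chains, lookup time to the square of the chain length, and coverage to their product relative to the state space; doubling the state bits doubles the product needed, which is the lever a cipher designer has against this class of attack.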

18 thoughts on “ShmooCon 2008: Intercepting GSM Traffic”

  1. :O

    I love when ShmooCon rolls around every year and there is usually an exploit or crack for something wildly popular. The last one i really remember was cracking WEP. good stuff!

  2. Yeah! Really great!
    Not just that government officials want to peer into gsm encryption. Maybe now we’re even helping them do it.
    Why do we demolish the technology that should keep our privacy safe???

    Thanks a lot! Morons!

  3. @ Mollshoebbel:
    it seems you’re missing the point here – they crack this system to force a newer, better system. because if you or i could do it with off the shelf components and a little ingenuity and time, others can too.

  4. Re 4: Chill. If crackers can do this now with off-the-shelf parts, the government has theoretically been able to for years — except they don’t have to. Why would they go to the trouble of decrypting the over-the-air signal when there are already taps in place on the central office lines, where the signal is in the clear? The privacy of any phone call is largely an illusion.

  5. Is there anyone who is working on assembling the sniffed traffic stream from Nokia phones?
    The thc guys didn’t make any progress on this, just copy-pasted some xml output from gnokii or whatever tool to the wiki, so I doubt they do anything with it. They rather go with other RF boards for sniffing.
    We found some old tool, and leaked docs about Nokia’s monitoring mode (which are easy to find on the web), but the code is undocumented.

  6. 2 Tb?!?! I wonder how long it’s going to take to torrent that. The other thing I wonder is whether or not anybody is hosting videos from shmoo, or has torrents to download them. There’s a couple of the talks I’d really like to watch.

  7. I can’t believe people are suggesting that someone/some group is helping our government/agencies hack gsm calls by hacking it and posting it. That is the most ridiculous thing I’ve heard. People, they already have gsm stations that record and analyze gsm calls and no cracking is really involved (I mean no crack time involved, I should say), where it is as simple as scanning and listening. Here, take a look at this: and this is public information; what about the things we don’t know about? No, some hacker figuring out gsm themselves and posting it won’t help the government/agencies; they’ve had it since gsm first came out, through backdoor agreements all telecommunication companies have to abide by (or most of them anyway). Regards,

  8. You could just use nvidia graphics cards to do the work with CUDA. An 8800GTS can do up to 320GFlops per card. And CUDA is really easy to learn. You can build a 1.2TFlop supercomputer for just under $1000. Should help the project progress faster. But really great work.
