Hacker Intercepts GSM Calls With $1500 Homemade Kit

by Gaurav Kheterpal on August 3, 2010

The security vulnerabilities of GSM networks have been exposed yet again. At the DEF CON Hacking Conference in Las Vegas, security researcher and famous white hat hacker Chris Paget demonstrated a homemade IMSI catcher to intercept and even record phone calls.  What’s most impressive about Paget’s achievements is that his home-built kit costs merely $1,500 and is remarkably accurate.

GSMA has always maintained that GSM is a fully secure protocol. On the contrary, Paget believes “GSM is broken — it’s just plain broken”. As they say, actions speak louder than words!

Paget’s homemade IMSI catcher kit includes open source software and two on-stage antennas that can spoof the base stations which connect the GSM cell phone signals used by AT&T and T-Mobile. Since his bogus tower provided the strongest signal impersonating AT&T network during the demo, all cellphones connected to his fake base station.

That’s not all, he then demonstrated how to re-route a call using a GSM hijacking by employing a voice-over-Internet system. The scary part – he even managed to record the audio conversation in a USB stick. If you think encryption can save you from such vulnerabilities, you’re mistaken. Paget’s technique turns the encryption off for a particular handset. While creating your own GSM cell tower isn’t legal, it should serve as a final warning to FCC & GSMA to get their act together regarding the fundamental insecurity of GSM cell signals.

Paget’s technique blocks 3G connections by sending out a jamming signal and forces devices to search for 2G signals. And as soon as a phone begins probing for a 2G signal, it gets hooked on to Paget’s fake base station. Paget’s technique can intercept out going calls and spoof the caller ID on the phone of the call’s recipient. Only Quadband phones connect to Paget’s IMSI catcher and it doesn’t work for U.S. phones that do not support this 900MHz band.

Paget was in the news last year when he managed to download vital information of U.S. passports while safely sitting at a distance in a car. There were speculations over Paget’s participation in the conference with concerns alleging that he could be arrested or fined by federal authorities.

Forbes quotes the following response from GSMA and it’s sorry to say the least. The standards body is still trying to defend the protocol instead of coming up with a solution to fix the vulnerabilities. There are nearly 3 billion GSM users worldwide and it’s scary to imagine the implications of GSM calls being intercepted for malicious and criminal intentions.

Chris Paget – Take a Bow. GSMA & FCC – Time for action.

Did you like this post? TheTelecomBlog.com publishes daily news, editorial, thoughts, and controversial opinion – you can subscribe by: RSS (click here), or email (click here).

Written by: Gaurav Kheterpal. www.digitcom.ca >. Follow TheTelecomBlog.com > by: RSS>, Twitter >, Identi.ca >, or Friendfeed >

{ 1 comment }

Alam September 21, 2011 at 6:44 am

Horrible research that could put 3 billion GSM subscribers at risk as soon more details goes public mailing lists by author which is not recommended.

Comments on this entry are closed.

Previous post:

Next post: