
$15 phone, 3 minutes all that's needed to eavesdrop on GSM call - blhack
http://feeds.arstechnica.com/~r/arstechnica/index/~3/ZubJwpxmyjM/15-phone-3-minutes-all-thats-needed-to-eavesdrop-on-gsm-call.ars
======
hiroprot
Very misleading title.

The article mentions that 4 phones, a laptop computer, and a lot of
specialized software were needed (they mention open-source, but there are no
details).

Also, the process they describe seemed to be much more time-consuming than
just 3 minutes.

~~~
cnvogel
The process itself is quite fast; after watching the talk I'd guess 3 minutes
for singling out a single phone via sending SMS, and maybe 2 minutes for
cracking the key itself.

The software is indeed very specialized, and according to the guy doing the
demo it will be released, but without the last polishing to run the attack on
an actual live network, but he claims that it took him less than 1 week of work
to come from currently published code to the stuff he's shown in the attack.

But of course to come to the level of expertise of Sylvain Munaut will take a
mere mortal more than a year of studying GSM... ;-)

------
runjake
Well, and 2 TB of key tables.

~~~
ROFISH
To be fair, you can easily carry around 2 TB in a single large-form external.
Coupled with a general car to wall AC adaptor, you can travel around town with
it.

Not to mention the fact that since it's just a simple look-up table with lots
of small entries, you could store it in the cloud and only get what you need
via the same GSM connection.

~~~
runjake
That's a lot of data to be uploading to the cloud, but I read you.

I wasn't saying it wasn't doable, but rather it's not just as easy as grabbing
your laptop and a $15 phone, which is how it's being reported, for the most
part.

~~~
sp332
You can send a USB or eSATA external drive to Amazon (up to 8TB) and they'll
import the data into S3 for you. <http://aws.amazon.com/importexport/>

~~~
runjake
This is great, I didn't know about this. It's important to note that you're
looking at a cost of $100+ when you factor in Amazon's fees and shipping.

------
sspencer
I wonder if one could crack it even faster with more than 4 phones sniffing.
Maybe 8 or 16 phones? You could easily fit those in a backpack, along with a
2TB external HDD. Assuming the sampling rate is the bottleneck, you could
maybe get down into the sub-60-second range with a few more phones....

Amazing stuff as usual from the CCC!

~~~
246tNt
No, more phones wouldn't make it faster. Also, having the HDD with you is really
not required, you can just use a beefy external server you ssh to via a 3G
data connection or something.

------
ajays
FTA: "Munaut demonstrated the way in which GSM . . . allows anyone to
determine a subscriber’s current location with a simple Internet query, to the
level of city or general rural area."

Is he talking about reverse IP lookup?

~~~
246tNt
No, I'm talking about HLR queries. See the related 25C3 talk.

~~~
sp332
"Locating Mobile Phones Using SS7"

Abstract and slides:
<http://events.ccc.de/congress/2008/Fahrplan/events/2997.en.html>

You can see the talk on Youtube: <http://www.youtube.com/watch?v=OEcW4HlrpYE>

or download the video via BitTorrent:
ftp://media.ccc.de/pub/congress/2008/video_h264_720x576/25c3-2997-en-locating_mobile_phones_using_ss7.mp4.torrent

