Mobile phone eavesdropping made easy: Hackers crack GPRS encryption

After outer space was proclaimed as hackers' newest target, thunderous applause followed at the opening of Chaos Communication Camp 2011 in Finowfurt, Germany. Heise Online reported that the hackers want their own communication satellites in orbit within the next ten years. Nick Farr (@hackersonaplane) of Hackers on a Plane said, "We can conquer the entire galaxy, if we stop for five minutes, to behave like idiots."

The plan to conquer space was followed by former WikiLeaks spokesman Daniel Domscheit-Berg announcing four days of public testing of OpenLeaks.org. Domscheit-Berg told Forbes, "We need to be sure for the people who use such a system that it can't be compromised. Whistleblowers are the ones who take the risks. And they're the ones that get screwed if something goes wrong. So it's inherently important for us to make these people as comfortable as possible."

In case you didn't guess, this is no small hackers' shindig. Chaos Communication Camp is an international hackers' camp that takes place every four years. Among the attendees are EFF Senior Staff Technologist Seth Schoen and EFF co-founder John Gilmore.

How creepy would it be if it were easy to snoop and intercept all those texts, emails and photos you send over your mobile phone? Do you think that's impossible, that the majority of the world's mobile Internet traffic is protected by encryption? Think again.

The much-anticipated presentation by crypto specialist Karsten Nohl, chief scientist of Berlin-based Security Research Labs, will show how to crack the encryption that is meant to protect information sent over General Packet Radio Service (GPRS). Mobile phones that do not support 3G use GPRS for data, and 3G phones fall back to it wherever 3G coverage is missing; an iPhone is on GPRS (or its faster EDGE variant, which shares the same encryption) when the status bar reads "E" rather than "3G."


The New York Times reported that Nohl and a colleague, Luca Melette, intercepted and decrypted all wireless data traffic in a 3.1-mile radius by "using an inexpensive, modified, 7-year-old Motorola cellphone and several free software applications."

Golem.de added that Nohl modified a Motorola C-123 and ran the open-source Osmocom baseband software on it, then recorded and decrypted transmissions in the German mobile networks of T-Mobile, O2 Germany, Vodafone and E-Plus. Nohl called the GPRS ciphers (GEA/1 and GEA/2) "weak," and he will demonstrate ways to decrypt GPRS traffic. While he does not intend to publish the encryption keys, Nohl will release the software he used for the attack. Worse, almost all of the world's GPRS networks do not bother to encrypt at all.

Nohl also told the NYT, "One reason operators keep giving me for switching off encryption is, operators want to be able to monitor traffic, to detect and suppress Skype, or to filter viruses, in a decentralized fashion. With encryption switched on, the operator cannot 'look into' the traffic anymore while in transit to the central GPRS system." 

According to MIT's Technology Review, it costs 10 euros (about $14) for the radio equipment that Nohl and Melette designed to attack GPRS. Nohl said companies that ignore the risks "will be negligent." He hopes this applies pressure to improve security and require "better authentication among devices and base stations communicating over GPRS." He suggested "mobile applications take steps now to use encryption such as SSL, which already protects much of the sensitive information sent over the Internet."

Nohl has spent the last two years researching and releasing tools that should twist carriers' arms into upgrading the security of their networks. In 2009, he worked with others to release a 2-terabyte rainbow table for the GSM A5/1 cipher to "inform about the fact that GSM calls are already being intercepted and decrypted using commercial tools." Nohl and Chris Paget then spent $1,500 on hardware and cracked the A5/1 cipher that was supposed to prevent such snooping of radio signals as they hopped between mobile phones and base stations. The researchers said, "Cloning, spoofing, man-in-the-middle, decrypting, sniffing, crashing, DoS'ing, or just plain having fun. If you can work a BitTorrent client and a standard GNU build process then you can do it all, too. Prepare to change the way you look at your cell phone, forever."

Then in 2010, Nohl "bundled many of the various tools he helped develop into a comprehensive piece of software that gave amateurs the means to carry out many of the attacks," reported The Register. "That same year, other cryptographers cracked the encryption scheme protecting 3G phone calls before the so-called Kasumi cipher had even gone into commercial use."

Before you next send that naughty photo, text or IM, consider the possibility that the GPRS encryption protecting your "sensitive" mobile device data can be cracked for cheap . . . and that the German researchers behind it are showing other hackers how to snoop and create chaos too.

Image credit: Coban Group 
