what you need to know about the interception of your mobile calls by spies

Last week a presentation rocked the ITscene. A security researcher bought for 1500$ the necessary
hardware to install his laptop (powerful laptops these days ....) and set it up as a GSM tower.
In practice this meant that he intercepted all the OUTGOING calls nearby where rerouted through his tower on which he could intercept (and record) them and break any encryption.

Since a few years there are already rumors and some articles that the encryption of GSM was broken or
easy to break. This guy has done it the easy way. Instead of trying to break something that takes days and
lots of processing power, he just plays for the imposter and acts as a go-between.

This looks like the rogue hotspots (or wireless access providers in hotels and airports)
You could also set up a laptop like a wireless access provider and record all the logins and passwords.

Here are some interesting facts

* only the OUTgoing calls were intercepted, the incoming didn't find the phonenumber and just arrived at the mailbox

* the encrypted 3G service could be directed to his GSM tower by jamming at the same time the 3G service in the room. This means that those who pay for 3G should know when they fall back on GSM and lose all security.

* this interception attack is interesting around official and financial buildings, not far from business lounges in
airports or at specific targeted locations.

* the typical mobile is not secure enough for high-secure communications and was never intended to be.

* this is an easier way for the police or intelligence services to get all the mobile communications during social
unrest, football riots or drug raids (or antiguerilla operations). It could also be used by the other side if the official services have no secured communications.

In practice it means that only those that could be targeted will be targeted because of this easier and cheap technology. And those who know that they could be targeted will have to take the appropriate measures to secure their communications and/or limit the communication of confidential information.

The comments are closed.