Hacker demos GSM call hijack, calls for 2G end

A security researcher has demonstrated how to use a makeshift base station to trick handsets into allowing calls to be intercepted and recorded

A security researcher has demonstrated a makeshift mobile base station that can intercept people's GSM voice calls, arguing that the hack is so easy that 2G cellular usage should be discontinued.

At the Defcon security conference in Las Vegas on Saturday, Chris Paget tricked at least 30 audience members' handsets into connecting to his base station. He pointed out that if he had not limited the base station's transmissions to a total of 25 milliwatts, many more handsets would have connected. At least 17 calls were intercepted and recorded, although Paget confined all logs to a USB stick that he destroyed at the end of the demonstration.

In the medium to long term, GSM simply needs to be turned off.

– Chris Paget

"In the medium to long term, GSM simply needs to be turned off," Paget wrote in a subsequent blog post on Sunday. "It'd be more work to fix it than it would be to upgrade (given that 3G/3.5G/3.9G/4G are all available, are being deployed now, and offer far superior security)."

Most handsets sold in the UK now are 3G-capable, and 3G coverage is steadily expanding, but outside of coverage those handsets will fall back to 2G voice connectivity.

Paget's technique is based on his 'tower' offering a slightly stronger signal than that of the closest real tower in the operator's network — in the case of Defcon, AT&T's network. In a GSM network, the tower dictates security-related settings to the handset. This means the homemade base station can tell the phone to use the A5/0 algorithm, which has no encryption. Therefore, as Paget described it in a presentation slide (PowerPoint link), "Strong signal + negotiate A5/0 = pwned".

Intercepting calls made over 3G networks is much more difficult, he pointed out. He suggested that the best way to do this might be to jam the 3G signal, forcing the victim to 2G instead. Otherwise, he said, the "3G cipher is showing cracks [but] is not broken yet".

In his blog post, Paget noted that AT&T has a voice and SMS encryption service that it offers to business and government users. "I'd very much like to see it deployed more widely," he wrote. "It's a good approach to the security problems in GSM (assuming it works as stated).

"BlackBerry is another good option — they add a second layer of crypto for data — not sure if it adds anything for voice — and I've been told they have a setting to disable 2G," Paget wrote. "This is a very good thing; I'd love to see someone add this setting to Android as well if it's at all possible."

In the run-up to his presentation, Paget wrote, rumours had appeared suggesting that AT&T might sue him to stop the talk going ahead. In the event, this did not happen, but Paget noted he had in any case gained legal advice from the Electronic Frontier Foundation.

On Monday, ZDNet UK asked Ofcom how viable it would be to switch off GSM and rely purely on 3G for mobile voice calls, but a spokesperson for the regulator said there were no such plans.

"From our perspective, we'll continue licensing 2G networks while there's still a market for it," the spokesperson said.


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All