I have received dozens of text messages and emails from unknown sources claiming that I can listen to any call from any handset as long as I provide the cell phone number to them, and of course money. I myself know clearly that these are just scams; the only purpose is to trick my money into their account :-). After going through a few of those messages, however, I decided to find out whether anyone had ever fallen victim to those scams.
So I searched one of those numbers and did find one lady who really paid those guys a few times to track her husband. Of course she got nothing. I could not believe that people really believe in that bullshit.
But this is not the end of this post, because it's true: your calls can be eavesdropped on, just not by using the phone number, and here is how.
You may remember that a while back a security expert from Germany called Karsten Nohl showed at the Chaos Computer Club Congress how he managed to listen in on calls made by people present, using a device called an IMSI catcher.
To figure out how that is even possible, we need to know how the GSM network works and how it is secured, and I will make it as simple as possible. Generally, when you get a mobile phone number from your carrier or its dealer, they give you a SIM card. This SIM card, as thin as it is, contains a serial number, an IMSI number and a 128-bit secret key called Ki. These data, together with your number, are stored in the carrier's database as well. When you switch on your handset, the device sends your IMSI number to the mobile operator, which looks up this number and retrieves its phone number and the Ki key. Then the mobile operator generates a random number and sends it to your handset. Your mobile device passes the random number to your SIM card, which uses the built-in Ki key to calculate a 32-bit signed response called Res, and a 64-bit secret session key called Kc, which is used to encrypt any call made by your handset from then on. In the meantime, your carrier uses the same Ki to generate the same Res and Kc. Once the mobile operator receives and confirms the Res sent by your handset, your handset (or rather your SIM) is granted a connection to the network, and you can make or receive calls, send text messages or browse the internet. This 64-bit key Kc changes every time you turn on your handset, and the mobile operator may demand another authentication at any time, which changes it again.
Generally, your connection to the cell tower is encrypted using the A5 encryption algorithm, which was once strong enough but can no longer withstand today's frightening computing power. Once the cell tower receives your data, it decrypts it and sends it in plaintext to the rest of the network. Since not all links between the base station and the carrier's network use wire (in other words, some of them are wireless links), an attacker who gains access to such a link could easily eavesdrop on any call in the area. And this is not a difficult task as long as you have the right equipment, which generally is only available to law enforcement and intelligence agencies.
And that's not the only vulnerability. Remember the IMSI catcher I mentioned above? This IMSI catcher is in fact a base station; it can force any mobile device in the vicinity to connect to it instead of the legitimate cell tower. How can this happen? Because the GSM network is designed this way: the network requires authentication from every mobile device, but the mobile devices do not ask the network to authenticate itself to them. So your mobile device has no idea whether it is connected to the legitimate network (try OpenBTS and verify that for yourself, or watch the video below). The IMSI catcher is able to find the IMSI and IMEI numbers of any handset connected to it. Generally the IMSI catcher is also capable of listening to any call made by the phone, which is then relayed to the real network so that the phone's owner won't notice any difference. With a fake base station and a laptop, anyone can intercept calls. These devices were once used only by law enforcement, but now more commercial equipment is on the market for sale. As long as you have enough money (I am already seeing someone researching and building a much less expensive one), you can possibly get one.
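To make the last two paragraphs concrete, here is a small simulation of the GSM attach procedure, added as an example for this post and not code from the original. It uses an HMAC-SHA256 stand-in for the SIM's A3/A8 algorithms (the real operator algorithms are not modelled), a constructed IMSI and Ki, and a `RogueBaseStation` class that models the IMSI catcher described above: it holds no Ki, yet the handset's attach procedure completes against it exactly as it does against the home network, because the handset never has a step in which it verifies the network. The class and function names are my own.

```python
import hashlib
import hmac
import os


def gsm_a3a8_standin(ki: bytes, rand: bytes) -> tuple:
    """Stand-in for the SIM's A3/A8 algorithms.

    Assumption: HMAC-SHA256 keyed with Ki, NOT a real operator algorithm.
    Returns (Res, Kc): the 32-bit signed response and the 64-bit session key,
    both derived only from the 128-bit Ki and the network's random challenge.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class SimCard:
    """The subscriber's SIM: Ki stays on the card, only Res and Kc come out."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes):
        return gsm_a3a8_standin(self._ki, rand)


class HomeNetwork:
    """Legitimate operator: its database holds a copy of each subscriber's Ki."""

    def __init__(self, subscribers: dict):
        self._db = dict(subscribers)  # IMSI -> Ki

    def issue_rand(self) -> bytes:
        return os.urandom(16)

    def authenticate(self, imsi: str, rand: bytes, res: bytes) -> bool:
        """Recompute Res from the stored Ki and compare; on a match the
        network also holds the same Kc and grants service."""
        ki = self._db.get(imsi)
        if ki is None:
            return False
        expected_res, _kc = gsm_a3a8_standin(ki, rand)
        return hmac.compare_digest(expected_res, res)


class RogueBaseStation:
    """Model of the IMSI catcher the post describes: it knows no Ki at all.

    It can still send a RAND, and because the handset never asks the network
    to prove who it is, the attach succeeds from the handset's point of view.
    """

    def issue_rand(self) -> bytes:
        return os.urandom(16)

    def authenticate(self, imsi: str, rand: bytes, res: bytes) -> bool:
        return True  # cannot check Res (no Ki), and does not need to


def handset_attach(sim: SimCard, network) -> bool:
    """The GSM attach procedure as seen from the handset."""
    rand = network.issue_rand()       # step 1: network -> handset: RAND
    res, _kc = sim.respond(rand)      # step 2: SIM derives Res and Kc from Ki
    # Step 3: handset -> network: Res. There is no step 4 in which the handset
    # checks the network's identity, so a RogueBaseStation is indistinguishable
    # from HomeNetwork at this point.
    return network.authenticate(sim.imsi, rand, res)


def demo() -> dict:
    # Constructed sample subscriber; the IMSI and Ki are placeholders.
    ki = bytes(range(16))
    sim = SimCard("IMSI-EXAMPLE-001", ki)
    home = HomeNetwork({"IMSI-EXAMPLE-001": ki})
    rogue = RogueBaseStation()
    wrong_sim = SimCard("IMSI-EXAMPLE-001", bytes(16))  # same IMSI, wrong Ki
    return {
        "home_accepts_real_sim": handset_attach(sim, home),
        "home_rejects_wrong_ki": not handset_attach(wrong_sim, home),
        "rogue_accepts_without_ki": handset_attach(sim, rogue),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The interesting line is the last one in `handset_attach`: the handset sends Res and takes whatever answer comes back, so the only party ever proving knowledge of Ki is the SIM. That one-sided check is what lets a fake cell attach a phone without knowing any secret at all.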
In addition, there are other possible exploits. I said earlier that your call is encrypted using a 64-bit key Kc, which is generated from the 128-bit secret key Ki. This key is essential, since every Res and Kc is generated from it. If anyone can extract it, he will be able to eavesdrop on your calls too. An experiment has already proved that this really works. In the experiment, the SIM card was inserted into a smartcard reader, which in turn was connected to a laptop. The laptop made some 150,000 challenges to the SIM card, which used the challenges to produce the Res and Kc. After 8 hours, with 6.25 queries performed each second, the experiment was successfully finished, followed by some computation which did not take long.
So with physical access to your SIM card for up to a few hours, the attacker could later eavesdrop on your calls anytime, anywhere; he could even make calls at your expense. Luckily the GSM network does not allow two SIM cards with the same IMSI number to be connected at the same time. But what if you shut down your phone at night?
It's said that it's also possible for attackers to clone a SIM card without physical access, but that takes much longer and requires the target SIM card to be connected to a cell tower set up by the attacker.
The encryption algorithm the GSM network uses is becoming weaker and weaker, and I doubt that, with the computing power we have now and will develop in the future, it will withstand brute-force attacks any longer.