A researcher at the Def Con security conference in Las Vegas demonstrated that he could impersonate a GSM cell tower and intercept mobile phone calls using only $1500 worth of equipment. The cost-effective solution brings mobile phone snooping to the masses, and raises some concerns for mobile phone security.
How does the GSM snooping work?
Chris Paget was able to patch together an IMSI (International Mobile Identity Subscriber) catcher device for about $1500. The IMSI catcher can be configured to impersonate a tower from a specific carrier. To GSM-based cell phones in the immediate area--the spoofed cell tower appears to be the strongest signal, so the devices connect to it, enabling the fake tower to intercept outbound calls from the cell phone.
What happens to the calls?
Calls are intercepted, but can be routed to the intended recipient so the attacker can listen in on, and/or record the conversation. To the real carrier, the cell phone appears to no longer be connected to the network, so inbound calls go directly to voicemail. Paget did clarify, though, that it's possible for an attacker to impersonate the intercepted device to the wireless network, enabling inbound calls to be intercepted as well.
But, aren't my calls encrypted?
Generally speaking, yes. However, the hacked IMSI catcher can simply turn the encryption off. According to Paget, the GSM standard specifies that users should be warned when encryption is disabled, but that is not the case for most cell phones. Paget explained "Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers."
What wireless provider networks are affected?
Good news for Sprint and Verizon customers--those networks use CDMA technology rather than GSM, so cell phones on the Sprint or Verizon networks would not connect to a spoofed GSM tower. However, AT&T and T-Mobile--as well as most major carriers outside of the United States--rely on GSM.
Does 3G protect me from this hack?
This IMSI catcher hack will not work on 3G, but Paget explained that the 3G network could be knocked offline with a noise generator and an amplifier--equipment that Paget acquired for less than $1000. With the 3G network out of the way, most cell phones will revert to 2G to find a viable signal to connect to.
Should I be worried that my mobile phone calls are being tapped?
Yes and no. The hack demonstration at Def Con proves it can be done, but it doesn't mean that it's in widespread use. $1500 is a relatively low investment, but it's still enough to be out of range of most casual hackers that just want to experiment.
Now that the information is out there, though, hackers with the financial resources to put the IMSI catcher together could start intercepting calls. But, as noted earlier--if you are a Sprint or Verizon customer you don't need to worry.
If you are on a GSM network like AT&T and T-Mobile, though, it is possible that an attacker could intercept and record your calls. The range of the IMSI catcher is relatively small, so the odds of your phone connecting to a random IMSI catcher are almost negligible, and it would only be an issue as long as you stayed in close proximity to the IMSI catcher.
However, if a user is specifically targeted, the rogue GSM tower could be an effective means of intercepting calls. The IMSI catcher could be used by corporate spies to target specific high profile individuals in a company to gain corporate secrets or other sensitive information.