DefCon 2010 hack of cellular networks shows evil twin methodology

The evil twin hacking methodology involves setting up a rogue WiFi access point with the same SSID (network name) as a nearby legitimate access point and waiting for client devices to connect to it automatically.

In the DefCon demonstration, a similar strategy was employed: the rogue base stations apparently hoovered up the mobile phones' credentials in order to 'allow' an outbound call to proceed.

According to Barmak Meftah, chief products officer with Fortify Software, the DefCon scam demo highlights the fact that the designers of the GSM standard never envisaged the need for ultra-high levels of security on mobile calls.

"When the GSM standard was formulated more than 20 years ago, the developers were required to design a digital successor to the analogue cellular standards of the day. As a result, security was only added after the basic standard was developed", he said.

"Security was not built into the standard from day one, but essentially added as an afterthought. And that is why we have today's crackers able to subvert the technology using an 'evil twin' methodology that is widely used when hacking WiFi networks", he added.

According to the software security assurance expert, the bad news is that not only are the call contents recordable, but the cracker can then generate the handshake credentials at another cellular base station and place outgoing calls on the cracked cellular user's account.

Call resale fraud was a major problem in the early analogue days of cellular, says Meftah, and allowed 'calling shops' on street corners to rent out mobiles for lengthy calls to foreign destinations for a few pounds/dollars, leaving the legitimate cellular user footing the bill - or their operator, if the bill is extraordinarily high.

The really bad news about this hack, he said, is that it exploits a structural flaw in the GSM standard that is difficult to fix retrospectively, as there are hundreds of millions of existing standard phones in regular usage.

"Sure, the networks can increase the security of their networks to beat this problem, but that leaves existing mobile users high and dry. It really shows how a lack of investment in security at the development stages - building security firmly into the technology - has not been made", he said.

"It all comes down to the program code that the GSM standard developments worked on. This could have serious repercussions for GSM users across the world," he added.
