As reported previously by Infosecurity, Nohl of Security Research Labs and Sylvain Munaut of OsmocommBB detailed at last December's conference of Germany's Chaos Computer Club how it is possible - using a laptop and four low-cost GSM handsets - to eavesdrop on 2G voice calls.
Nohl's breakthrough was based on fellow cellular cracker Chris Paget's development of a $1,500 home brew system that captures all outgoing data from GSM mobiles in the area.
Paget, who is reknowned for publicly cracking the RFID technology in US passports, allowing him to download the credentials of a passport in close proximity, staged his GSM homebrew demonstration at the summer DefCon event in Las Vegas last year.
Now Nohl appears to have refined his techniques to monitor multiple GSM data channels, and create an open source application that monitors the transmissions for online data sessions.
The use of multiple GSM channels for data is known as GPRS - short for GSM packet radio service - and allows data throughputs of up around 40 to 50,000 bits per second – some way slower than the data speeds seen on 3G or mobile broadband connections, Infosecurity notes.
Nohl's latest GSM breakthrough has been made possible by work that Nohl revealed at the December 2009 Chaos Computer Club conference, in which he announced he had painstakingly computed all possible A5/1 encryption hashes, generating a two terabyte code table in the process.
Fast forwarding to this week and the New York Times quotes Nohl as saying his software runs on a multi-core laptop and a legacy Motorola C-123 GSM handset, which was used as an interceptor phone.
“The interceptor phone was used to test networks in Germany, Italy and other European countries that Mr. Nohl declined to identify. In Germany, Mr. Nohl said he was able to decrypt and read data transmissions on all four mobile networks - T-Mobile, O2 Germany, Vodafone and E-Plus”, says the New York Times, adding that he described the level of encryption provided by operators as “weak.”
And here's where it gets interesting, as in Italy, Nohl said his interceptions revealed that two operators – TIM and Wind - did not encrypt their mobile data transmissions at all. A third, Vodafone Italia, however, does use weak encryption.
Infosecurity notes that Nohl's research is based wholly on GSM/GPRS data transmissions, and that most mobile broadband units and smartphones use 3G technology for most of their data calls, although 3G systems do fall back on 2G (GSPM/GPRS) technology for data calls in very rural areas.
The New York Times, meanwhile, quotes Nohl as saying that the reason why operators switch off encryption is their ability to monitor data traffic, looking for Skype and other voice over the internet systems, as with encryption switched on, the cellco cannot normally monitor the data traffic.