Check out this video from last August’s CCC Camp, which describes using a Universal Software Radio Perhiperal (USRP) to record GSM messages, and then using an FPGA to defeat the A5/1 encryption that’s used to secure an encrypted GSM channel in the span of a couple weeks. By spending a couple months to precompute a 5 TB lookup table you could bring the decryption process down to just a few minutes.
First half of the talk is an introduction into GSM interception. Second half presents a new method for cracking the GSM encryption A5/1. This is a new attack that can crack any encrypted channel (SMS, Voice) within 3-5 minutes regardless of how long the conversation is (e.g. can crack a telephone conversation that only lasts 4 seconds).
Now, most of us won’t be running out right now to grab an FPGA and a software radio so we can start cracking GSM voice converstations and SMS messages, but the actual discussion of how GSM works and how the team went about putting together a real-time cracking method for A5/1 is fascinating. What’s really crazy is that for a few thousand dollars, anyone could really set up a GSM recording and cracking system. This isn’t just NSA or government-funded spy stuff.
At about the 19 minute mark, Steve talks a little about how mobile identification and position information is transmitted. If you’ve ever called the phone company to track down a stolen phone, you’ve probably been told this isn’t possible. Turns out that if you’ve had a phone lost or stolen, it actually transmits its position information _all_the_time_. So, technically, your network operator should be able to tell you the phone’s location to within 200 meters.