October 24th, 2014

GSM hacking

I knew there would be some cool stuff that came up at the CCC Camp this year (hopefully next time around I can make it; I’m pretty jealous of anyone else that was able to get on the hackers on a plane event :). From Eliot’s (of hack-a-day) report, it sounds like David Hulton and Steve Schear gave an interesting presentation on cracking the A5 encryption used by GSM handsets. If you’re not already familiar with the other work that David Hulton does on cracking with FPGAs, you should check it out. Even the latest version of wicrawl benefits from his work, and has hardware acceleration support built in for WPA-PSK cracking with Pico Computing FPGAs.

Here is an excerpt from their talk summary:

Some of the most promising attacks include implementing the ciphertext-only attack published by Barkan, Biham, and Keller and other variations that essentially build a rainbowtable for reversing parts of A5/1. We have also found that FPGAs have the potential of being able to brute force the A5/1 keyspace in a reasonable timeframe so we will also present on the feasibility and the amount of hardware required to brute force the keyspace in different scenarios.

And Eliot put together a good summary you should check out. Here’s another excerpt:

Using a box with at least 27 FPGAs they plan on constructing a 6+ terabyte rainbow table (it’ll take a couple months). Once complete, any GSM conversation can be cracked in less than 5 minutes using a single FPGA. The Hackers Choice has more info on the USRP based GSM analyzer and what they did to crack A5.

6 terabytes. Wow. I wonder if they’ll be torrenting that :)
