CCCamp 2007: GSM A5 Cracking


Steve Schear and David Hulton gave a presentation on A5 cracking. A5 is the encryption employed on GSM cellphone networks between the handset and the tower (nowhere else in the network). To sniff the GSM band, they use the GNU radio USRP. GNU radio is a software defined radio project, which given some effort you should be able to both receive and transmit in any RF band. You could use it to broadcast digital television, track radio tags, or even mess with garage door openers. For their initial investigation they used a Nokia 3310 in trace mode to dump the initial frames. Using a box with at least 27 FPGA’s they plan on constructing a 6+ terabyte rainbow table (it’ll take a couple months). Once complete, any GSM conversation can be cracked in less than 5 minutes using a single FPGA. The Hackers Choice has more info on the USRP based GSM analyzer and what they did to crack A5.

16 thoughts on “CCCamp 2007: GSM A5 Cracking

  1. The gnu radio/usrp project looks really neat. It claims to reduce radio problems to software problems, but it actually looks to reduce radio problems to the problem of buying a $700 usrp, and a software problem. If the radio was cheaper (sub $150), that would be a lot of fun to play with, but $700 is too much.

  2. Does this work with the other ancient cell phone system. CDMA, PCS etc? This was my main concern when choosing a cell phone provider. I heard that there was a way to mess with gsm so I went with cdma.

  3. Well, i am interested in some hardware/stuff to intercept GSM calls in pseudo/real-time. I can pay USD3.000,00 to this. If anybody can do this, please contact me in h2glabs “AT” gmail.com or vugo “at” hotmail.com. I am brazilian, so, sorry to my bad english. Regards.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.