Outlines loophole in GSM implementations

Aug 2, 2010 10:54 GMT  ·  By

Chris Paget, a security researcher known for his work in the field of radio communications security, demonstrated how GSM phone calls can be intercepted with inexpensive equipment at the DEFCON hackers conference in Vegas. The technique exploited a loophole in current GSM implementations.

Paget made a name for himself by exploiting flaws in the Radio-frequency identification (RFID) technology used in Enhanced Driver Licenses (EDLs), as well as in electronic ID and passport cards. In the past, the researcher demonstrated how information stored on the RFID tags embedded in these government-issued documents can be sniffed with off-the-shelf equipment while driving around in a car.

This year he returned to the Black Hat technical security conference and showed how the same RFID tags can be read from much longer distances. With some custom-made equipment the researcher was able to reach a range of 217 feet, smashing the previous record of 69 feet. He also claims that by cranking up the power, the device can read tags from well over 500 feet.

However, his most impressive presentation yet was at DEFCON, the largest annual hackers conference in the world, which immediately follows Black Hat. There he managed to wow the audience by intercepting mobile phone calls made by attendees in the room.

To pull off this feat he used a device dubbed an "IMSI (International Mobile Subscriber Identity) catcher", which he built with cheap and readily available components. The equipment is capable of mimicking an AT&T cell tower operating in the 900 MHz band and tricks mobile phones into connecting to it.

The IMSI catcher exploits the fact that in the U.S. the 900 MHz frequency range is allocated to amateur radio, while in most other parts of the world, including Europe, it is used by GSM networks. The problem is that, for compatibility reasons, many mobile phones sold in the United States are also capable of operating in the 900 MHz band, so a rogue tower on that band can attract them even though no legitimate U.S. carrier transmits there.
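As an added illustration of the defensive side of this mismatch (example code, not from the article or from Paget's work), the Python below implements a handset-side heuristic that flags any cell advertising a U.S. network identity on a 900 MHz GSM band, since no U.S. carrier deploys GSM there. MCC 310/311 for the U.S., MNC 410 for AT&T and the ARFCN ranges are known values; the scan records and the per-country band table are constructed assumptions.

```python
"""Rogue-cell heuristic: flag a GSM cell that claims a home-network identity
(MCC/MNC) on a band that no operator in that country deploys."""
from dataclasses import dataclass


def arfcn_to_band(arfcn: int, pcs: bool = False) -> str:
    """Map a GSM ARFCN to its band (3GPP TS 45.005 numbering).
    DCS-1800 and PCS-1900 share ARFCNs 512..810, so the scan must say
    which one it was tuned to via the `pcs` flag."""
    if arfcn == 0 or 975 <= arfcn <= 1023:
        return "E-GSM-900"
    if 1 <= arfcn <= 124:
        return "P-GSM-900"
    if 128 <= arfcn <= 251:
        return "GSM-850"
    if 512 <= arfcn <= 810 and pcs:
        return "PCS-1900"
    if 512 <= arfcn <= 885:
        return "DCS-1800"
    raise ValueError(f"ARFCN {arfcn} is outside the known GSM bands")


# Assumption for this example: bands a GSM carrier actually runs per country,
# keyed by MCC. 310/311 are the U.S.; the 900 MHz range there is amateur radio.
EXPECTED_BANDS = {
    "310": {"GSM-850", "PCS-1900"},
    "311": {"GSM-850", "PCS-1900"},
}


@dataclass
class Cell:
    mcc: str
    mnc: str
    arfcn: int
    pcs: bool = False


def suspicious_cells(cells):
    """Return (cell, reason) for each cell whose PLMN/band pairing is impossible.
    Cells from countries not in EXPECTED_BANDS are left alone (no data)."""
    flagged = []
    for c in cells:
        band = arfcn_to_band(c.arfcn, c.pcs)
        allowed = EXPECTED_BANDS.get(c.mcc)
        if allowed is not None and band not in allowed:
            flagged.append((c, f"PLMN {c.mcc}-{c.mnc} seen on {band}"))
    return flagged


# Constructed scan: a genuine AT&T (MNC 410) cell on GSM-850, a cell claiming
# AT&T on P-GSM-900 (the article's scenario), and a German cell (MCC 262).
SAMPLE_SCAN = [Cell("310", "410", 190), Cell("310", "410", 62), Cell("262", "01", 62)]
```

Running `suspicious_cells(SAMPLE_SCAN)` flags only the 900 MHz cell that claims the AT&T identity; the German cell on the same ARFCN is legitimate for its country and is not reported.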

“During the talk at least 30 handsets connected to my tower; there were probably many more than this but the logs were all destroyed on-stage (I broke the USB key into several pieces [...]). Logged data included IMSI, IMEI, all numbers that were dialed, and of course audio recordings of all calls made (a total of 17 calls were connected during the talk),” the researcher writes on his blog.

Since phone call interception is illegal, the U.S. Federal Communications Commission (FCC) expressed concerns prior to the talk. There were also rumors that AT&T intended to intervene and stop the demo from happening. However, Paget enlisted the legal guidance of the Electronic Frontier Foundation (EFF) and, to keep the exposure to a minimum, tweaked the transmit power of his device so the experiment wouldn't affect people outside the conference room.

You can follow the editor on Twitter @lconstantin