
Researchers Demo New GSM Attacks at Chaos Communications Congress

timothy posted more than 2 years ago | from the your-party's-on-the-line dept.

Cellphones 17

First time accepted submitter aeturnus writes "A new attack on the GSM mobile communications protocol has been demonstrated by Karsten Nohl and Luca Melette of Security Research Labs, based off their previously published attacks around vulnerabilities in the GSM A5/1 encryption protocol. This new attack, which Nohl indicates is already in use by criminals, allows an attacker to simulate a GSM mobile and use it to make calls and send text messages. Nohl also discussed protective measures users should take against these attacks, and others in use by intelligence communities around the world." This was just one of many presentations at the 28th Chaos Communications Congress.


17 comments

Congress (3, Funny)

ShaunC (203807) | more than 2 years ago | (#38527820)

Too bad they didn't demonstrate it at the US Congress instead, I'd love to hear some intercepted conversations between a few Senators and their puppet-masters.

Re:Congress (3, Insightful)

Anonymous Coward | more than 2 years ago | (#38528078)

From what I reckon when you demonstrate any kind of technology to Congress they furrow their brows in confused frustration and seek advice from the nice people that give them things.

So pretty useless I'd say.

Re:Congress (4, Insightful)

Anonymous Coward | more than 2 years ago | (#38528128)

when you demonstrate any kind of technology to Congress they furrow their brows in confused frustration and seek advice from the nice people that give them things.

That's what happens when they're vaguely concerned. When they're scared, they pass horrible acts of legislation that do nothing productive, but ruin the lives of millions.

Do you want them to do that to your cell phones?

Re:Congress (3, Interesting)

ShaunC (203807) | more than 2 years ago | (#38530060)

When they're scared, they pass horrible acts of legislation that do nothing productive, but ruin the lives of millions. Do you want them to do that to your cell phones?

Absolutely. Joe Sixpack doesn't know what the fuck SOPA is, and couldn't care less how his representatives are voting on it, or who's supporting it. He's never heard of RIAA or MPAA and his idea of a torrent is when the water main bursts down the street. But he has a cell phone, and he's not going to be happy if the government wants to dick around with it.

When stupid laws start interfering with everyone, instead of a few percent of the population, maybe more folks will wake up.

Re:Congress (1)

BronsCon (927697) | more than 2 years ago | (#38530846)

So, when SOPA passes?

The masses might not care about it now, but when Google can't keep up with takedown notices on Youtube, and gets shut down because of it, people will care. Millions of Facebook posts link to Youtube, if Youtube is in violation, Facebook would be, as well; so, for those who never use Youtube, Facebook will be the real eye-opener.

This news is completely -- (1)

Anonymous Coward | more than 2 years ago | (#38527926)

FALSE!

--
Sent from my Fake Mobile Handheld

protective measures (4, Informative)

Trepidity (597) | more than 2 years ago | (#38528050)

Nohl also discussed protective measures users should take against these attacks, and others in use by intelligence communities around the world.

From the summary, it doesn't sound like there are actually particularly feasible protective measures to use on a routine basis. All I see is some discussion of the "Catcher Catcher" [srlabs.de] software, which can be used to estimate the likelihood of an "IMSI catcher" being used in the vicinity. But this isn't something most users can practically use on a routine basis.

Re:protective measures (0)

Anonymous Coward | more than 2 years ago | (#38528232)

unfortunately the user has few possibilities.
there are some quick fixes, but those would need investments from the telcos.
but, as the 99% of users don't care, nobody does it

Carriers might be able to deal with this (0)

rickb928 (945187) | more than 2 years ago | (#38528288)

Maybe stuff like Lookout Mobile [h-online.com] can trap those premium SMS messages and at least warn you.

But this is a cat and mouse game now, and we'll have to explore how to punish the carriers and operators that enable fraudulent services by permitting them to bill victims. That's about the only way to deal with this sometimes.

Re:Carriers might be able to deal with this (3, Informative)

gregulator (756993) | more than 2 years ago | (#38528560)

They aren't using your physical phone to send the SMS/Calls. They are only using your phone's identity.

Re:Carriers might be able to deal with this (2, Interesting)

Joce640k (829181) | more than 2 years ago | (#38529102)

What's the difference if it appears on your bill?

I saw Kevin Mitnick do something like this last July. He was giving a talk and asked for two people in the audience to give him their phone numbers. He typed them into his laptop and a couple of seconds later one phone received an SMS from the other one.

Couple this with a few premium-rate phone lines and thieves basically have a license to print money.

Re:Carriers might be able to deal with this (3, Informative)

Anonymous Coward | more than 2 years ago | (#38529198)

Firewall software on your phone doesn't stop people from using your phone's ID on a fake phone, so "maybe stuff like lookout mobile" cannot do shit about it.

Re:Carriers might be able to deal with this (0)

Anonymous Coward | more than 2 years ago | (#38532182)

Not at all the same. There's no source verification on SMS in the SMSC, it's just like spoofing the from header in a mail.

Re:Carriers might be able to deal with this (1)

gl4ss (559668) | more than 2 years ago | (#38535582)

all you need for sending sms "from" a phone number is a sms gw that lets you put anything on the sender field, it's like email in that sense.

that doesn't affect billing though. this attack does and would look more authentic in the logs, though just generating costs for the victim isn't the worst you could do with it.

Safety in the past. (0)

Anonymous Coward | more than 2 years ago | (#38528370)

So with all these attacks on GSM, isn't it a good idea for the US to stick with the old standards?

fp 7ucker (-1)

Anonymous Coward | more than 2 years ago | (#38528384)

They're gone Came clear she couldn't to deCline for Opinion in other

Victim (1)

net28573 (1516385) | more than 2 years ago | (#38530834)

I was a victim. I kept getting charged for calls that were made at odd hours of the day. The solution was to simply change my phone number. After that, no more crazy charges.