GSM: We Can Hear Everyone Now!

DEF CON 27

Presented by: Eoin Buckley, James Kulikowski, Campbell Murray
Date: Saturday August 10, 2019
Time: 13:00 - 13:45
Location: Track 2

The presentation demonstrates that the A5/1 and A5/3 ciphers used to protect cellular calls are vulnerable to compromise, leading to full decryption of GSM communications, using freely available open source solutions along with tools we developed for this task.

The flaw being exploited lies at the heart of the design of GSM. In all implementations, the standard requires GSM messages to first be error control encoded using a convolutional code and then encrypted. In the vast majority of implementations used today, encryption is performed using the A5/1 or A5/3 cipher. The convolutional code adds redundancy to the transmitted message, which can act like a fingerprint to identify the key used to encrypt the GSM message.

To exploit the vulnerability an attacker simply needs to capture a transmission and identify the GSM channel used. The standard defines the convolutional code and therefore how the redundancy may be interpreted to recover the encryption key.

This presentation considers passively capturing GSM traffic using A5/3 encryption and demonstrates a novel solution to cracking the key used without interacting with the mobile or network.
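The following sketch is an added example, not code from the talk or its presenters. It shows why coding before encrypting leaves a plaintext-independent fingerprint of the keystream in the ciphertext, and contrasts that with the opposite ordering, which goes beyond what the abstract describes. Assumptions: a rate-1/2 code with generators G0 = 1 + D^3 + D^4 and G1 = 1 + D + D^3 + D^4, no interleaving, and random bits standing in for the cipher's keystream (no A5 implementation is involved).

```python
import secrets

# Generator taps, lowest degree first. Assumed for this example:
# G0 = 1 + D^3 + D^4, G1 = 1 + D + D^3 + D^4 (rate-1/2 code).
G0 = (1, 0, 0, 1, 1)
G1 = (1, 1, 0, 1, 1)

def polymul(bits, taps):
    """Multiply a bit sequence by a tap polynomial over GF(2)."""
    out = [0] * (len(bits) + len(taps) - 1)
    for i, b in enumerate(bits):
        if b:
            for j, t in enumerate(taps):
                out[i + j] ^= t
    return out

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def encode(msg):
    """Rate-1/2 convolutional encoder; returns both output streams."""
    return polymul(msg, G0), polymul(msg, G1)

def syndrome(s0, s1):
    """Parity check s0*G1 + s1*G0: all zero for any valid codeword."""
    return xor(polymul(s0, G1), polymul(s1, G0))

def encode_then_encrypt(msg, ks0, ks1):
    """Ordering described in the abstract: code first, then XOR the keystream."""
    c0, c1 = encode(msg)
    return xor(c0, ks0), xor(c1, ks1)

def encrypt_then_encode(msg, ks):
    """Contrast ordering: XOR the keystream first, then code."""
    return encode(xor(msg, ks))

def random_bits(n):
    return [secrets.randbits(1) for _ in range(n)]

if __name__ == "__main__":
    n = 24
    ks0, ks1 = random_bits(n + 4), random_bits(n + 4)  # constructed stand-in keystream
    for _ in range(3):
        z0, z1 = encode_then_encrypt(random_bits(n), ks0, ks1)
        # Same result for every message: the value depends on the keystream only.
        print(syndrome(z0, z1) == syndrome(ks0, ks1))
    # With the contrast ordering the ciphertext is itself a codeword: syndrome is zero.
    print(any(syndrome(*encrypt_then_encode(random_bits(n), random_bits(n)))))
```

Because the code is linear, the ciphertext syndrome equals the keystream syndrome whatever was said on the call, which is the redundancy "fingerprint" the abstract refers to.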

Campbell Murray

Campbell Murray is the global head of BlackBerry Cybersecurity Delivery and joined the organization through the acquisition of Encription Ltd, of which he was a founder and director. He has over 20 years’ cybersecurity experience with an emphasis on offensive security techniques and security engineering in the IoT, industrial and transport arenas. Campbell is a founding director of both the TigerScheme and the CyberScheme. Twitter: @zyx2k

Eoin Buckley

Michael Eoin Buckley is a senior cybersecurity consultant at BlackBerry with over 20 years’ experience spanning cybersecurity consultancy, product security and both security and physical layer aspects of 3GPP cellular, Zigbee and IETF standards. In his role he leads the cybersecurity engineering effort and specializes in product security assessments of several areas such as automotive, healthcare and aerospace. Eoin holds a Ph.D. from Cornell University with a thesis focus on error control coding.

James Kulikowski

James Kulikowski is a senior cybersecurity consultant at BlackBerry and an active member at Unallocated Space in Baltimore, Maryland. In his 15 years, James has worked with clients from the DoD and Intel community to companies in finance, healthcare and transportation. James previously specialized in risk management and policy development before transitioning to hardware and software security assessments.

