----- Forwarded message from Dave Emery
Several radio enineers I talked with speculated that it /might/ even be possible to modify a standard GSM phone to act as a rouge "key reaper" base station. I am not a radio engineer and have no way to verify this claim.
The modifications would be fairly major and rather difficult on a surface mount high density low cost phone PC board. A lot of the stuff required is in ASICs in a typical phone, and they are not in general easily adapted to playing a different role even if the full design database and phone schematics are available to the hacker which it would not be. On the other hand, some of the components of a standard GSM phone could be used to fill a number of functions in such an animal, and a couple of partially stripped GSM phone PC cards would certainly be useful as part of such. I would see such a probe base station as a briefcase size object run by a laptop or powerful palmtop spliced into two or three hacked up phone PC cards with some added signal processing logic in a FPGA or two (and maybe an added RF modem chip as well). There would be a significant amount of software required, depending on how completely one would have to emulate a base stations and mobile switch. Of course some older phone designs might be less ASIC intensive and more adaptable, although the 1.9 ghz PCS US versions are mostly pretty recent. And there may be some universal multi-standard brand that is much more software configured than others and might be an easier jumping off place - I certainly have not investigated this at all (nor do I expect to). On another topic - privacy... Your break suggests that A3/A8 may have been deliberately weakened to allow such SIM probing. Intelligence agencies are not in general interested in cloning, but for those without access to whatever magic hardware (or software) exists for cracking A5/1 at low cost in real time, the ability to once recover the SIM secret allows easy listening to all subsequent calls from that phone (or SIM) with no required cracking hardware time or access. And this is very valuable in lots of situations, such as covert operations out of hotels in foreign places where having highly classified A5 cracking boxes in tow would be a significant security risk. And for countries with GSM phone systems interested in spying on visiting diplomats, heads of state, or trade delegations who are using their GSM phones in a roaming mode and depending on the fact the GSM home switching office does not disclose their long term secret, such probing can be quietly concealed in the real traffic of a legitimate base station. The secrets recovered can then be used to crack traffic back in the visitor's home country where he may be trusting his local system to be secure. And the ability to probe the phones of visiting dignitaries from nearby hotel rooms and recover their secrets must be awfully useful to many even third rate intelligence operations - this allows listening to all their subsequent traffic without requiring an A5/1 cracking capability at all - let alone one that works real time from low cost portable units. And even if there is some sanity test in GSM phone firmware that would catch or prevent enough probes to crack the SIM secret, your physical access method allows black bag jobs to recover the SIM secret of phones left poorly guarded for a few hours. This alone is very obviously of great use to intelligence types (at least unless there is some hardware backdoor in the SIM to allow the readout in seconds rather than hours). -- Dave Emery N1PRE, die@die.com DIE Consulting, Weston, Mass. PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2 5D 27 BD B0 24 88 C3 18