Penetration Testing mailing list archives

Re: Questions on GSM Penetration test


From: "Tom Buelens" <email () tombuelens com>
Date: Sat, 26 Jan 2002 19:40:54 +0100

For anybody who's interested I have written a paper last year (that was
presented at Blackhat Hong Kong and Singapore) on GSM security, so feel
free to ask and I'll send you a copy.

So the Blackhat has fallen :-)

The info that I found comes from the CCC.
On their congress of last December they had a guy from a German Telecom
operator that spoke of the IMSI catcher. See
http://www.ccc.de/congress/2001/fahrplan/event/340.en.html
ftp://ftp.ccc.de/pub/congress/congress01/mp3/vortraege/tag2/saal2/28-s2-1300-IMSI-Catcher.mp3
http://channelnet.tv/18c3.html

It's a tool from a German firm called Rohde & Schwarz that uses method
1 (see previous mail). The tool comes in 2 versions, one compliant with
German law and one exclusively for export. It is an expensive piece of
equipment. Its use is not undetectable but because of the complexity and
vastness of modern networks it does not raise any alarm bells.

Method 2 can be done with a DIY kit. Again see CCC site for more details:
http://www.ccc.de:8080/thema/gsm/
On the encryption part: yes encryption is used in many parts of the GSM
concept. That does not mean it is 'Good Crypto' (tm) as in 'Unbreakable' (c)
(tm) (Pat.Pend.)

Know that these are powerful tools. This power is easy to abuse. Proven by
the incident from the Comverse Infosys guys.
There once was a post on Fox news. It has 'gone away'.
http://www.newsmax.com/archives/articles/2001/12/18/224826.shtml
http://www.security.nl/misc/comverse-scandal/file02.txt

They make a Lawful Investigation tool according to CALEA J-STD-025 and ETSI
ES-201-671 standards for both circuit switched and Next Generation networks.
But they are not the only ones.
Comverse Infosys
http://anon.free.anonymizer.com/http://www.cominfosys.com/Content/CTMiniHomePage.asp?CID=1
Nice http://www.nice.com/iss/products/nicetrack.html
European ETSI
http://webapp.etsi.org/workprogram/Report_WorkItem.asp?WKI_ID=8789
US
http://global.ihs.com/search_res.cfm?RID=TIA&INPUT_DOC_NUMBER=IS%2DJ%2DSTD%2D025&partial_match=on&nbr_rows=25

Happy clicking.
(I hope I don't lose my NATO clearance :-)

Cheers,
Tom
CISSP 27411

