On Saturday, during the Defcon Security Conference, Chris Paget (an independent researcher) provided a very risky and surprising demonstration. The demo involved Mr. Paget eavesdropping on AT&T subscriber phone calls in front of a large audience of hackers.
According to Forbes, “With about $1,500 worth of hardware and open source software, Paget turned two on-stage antennas into a setup capable of spoofing the base stations that connect the GSM cell phone signals used by AT&T and T-Mobile.” He went on to tell the crowd that as far as the cell phones are concerned, they cannot tell the difference between himself and AT&T.
During the demo, Paget invited anybody on AT&T to initiate a phone call and when they did, he routed their calls through a VOIP system which then connected the calls while recording them onto a USB thumb drive. After the demo was finished, he destroyed the USB thumb drive with a pair of scissors to avoid violating privacy laws.
The hack was only designed to demonstrate to cell phone carriers how vulnerable GSM networks are in order to get them to fix the problem and was never intended to spy on callers. Apparently, up until minutes before the demo, Paget hadn’t decided if he wanted to proceed because he had received a call from the Federal Communications Commission (FCC) on the Friday prior to the conference.
During the call, they warned him of federal regulations that he could be violating if he proceeded with the demonstration. In an interview with reporters prior to proceeding with the demo, Paget stated “It wasn't a particularly productive conversation, It seemed more like scare tactics to me.” He managed to work around the legal hurdles by using his HAM Radio license to broadcast over GSM.
This “fake base station” trick has been used for years, but Paget managed to perform the hack for less money than was possible in the past. His hack costs a mere $1,500 to perform. While his hack only works with 2G signals, it does broadcast a “jamming” signal in order to force the phones to find a 2G signal. As a result, phones would connect to his hardware.
At the moment, the hack only works for outgoing calls, but it demonstrates that there is a serious security flaw in GSM technology and that the technology may be a lost cause in securing.