First Public Demo Of Sub-$2K Mobile Phone Interception Posted Online

Threat affects 80% of the world's mobile phone voice calls

April 22, 2010

5 Min Read


PALO ALTO, CA " April 22, 2010 "The first public demonstration of a GSM interception has been posted on the internet, providing concrete evidence of a threat that affects 80% of the world's mobile phone voice calls. In addition, all the interception software required has been loaded on a bootable CD and made publicly available on the internet, bringing non-specialist criminal phone tapping closer to reality.

A recent posting by Nigel Stanley of Bloor Research, reveals a video of hacker Chris Paget performing the first public demonstration of GSM mobile phone call interception. Paget demonstrates the use of equipment needed to intercept and record live GSM calls using a laptop, free open source software and an off-the-shelf radio receiver costing $1,400.

This follows Paget promoting the video via his Twitter account last week to his 1000+ followers, which has generated requests for more details about how the attack was achieved.

Paget has also released OpenBootTS, a bootable CD that delivers all the software required for GSM interception in an "out-of-the-box" software solution to hackers that significantly lowers the technical knowledge required to intercept GSM mobile phone calls. Installed on a standard laptop, and connected to the off-the-shelf radio receiver with a USB cable, hackers are able to intercept, record and redirect mobile phone calls within an area defined by the strength of the antennae used.

Although the software is flexible enough to be configured for several different types of interception, Paget's demonstration showed standard GSM phones in the vicinity being fooled into connecting to the cellular network through his radio receiver rather than nearby legitimate cellular base station antennae. Normal GSM calls were then passed undetected through this equipment where they were secretly recorded.

While organizations in the past may have dismissed GSM interception threat as unrealistic, this demonstration provides overwhelming evidence of a mounting threat. In a second video Paget demonstrates the same interception but uses an off-the-shelf Android smartphone to run the software instead of a laptop.

In his blog, Stanley comments, "For many people the only risk of their mobile phone conversation being intercepted was when they decided to bellow into their phone on a crowded train. Now we all need to face the fact that our calls can be intercepted with little effort."

In December 2009, Chris Paget's hacker colleague Karsten Nohl announced that he had completed the computation of a GSM Codebook " a large lookup table of encryption keys used to scramble GSM calls used in 80% of all mobile phone calls " and published it free on the internet for use by any hackers wanting to crack GSM phone calls.

Furthermore, one of the foremost encryption experts in the world " Adi Shamir, known for inventing the RSA algorithm ('S' in RSA) " revealed on 6th December at ASIACRYPT 2009 in Tokyo that the 3G mobile encryption standard (A5/3) was shown to be vulnerable for the first time to a theoretical attack that can be practically implemented.

A March 2010 survey by the Ponemon Institute of the attitudes of seventy five companies and 107 senior executives in the United States found that despite increasing awareness of this threat, many companies are failing to put in place comprehensive protection measures. For example, only 14% have deployed technological solutions to personnel travelling to high risk locations and a surprising 83% not even providing employee training to raise awareness about the risks of using cell phones in high risk areas.

Simon Bransfield-Garth, CEO Cellcrypt Limited, commented:

"This demonstration combined with several other public announcements over the past few months have clearly demonstrated that GSM, which makes up some 80% of the world's mobile phone calls, is vulnerable to interception. Anyone that discusses valuable or confidential information on their mobile phone is now at increased risk and should seriously be considering how to make those calls more secure."

"Originally reserved to governments or law enforcement organizations, the financial expenditure and technical knowledge required to intercept a GSM mobile phone call has fallen dramatically over the past few months. Organizations need to start taking serious steps to put in place security strategies that protect their sensitive conversations."

Dr. Larry Ponemon, Chairman & Founder, Ponemon Institute:

"The issue of phone interception is often thought to be restricted to government agencies but recently it has become clear that such equipment is now entering the mainstream," said Dr. Larry Ponemon, Chairman & Founder, Ponemon Institute. "The free release of both the GSM encryption codebook and the complete basestation software stack has brought interception into the realm of a graduate IT student and $2,000 of readily available equipment, substantially increasing the scale of the threat to the enterprise."

About Cellcrypt

Cellcrypt is the leading provider of technology to secure mobile voice calls on everyday smartphones. Founded in 2005, Cellcrypt's R&D innovation resulted in Encrypted Mobile Content Protocol (EMCP), an Internet Protocol (IP) based technology that optimises delivery of encrypted data between mobile devices over wireless networks.

Cellcrypt's products are undergoing security certification to the FIPS 140-2 standard approved by the US National Institute of Standards and Technology (NIST), operate over data-enabled networks including 2G (GPRS/EDGE), 3G (HSPA, CDMA/EV-DO), Wi-Fi' and satellite, and are optimised to run on Nokia' Symbian and BlackBerry' smartphones. Cellcrypt is a BlackBerry Alliance Partner and Inmarsat Connect Partner.

Today, Cellcrypt solutions are used routinely by governments, enterprises and senior-level executives worldwide. Cellcrypt is a privately-held, venture-backed company with headquarters in London, UK and offices in USA and Middle East.

For more information please visit:

For media enquiries please contact:

Jill Tsugawa/Jaime Tero

Grant Butler Coomber

Tel: +1 415 989 9803

E-Mail: [email protected]/[email protected]

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights