Ok, but that sounds like a simple, direct MITM for outgoing calls. But real attack demonstrations also point to inbound calls.

Just as an idea, maybe having some SS7 connectivity with a roaming agreement we could even announce a BTS with the same MSC "of the local operator"; then the phone connects to us and we put the phone "in roaming". For example, operators like some in Liechtenstein and a lot of 'small operators' provide, for less than 10-20k, an SS7 interconnection agreement with roaming capabilities. So we could even make the phone connect to our rogue BTS (announced like the home network), which connects to our 'Liechtenstein network' (forwarding via IP over SS7), so the operator of the intercepted user will consider it "in roaming in Liechtenstein" and will be able to transparently receive and make phone calls crossing our "fake BTS but real GSM network".

Could this be a feasible attack?

Fabio

On 02/Jan/10, at 18:17, Jacob Appelbaum wrote:

> It is correct that an active MITM is much easier than a passive attack.
>
> It is also infinitely more detectable. If you can cause a handset to
> join your network, you don't need to crack any kind of crypto at all.
>
> Here's a recording that I made of my GSM phone call using one of my base
> stations and my very own telephone:
>
> http://crypto.nsa.org/f-21/cell-tap.ogg
>
> To capture this recording I configured my phone to join my network and I
> terminated the outgoing call over VOIP. Recording the audio was as
> simple as running tcpdump. Nothing special and of course quite easy to do.
>
> Best,
> Jacob

_______________________________________________
A51 mailing list
[email protected]
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
