Hello, yes this is a solution but you have to double the cost of the attack by buying a second USRP. The other thing is that you then need to synchronize your two different streams in order to deal with the time slot allocation and be sure to get the uplink timeslot with respect to the corresponding downlink one.

Regards,
Sylvain
--- On Mon, 1/4/10, Alexander Chemeris <[email protected]> wrote:

From: Alexander Chemeris <[email protected]>
Subject: Re: [A51] Truth about this work
To: "Sylv1" <[email protected]>
Cc: "p q" <[email protected]>, "A51 A51list" <[email protected]>
Date: Monday, January 4, 2010, 6:41 AM

Hi Sylvain,

What if you use two USRPs?

Also I recall that someone at CCC (Dejkstra?) said he succeeded in decoding a real GSM conversation, but I don't recall exactly, I was not that interested in the topic.

On Sun, Jan 3, 2010 at 22:28, Sylv1 <[email protected]> wrote:

Hi all,

I agree with p q on all the presented points. I just would like someone to contradict me with an example. Is anybody able to listen to and record his own GSM conversation, up- and downlink? I'm trying to do that with the USRP and airprobe stuff but I'm stuck with some problems. Just forget about frequency hopping to simplify. I'm trying to eavesdrop with 2 RFX900 DB, one for each frequency of the ARFCN, and I want to record it into two cfiles in order to use gsmreceiver and gsmdecode and get at least the unencrypted information. But I'm stuck for the moment. Getting two raw streams directly from the USRP leads to the USB bottleneck problem. Is anyone really able today to eavesdrop on and record his own conversation? It is the required step to run the attack on A5/1 and finally prove that we did the job. Any input please.

Regards,
sylvain

--- On Sat, 1/2/10, p q <[email protected]> wrote:

From: p q <[email protected]>
Subject: Re: [A51] Truth about this work
To: "javier falbo" <[email protected]>
Cc: [email protected]
Date: Saturday, January 2, 2010, 3:26 PM

Thanks for the first practical answer. So, would you please capture one of your own conversations and upload it somewhere until we see if there is anybody out there who can decode it? I'd like to see that. See, that's the whole point of my first email. It's just all talk, and talk only interests people who don't already know about it.
What do we have besides that? If there is anybody who can decode a real-world A5/1-protected conversation out there, please answer to this thread and make it clear how to make a real air interface capture and give it to you. I'd do it and that's gonna be fun. Right? ;)

On Sat, Jan 2, 2010 at 6:50 PM, javier falbo <[email protected]> wrote:

p q:

Decoding third parties' calls is an illegal activity. As you noticed at CCC, there was a workshop where you could bring your own GSM stream to be decoded. :)

Or just capture your own GSM live conversation, upload it somewhere on the internet, and maybe someone from here will decode it and send you the audio in mp3 format.

What you are requesting is illegal. :)

Javier

Date: Sat, 2 Jan 2010 18:44:48 +0330
Subject: Re: [A51] Truth about this work
From: [email protected]
To: [email protected]
CC: [email protected]

Thanks Javier, how do you do? ;) Do you notice you didn't do anything but talk? You stated the very facts that I already stated in my first emails, that they are known to be out there. It's certain. So what are we doing here? Just republishing what's known? You just did it again in your email. I KNOW all these things are either theoretically possible or are being used by law enforcement. You know that too? Good. So we are just exchanging obvious things here, right? ;)

On Sat, Jan 2, 2010 at 6:40 PM, javier falbo <[email protected]> wrote:

p q: Are you ok?? :)

Encryption is the core of digital radio transceivers nowadays. Breaking the algorithm is 90% of the actual mobile structure. I have personally seen in real time how a GSM voice conversation is listened to in 2-3 seconds. (Since 2003, in my case)

Frequency hopping is not a problem. I remember my first project on channel hopping on analog radios, where a BURST that increases the power from Base to Mobile advises PREVIOUSLY of the next channel. More info, and updates here: http://wireless.agilent.com/rfcomms/refdocs/gsmgprs/egprsla_gen_bse_fhopping.php (or use google).
Frequency hopping is not a problem for the USRP, it is SOFTWARE BASED!!!

Tables are out there since 1998. Also the THC project has finished its table, but they do not want to distribute it. (Or maybe they are interested in $$$.)

A5/3 is useless nowadays, as KASUMI is academically broken (and computer simulated). I heard that next February 2010, the GSMA (Association) will call for an immediate security update and check for a new, stronger algorithm.

My comments: NOWADAYS, it is IMPOSSIBLE to be secured. There are NO algorithms capable of defending against a multiple CUDA distributed attack with more than 150 CUDA MACHINES in a network. Keep in mind that the algorithm must have particularities: FAST, no power consumption, easy to code, etc.

Javier

Date: Sat, 2 Jan 2010 18:18:09 +0330
From: [email protected]
To: [email protected]
Subject: [A51] Truth about this work

Happy new year people. As much as I like this project, I need to publish my comments and let others think about them too:

1- It's claimed that "we are cracking A5/1 so the industry can replace it with the newer A5/3". This is wrong. Industry can not change A5/1 with A5/1 because we cracked A5/1. To utilize A5/3 we need a UMTS network. Most networks around the world are 2G based, usually 2.75. Changes in operators need highly expensive procedures, law, regulations and alike. I know people with an academic-only background don't get this but that's their fault. This is not just about industrial profit, it's also about people's expenses and the general wireless regulation and condition in a country. Don't bullshit people. Phones that are made for 2G can not simply upgrade to offer A5/3 as well. It's just not possible. We can stand and cluelessly talk about it but it's not possible. So the whole idea to present the danger to shift the technology at the operators' side is just garbage.

2- It's claimed that GSM is now broken. GSM is broken but it does not have anything to do with this project. This project is about A5/1.
A5/1 is not GSM. GSM contains RF and radio management and spectrum budget too. This project didn't and in my opinion is never going to break GSM. At best we can expect to break A5/1. These are different things, people. Don't get yourself fooled. It's the same with Kasumi. Maybe Kasumi is broken, maybe not, I'm not sure, but I'm sure UMTS is not broken. GSM and UMTS are complicated systems. It's not just about the cryptography.

3- It's claimed finally somebody did it and now A5/1 is broken. This is also wrong. This project never proved it has broken A5/1. Where is the proof? We have generated our tables, which are partial, and they are shared. That's what happened. The presentation and all the media coverage, while I respect them, don't offer anything new to the tables. Seriously, how has it been proved A5/1 can be broken with the tables that this project has generated and is going to generate? It's all talk, speculation and ideas. Nobody even decoded a real GSM conversation with anything produced by this project. I'd be more than happy if somebody can show I am wrong, not with ideas and speculation but with a real GSM capture and a real decode procedure filmed on YouTube! That's proof. The rest is just talk. So, why are we so excited about it? Because it's wide now and most people who didn't know a thing about GSM before are now hearing cool things about the possibility of listening to ATM traffic, for example. We all knew it's possible. It's been out there for years. But as for this project, what have we done? We have reproduced THC's content and ideas on a different site, with different names, and some tables that are just claimed to be true are published. So what?
4- It's claimed this project will generate the tables fully, then Airprobe will build an interceptor using open or cheap hardware, and this all together will prove GSM is broken. Ok, so, until now we don't have all the tables, we are not even sure the ones that are generated are ok and no one has proved it, we just talked about it. Great! On Airprobe, we have some ideas that it's possible to capture GSM with the USRP but we didn't actually solve the hopping problem, so in reality we don't even have correct ideas how to capture real-world GSM traffic, and given the facts I think that's not gonna happen anytime soon. If I am wrong please give me a link to a page that filed the real GSM traffic captured with USRP that can be analyzed. Anything else is just talk, and talk is cheap.

I will be more than glad to see people prove me wrong on these 4 items but I think nobody can. What happened here was just a bunch of republications and getting the information to a wider audience. Nohl's work is good but I, also as an ex-academic and current convict of industry, can not just stand up and applaud something I clearly see is half truth, in doubt, unproved or maybe even wrong. People are attacking the GSMA. I think they have every right to do that but I believe they are right on one thing: "the team has underestimated the..."

By the way, there was another presentation at CCC about playing with the RF interface of cellphones. What a load of crap. I had high hopes and I saw just a bunch of republications of THC work and some general knowledge. Nothing more. He said it's possible to play around with TI's Calypso and control it. So what? You guessed that alone all by yourself, that's possible? Good job! In the A5/1 presentation it's been said it's possible to build an IMSI catcher using open source stuff. How is it possible? Why would we lie about this? OpenBTS and OpenBSC and USRP all together can not do what IMSI catchers do, not now and not in the near future.
So why would we publish some general information we have on IMSI catchers (widely available in law enforcement and old articles like Barkan and Biham also explained it) and add some misinformation to it to make it legit? That's not called honest academic work, people. Even if in another world all these were theoretically possible, we haven't done them yet. So? It's just all talk. How is talking about something equal to doing it? I'm looking for people who can explain this to me. No offence intended.

All the best

_______________________________________________
A51 mailing list
[email protected]
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51

--
Regards,
Alexander Chemeris.
