Good assumption, very logical and smart at the same time. Is it possible that they do something like this?
(operator cell) -> encrypted channel to (rogue cell) -> unencrypted (target cell phone)

On 5/12/2010 4:33 PM, sascha wrote:
> It's not clear to me why you would need to mount a man in the middle
> attack if you can break A5/1 encryption. While the processing power
> and table storage could be hidden in the white boxes, both are not
> mentioned. I would say that the device does not break A5/1 cryptographically,
> but works like an IMSI catcher.
> It could be an IMSI catcher that does not disable authentication+encryption
> on the Um interface between target and catcher.
> So it does break A5/1.
> Maybe they disable frequency hopping in their rogue cell, so that they
> can get away without recording the whole band, and when the target mobile
> station gets the encrypted channel assignment from the legit BTS it is
> just ignored. Or the hopping sequences in the rogue cell are configured
> in such a way that no matter what sequence is assigned to the target MS,
> it stays inside the 4 channels of the fake BTS.
>
> On Wed, May 12, 2010 at 07:31:59AM -0300, H2G-Labs Information Security wrote:
>
>> GSM A5.1 Realtime Cell Phone Interceptor
>> URL: http://www.youtube.com/watch?v=1eJ-WGpNQko
>> Anybody got extra information about it?
>> Regards...
>>
>> --
>> H2G-Labs Information Security
>> Igor Marcel - Information Security Consultant
>> H2GLabs.Information.Security "at" Gmail.com
>> _______________________________________________
>> A51 mailing list
>> [email protected]
>> http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
