Hello,

Well, MITM is pretty clearly explained in the publicly available paper:
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.95.8150&rep=rep1&type=pdf
(http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf)

Page 23 of the PDF gives a clear view of the mode and equipment. Perhaps, from the picture on page 23, fake phone and fake BTS are almost anything these days - from dedicated highly programmable hardware to general purpose SDR oriented on GSM.

Also, to answer "It's not clear to me why you would need to mount a man in the middle attack if you can break A5/1 encryption":

Since there are basically active, semi-active and passive (a totally random example: http://www.wi-ltd.com/defence/Covert_Surveillance/Intelligence_Gathering/GSM_Interception/GSM_PassiveActive_Hybrid_Interception_System ), there can be good reasons to have MITM for active types of systems. Thus, at this stage reflextor's A51 + airprobe is aiming towards a passive type of a system (record, crypto-crack, decrypt), unless openbts + openbsc join "right in the middle" of the party, metaphorically speaking.

HTH,
A

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Dino Pastos
> Sent: Wednesday, May 12, 2010 4:40 PM
> To: [email protected]
> Subject: Re: [A51] GSM A5.1 Realtime Cell Phone Interceptor
>
> good assumption, very logical and smart at the same time.
>
> Is it possible that they do something like this?
>
> (operator cell) -> encrypted channel to (rogue cell) -> unencrypted (target cell phone)
>
> On 5/12/2010 4:33 PM, sascha wrote:
> > It's not clear to me why you would need to mount a man in the middle
> > attack if you can break A5/1 encryption. While the processing power
> > and table storage could be hidden in the white boxes, both are not
> > mentioned. I would say that the device does not break A5/1 cryptographically,
> > but works like an IMSI catcher.
> > It could be an IMSI catcher that does not disable authentication+encryption
> > on the Um interface between target and catcher.
> > So it does break A5/1.
> > Maybe they disable frequency hopping in their rogue cell, so that they
> > can get away without recording the whole band, and when the target mobile
> > station gets the encrypted channel assignment from the legit BTS it is
> > just ignored. Or the hopping sequences in the rogue cell are configured
> > in such a way that no matter what sequence is assigned to the target MS,
> > it stays inside the 4 channels of the fake BTS.
> >
> > On Wed, May 12, 2010 at 07:31:59AM -0300, H2G-Labs Information Security wrote:
> >
> >> GSM A5.1 Realtime Cell Phone Interceptor
> >> URL: http://www.youtube.com/watch?v=1eJ-WGpNQko
> >> Anybody got extra information about it?
> >> Regards...
> >>
> >> --
> >> H2G-Labs Information Security
> >> Igor Marcel - Information Security Consultant
> >> H2GLabs.Information.Security "at" Gmail.com
> >> _______________________________________________
> >> A51 mailing list
> >> [email protected]
> >> http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
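The thread speculates about what a rogue cell would look like from the handset's side: ciphering switched off or authentication skipped, frequency hopping disabled, or hopping confined to the four channels of the fake BTS. The following is an added example, not code from the A51 list or from airprobe, OpenBTS or OpenBSC: a small defender-side check that scores a serving-cell observation against exactly those indicators. The observation fields, the known-cell list, the PLMN codes and the scoring threshold are all constructed assumptions for illustration.

```python
"""Heuristic rogue-BTS indicator check over constructed serving-cell observations.

Added educational example; the observation fields, the KNOWN_CELLS list and the
threshold are assumptions, not values taken from any real network or product.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class CellObservation:
    """What a handset or a monitoring receiver can see about its serving cell."""
    mcc: str                  # mobile country code (assumed field)
    mnc: str                  # mobile network code (assumed field)
    lac: int                  # location area code
    cell_id: int
    arfcns: FrozenSet[int]    # channels the cell actually assigns traffic on
    hopping: bool             # frequency hopping enabled on assigned channels
    cipher: str               # "A5/1", "A5/3", "A5/0" (no ciphering), ...
    authenticated: bool       # network ran the authentication procedure first


# Cells the operator is known to run in this area. Constructed sample data using
# the test PLMN (MCC 001 / MNC 01); a real deployment would load this from a survey.
KNOWN_CELLS = {("001", "01", 4711, 1001), ("001", "01", 4711, 1002)}

# A cell that keeps traffic inside this many channels or fewer is treated as
# suspicious; the thread mentions a fake BTS with four channels.
SMALL_CHANNEL_SET = 4


def rogue_indicators(obs: CellObservation) -> List[str]:
    """Return every indicator from the thread that this observation matches."""
    reasons = []
    if obs.cipher == "A5/0":
        reasons.append("ciphering disabled (A5/0)")
    if not obs.authenticated:
        reasons.append("no authentication procedure before assignment")
    if not obs.hopping:
        reasons.append("frequency hopping disabled")
    if len(obs.arfcns) <= SMALL_CHANNEL_SET:
        reasons.append(f"only {len(obs.arfcns)} channel(s) in use")
    if (obs.mcc, obs.mnc, obs.lac, obs.cell_id) not in KNOWN_CELLS:
        reasons.append("cell identity not in the operator's known list")
    return reasons


def classify(obs: CellObservation, threshold: int = 2) -> Tuple[bool, List[str]]:
    """Flag the cell when at least `threshold` indicators match.

    A single indicator is deliberately not enough: operators do run cells with
    hopping off, and a catcher that keeps ciphering up (as sascha suggests) would
    never trip the A5/0 rule on its own.
    """
    reasons = rogue_indicators(obs)
    return len(reasons) >= threshold, reasons


if __name__ == "__main__":
    # Constructed observations: a normal operator cell and a cell showing the
    # indicators discussed in the thread.
    legit = CellObservation("001", "01", 4711, 1001, frozenset(range(10, 74)),
                            hopping=True, cipher="A5/1", authenticated=True)
    rogue = CellObservation("001", "01", 4711, 9999, frozenset({10, 11, 12, 13}),
                            hopping=False, cipher="A5/0", authenticated=False)
    for name, obs in (("legit", legit), ("rogue", rogue)):
        flagged, why = classify(obs)
        print(f"{name}: flagged={flagged} reasons={why}")
```

The point of combining weak indicators is the one sascha raises: a device that relays authentication and ciphering to the real network and only narrows the channel set will not show up as A5/0, so a detector that looks at the cipher mode alone learns nothing from it.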
