What does it take to listen in on a GSM phone signal?
August 24, 2007 7:10 AM   Subscribe

The GSM Security FAQ says the ciphers involved have been cracked. Allegedly interceptor devices are commercially available. Also allegedly available only to governments.
posted by grouse at 7:21 AM on August 24, 2007

I'm no communications expert, but from what I remember from my college communications course, it depends a lot on the technology the phone is using. The two primary encoding techniques for 2G cell phone networks are Time Division Multiple Access (TDMA) and Code Division Multiple Access (CDMA). GSM systems that are still 2G usually use TDMA, while everyone else uses CDMA.

Briefly, here's more or less how they work. TDMA is a pretty simple concept. If you've got 10 cell phones talking to a single cell phone tower, they split every second (in practice, they probably do it in much shorter bursts, but you get the idea) into ten bits. Each phone promises to only broadcast when it's its turn. You can think of it kind of like a conference call - only one person talks at once, while everyone else keeps their mute buttons on. This works because you can compress the contents of one second of audio into much less than a second of full bandwidth transmission time, so everyone stays live. Now, if you want to listen in, I think it's just a question of syncing up with the tower to watch the audio traffic in someone else's time slice. This isn't totally trivial, though. The towers are constantly reassigning time slices to deal with handoffs between cells, calls ending, calls starting, etc. That's really the hard part of TDMA, making sure phones don't broadcast over each other and that everyone's on the same page about when they're supposed to be talking. I don't know much about how that process works, but I imagine if you were confident messing around with phone firmware, it would be pretty easy to watch for other phones checking in with the tower and when the tower tells them when they're supposed to be communicating just have your phone listen at the same time.

CDMA is trickier. There isn't really a nice metaphor here, but I'll try to cobble something together. In CDMA, all phones are broadcasting all the time on the exact same frequencies. Each phone agrees with the tower to use what's more or less a different language. It's a little like if you're traveling in a foreign country and you don't speak the language, you can pick out someone speaking a language you know from far away and hear it over the gibberish of languages you don't understand. The way this works technically is that phones and towers trade special binary codes (eg 011101011101100010101, but much much longer). The phone multiplies the signal it wants to send by this code, so it's effectively only broadcasting when there are 1s in the code. Because of some fancy math, it turns out that as long as the codes are unique, it doesn't matter if lots of people are transmitting at once, because if you add all the cell phone signals together (and get a big jumbled mess) and then multiply by a particular special code, you'll get back the signal that was encoded with that code. Crazy, huh? This means that for eavesdropping, it's really hard to get at the content on the channel without the special code. You can tell people are transmitting, but it looks like random noise without the code. I think each phone has a unique code, and the phone just sends its ID to the tower, and the tower looks up the right code in some crazy database. If that's true, then without access to that database you're pretty much hosed. Even if you scan through possible codes looking for signals, the odds of you finding one for a phone currently transmitting near you is effectively zero. So if you're talking on a CDMA based phone, my impression is that it's a hell of a lot harder to intercept the contents. There might be weaknesses in the actual protocol that the towers and phones use, but provided they don't do something dumb like send the code over in the clear, CDMA is pretty secure.

I've just been talking about the ease of seeing what's on a given communication channel. I don't have any idea if cell phones further encrypt their contents. Certainly, military devices use strong encryption so just getting access doesn't guarantee you'll know what they're saying.

PS. There are other ways to do this, of course. The one with which you're most familiar is just dividing different phones up on different frequencies. This is how most communication technology works, like radios, walkie-talkies, 802.11 basestations, etc. I don't really know why they don't use that for phones, but the implications for eavesdropping are the same as TDMA, except it's even easier - everyone knows which frequencies are available, so it's really easy to just watch what's being sent on that channel. That technique is called (surprise) Frequency Division Multiple Access (FDMA).
posted by heresiarch at 7:41 AM on August 24, 2007 [2 favorites]

British journalists have been known to eavesdrop on conversations in the past, eg Princess Diana's; maybe the security measures have been beefed up since then.
posted by londongeezer at 7:41 AM on August 24, 2007

Israel cracked GSM in 1999, and since then intelligence agencies have been able to eavesdrop on GSM calls. Here's a 2003 story mentioning eavesdropping on Israeli reporters' calls.

Even without cracking the encryption, you can eavesdrop on cell phone calls (not limited to GSM) by tapping at the base station, switch, or end office (i.e. anywhere call traffic is routed in bulk). There was a story of the Greek cell phone system (GSM) being tapped in this way.

It should be obvious that any call can be intercepted or tapped. At some point calls have to be decrypted into their audio signals, because an encrypted cell call can be made to and received on a pure analog phone from the 1950's.

The phone system (POTS or cell) is not secure, nor was it ever designed to be.
posted by Pastabagel at 8:03 AM on August 24, 2007

Ah, for the older, analog days. It used to be that all you needed was snip a diode or two in certain handheld scanners to fully open up the cellular bands. Hours of entertainment.
posted by jquinby at 8:06 AM on August 24, 2007

It is possible and can be done relatively cheaply via several methods. GSM is quite easy. CDMA is an order of magnitude harder but still achievable.

All this being said, additional encryption is not impossible.

The costs to do this are less than you might expect and the equipment is not quite as specialized any more these days.
posted by arimathea at 8:21 AM on August 24, 2007

people above are talking about the "air" part of gsm - the transmission between phone and mast. but a telecom provider isn't going to tap messages there - they'll do it within the core network.

this case shows that it is possible. from that article: Modern GSM systems, such as Vodafone's, secure the wireless links with a sophisticated encryption mechanism. A call to another cellphone will be re-encrypted between the remote cellphone and its closest base station, but it is not protected while it transits the provider's core network. For this reason—and for the ease of monitoring calls from the comfort of their lair—the perpetrators of the Vodafone wiretaps attacked the core switches of the Vodafone network. Encrypting communications from the start of the chain to its end—as banks, for example, do—makes it very difficult to implement legal wiretaps.
posted by andrew cooke at 8:27 AM on August 24, 2007

See also here, here, and here.
posted by zabuni at 10:24 AM on August 24, 2007

Previously on Ask MeFi, it was pointed out that the signals on the air are reasonably well protected. It's possible, but a huge pain in the ass.

Anyone wanting to listen to cellphone calls will just pluck 'em out of the soft, squishy core of the network, where they've already been unwrapped from the encryption that protected them on the air.
posted by Myself at 7:54 PM on August 24, 2007

« Older I understand that it's, um, ha...   |   I liked doing fun runs and hal... Newer »