It's not clear to me why you would need to mount a man-in-the-middle attack if you can break A5/1 encryption. While the processing power and table storage could be hidden in the white boxes, both are not mentioned. I would say that the device does not break A5/1 cryptographically, but works like an IMSI catcher. It could be an IMSI catcher that does not disable authentication+encryption on the Um interface between target and catcher. So it does break A5/1. Maybe they disable frequency hopping in their rogue cell, so that they can get away without recording the whole band, and when the target mobile station gets the encrypted channel assignment from the legit BTS it is just ignored. Or the hopping sequences in the rogue cell are configured in such a way that no matter what sequence is assigned to the target MS, it stays inside the 4 channels of the fake BTS.

On Wed, May 12, 2010 at 07:31:59AM -0300, H2G-Labs Information Security wrote:
> GSM A5.1 Realtime Cell Phone Interceptor
> URL: http://www.youtube.com/watch?v=1eJ-WGpNQko
> Anybody got extra information about it?
> Regards...
>
> --
> H2G-Labs Information Security
> Igor Marcel - Information Security Consultant
> H2GLabs.Information.Security "at" Gmail.com
> _______________________________________________
> A51 mailing list
> [email protected]
> http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
