At Blackhat USA 2010, Karsten Nohl has been presenting on a practical real-world A5/1 cracking attack. For recent years, Karsten, myself and others have been speaking at various opportunities, indicating that a practical attack using readily-available information and tools from the Internet is very possible, and that it is only a matter of time for somebody actually does it.
While Karsten has focused on the actual cryptographic attack, I've been putting in some time in projects like airprobe (a GSM receiver/decoder).
Now finally, a team of friends at the new Security Research Labs (founded by Karsten) in Berlin has put the pieces of the puzzle together.
Airprobe has been extended to fully support decoding of TCH/F (FACCH, SACCH and traffic), as well as SDCCH/SACCH control channels, and to specify the timeslot and physical channel configuration from the command line. Using this, you can
- decode the AGCH, wait for an IMMEDIATE ASSIGNMENT of a SDCCH
- decode that very SDCCH and wait until encryption is turned on
- dump an encrypted burst where you have sufficient known plaintext
- use a different program to actually recover the A5/1 ciphering key
- feed that key into airprobe and decrypt+decode the ASSIGNMENT COMMAND of the TCH
- use airprobe to decrypt+decode that assigned TCH/F
The external program to recover the A5/1 ciphering key is called Kraken and is also available from the SRLabs website.
So what are the limitations? Well, so far this only works on non-hopping cells with a single ARFCN. The limitations are those of the receiver hardware (and SDR software), and not really limitations of the airprobe GSM decoder or the actual software tools.
In the past I would have assumed that non-hopping and/or single-ARFCN cells are rare, but in fact we can find them even inside a big city like Berlin, from at least two of the four German GSM operators. So that's why this attack is very practical, no matter what the GSMA might say.