Researcher Chris Paget pulled off a stunt at the Defcon security conference Saturday that required as much legal maneuvering as technical wizardry: eavesdropping on the cell phone calls of AT&T subscribers in front of thousands of admiring hackers.
With about $1,500 worth of hardware and open source software, Paget turned two on-stage antennas into a setup capable of spoofing the base stations that connect the GSM cell phone signals used by AT&T and T-Mobile. Paget set his hardware to impersonate an AT&T signal, and dozens of phones in the room connected to his fake base station. "As far as your cell phones are concerned, I'm now indistinguishable from AT&T," he told the crowd.
Paget invited anyone with an AT&T phone to make a call, and using his GSM hijacking trick, routed their calls through a voice-over-Internet system that connected their calls even while recording the audio to a USB stick--which he promptly destroyed with a pair of scissors to make sure he hadn't violated any privacy laws. The hack, after all, was intended to show the fundamental insecurity of GSM cell signals--not spy on callers. (more)
P.S. This works on G2 protocol systems, not G3.
The GSM Association responded in a statement that lists the limitations to Paget's method: the eavesdropper would have difficulties identifying or targeting any specific user, the interception only works within a certain range, in some cases, the call's encryption could prevent eavesdropping, and GSM phones are designed to alert users when encryption is removed by a base station. (Paget said in his talk that no device he's tested--including iPhone and Android phones--has had this option enabled.)
In summary, the GSM Association spokeswoman writes, "The overall advice for GSM calls and fixed line calls is the same. Neither has ever offered a guarantee of secure communications. The great majority of users will make calls with no reason to fear that anyone might be listening. However users with especially high security requirements should consider adding extra, end to end security features over the top of both their fixed line calls and their mobile calls."