Decoding GSM

Abstract

We have participated in the creation of almost two terabytes of tables aimed at cracking A5/1, the most common ciphering algorithm used in GSM. Given 114-bit of known plaintext, we are able to recover the session key with a hit rate of 19%. The tables are expected to be unique as they provide the best coverage yet known to the authors, and they are the first step in a real-world passive attack against GSM. An initial investigation and analysis into the air interface of GSM were performed, from both a theoretical and practical point of view. These examinations would be essential in order to utilize the generated tables in a practical attack.Additionally, a rogue GSM network was built and deployed without enabling ciphering and frequency hopping. This active attack was purely based on open-source software and hardware, implying that real GSM networks could be spoofed with resources available to the general public.