Can your calls be intercepted? This tool can tell

LAS VEGAS--A researcher released software at the Black Hat conference on Thursday designed to let people test whether their calls on mobile phones can be eavesdropped on.

The public availability of the software, dubbed Airprobe, means that anyone with the right hardware can snoop on other peoples' calls, unless the target telecommunications provider has deployed a patch that was standardized about two years ago by the GSMA, the trade association representing GSM (Global System for Mobile Communications) providers, including AT&T and T-Mobile in the United States.

Most telecommunications providers have not patched their systems, cryptography expert Karsten Nohl said.

"This talk will be a reminder to this industry to please implement these security measures because now customers can test whether they've patched the system," he told CNET in an interview shortly before his presentation. "Now you can listen in on a strangers' phone calls with very little effort."

An earlier incarnation of Airprobe was incomplete, so Nohl and others worked to make it usable, he said.

Airprobe offers the ability to record and decode GSM calls. When combined with a set of cryptographic tools called Kraken, which were released last week, "even encrypted calls and text messages can be decoded," he said.

To test phones for interception capability, you need: the Airprobe software and a computer; a programmable radio for the computer, which costs about $1,000; access to cryptographic rainbow tables that provide the codes for cracking GSM crypto (another Nohl project); and the Kraken tool for cracking the A5/1 crypto used in GSM, Nohl said.

More information about the tool and the privacy issues is on the Security Research Labs Web site. Nohl had demonstrated the capabilities of the technique in December and talked to CNET about its implications in January.