It's widely accepted that the cryptoscheme in GSM can be broken, but did you know that if you're within radio range of your target you can intercept all of their cellphone calls by bypassing the cryptoscheme entirely? This talk discusses the practical aspects of operating an "IMSI catcher", a fake GSM base station designed to trick the target handset into sending you its voice traffic. Band jamming, rolling LACs, Neighbour advertisements and a wide range of radio trickery will be covered, as well as all the RF gear you'll need to start listening in on your neighbours.
Chris Paget has over a decade of experience as an information security consultant and technical trainer for a wide range of financial, online, and software companies. Chris' work is increasingly hardware-focused, recently covering technologies such as GSM and RFID at venues such as Defcon and Shmoocon. With a wide range of experience encompassing software, networks, radio, cryptography and electronics, Chris enjoys looking at complex systems in unusual ways to find creative attacks and solutions.