Today Karsten Nohl presented the final blow to GSM security at the 27th Chaos Computer Club Congress, 27C3. Last year he already presented his ongoing work on constructing the rainbow tables that allow a modern PC to recover, within a minute, the session key used to encrypt the communication between a mobile and the base station.
As I discussed back then, this did not immediately imply a practical attack to eavesdrop on GSM calls in real time.
The problem is that GSM uses frequency hopping to reduce interference on the channel from the mobile to the base station, and the command to switch to a particular frequency is encrypted as well. To decrypt a conversation one would therefore have to record all traffic on all possible frequencies. Once the session key is recovered (after a minute or so), one can use it to extract the conversation from the right parts of the recorded frequencies. The equipment to eavesdrop on all frequencies in parallel is rather expensive.
However, Karsten has now further optimised the attack. First, the attack can now recover the session key in 20 seconds. But, more importantly, Karsten found that a session key is not refreshed with every communication (really, I am not making this up)! Instead it is reused for some time. This allows an attacker to first recover the current session key (using silent SMSes to a phone he wants to eavesdrop on). Any call made with this phone can then be eavesdropped on in real time using this session key. In fact, one can use a cheap phone with reprogrammable hardware to do this.
This was all shown live during the presentation at 27C3.
Note that session key reuse also makes SMS-based authentication less secure, at least for targeted attacks.