T 5.98 Interception of mobile telephone calls

The easiest way of listening in on a conversation conducted over a mobile phone is simply to listen from close by. It is no rare occurrence to hear a person divulging a lot of company-internal information by talking loudly on the telephone in a public place (see also T 3.45 Inadequate checking of the identity of communication partners).

But generally there are also very elaborate technical means available for intercepting telephone calls.

If, for example, an adversary can gain access to the technical facilities of the network provider (lines, switching exchanges, base stations), he will then be able to listen to any telephone conversation conducted over this equipment. This applies to connections both in the mobile communication network and in the landline network. However, deliberate tapping of conversations which are assigned to a particular call number is extremely effort-intensive, due to the huge flood of data.

If the calls are connected over line-connected paths from the base station to the mobile telephone exchange, a physical attack on the cable paths is necessary. If a base station is connected to the mobile telephone exchange over an unencrypted directional radio link, as is the case with some network providers, it is possible to intercept and tap these radio signals unnoticed using antennae and special receivers. The threat is all the greater if all phone calls for the connected base station are transmitted over these directional radio links.

Telephone conversations are also transmitted bundled over directional radio relay links in the landline network. As these transmissions are generally unencrypted, conversations transmitted by this route can also be tapped with a certain amount of technical effort.

In Germany, the transmission of radio signals between mobile phone and base station is encrypted in all GSM mobile communication networks. There are special interception devices around which exploit the weakness of one-sided authentication in the GSM network (the only authentication which occurs is the authentication of the mobile phone to the base station), by pretending to mobile phones to be a base station, disabling encryption and instituting plaintext operation. Depending on the statutory requirements, in some countries encryption of transmissions can be completely disabled. It may also be possible that other security parameters such as the frequency of key changes are weaker.

Other possible ways of disabling this encryption are tampering with the mobile phone or the technical facilities of the network provider.