GSM encryption can be cracked for $500

That was the shocking claim that popped into my inbox this morning. Spend $500 on a bit of radio hardware, plug it into your laptop and you too can play spooks and listen in to someone’s mobile phone call.

Now before you start panicking, let’s clear a few things up. This is a theoretical possibility – it doesn’t mean your calls are insecure. Yet. However, whereas before it’d take quite a large chunk of processing power and many, many days of solid number crunching, according to a presentation (PDF) at the recent Hacking at Random (HAR) conference there’s already a plan in place.

The author, Karsten Nohl, needs help though. He’s calling for assistance in computing the rainbow tables required to decrypt A5/1-ciphered data – all you need, apparently, is access to BitTorrent and a certain kind of Nvidia video card (one with a CUDA-enabled GPU). Karsten reckons that with 80 CUDA processors at his disposal he’ll have it cracked by Christmas.

Stan Schatt, Vice President and Practice Director, Healthcare and Security at ABI Research reckons GSM eavesdropping will be a real threat within the next 6-12 months. “Hackers have been quick to break into wireless LANs within the US, so there is no reason to think they won’t move to cell phones once they have the tools in place, particularly because so much valuable information is transmitted over cell phones.

“Potentially this news could have as profound an impact on the cell phone industry as the breaking of WEP encryption had on the wireless LAN industry. When people discovered that their wireless LANs were vulnerable, it slowed the sale of equipment until an industry group – the Wi-Fi Alliance – stepped in and came up with interim security standards. If people do nothing, we are likely to start to hear stories of sensitive information being compromised, acquisition information being leaked, personal financial security information being compromised, etc. We could see tales of blackmail and extortion on the rise.”

Meanwhile, over at risk management specialist Henderson Risk, spokesman Stuart Quick says he’s not surprised A5/1 is being cracked. “It remains a Holy Grail amongst the hacking community and is intriguing because of the associated conspiracy theories. It is believed that the cipher has had weaknesses engineered into it in order to make it easier for the security services to snoop on calls and that mobile communications providers are therefore misleading or incorrectly advertising their product’s level of security.”

So what can you do to make your mobile calls more secure? A while ago I wrote an article on this very subject, citing some useful tips from Simon Bransfield-Garth, CEO of British tech company Cellcrypt. No article about the security of mobile calls would be complete without a word from Simon: “Everybody has known for quite some time that a theoretical hack of GSM existed. This news means that the theoretical risk will become a very real one within the next six months. Governments have taken steps to manage the threat for years and now this is a very worrying prospect for anyone that discusses valuable or confidential information over their mobile phone.”

In research soon to be published by Cellcrypt, they found in a survey of corporate mobile users in the USA that 79% regularly discuss confidential issues over the phone every few days, with 64% making such calls daily.

So is this all doom and gloom? Will the Sun and sister paper The News of the World be going shopping for this kit to make it a hat-trick of sensational eavesdropping stories?* Only time will tell.

* Apart from News of the World and their recent stories apparently involving voicemail ‘hacking’, The Sun caused an uproar in the early ’90s by publishing transcripts of taped conversations between the late Diana Princess of Wales and ‘close friend’ (and apparent Lotus dealer) James Gilbey – under the rather amusing title of ‘Squidgygate’.

23 Responses to GSM encryption can be cracked for $500

  1. Alex Kerr August 25, 2009 at 1:24 pm #

    This is not quite as out of reach of the average hacker as one might think. Just about as much computing power as you want is available instantly on demand with Amazon's EC2 for example. Nothing really stopping someone firing up 5000 EC2 servers for a few hours (which would cost about £300 per hour) to solve the problem.

    On the flip side of the equation, it would be good to see an implementation of Phil Zimmermann's Zfone on mobile platforms (e.g. Symbian which is open enough and multitasks excellently) which I think would probably knock the whole problem on the head if one made calls via VoIP from their mobile.
    http://zfoneproject.com/

  2. Mike42 August 26, 2009 at 8:27 am #

    Gaaaa!

    You would only have one side of the call, for a start. Your call goes over 2 separate radio links at once – Tx and Rx. So you would need to scan, lock on to and decypher both to have something that made sense.

    So you would need equipment that could scan and capture *every single radio channel and timeslot* that a particular base station was using, at once. And given that another integral part of GSM is frequency hopping at a rate of many times per second, your $500 kit would need a receiver that could decypher the hopping scheme and trace your call as it hops from frequency to frequency.

    And as you move through cells that receiver would have a much harder job keeping track.

    And given that within a few years UMTS/LTE will be here in the existing 2G bands (giving much better coverage and capacity than GSM can) with a much harder standard of encryption and 6-way handoff, this is nothing I'm losing sleep over.

    It's taken the combined might of the world hacker community nigh on 15 YEARS to get close to cracking A5/1. Just as it begins to become irrelevant.

    But saying that the neighbour's 15-year old can listen in to your conversations etc is a good headline, is it not? Never mind that it's so far removed from reality you might as well be reporting on Kryptonite-infused Mars Bars.

  3. Ewan August 26, 2009 at 8:46 am #

    Does this mean you're not going to be panicking about the security of your calls then, Mike? 😉

  4. Rodolfo Rosini August 26, 2009 at 1:12 pm #

    Hi Mike,

    The simple hack of moving while on a call defeats all products out there and AFAIK there is no research project to develop that capability. So yeah, you're pretty safe to drive and speak on your cellphone (assuming someone else is doing the driving bit).

    There are however some inaccuracies that I would like to point out:

    – the “$500 kit” is a Universal Software Radio Peripheral which is an amazing piece of work that does what it says on the tin
    http://en.wikipedia.org/wiki/Universal_Software

    – GSM transmits and receives on different frequencies so you have to capture two streams. It is not rocket science.

    – the GSM frequency hopping is to reduce interference, not to increase security. Hopping is slow and you can simply record everything for a later analysis or simply decode in real time since the hopping pattern is broadcast as well. Military stuff can make '000s of hops/second, which really makes it hard to eavesdrop, but that is not the case when you are using $400 cellphones

    – as a back-of-the-envelope estimate, you could intercept all conversations from a base station at full capacity with around 10 USRPs

    – A5/3 (which is the new encryption algorithm) has already been shown to be vulnerable to theoretical attacks and might not have the shelf life A5/1 had for many other reasons.

    – A5/1 becoming irrelevant? Some parts of the world are still using A5/2 (which is even weaker) or no encryption at all

    – it took the research community 5 years to crack A5/1 in the lab. A5/1 was not public and was leaked in 1994. In 1999 Shamir (the “S” in RSA) showed it could be broken and the rainbow table attack was first described in the '80s. Any sane person would have put a roadmap to upgrade the entire infrastructure to something stronger and stopped the whole “it's just a theoretical attack” corporate line. You can play semantics and redefine what “cracking” really means but 1999 was the milestone in A5/1 cracking. What the CCC did was simply to implement that attack with few optimizations.

    If you were to look at an encryption product, what would be your professional opinion if it was going to pad ten 0s in an already short 64-bit key, thus effectively reducing its entropy to 54 bits? And what about its “new generation” replacement being a 128-bit algorithm but the key derived from a 64-bit key (which is then used for other less secure algorithms no less), making it vulnerable to a brute-force attack requiring only 2^64 steps?

    Nobody is suggesting the world will end because of this and yes there are solutions that do not involve the public acquiring the software Cellcrypt develops. However, pretending that the cellphone my grandmother can buy has voice security features that would satisfy a large corporate or a government is just not fair.

    You might point out that I have a vested interest in this so do not take my word for it. Bruce Schneier wrote more than 12 years ago a terrific insight on cellphone security that still stands today.

    “The phone industry did not develop phones with unbreakable security because they chose not to. It is possible, with today's technology, to implement digital cellular algorithms in cellular phones without affecting the phone's weight, power consumption, voice quality, or call setup. It takes more computer processing power to digitize the voice than it does to encrypt the digital voice.”

    I would love to see a quote from one of the top security experts currently not on the payroll of a telco, handset manufacturer or GSM provider that says that GSM encryption is awesome. I am not aware of any, in fact quite the opposite.

    -Rodolfo

  5. Mike42 August 26, 2009 at 5:03 pm #

    Hi Rodolfo

    I think the UMTS/LTE point I made is a fair one – we are talking about markets where people a) have $5,000 to blow on gear to capture then process this sort of traffic, and b) therefore the info must be worth the effort. Now that's hardly going to be the case in 90% of the world where folks make a dollar a day (i.e. the parts with 2G systems and no plans to upgrade them).

    I somehow doubt a Djibouti fish merchant is going to be eavesdropped on by a competitor.

    In the developed world it's getting increasingly hard to buy a 2G-only handset, and to find a town or city where you have 2G-only coverage. Yes, yes, 3G is ropey in many places, but only because (here anyway) it's stuck on 2100MHz. Plop it onto 850/900 and watch your coverage blues evaporate as the processing gain and 6-way handoff makes 3G @ 850/900 better than 2G was.

    CDMA at 850 goes a long, long, long way further than AMPS or TDMA (read: GSM) – like over the horizon with the right antenna. I've personally tested all 3 systems for Telecom NZ as part of a court case where the GSM competitor claimed that the TV adverts were misleading showing a fishing boat miles out to sea making a call.

    Anyway, yes, it may be do-able – I never said it wasn't. What I did say (or imply, or hint strongly at) was that this sort of scaremongering does no-one any good at all. Apart from tabloid papers on a very slow news day. Not that MIR is a tabloid you understand – it's purely professional interest round here.

    Many things in life are possible. The chances of you ever suffering personally as a result of a GSM hack, where someone bothered to track your call, decypher it, and then act upon the information therein to your detriment? If you buy that story I've got a nice bridge in the middle of London to sell you. One owner, freshly painted, answers to Tower.

    If someone wanted to f*ck with you, there are many, many other ways/means, much cheaper/quicker/nastier than trying to track your mobile calls.

    Sometimes the mobile geek community should get on with something actually useful instead of non-event stuff like this. I probably shouldn't care, but I don't like science/technology being twisted in this way to imply there is a threat to folks when any edjit can tell there isn't. Well, no moreso than being hit by a 3,000lb Tuna fish.

    Oh, and WEP? Cracked years ago. So why does BT and just about every other ISP sell routers with WEP as the default encryption? Because it's Good Enough. I've never met or even heard of someone “Having their WiFi hacked”. No doubt some have had, but out of how many hundreds of millions of WiFi users?

    Perspective: the enemy of the conspiracy theorist (or mobile security evangalista)

    Cheers

    Mike

  6. Ewan August 26, 2009 at 5:55 pm #

    For Rodolfo and Mike: If you're a drug dealing kingpin (a la Akon or Marlow from the TV series The Wire), should you be using the likes of Cellcrypt to keep the cops who've got a wiretap on your mobile from hearing what you're saying?

  7. Mike42 August 27, 2009 at 3:29 am #

    No. Because you'd have to assume that CellCrypt also had a deal with the LEA's to allow tapping. But they'd never tell us that, of course, because it undermines their business, if they want to sell to drug kingpins. I'm assuming they don't want criminals as customers. No, just large banks.

    er…hang on a sec…

    If you were a crim, you'd talk in code, assume everything was being overheard, use prepay or stolen phones, change numbers constantly and run business old-school.

    To assume that modern drug dealers or criminals in general *need* mobiles is just silly. What – like there weren't drugs around pre-mobile?

  8. Ewan August 27, 2009 at 4:19 am #

    Fair points. Ah you're clearly not a fan of The Wire, Mike… (I've been watching the various series back to back).

  9. Mike42 August 27, 2009 at 4:53 am #

    I can neither confirm nor deny that I'm a fan (or would be), having never watched an episode. I did see the Youtube clip with the 2 detectives using no language apart from a particular expletive, and that was memorable.

  10. Ewan August 27, 2009 at 4:54 am #

    Definitely get hold of it at some point and watch, Mike
