Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security IT

GSM Decryption Published 299

Hugh Pickens writes "The NY Times reports that German encryption expert Karsten Nohl says that he has deciphered and published the 21-year-old GSM algorithm, the secret code used to encrypt most of the world's digital mobile phone calls, in what he called an attempt to expose weaknesses in the security system used by about 3.5 billion of the 4.3 billion wireless connections across the globe. Others have cracked the A5/1 encryption technology used in GSM before, but their results have remained secret. 'This shows that existing GSM security is inadequate,' Nohl told about 600 people attending the Chaos Communication Congress. 'We are trying to push operators to adopt better security measures for mobile phone calls.' The GSM Association, the industry group based in London that devised the algorithm and represents wireless operators, called Mr. Nohl's efforts illegal and said they overstated the security threat to wireless calls. 'This is theoretically possible but practically unlikely,' says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption. 'What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.' Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts could put sophisticated mobile interception technology — limited to governments and intelligence agencies — within the reach of any reasonable well-funded criminal organization. 'This will reduce the time to break a GSM call from weeks to hours,' Bransfield-Garth says. 'We expect as this further develops it will be reduced to minutes.'"
This discussion has been archived. No new comments can be posted.

GSM Decryption Published

Comments Filter:
  • by Tackhead ( 54550 ) on Monday December 28, 2009 @09:00PM (#30578212)
    Pna lbh urne zr abj?

    Jul lrf, V pna!
    - AFN

  • A Haiku (Score:3, Funny)

    by Anonymous Coward on Monday December 28, 2009 @09:02PM (#30578228)

    G S M secure
    All your financial passwords
    Are belong to us

  • Ha Ha (Score:4, Insightful)

    by stox ( 131684 ) on Monday December 28, 2009 @09:05PM (#30578238) Homepage

    What the operators really want is something secure enough so you can't practically listen to a politician's conversations, but open enough so the state can listen to any citizen's conversation. All in the same of National Security. We will only be secure when the reverse is true.

    • Re: (Score:2, Informative)

      by Anonymous Coward
      I would imagine they also want something that doesn't take a lot of processing power so that they don't have to upgrade the hardware at their towers. I'd imagine the phone manufacturers don't want to dedicate too much silicon / battery power to stronger encryption either.
      • Re: (Score:3, Informative)

        by TheLink ( 130905 )

        GSM encryption is quite a mess apparently: http://wiki.twit.tv/wiki/Security_Now_213 [wiki.twit.tv]

        As for the OPs talk about "open enough so the state can listen to any citizen's conversation", the government can already listen in - they don't need to crack stuff since GSM stuff is already decrypted at the towers.

        AFAIK, GSM encryption is only used between the phone and the tower. After that the conversations or messages travel unencrypted through the rest of the network.

    • Re:Ha Ha (Score:4, Insightful)

      by mysidia ( 191772 ) on Monday December 28, 2009 @09:30PM (#30578452)

      No... that's not an issue the operators need be concerned with. The government can listen in regardless, through FISA, CALEA, Patriot Act, Lawful Interception technologies on the carrier's networks.

      I wish I could elaborate further on the matter, but that's a dangerous proposition.

      One reason to stick with simpler encryption technology, is it's a cheaper, commodity part. New algorithms take time to develop: R and D costs, mean more expensive products, not to mention the requirement to replace expensive network infrastructure in order to adopt new standards.

      • Re:Ha Ha (Score:5, Insightful)

        by zippthorne ( 748122 ) on Monday December 28, 2009 @10:51PM (#30578916) Journal

        Fortunately, AES is more than capable enough to protect everyone's calls, and current gen phone microcontrollers are more than capable of handling it. And there are other ciphers as well that are as yet unbroken. All they need to do is add or replace an encryption layer with one of 'em.

        Sure, it's not trivial, and neither is the key distribution problem, but it's not impossible. It's not even impractical. It's just more expensive than doing nothing at all. When you factor in the billable hours for the lawyer to demonize people, i'm not even sure you come out ahead by not putting in proper encryption.

    • Re:Ha Ha (Score:5, Informative)

      by QuoteMstr ( 55051 ) <dan.colascione@gmail.com> on Monday December 28, 2009 @10:07PM (#30578700)

      As another poster mentioned, the government can already get a wiretap easily enough without having to break the cipher.

      I am sick and tired of conspiracy theories. Remember the sage advice to never attribute to malice what can be adequately explained by incompetence.

    • Re: (Score:3, Funny)

      by trawg ( 308495 )

      A politician's conversations, when they are being done in his role as a representative of the public, should be a matter of public record anyway, surely?

      • by ceoyoyo ( 59147 )

        Nobody cares about the boring stuff he says officially. The juicy stuff is in the text messages he sends to his mistress.

      • Re: (Score:3, Funny)

        by cerberusss ( 660701 )

        A politician's conversations, when they are being done in his role as a representative of the public, should be a matter of public record anyway, surely?

        This would be an excellent idea.Politicians' phones would be set to broadcast, for all to receive. And at certain hours of the day, their mobile phones will limit themselves and use a private channel for communications. We could dub these hours Warranted Hours Of Risk-free Egress, W.H.O.R.E. for short.

  • "To do this while supposedly concerned about privacy..."

    Duh. Paint me yellow and let me run down the street. OF COURSE he is concerned about privacy because we all know how organizations always act fast and in the interests of their customers with absolutely no outside stimulus! Absolutely shocking, he should be hanged. (Choose whoever you think I'm referring to with "he")
  • by chaboud ( 231590 ) on Monday December 28, 2009 @09:08PM (#30578258) Homepage Journal

    We allow people to fear-monger by saying that this can allow criminals to decrypt calls more easily, but, if a couple of dozen hackers at a conference can piece this together through brute-force-ish tactics, are we sure that others haven't already? That's the point that they've made, a point entirely lost in the article.

    This does *next-to-nothing* to make the system less secure. It was insecure to begin with. Regulations rendering the dissemination of code-breaking and system-compromising codes and techniques illegal aren't there to protect our data security. They're there to allow companies to use inadequate security measures without public shame.

    Of course, this is Slashdot. Anyone who doesn't already know that security through obscurity is ridiculous is an idiot (or a troll). Anyone who relates cryptographic security to fake-rock-key-hiding and calls that rock obscurity (inevitable in a story like this) is just a troll.

    • by Anonymous Coward on Monday December 28, 2009 @09:23PM (#30578402)

      I have never understood why systems like GSM, Wifi, or whatever didn't or don't use well known crypto algorithms (and already implemented in hardware even). Very smart people have already done the hard work and it has been time tested and proven secure. DES (and by extension 3DES) encryption has been available for a long time, long before GSM "encryption" was invented. Why didn't they just use that? New systems should be using AES or equivalent modern and proven algorithms.

      What the hell is wrong with the morons that designed these standards? Cryptography is one of the hardest mathematical fields out there, attempting a home-grown solution is absurd and wasteful.

      It seems like the Wifi groups finally got the hint when they introduced AES to the WPA standard. Why it took them so long baffles me. As I mentioned, we have had good hardware implementation that can do secure crypto work for ages and ages. I mean most of the algorithms like DES and AES are designed to be implemented in hardware.

      • by mrphoton ( 1349555 ) on Monday December 28, 2009 @10:28PM (#30578804)
        Some thoughts, the most terrifying phrase in the abstract was "'What he is doing would be illegal in Britain and the United States". I find these laws are very unscientific, they are effectively trying to hide _the_ truth. Which in this case is that the GSM encryption algorithm is shoddy. Secondly as a brit I find it very worrying when people justify draconian laws by saying other people do it. On to more technical things, the above post mentioned DES and AES, as I remember did EFF not build a 250k$ DES cracking machine some time back. I thought triple DES had now superseded DES. As for AES, according to wikipedia weaknesses have been found quite recently in AES. http://en.wikipedia.org/wiki/Advanced_Encryption_Standard [wikipedia.org]. I don't understand how compromising these attacks are though (presumably very).
      • by Nimey ( 114278 ) on Monday December 28, 2009 @10:49PM (#30578906) Homepage Journal

        At a guess, they didn't use DES back when because DES is computationally intensive, i.e. slow. This is especially important when you've got a small-for-the-day device that runs on batteries and must provide something approaching real-time performance.

        • by dkf ( 304284 ) <donal.k.fellows@manchester.ac.uk> on Tuesday December 29, 2009 @03:04AM (#30580054) Homepage

          At a guess, they didn't use DES back when because DES is computationally intensive, i.e. slow. This is especially important when you've got a small-for-the-day device that runs on batteries and must provide something approaching real-time performance.

          It's more likely that the issue was that the US Government of the day (remember, we are talking mid 80s) would have thrown a total wobbly at the use of DES in technology being installed the world over. Crypto is an area where the effective regulatory landscape has changed rather a lot over the past 25 years.

      • by dachshund ( 300733 ) on Monday December 28, 2009 @11:02PM (#30578970)

        I have never understood why systems like GSM, Wifi, or whatever didn't or don't use well known crypto algorithms
        A combination of factors:

        1. GSM is very old (for a digital standard). The more robust cryptographic algorithms known at the time were enormously expensive on the limited hardware available (this is back in the 80s or so).

        2. GSM was created by a consortium of manufacturers and national governments. Germany in particular was very concerned about calls being eavedropped by the eastern block; countries like France wanted the ability to (more) easily monitor calls. The France block won the negotiation.

        3. Cryptographic techniques have been evolving, even over the past decades. Cracking hardware has gotten faster (distributed computing, FPGAs) and researchers have developed a lot of expertise at breaking symmetric ciphers. Key sizes that seemed appropriate really aren't anymore.

        4. Carriers don't really give a crap about theoretical weaknesses. Unless you can buy a call decryptor on Amazon it doesn't count to them. And even then it's probably still not worth the money to upgrade.

        Wifi does use well known cryptographic algorithms, at least if you use WPA-AES, not WEP or the TKIP hack, both of which were designed to enable secure communications on very weak chipsets.

      • by plover ( 150551 ) * on Monday December 28, 2009 @11:30PM (#30579130) Homepage Journal

        I have never understood why systems like GSM, Wifi, or whatever didn't or don't use well known crypto algorithms (and already implemented in hardware even).

        Because 22 years ago when it was developed, the processing power and electrical power requirements required for DES to keep pace with a voice stream with automatic error recovery and no more than about 100 milliseconds of delay would likely have been prohibitively expensive for a device intended for the mass market. In addition, the U.S. government's ITAR/EAR restrictions would have made it almost impossible to import or export such devices into or out of the country, and ignoring the U.S. cell phone market could have meant financial ruin for the cell phone makers.

        A5/1 probably got laughed at by the NSA wonks, who said, "Sure, let them import it."

        And for those who would point out it's a European standard that doesn't care about American laws, the French have placed far more restrictions on encryption than the U.S. government ever has. Strong encryption would have cut both of those markets out.

      • Bad choice of algorithm isn't normally the cause of a break in a crypto system. Its normally caused by the bad implementation of an algorythm, or handling the keys badly.

        Did you know WEP uses RC4? RC4 *can* be fairly secure, SSL still uses it.

        Unfortunately RC4 has known weaknesses, and the WEP spec wasn't written to avoid these weaknesses.

    • by orlanz ( 882574 )

      ... sophisticated mobile interception technology — limited to governments and intelligence agencies — within the reach of any reasonable well-funded criminal organization.

      I hate it when I hear this crap from the "good guys"! Why do so many people assume the bad guys are always dumber than them, and have the same moral & legal limits? This is rarely true no matter how many PR guys you send out and how many laws you make. Seriously, this isn't rocket science. Stop thinking it is and patting yourself on your back for figuring it out while assuming that no one else will.

    • Why it's unsolvable (Score:5, Interesting)

      by jonaskoelker ( 922170 ) <jonaskoelker@yahoSTRAWo.com minus berry> on Monday December 28, 2009 @09:33PM (#30578480)

      They're there to allow companies to use inadequate security measures without public shame.

      And the politics is really the problem.

      Let's classify the world into four types of people: politicians, security experts, telecommunications lobbyists and the regular citizens.

      The politicians want to stay in office. The security experts want good security. The telecommunications lobbyists want cheap security. The regular citizens don't know there's a security concern (except from what they hear from Hollywood).

      The politicians can stay in office if they can afford a good campaign. The telecommunication lobbyists want to make a deal. The security experts are few, unconnected and don't have much money in comparison. The uneducated masses aren't going to change their voting based on GSM security even if they knew about it and understood the issues.

      And so you will have the politicians portraying the security experts as evil people (which the media will dutifully transmit to the public), all while the telecommunications people get to use cheap and poor security.

      (replace telecommunications with banking if you want to get really bummed out...)

      Or am I wrong? Please, someone tell me I'm wrong.

      • by dgatwood ( 11270 ) on Monday December 28, 2009 @10:11PM (#30578720) Homepage Journal

        Or am I wrong? Please, someone tell me I'm wrong.

        You're wrong. Well, you're right up to a point, but you forgot one thing. Those security people are pissed because this has been buried by those dirty politicians and telecom lobbyists. They have an axe to grind, and now several thousand of them just got the keys to GSM.

        Crooked politicians should be scared out of their minds by this. I'd give it six months before we start to see tapped GSM phone calls showing up on YouTube, resulting in high-profile congress critters resigning in disgrace. Six months max. Maybe much sooner.

  • Guess what, kids!
    A 128-bit code has twice as many ones and zeroes as a 64-bit code. Wow!

    • by jc42 ( 318812 )

      A 128-bit code has twice as many ones and zeroes as a 64-bit code. Wow!

      Well, maybe eventually. But at first, they have the same number of ones; the 128-bit code just has 64 more zeroes.

      And apparently, if you're a cell-phone carrier, it stays that way for years, until some "evil hacker" tells the world what you've been doing.

  • by selven ( 1556643 ) on Monday December 28, 2009 @09:16PM (#30578362)

    worked independently to generate the necessary volume of random combinations until they reproduced the G.S.M. algorithm’s code book — a vast log of binary codes that could theoretically be used to decipher G.S.M. phone calls.

    Wait, so just having the encoding algorithm is enough to decipher a message? That's kindergarten cryptography, not something designed for the real world.

    The group said that hackers intent on illegal eavesdropping would need a radio receiver system and signal processing software to process raw radio data, much of which is copyrighted.

    Yes, that's right. Their main weapon in defending your privacy against crackers who don't care about the law at all is copyright.

    operators, by simply modifying the existing algorithm, could thwart any unintended surveillance.

    If that's not security through obscurity, I don't know what is.

    • by ScrewMaster ( 602015 ) * on Monday December 28, 2009 @09:26PM (#30578416)

      If that's not security through obscurity, I don't know what is.

      Technically, it's insecurity through stupidity.

      • by selven ( 1556643 )

        A false sense of security is worse than no security at all. So yes, it is insecurity and it is stupid.

    • There has to be more to it than that. If the "encryption" literally uses a substitution cypher or something that depends on a "codebook" then that codebook would have to be stored on every device and would be fairly trivial to discover and copy (not to mention any reasonable codebook would have crushed the available memory in any mobile devices back when GSM was invented). There would also be nothing theoretical about decrypting messages.

      I think the article author is using the term figuratively.

    • by Eil ( 82413 )

      The group said that hackers intent on illegal eavesdropping would need a radio receiver system and signal processing software to process raw radio data, much of which is copyrighted.

      Yes, that's right. Their main weapon in defending your privacy against crackers who don't care about the law at all is copyright.

      Yep, it's copyrighted alright. By the Free Software Foundation [gnuradio.org].

  • GSM Association (Score:5, Insightful)

    by Pooch Bushey ( 895121 ) on Monday December 28, 2009 @09:23PM (#30578406)

    "To do this while supposedly being concerned about privacy is beyond me"

    can someone point me to the article where the GSM Association was outraged when it learned of the illegal wiretapping program which the carriers happily participated in as agents of the u.s. government? i'm sure they protested that, right? riiight?

  • Spin city. (Score:5, Insightful)

    by ScrewMaster ( 602015 ) * on Monday December 28, 2009 @09:24PM (#30578408)

    called Mr. Nohl's efforts illegal

    So? What has that to do with whether or not he actually did what he says he did? It's not even worth mentioning. A good encryption system should not depend upon the presumed illegality of breaking it.

    says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption.

    That you know of, lady. If this guy really has cracked it, odds are someone else has sometime in the past two decades, but wasn't kind enough to so inform you.

    • by schon ( 31600 )

      Mr. Nohl's efforts illegal

      So? What has that to do with whether or not he actually did what he says he did? It's not even worth mentioning. A good encryption system should not depend upon the presumed illegality of breaking it.

      Oh, Tosh!

      Don't you know that a criminal would never think of breaking the law!

  • by AdamInParadise ( 257888 ) on Monday December 28, 2009 @09:26PM (#30578422) Homepage

    The weaknesses of this algorithm are well-known and a new version that fixes those issues has been available for a long time. Now, does anyone knows whether this new version has been deployed everywhere? Who is still relying on the older version?

    BTW, the algorithm used by 3G networks is different. It is based on AES and the design is publically available.

    • by QuoteMstr ( 55051 ) <dan.colascione@gmail.com> on Monday December 28, 2009 @09:42PM (#30578558)

      BTW, the algorithm used by 3G networks is different. It is based on AES and the design is publically available.

      No it's not. The cipher used for 3G service is KASUMI [wikipedia.org], which is already vulnerable to a better-than-brute-force attack. (Even if it weren't, a 64-bit block is too small.)

      When will people learn? Never roll your own damn cryptography. No matter how clever or paranoid you are, you're not clever and paranoid enough. Just use AES.

      • No matter how clever or paranoid you are, you're not clever and paranoid enough. Just use AES.

        This sort of statement is equally dangerous by leading people to believe that just because they are using a strong cipher they are secure. Basically, unless a cryptography expert is designing your entire system, you're going to fuck SOMETHING up. There is no magic bullet.

        • Re: (Score:3, Insightful)

          This sort of statement is equally dangerous by leading people to believe that just because they are using a strong cipher they are secure. Basically, unless a cryptography expert is designing your entire system, you're going to fuck SOMETHING up. There is no magic bullet.

          That something is almost always key management.

          (Encryption is simple compared to the complexities involved in keeping key management secure.)
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        No it's not. The cipher used for 3G service is KASUMI [wikipedia.org], which is already vulnerable to a better-than-brute-force attack. (Even if it weren't, a 64-bit block is too small.)

        KASUMI has a 128-bit key. The weakness is in the design of the algorithm, just like weaknesses have been found in 256-bit AES.

        The "64-bit blocks" part of KASUMI is that it works eight bytes of data at a time. It has nothing to do with the strength of the algorithm, but how much data it bites off to chew on at any one time.

        • by zn0k ( 1082797 ) on Tuesday December 29, 2009 @12:08AM (#30579354)

          KASUMI has a 128-bit key. The weakness is in the design of the algorithm, just like weaknesses have been found in 256-bit AES.

          The "64-bit blocks" part of KASUMI is that it works eight bytes of data at a time. It has nothing to do with the strength of the algorithm, but how much data it bites off to chew on at any one time.

          In addition, they "didn't roll their own" and shouldn't have "just used AES". KASUMI was designed by the Security Algorithms Group of Experts, part of the European counterpart to NIST.

      • Re: (Score:3, Insightful)

        by hughk ( 248126 )
        There is an interesting issue that emerged when DES was the standard. With everyone adopting DES it became a 'target' meaning that more people would devote time to attacking it. The eventual attacks using differential cryptanalysis used specialised hardware for breaking DES. Although based on programmable gate arrays, the design was fairly specific and could not so quickly be converted into attacking a different cryptographic system. However, I would agree that unless you have a bunch of experts working for
        • Re: (Score:3, Interesting)

          Did you read the EFF published paper on DES? That's not "differential cryptanalysis". It was simple brute force with dedicated hardware. And the issue wasn't the algorithm, it was the key length, which lent itself to brute force attack in a surprisingly reasonable amount of time.

          I agree that key management remains an issue. Subversion is the worst popular example, with its habit of storing your passwords in your home directory in plain text, with no expiration and no utility for flushing them.

  • by jonaskoelker ( 922170 ) <jonaskoelker@yahoSTRAWo.com minus berry> on Monday December 28, 2009 @09:27PM (#30578428)

    'This is theoretically possible but practically unlikely,' says Claire Cranton, a GSM spokeswoman, [...] 'To do this while supposedly being concerned about privacy is beyond me.'

    What? Come again?

    If Ms. Cranton doesn't even know the argument for full disclosure, why is she the person speaking on behalf of the GSM Association?

    Now, we can discuss among ourselves when full disclosure is better than limited disclosure and vice versa, but at least we understand both positions. She doesn't?

    Also, if the attack is practically unlikely, why the big concern about privacy? Didn't Ms. Cranton just say this wasn't a big problem, yet at the same time shame Nohl for causing a big problem?

    Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts combined with inadequate security designed into the damn thing could put sophisticated mobile interception technology [in the hands of outlaws].

    Fixed that for Mr. Bransfield-Garth. The system isn't weak because of Nohl's deeds or misdeeds. It's weak because it's poorly designed. I have seen telecoms security protocols. Only banks have protocols worse than these :(

    • Re: (Score:3, Insightful)

      by plover ( 150551 ) *

      If Ms. Cranton doesn't even know the argument for full disclosure, why is she the person speaking on behalf of the GSM Association?

      Because she is a mouthpiece paid to denigrate anyone who tarnishes their stellar corporate reputations. It's her job to paint him as a criminal, diverting your attention away from their failed product.

      Literally, her words had no deeper meaning than "Pay no attention to the man behind the curtain!!" But that might be enough to rally some friendly corporate support for trying to pull the curtain shut again.

      • by Unoti ( 731964 )

        It's her job to paint him as a criminal, diverting your attention away from their failed product.

        It's too bad she can't do her publicity job without lying. It'd be great if she could instead say something along the lines of, "Obviously, we'd have preferred that this not be published. We do need to increase the security level on this aging protocol, and we have new technology in development that will be ready for adoption soon. In practice, the actual risk compromising the security is not that great, but

  • GSM Talk Video (Score:5, Informative)

    by marcansoft ( 727665 ) <hector@m[ ]ansoft.com ['arc' in gap]> on Monday December 28, 2009 @09:32PM (#30578470) Homepage

    The NY Times article is missing quite a lot detail. Slashdot users might appreciate the raw video from the talk (torrent): part 1 [dvrdns.org], 2 [dvrdns.org], 3 [dvrdns.org].

  • iirc, when this have come up before, its been pointed out that only a really old, in gsm terms, phone, would still be using said encryption. And that more recent phones are able to use more modern encryptions, if the network allows it...

  • "If you something that you don't want anyone to know, maybe you shouldn't be it in the first place"
    - ~anonymous
  • Surely not the people who loudly yak away on their cellphones in public where everyone can hear.

  • The GSM Association, the industry group based in London that devised the algorithm and represents wireless operators, called Mr. Nohl's efforts illegal and said they overstated the security threat to wireless calls. 'This is theoretically possible but practically unlikely,' says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption. 'What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.'

    Oh, so now it's illegal to divulge impractical attacks that do not threaten privacy?

    So it has come to this... At last I'm a positive badass for my GSM attack where you build a Turing-complete duck-based processor (using tasty duck treats to encourage the ducks to behave like little waddling transistors) and then use that to attack the crypto through brute-quacking-force! Ahhh HA HA HA!

    You'll never catch me, coppers!

  • kinda not news (Score:5, Interesting)

    by Eil ( 82413 ) on Tuesday December 29, 2009 @02:21AM (#30579862) Homepage Journal

    (Note: I have RTFA, but I'm quoting mainly from the summary here.)

    Others have cracked the A5/1 encryption technology used in GSM before, but their results have remained secret.

    Feh. Steve Gibson explained the flaws in GSM in very precise, technical detail in his podcast with Leo LaPorte back in September. See episode 213 of Security Now [grc.com], "Cracking GSM Cellphones". He explained how the algorithm was implemented in hardware, right down to the hardware level.

    The GSM Association, the industry group based in London that devised the algorithm and represents wireless operators, called Mr. Nohl's efforts illegal

    Oh yes, they'd like us to believe that reverse engineering encryption is illegal. It is not. Eavesdropping on cell phone calls is illegal only because cell phone carriers have always used technology decades behind the state of the art. It's a crappy regulatory patch to a massive technical loophole. It's akin to a law forbidding wifi cards from supporting "monitor mode" because you can use it to eavesdrop on unencrypted wifi traffic. Karsten Nohl is not recommending that anyone eavesdrop on other people's phone calls. He's trying to show the public that their conversations are as good as "in the clear" and gosh darn it, the billion-dollar wireless industry just doesn't like that a bit.

    Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts could put sophisticated mobile interception technology -- limited to governments and intelligence agencies -- within the reach of any reasonable well-funded criminal organization.

    Nope, even better: it puts GSM decryption technology within the reach of anyone with a 2TB hard disk, $1000 of radio equipment, and the time to figure out some software. And, as I pointed out already, this has been known for some time. Until recently, the weaknesses of GSM has been the skeleton in the closet of the wireless industry. It should have seen the light of day years ago.

    This is not an easy problem for them to solve, either. A5/3 is much better encryption, but as I understand it, almost every handset in existence can be forced to fall back to A5/1 (or even A5/0, no encryption) relatively easily.

    • by Eil ( 82413 )

      He explained how the algorithm was implemented in hardware, right down to the hardware level.

      Ugh, sleep deprivation fail. I meant "right down to the register level."

    • Re:kinda not news (Score:4, Interesting)

      by snaz555 ( 903274 ) on Tuesday December 29, 2009 @07:19AM (#30580996)

      Oh yes, they'd like us to believe that reverse engineering encryption is illegal. It is not.

      Right you are. However, what is illegal is publically stating someone has committed illegal acts. Nohl should sue for slander.

  • Comparison with CDMA (Score:3, Interesting)

    by Mr2001 ( 90979 ) on Tuesday December 29, 2009 @08:29AM (#30581322) Homepage Journal

    CDMA uses the CMEA [schneier.com] and ORYX [schneier.com] algorithms, which are pretty weak as well, as shown in the linked papers. However, CDMA has somewhat of an advantage, because it's difficult to obtain the encrypted data stream in the first place: the nature of CDMA transmission means you can't pull a signal out of the noise unless you know the codes being used by the base station and handset.

    • Re: (Score:3, Interesting)

      by gregarican ( 694358 )

      Speaking from experience I know that any/all of these older tranmission algorithms are crackable. I was an IT Call Center Manager at a cellular startup company back in 1996. Within the first year after our company launched we had customers is South Florida with their cell phones cloned. We were CDMA-based. And this technology stemmed from the USAF back in the 1970's IIRC.

      Figure that GSM has likely been cracked many years ago too. The more sophisticated the hardware that can gain brute-force leverage any of

  • by MobyDisk ( 75490 ) on Tuesday December 29, 2009 @09:56AM (#30581990) Homepage

    If anyone wants actual security on a phone, the phones should encrypt end-to-end so that the carrier doesn't know the phone call. The difficulty here is getting a certificate system in place. But there are several viable solutions to that.

  • by chord.wav ( 599850 ) on Tuesday December 29, 2009 @11:14AM (#30582812) Journal

    Nohl's efforts could put sophisticated mobile interception technology -- limited to governments and intelligence agencies -- within the reach of any OTHER reasonable well-funded criminal organization.

    Fixed

He who has but four and spends five has no need for a wallet.

Working...