GSM cell phone encryption crack may force operators to upgrade

Karsten Nohl, a widely known encryption expert, has cracked the GSM encryption algorithm and claims software is available for hackers to eavesdrop on calls.

Encrypted data on GSM-supported cell phones may not be as secure as previously thought after a widely known encryption expert presented research showing how hackers can poke holes in the algorithm to eavesdrop on calls. 

SearchSecurity.com:

To get security news and tips delivered to your inbox, click here to  sign up for our free newsletter.

Karsten Nohl, chief research scientist at Sunnyvale, Calif.-based H4RDW4RE LLC, who asked hackers last summer to focus on cracking the widely used GSM encryption algorithm, presented research this week showing how an earnest hacker can find tools on hacking forums to intercept calls protected by the GSM A5/1 algorithm, a 64-bit binary code.

In an interview with SearchSecurity.com, Nohl said a newer A5/3 encryption algorithm exists, but operators have been slow to deploy it.

"Were urging operators to think of security as something that should be a moving part rather than something that's created and used for 20 years," Nohl said. "With research picking up, A5/3 will be broken at some point too." 

Cell phone network cracks:

MMS messaging spoof hack could have global ramifications: Researchers have figured out a way to spoof sender numbers, bypass carrier protections and trick mobile devices to pull content from an attacker's server.

Karsten Nohl at Black Hat 2008:

Security Wire Weekly - Wireless insecurities In this special edition of Security Wire Weekly, Karsten Nohl, the security researcher who was part of a team that broke the crypto algorithm in the Mifare Classic RFID-based smart card, talks about his upcoming briefing at the Black Hat briefing in Las Vegas. Nohl talks about how RFID use could improve security in smart cards. 

The older A5/1 encryption algorithm is used in 80% of cell phones worldwide. It was first introduced in 1987 and Nohl points out that it became publicly available in 1994. A technique cracking the algorithm has been widely used in government intelligence gathering and law enforcement investigations, but until now, technology hasn't been available to make it practical for hackers to crack it. The GSM hacking technique has been too expensive and too complicated to pull off.

Nohl's GSM research presented this week at the Chaos Communications Congress in Berlin, shows that the technology has finally caught up to make it easier for hackers. Nohl said he is being pressured by the GSM Association (GSMA), an organization of licensed GSM mobile network operators, to cancel or scale back a demonstration planned Wednesday at the conference. A GSMA spokesperson did not return a request for comment.

It takes a mixture of hardware and computational software to pull off an attack, he said.

"The equipment used is getting cheaper and cheaper," Nohl said. "This will not be a vulnerability as widespread as Internet spam; it will always stay a targeted attack."

Nohl urged security professionals at enterprises to be aware of the potential threat and use additional security mechanisms to protect sensitive calls. For now, breaking the algorithm means a hacker can intercept text messages, conversations and data only on rare occasions. Data on GSM networks is routed through faster networks, which protects the information, but banking applications designed to work on GSM enabled phones may also be under an increased risk.

"They should treat the Internet as an untrusted network and [should] take precautions by adding their own encryption on top of it," Nohl said of enterprises concerned about secure communications. 

In the United States, GSM operators include AT&T Corp. and T-Mobile. Other operators, including Verizon Communication Inc. and Sprint operate using a different standard -- Code division multiple access (CDMA) -- that is not affected by the hacking method.

In his presentation, Nohl describes both an active technique, in which cell phone calls are routed through a base station and a more challenging passive technique that involves more heavy computation. While it takes a savvy hacker to make the attack work, all of the parts making up the radio receiver system and signal processing software are open source and can be found on file swapping services and hacking websites, he said.

Nohl said he found an India-based equipment manufacturer advertising GSM cracking machines for as little as $200,000. Using the same techniques a hacker can build a machine from scratch much cheaper, he said.

"As the attack becomes cheaper, more people will be interested in listening in to steal information on phone calls," Nohl said. "It's only a matter of time."

Dig deeper on Wireless Network Protocols and Standards

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close