Mobile hack shows need for security upgrade

How cracked is mobile encryption?

Last week the Chaos Computer Club announced it had cracked GSM, but by Friday the GSMA was saying the attack was completely impractical - so should you be worried?

The attack proposed by the CCC is based on a Rainbow table: an enormous list of known results to which an encoded message can be compared to look up the key, rather than break the encryption. This approach was swiftly rubbished by the GSMA as needing 2TB of data and thus being impractical, but, as ever, things aren't quite that simple.

GSM's security is based on several algorithms, but the focus here is on the encryption used to secure calls against interception rather than identification or authorisation which, for the moment, remain secure. In GSM parlance the encryption of the call is known as A5, with the encryption options being numbered from zero to three: A5/0 being no encryption at all, A5/1 proper encryption, A5/2 weakened encryption for export to dodgy countries and A5/3 the new standard that's supposed to be part of 3G but isn't really.

A5, and the GSM security standard, only covers the connection between the handset and the nearest base station. Once at the base station any encryption is up to the network operator who might decide to shave a few quid off their microwave backhaul by not bothering to encrypt it at all. Once in the operator's network the call isn't encrypted, and that's where legitimate law enforcement (and shifty employees) can tap your calls.

But back to miscreants listening in on the radio portion: there are several ways that avoid having to break the encryption, besides bribing operator employees. On 2G networks a criminal can set up a fake base station, and configure that station to deny any cryptographic ability - when the target's handset connects, it is then forced not to use encryption as it appears that the network doesn't support any.

Users are supposed to get an on-screen warning when that happens, but handsets haven't done that for years. The 3G standard requires the base station to authenticate itself to the handset, so your miscreant will need to jam 2.1GHz around his fake station if he's going to force handsets down to 2G services only.

But assuming that's not practical, and the call is being placed in a region allowed to use decent cryptography, your criminal will want to break the A5/1 cryptography that's being used to protect the call. A5/1 comes with a 64-bit key, so should be pretty secure against brute force attacks and make a Rainbow Table unfeasibly large as the GSMA contends.

However, the network operators decided to pad the key with ten zeros to make processing faster, so it's really a 54-bit key. Other weaknesses in the originally secret algorithm further reduce the options and make a Rainbow Table eminently practical; as long as one has a decently fast hard drive (or, ideally, some solid-state storage) then real-time cracking of A5/1 can be done.

The GSMA has been claiming that an A5/1 Rainbow Table will need the equivalent of a tower of books 20km high, which is about as useful as saying that such a table couldn't be written on a fish. If the open-source project to compile a distributed Rainbow Table succeeds, then the data will be spread out amongst possibly millions of computers and available to anyone who's interested.
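The time/memory trade-off that the rainbow-table argument above rests on, as an added toy example that is not code from the article or from the A5/1 table project: a 16-bit SHA-256-based function stands in for A5/1, the chain length and chain count are assumed demo values, and `effective_keyspace` shows the 64-to-54-bit reduction the padded key causes. Storing only chain endpoints is what lets a table cover a keyspace with far less than one entry per key.

```python
# Added toy demo, not the article's or the A5/1 project's code; sizes are assumptions.
import hashlib
import random

N = 1 << 16         # toy key space; GSM's Kc is nominally 64 bits, effectively 54
CHAIN_LEN = 64      # t: keystream evaluations per chain (the time side)
NUM_CHAINS = 1024   # m: endpoints stored (the memory side); m * t ~ N

def effective_keyspace(key_bits: int, padded_zero_bits: int) -> int:
    """Keys left to search when padded bits are fixed at zero (64 -> 54 for GSM)."""
    return 1 << (key_bits - padded_zero_bits)

def keystream(key: int) -> int:
    """Stand-in for the keystream a known plaintext reveals: 16 bits of SHA-256."""
    digest = hashlib.sha256(b"toy-A5/1:" + key.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")

def reduce_to_key(column: int, ks: int) -> int:
    return (ks + column * 0x9E37) % N   # keystream -> key space, one map per column

def build_table(seed: int) -> dict:
    """Precompute chains but store only endpoint -> start: the table's footprint."""
    rng, table = random.Random(seed), {}
    for _ in range(NUM_CHAINS):
        start = key = rng.randrange(N)
        for col in range(CHAIN_LEN):
            key = reduce_to_key(col, keystream(key))
        table[key] = start
    return table

def lookup(table: dict, observed: int):
    """Recover a key producing `observed` keystream, or None if no chain covers it."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        key = reduce_to_key(col, observed)        # assume the key sat in column col
        for later in range(col + 1, CHAIN_LEN):   # walk the rest of that chain
            key = reduce_to_key(later, keystream(key))
        start = table.get(key)
        if start is None:
            continue
        key = start                               # regenerate the chain to find it
        for c in range(CHAIN_LEN):
            if keystream(key) == observed:
                return key
            key = reduce_to_key(c, keystream(key))
    return None

def coverage(table: dict, samples: int, seed: int) -> float:
    """Fraction of random keys the table recovers, which the '2TB' figure ignores."""
    rng = random.Random(seed)
    targets = [keystream(rng.randrange(N)) for _ in range(samples)]
    return sum(lookup(table, t) is not None for t in targets) / samples
```

With m * t roughly equal to the keyspace, the table holds 1024 endpoints yet recovers about half of all 65536 keys; shrinking the keyspace by 2^10, as the zero padding does for GSM, cuts the storage needed for the same coverage by the same factor.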

So A5/1 has already been cracked by specialist hardware, and is now being attacked by drafted video cards; but that's OK 'cos the mobile industry is rapidly moving towards the much-more-secure A5/3, isn't it?

A5/3 is indeed much more secure; not only is it based on the well-known (and trusted) Kasumi algorithm, but it was also developed to encrypt more of the communication (including the phone numbers of those connecting together), making it much harder for ne'er-do-wells to work out which call to intercept. A5/3 was developed, at public expense, by the European Telecommunications Standards Institute (ETSI) and is mandated by the 3G standard, though it can also be applied to 2.5G technologies including GPRS and EDGE.

The standard, which is publicly available, was completed in 2002 and endorsed by everyone at the time as a new dawn in network security - only no one ever used it. We've not been able to discover a single network operator, or handset, which is using A5/3.

Nokia and Sony Ericsson both failed to respond to our questions on the subject, and GSM security experts tell us they've never seen A5/3 in the field. So there is a secure alternative, but no one seems to be bothering to use it.

All of which means that an increasing number of people can indeed listen in to your GSM calls, even if you find a 3G connection and trust your network operator completely. So if you really care about your call security, or have reason to believe that someone with some resources is planning on listening in, you'll have to consider an end-to-end encryption product such as CellCrypt, or Skype and its ilk if you're prepared to rely on a data connection. Otherwise, you can just assume that no one cares what you're saying and be grateful that A3 and A8 remain secure so no one can fake a GSM call - at least not yet. ®
