Feeds

Mobile hack shows need for security upgrade

How cracked is mobile encryption?

Security and trust: The backbone of doing business over the internet

Last week the Chaos Computer Club announced it had cracked GSM, but by Friday the GSMA was saying the attack was completely impractical - so should you be worried?

The attack proposed by the CCC is based on a Rainbow table: an enormous list of known results to which an encoded message can be compared to look up the key, rather than break the encryption. This approach was swiftly rubbished by the GSMA as needing 2TB of data and thus being impractical, but, as ever, things aren't quite that simple.

GSM's security is based on several algorithms, but the focus here is on the encryption used to secure calls against interception rather than identification or authorisation which, for the moment, remain secure. In GSM parlance the encryption of the call is known as A5, with the encryption options being numbered from zero to three: A5/0 being no encryption at all, A5/1 proper encryption, A5/2 weakened encryption for export to dodgy countries and A5/3 the new standard that's supposed to be part of 3G but isn't really.

A5, and the GSM security standard, only covers the connection between the handset and the nearest base station. Once at the base station any encryption is up to the network operator who might decide to shave a few quid off their microwave backhaul by not bothering to encrypt it at all. Once in the operator's network the call isn't encrypted, and that's where legitimate law enforcement (and shifty employees) can tap your calls.

But back to miscreants listening in on the radio portion: there are several ways that avoid having to break the encryption, besides bribing operator employees. On 2G networks a criminal can set up a fake base station, and configure that station to deny any cryptographic ability - when the target's handset connects, it is then forced not to use encryption as it appears that the network doesn't support any.

Users are supposed to get an on-screen warning when that happens, but handsets haven't done that for years. The 3G standard requires the base station to authenticate itself to the handset, so your miscreant will need to jam 2.1GHz around his fake station if he's going to force handsets down to 2G services only.

But assuming that's not practical, and the call is being placed in a region allowed to use decent cryptography, your criminal will want to break the A5/1 cryptography that's being used to protect the call. A5/1 comes with a 64-bit key, so should be pretty secure against brute force attacks and make a Rainbow Table unfeasibly large as the GSMA contends.

However, the network operators decided to pad the key with ten zeros to make processing faster, so it's really a 54-bit key. Other weaknesses in the originally secret algorithm further reduce the options and make a Rainbow Table eminently practical; as long as one has a decently fast hard drive (or, ideally, some solid-state storage) then real-time cracking of A5/1 can be done.

The GSMA has been claiming that an A5/1 Rainbow Table will need the equivalent of a tower of books 20km high, which is about as useful as saying that such a table couldn't be written on a fish. If the open-source project to compile a distributed Rainbow Table succeeds, then the data will be spread out amongst possibly millions of computers and available to anyone who's interested.

So A5/1 has already been cracked by specialist hardware, and is now being attacked by drafted video cards; but that's OK 'cos the mobile industry is rapidly moving towards the much-more-secure A5/3, isn't it?

A5/3 is indeed much more secure; not only is it based on the well known (and trusted) Kasumi algorithm, but it was also developed to encrypt more of the communication (including the phone numbers of those connecting together), making it much harder for ne'er-do-wells to work out which call to intercept. A5/3 was developed, at public expense, by the European Telecommunications Standards Institute (ETSI) and is mandated by the 3G standard, though can also be applied to 2.5G technologies including GPRS and EDGE.

The standard, which is publicly available, was completed in 2002 and endorsed by everyone at the time as a new dawn in network security - only no one ever used it. We've not been able to discover a single network operator, or handset, which is using A5/3.

Nokia and Sony Ericsson both failed to respond to our questions on the subject, and GSM security experts tell us they've never seen A5/3 in the field. So there is a secure alternative, but no one seems to be bothering to use it.

All of which means that an increasing number of people can indeed listen in to your GSM calls, even if you find a 3G connection and trust your network operator completely. So if you really care about your call security, or have reason to believe that someone with some resources is planning on listening in, you'll have to consider an end-to-end encryption product such as CellCrypt, or Skype and its ilk if you're prepared to rely on a data connection. Otherwise, you can just assume that no one cares what you're saying and be grateful that A3 and A8 remain secure so no one can fake a GSM call - at least not yet. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Brit telcos warn Scots that voting Yes could lead to HEFTY bills
BT and Co: Independence vote likely to mean 'increased costs'
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Turnbull: NBN won't turn your town into Silicon Valley
'People have been brainwashed to believe that their world will be changed forever if they get FTTP'
Blockbuster book lays out the first 20 years of the Smartphone Wars
Symbian's David Wood bares all. Not for the faint hearted
Bonking with Apple has POUNDED mobe operators' wallets
... into submission. Weve squeals, ditches payment plans
ISPs' post-net-neutrality world is built on 'bribes' says Tim Berners-Lee
Father of the worldwide web is extremely peeved over pay-per-packet-type plans
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.