Feeds

Mobile hack shows need for security upgrade

How cracked is mobile encryption?

Intelligent flash storage arrays

Last week the Chaos Computer Club announced it had cracked GSM, but by Friday the GSMA was saying the attack was completely impractical - so should you be worried?

The attack proposed by the CCC is based on a Rainbow table: an enormous list of known results to which an encoded message can be compared to look up the key, rather than break the encryption. This approach was swiftly rubbished by the GSMA as needing 2TB of data and thus being impractical, but, as ever, things aren't quite that simple.

GSM's security is based on several algorithms, but the focus here is on the encryption used to secure calls against interception rather than identification or authorisation which, for the moment, remain secure. In GSM parlance the encryption of the call is known as A5, with the encryption options being numbered from zero to three: A5/0 being no encryption at all, A5/1 proper encryption, A5/2 weakened encryption for export to dodgy countries and A5/3 the new standard that's supposed to be part of 3G but isn't really.

A5, and the GSM security standard, only covers the connection between the handset and the nearest base station. Once at the base station any encryption is up to the network operator who might decide to shave a few quid off their microwave backhaul by not bothering to encrypt it at all. Once in the operator's network the call isn't encrypted, and that's where legitimate law enforcement (and shifty employees) can tap your calls.

But back to miscreants listening in on the radio portion: there are several ways that avoid having to break the encryption, besides bribing operator employees. On 2G networks a criminal can set up a fake base station, and configure that station to deny any cryptographic ability - when the target's handset connects, it is then forced not to use encryption as it appears that the network doesn't support any.

Users are supposed to get an on-screen warning when that happens, but handsets haven't done that for years. The 3G standard requires the base station to authenticate itself to the handset, so your miscreant will need to jam 2.1GHz around his fake station if he's going to force handsets down to 2G services only.

But assuming that's not practical, and the call is being placed in a region allowed to use decent cryptography, your criminal will want to break the A5/1 cryptography that's being used to protect the call. A5/1 comes with a 64-bit key, so should be pretty secure against brute force attacks and make a Rainbow Table unfeasibly large as the GSMA contends.

However, the network operators decided to pad the key with ten zeros to make processing faster, so it's really a 54-bit key. Other weaknesses in the originally secret algorithm further reduce the options and make a Rainbow Table eminently practical; as long as one has a decently fast hard drive (or, ideally, some solid-state storage) then real-time cracking of A5/1 can be done.

The GSMA has been claiming that an A5/1 Rainbow Table will need the equivalent of a tower of books 20km high, which is about as useful as saying that such a table couldn't be written on a fish. If the open-source project to compile a distributed Rainbow Table succeeds, then the data will be spread out amongst possibly millions of computers and available to anyone who's interested.

So A5/1 has already been cracked by specialist hardware, and is now being attacked by drafted video cards; but that's OK 'cos the mobile industry is rapidly moving towards the much-more-secure A5/3, isn't it?

A5/3 is indeed much more secure; not only is it based on the well known (and trusted) Kasumi algorithm, but it was also developed to encrypt more of the communication (including the phone numbers of those connecting together), making it much harder for ne'er-do-wells to work out which call to intercept. A5/3 was developed, at public expense, by the European Telecommunications Standards Institute (ETSI) and is mandated by the 3G standard, though can also be applied to 2.5G technologies including GPRS and EDGE.

The standard, which is publicly available, was completed in 2002 and endorsed by everyone at the time as a new dawn in network security - only no one ever used it. We've not been able to discover a single network operator, or handset, which is using A5/3.

Nokia and Sony Ericsson both failed to respond to our questions on the subject, and GSM security experts tell us they've never seen A5/3 in the field. So there is a secure alternative, but no one seems to be bothering to use it.

All of which means that an increasing number of people can indeed listen in to your GSM calls, even if you find a 3G connection and trust your network operator completely. So if you really care about your call security, or have reason to believe that someone with some resources is planning on listening in, you'll have to consider an end-to-end encryption product such as CellCrypt, or Skype and its ilk if you're prepared to rely on a data connection. Otherwise, you can just assume that no one cares what you're saying and be grateful that A3 and A8 remain secure so no one can fake a GSM call - at least not yet. ®

Security for virtualized datacentres

More from The Register

next story
Crouching tiger, FAST ASLEEP dragon: Smugglers can't shift iPhone 6s
China's grey market reports 'sluggish' sales of Apple mobe
Sea-Me-We 5 construction starts
New sub cable to go live 2016
EE coughs to BROKEN data usage metrics BLUNDER that short-changes customers
Carrier apologises for 'inflated' measurements cockup
Comcast: Help, help, FCC. Netflix and pals are EXTORTIONISTS
The others guys are being mean so therefore ... monopoly all good, yeah?
Surprise: if you work from home you need the Internet
Buffer-rage sends Aussies out to experience road rage
EE buys 58 Phones 4u stores for £2.5m after picking over carcass
Operator says it will safeguard 359 jobs, plans lick of paint
MOST iPhone strokers SPURN iOS 8: iOS 7 'un-updatening' in 5...4...
Guess they don't like our battery-draining update?
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.