The algorithm used to protect the security of communications on 80 percent of cell phones in the world can be relatively easily cracked to intercept calls, according to cryptographers at the 26th Chaos Communication Congress, a computer conference in Berlin. A German researcher presented an attack on the Global System for Mobile Communications (GSM)--showing it's possible to eavesdrop on cell phone calls and intercept SMS messages. Mobile phones worldwide use GSM, though in the United States many carriers, including Verizon and Sprint PCS, use a competing standard.

Karsten Nohl, who has a PhD in computer science from the University of Virginia, says he demonstrated the GSM attack to encourage people to develop a more sophisticated means of protection. GSM encryption was introduced in 1987, and first showed cracks in the 1990s. Nohl points to a series of academic papers illustrating problems with A5/1, which is used to protect GSM calls.

Nohl says that despite these concerns, people trust GSM with ever more sensitive data. In particular, there have been recent moves to use the standard for mobile banking, payments, and authentication.

Working with a group of hackers, Nohl generated and published a "rainbow table" for A5/1. This table is an optimized set of codes that would allow an attacker to quickly find the key protecting a given phone conversation. The group also cracked another algorithm that protects conversations by shifting communications between mobile phones and base stations to a variety of different frequencies during a call.

"It would be a good time to start transitioning GSM systems to more advanced cryptographic algorithms," says David Wagner, a professor at the University of California at Berkeley who was involved in work in the early 2000s that proved it was possible to break A5/1. "We should be grateful. We don't always get advance warning that it's time to upgrade a security system before the bad guys start taking advantage of it."

Wagner says the research brings no surprises. It simply demonstrates that attacking GSM's encryption is more feasible than previously realized. "The bottom line for cell phone users is about the same," he says. "Interception of GSM calls is possible, but takes serious technical sophistication." Intelligence agencies, however, are probably following this closely, Wagner adds, since they're in a position to use these techniques to decrypt GSM calls en masse, and may already be doing so.

The GSM Association, a London-based organization that "represents the interest of the worldwide mobile communications industry," begs to differ. "All in all, we consider this research, which appears to be motivated in part by commercial considerations, to be a long way from being a practical attack on GSM," the organization said in a statement. "Before a practical attack could be attempted, the GSM call has to be identified and recorded from the radio interface. So far, this aspect of the methodology has not been explained in any detail, and we strongly suspect that the teams attempting to develop an intercept capability have underestimated its practical complexity."