The algorithm used to protect the security of communications on 80 percent of cell phones in the world can be relatively easily cracked to intercept calls, according to cryptographers at the 26th Chaos Communication Congress, a computer conference in Berlin. A German researcher presented an attack on the Global System for Mobile Communications (GSM), showing it’s possible to eavesdrop on cell phone calls and intercept SMS messages. Mobile phones worldwide use GSM, though in the United States many carriers, including Verizon and Sprint PCS, use a competing standard.
Karsten Nohl, who has a PhD in computer science from the University of Virginia, says he demonstrated the GSM attack to encourage people to develop a more sophisticated means of protection. GSM encryption was introduced in 1987, and first showed cracks in the 1990s. Nohl points to a series of academic papers illustrating problems with A5/1, which is used to protect GSM calls.
Nohl says that despite these concerns, people trust GSM with ever more sensitive data. In particular, there have been recent moves to use the standard for mobile banking, payments, and authentication.
Working with a group of hackers, Nohl generated and published a “rainbow table” for A5/1. This table is an optimized set of codes that would allow an attacker to quickly find the key protecting a given phone conversation. The group also cracked another algorithm that protects conversations by shifting communications between mobile phones and base stations to a variety of different frequencies during a call.
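To make concrete what a precomputed table buys an attacker, here is an added toy illustration that is not part of the article and has no connection to the published A5/1 tables: a rainbow table (time-memory trade-off) over a constructed 16-bit key space, with a made-up stand-in cipher in place of a real one. All names (keystream, reduce, build_table, lookup, recoverable_fraction) are assumed; the point for a defender is that once such a table exists, recovering a key costs a few thousand cipher evaluations instead of a search of the whole space, so the effective key space is what decides whether a system holds up.

```python
# Added example (not from the article): toy rainbow table over a constructed
# 16-bit key space. keystream() is a made-up stand-in cipher, NOT A5/1.
import hashlib
import random

KEY_SPACE = 1 << 16   # 65536 keys; A5/1's real space is 2**64
CHAIN_LEN = 64        # cipher evaluations per chain
NUM_CHAINS = 4096     # chains computed; only (endpoint, start) pairs are kept

def keystream(key: int) -> int:
    """Constructed stand-in cipher: 32 output bits for a 16-bit key."""
    digest = hashlib.sha256(b"toy-cipher" + key.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def reduce(ks: int, step: int) -> int:
    """Map keystream into key space; per-position variant => *rainbow* table."""
    return (ks ^ (step * 0x9E37)) & (KEY_SPACE - 1)

def build_table(seed: int = 1) -> dict:
    """Precompute once; memory holds only endpoint -> start per chain."""
    rng = random.Random(seed)
    table = {}
    for _ in range(NUM_CHAINS):
        start = key = rng.randrange(KEY_SPACE)
        for step in range(CHAIN_LEN):
            key = reduce(keystream(key), step)
        table.setdefault(key, start)   # merged chains keep the first start
    return table

def lookup(table: dict, observed: int):
    """Recover a key whose keystream equals `observed`, or None."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        key = reduce(observed, pos)             # guess: it sat at column pos
        for step in range(pos + 1, CHAIN_LEN):
            key = reduce(keystream(key), step)  # run the chain to its end
        start = table.get(key)
        if start is None:
            continue
        key = start                             # rebuild the chain prefix
        for step in range(pos):
            key = reduce(keystream(key), step)
        if keystream(key) == observed:          # reject false alarms
            return key
    return None

def recoverable_fraction(table: dict) -> float:
    """Share of the key space the stored chains can actually recover."""
    covered = set()
    for start in table.values():
        key = start
        for step in range(CHAIN_LEN):
            covered.add(key)
            key = reduce(keystream(key), step)
    return len(covered) / KEY_SPACE
```

With these parameters the table stores far fewer entries than there are keys yet still recovers well over half of them, which is the trade-off the text describes; for a real cipher the same structure only works when the effective key space is small enough to precompute.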
“It would be a good time to start transitioning GSM systems to more advanced cryptographic algorithms,” says David Wagner, a professor at the University of California at Berkeley who was involved in work in the early 2000s that proved it was possible to break A5/1. “We should be grateful. We don’t always get advance warning that it’s time to upgrade a security system before the bad guys start taking advantage of it.”
Wagner says the research brings no surprises. It simply demonstrates that attacking GSM’s encryption is more feasible than previously realized. “The bottom line for cell phone users is about the same,” he says. “Interception of GSM calls is possible, but takes serious technical sophistication.” Intelligence agencies, however, are probably following this closely, Wagner adds, since they’re in a position to use these techniques to decrypt GSM calls en masse, and may already be doing so.
The GSM Association, a London-based organization that “represents the interest of the worldwide mobile communications industry,” begs to differ. “All in all, we consider this research, which appears to be motivated in part by commercial considerations, to be a long way from being a practical attack on GSM,” the organization said in a statement. “Before a practical attack could be attempted, the GSM call has to be identified and recorded from the radio interface. So far, this aspect of the methodology has not been explained in any detail, and we strongly suspect that the teams attempting to develop an intercept capability have underestimated its practical complexity.”
Cryptographer Bruce Schneier, chief security technology officer at BT Counterpane, dismisses the association’s claims. “Companies always deny that it’s practical,” he says. “The truth about cryptography is that attacks always get better, never worse.” While Schneier believes this work further demonstrates that GSM calls could be intercepted, he says that the recent move to use GSM for payments and authentication is “a bigger reason to be concerned about this attack.” Schneier expects criminals will be more motivated to master the techniques needed to attack GSM when there’s an obvious financial gain to be had.
Nohl says he’s disappointed by the GSM Association’s reaction. “It almost sounds like the association is challenging us to break the system entirely and completely, and so openly that everybody can reproduce it, before they will acknowledge that it is broken.”
The GSM Association’s statement puts researchers in a difficult position, Nohl notes, because it is illegal to build and publicly talk about an intercept radio. However, for an attacker, all the necessary components for such a device are openly available, he says.
By contrast, Nohl says, the DECT Forum, a Swiss industry association responsible for the Digital Enhanced Cordless Telecommunications (DECT) standard, recently reacted to similar research from his group with an effort that he believes will greatly enhance the security of communication over cordless phones.
Nohl says his group now plans to contribute to open-source projects such as OpenBTS, which aims to enable hobbyists to build their own cellular networks. By contributing to tools that enable legitimate research on GSM, Nohl hopes to make it clear that GSM needs to be updated to better algorithms, and probably overhauled completely. Of course, he admits, such tools could also be repurposed by the unscrupulous to attack GSM.