GSM Encryption Cracked… GSMA's First Response? That's Illegal!
from the yeah,-because-the-eavesdroppers-care dept
The big news in security circles this week is the fact that a security researcher claims to have cracked the encryption used to keep GSM mobile phone calls private. It looks like he and some collaborators used a brute-force method. He admits that it requires about $30,000 worth of equipment to decrypt calls in real time, but that’s pocket change for many of the folks who would want to make use of this. What’s much more interesting (and worrisome) is the GSM Association’s (GSMA) response to this news:
“This is theoretically possible but practically unlikely,” said Claire Cranton, an association spokeswoman. She said no one else had broken the code since its adoption. “What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.”
There are so many things wrong with that statement it’s hard to know where to begin. First, claiming it’s “theoretically possible, but practically unlikely” means that it’s very, very possible and quite likely. To then say that no one else had broken the code since its adoption fifteen years ago is almost certainly false. What she means is that no one else who’s broken the code has gone public with it — probably because it’s much more lucrative keeping that info to themselves. Next, blaming the messenger by announcing that cracking the code is “illegal in Britain and the United States” is not what anyone who uses a GSM phone should want to hear. They should want to know how the GSMA is responding and fixing the problem — not how they’re responding to the public release. Finally, if it’s “beyond” her why cracking a code used for private conversations and showing that it’s insecure is all about being concerned about “privacy” — she should be looking for a different job. This has everything to do with privacy. The GSMA claims that the code is secure for private conversations, and this group of folks is showing that it is not. That seems to have everything to do with privacy.
Filed Under: encryption, gsm, privacy, reaction, security
Companies: gsma
Comments on “GSM Encryption Cracked… GSMA's First Response? That's Illegal!”
A5/3
A5/3, the next encryption level up, has been ignored for many years by a lot of the networks who considered it too costly to implement considering A5/1 was so ‘safe’. I wonder now how many will make the transition?
Since 2006 handset manufacturers have been mandated to remove support for A5/2 (much easier to crack) so that the phone is safe (with no real change to networks). This means your expensive new phone likely won’t work in poorer, non-Western countries who are only allowed A5/2. A5/1 is likely to go a similar way in the next 5 years, assuming of course traditional voice networks remain. My guess is all future voice will go VoIP with lovely AES etc etc.
/sigh
Those concerned about security and privacy had best converse inside a sealed, lead encased room. There’s no such thing as privacy anymore.
Re: /sigh
I think you need to use the Cone of Silence
Re: Re: /sigh
Well played.
Re: Re: Re: /sigh
I’m getting tired of the over/mis use of “Well Played”
Just Saying.
Re: /sigh
Perhaps. But at the same time, service providers should not guarantee a level of privacy that does not exist and that they apparently have no intention of working to maintain.
Blame it on France
Blame it on France for not wanting A5/1 to be a stronger algorithm. France wanted authorities to be able to easily tap on conversations. Honestly I’m even surprised it took so long to be “broken”.
Ms. Cranton obviously worships the Goddess of Institutional Inertia
And the Goddess of Institutional Inertia is also known as laziness.
Voip
How about free calls? How about 5 second ads played before the call? Why do we even put up with these phone companies anyway?
Who’s with me!
Voip
How about free calls? How about 5 second ads played before the call? Why do we even put up with these phone companies anyway?
Who’s with me!
Re: Voip
One of them (him?) is redundant.
I guess that solves that. Nobody will ever snoop on a phone call because it’s illegal to do that. And nobody ever uses a cell phone outside the US or UK. Ever. Got it.
Re: Re:
But if you outlaw phone snooping, only the outlaws will snoop phones…
$30,000 ? Try $2,000!
Back around September 8th Steve Gibson of Gibson Research Corp. (grc.com) told all the nitty-gritty about how to crack GSM nearly on the fly. All that is needed is a couple of terabyte HDDs (Rainbow Tables), a laptop, and a special radio device.
He told all on his podcast “Security Now”. The podcast with all the pertinent info is here:
http://twit.tv/sn213
Transcript here:
http://www.grc.com/sn/sn-213.txt
That should put an end to the cell companies blowing smoke up places it doesn’t belong. Also, it’s amazing the cell providers kept a lid on it this long!
CDMA?
Good reason to use CDMA?
Re: CDMA?
Nope, it’s even worse – all you need to snoop on it is a cloned phone.
This is laughable. “This is illegal. No one committing a crime would use an illegal method to do so. Therefore you are all safe. Sheep.”
government already had the codes
Did he expose what our government and various security agencies have used for years to eavesdrop on cell calls?
Re: government already had the codes
Exactly. The US had the signals intelligence to do this as early as 2003 and the Brits were certainly ahead of us by that point. Historically, Britain has been years ahead of the US in signals intelligence; but the problem for US operations was not the decryption of the individual frequencies but the multi-frequency modulation of the unique call. This is possible with the right dedicated equipment, but mobile platforms generally had to sacrifice GSM capability due to the overhead. At any rate, all of the problems with GSM intercept have largely been solved for some time in military/DoD operations–that anyone would suggest otherwise is laughable.
Re: Re: government already had the codes
There’s no need for governments to crack any encryption on the radio network, at least not in everyday surveillance/eavesdropping. Lawfully Authorized Electronic Surveillance is a functionality in the core network.
Make a lot of Live USBs and show it to the world :)
http://en.wikipedia.org/wiki/Live_usb_creator
Microsoft wouldn’t dream of doing this.
That is why to create a live Windows CD you have to go through an extensive marathon of steps to accomplish this simple task.
we dont care bout your stinkin laws no more
stuff you
Re: we dont care bout your stinkin laws no more
I’m getting tired of the over/mis use of “Stuff You”
Just Saying.
Cloned phones
Some day they will just switch over to VOIP and public key plus symmetric key would make it near impossible to eavesdrop without access to the carrier.
If all the low level communication was also done via encryption, it would be impossible to even listen in on a CDMA data stream.
GSM is less secure.
GSMA response
So, has GSMA come up with a newer response?