backtop


Print 51 comment(s) - last by formulav8.. on Jan 5 at 1:56 PM


The cat's out of the bag -- after 28 years the 64-bit A5/1 algorithm that encrypts over 3.5 billion users' cell phone traffic, has been cracked and the results published.  (Source: Suldog)
Cell phone industry group calls the research "illegal"; insists that there is little threat

For 21 years, the same encryption algorithm, A5/1, has been employed to protect the privacy of calls under the Global Systems for Mobile communications (GSM) standard.  With the GSM standard encompassing 80 percent of calls worldwide (AT&T and T-Mobile use it within the U.S.) -- far more than the leading rival standard CDMA -- this could certainly be considered a pretty good run.  However, someone has finally deciphered and published a complete analysis of the standard's encryption techniques in an effort to expose their weaknesses and prompt improvement.

Karsten Nohl, a 28-year-old German native, reportedly cracked the code and has published his findings to the computer and electronics hacking community.  Mr. Nohl, who cites a strong interest in protecting the privacy of citizens against snooping from any party, says that his work showcases the outdated algorithms' flaws.

At the Chaos Communication Congress, a four-day conference of computer hackers that runs through Wednesday in Berlin, he revealed his accomplishments.  He describes, "This shows that existing GSM security is inadequate.  We are trying to push operators to adopt better security measures for mobile phone calls."

The GSM Association, the London-based group that developed the standard and represents wireless companies, was quick to blast the publication calling Mr. Nohl's actions illegal and counterintuitive to the desire to protect the privacy of mobile phone calls.  However, they insist that the publication in no way threatens the standard's security.

Claire Cranton, an association spokeswoman, confirmed that Mr. Nohl was the first to break the code, commenting, "[Security threats from the publication of this standard are] theoretically possible but practically unlikely.  What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me."

Mr. Nohl attended college in the U.S. and received a PhD in computer engineering from the University of Virginia.  Via a similar publication, he managed to convince the DECT Forum, a separate standards group based in Bern, to upgrade its own security algorithm, improving the protection to the standard's 800 million customers in the process.

And while the trade group is only on yellow alert, some security experts disagree with the group's threat analysis, as well, saying the threat could be far more serious.  One expert suggested that calls may soon need to be scanned for malicious activity, much as an antivirus scanner works on a computer.

Stan Schatt, a vice president for health care and security at the technology market researcher ABI Research in New York, opines, "Organizations must now take this threat seriously and assume that within six months their organizations will be at risk unless they have adequate measures in place to secure their mobile phone calls."

The process of cracking the algorithm involved the help of 24 members of the Chaos Computer Club in Berlin, who helped generate the random combinations needed to try and reproduce the standard's code book, so to speak.  The vast log of binary combinations forms the basis of the A5/1 encryption -- and how to undo it.  And it's now on torrents worldwide.

Despite that, Mr. Nohl insists that his actions aren't illegal.  He says he took great precautions to make sure his work was kept purely academic, in the public domain, and that it was not used to crack any actual digital telephone calls.  He states, "We are not recommending people use this information to break the law.  What we are doing is trying to goad the world’s wireless operators to use better security."

A5/1 is a 64-bit security algorithm.  Despite this particular algorithm's run, 64-bit encryption is considered weaker by today's standards.  Today 128-bit algorithms are considered to be strong enough to protect most data.  The GSM Association has devised a 128-bit successor to A5/1, dubbed A5/3, but it has failed to push the standard out across much of the industry.

The Association claims that there's little danger of calls being intercepted as hackers would have to pick one call stream out of thousands at a cell phone tower.  They say that this would take prohibitively expensive sophisticated equipment and software.  Security experts disagree with this assessment -- including Mr. Nohl who pointed out that there was a wealth of open source software and cheap equipment to accomplish exactly those sort of objectives. 

Simon Bransfield-Garth, the chief executive of Cellcrypt, a company based in London that sells software, agrees, saying that the publications opens call interception to "any reasonable well-funded criminal organization".  He adds, "This will reduce the time to break a GSM call from weeks to hours.  We expect as this further develops it will be reduced to minutes."

Why is that a big deal?  Over 3.5 billion people use GSM worldwide, including 299 million in North America.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

64 bit?
By amanojaku on 12/29/2009 9:48:12 AM , Rating: 4
It's a wonder this wasn't cracked sooner. I've read that even 128 bit can be cracked, and people are nervous about 192 bit. 256 bit is the only thing that, so far, is considered truly secure.




RE: 64 bit?
By BrandtTheMan on 12/29/2009 9:50:11 AM , Rating: 5
technically nothing is truly secure.


RE: 64 bit?
By LRonaldHubbs on 12/29/2009 9:57:19 AM , Rating: 5
I think by 'truly secure' they really mean that it would take an impractically long amount of time for a modern supercomputer to brute-force.


RE: 64 bit?
By tastyratz on 12/29/2009 10:05:54 AM , Rating: 5
yup, and 23 years ago 64 bit WAS "truly secure" by the same standard.
As computers get faster the algorithms need to become increasingly complex even if only because of the ever increasing brute strength capabilities.

Security is never perfect, only cost vs benefit. All forms of security are just a pricetag.


RE: 64 bit?
By bennyg on 1/5/2010 8:04:12 AM , Rating: 2
...while the theoretical chance still exists that the first key tried in a brute force attempt works no matter what the length, that isn't what I'd call "Truly secure", but of course I'm a legal not a marketing man.

I think more accurate is "Practically" secure ;)


RE: 64 bit?
By DEVGRU on 12/29/2009 12:04:25 PM , Rating: 5
quote:
After 21 Years, GSM Encryption is Cracked Putting 3.5B Users at Risk


This is news? Yeah, I'm pretty sure the US Government had this cracked 21 years ago. Nothing to see here, move along.


RE: 64 bit?
By foolsgambit11 on 12/29/2009 12:36:55 PM , Rating: 3
Yeah, that's what I thought, too. It's like the invention of open key cryptography. It was invented in classified realms before it was invented by the private sector, but it couldn't be released for public consumption, so the first inventors weren't known for years. Governments may reveal that they've known how to crack GSM for years, but it won't be for a very long time, since this tech would actually have been practically used for collection, and will be classified for 30-50 years, depending on the country.


RE: 64 bit?
By jnolen on 12/29/2009 12:51:47 PM , Rating: 5
Or they had a back door in to begin with.


RE: 64 bit?
By FITCamaro on 12/29/2009 7:49:56 PM , Rating: 2
You are correct. US law requires that the government be able to eavesdrop on any communication taking place. Same goes for most other advanced nations.


RE: 64 bit?
By leexgx on 12/31/2009 9:20:36 AM , Rating: 2
the 64bit Encryption is only from phone to cell tower so they would listen on the tower or routed via the eavesdrop equipment (i know its more complicated then that but snooping on the phone call over the air would require a lot of compute power)


RE: 64 bit?
By amagriva on 1/3/2010 11:46:07 AM , Rating: 1
Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety.

Other advanced nations?

You meant that US can spy other advanced nations with Echelon?

In real advanced nations to tap phones you need a judge's order.

Years of Bush brainwashing have accomplished the mission...
You got chains without knowing it...


RE: 64 bit?
By frobizzle on 12/29/2009 1:29:33 PM , Rating: 2
You are correct - this is definitely not news. Back in September, Steve Gibson did a podcast on this and as far as I could tell, it was all over but the shouting.

http://www.grc.com/sn/sn-213.htm


RE: 64 bit?
By tsb3 on 12/29/2009 2:57:39 PM , Rating: 2
LOOOOOOOOOOOOOOOOOL !!!!!!!!!!!!!!!!


RE: 64 bit?
By Mike Acker on 12/30/2009 8:02:22 AM , Rating: 2
="technically nothing is truly secure. "

INCORRECT

Suggested reading: Vernam cypher. you need a 1-time pad though so it isn't practical for most use.

For most use your cypher only needs to be passable. If you have truly sensitive data you need to put more thought into how to secure the data... in an extreeme case: are you willing to trust someone else' cypher? I don't think so.


RE: 64 bit?
By jimhsu on 1/3/2010 6:34:38 PM , Rating: 2
Also incorrect. I could also say that quantum cryptography is truly secure, but all security protocols involve more than exchanges of data through a connection - think about the users! I could easily defeat your one time pad by attacking you during the encryption process and capturing your one time pad material (that is precisely what happened MULTIPLE times with Enigma back in WWII), or sifting through the ashes to find a trace of paper that didn't burn, or I could also capture you and send you off to be waterboarded to get the material that way.

Security is more than algorithms. Cryptonomicon teaches that well.


RE: 64 bit?
By jimhsu on 1/3/2010 6:38:02 PM , Rating: 2
What the one time pad guarantees is Shannon security - that is, the crypttext can be decrypted into any number of plaintext messages of the same length. This guarantee only holds when the one time pad is truly random (and humans are TRULY horrible at generating random numbers, even with the assistance of devices such as dice). Cryptonomicon has a nice section on this.


RE: 64 bit?
By tdktank59 on 12/29/2009 9:56:05 AM , Rating: 3
Well nothing is truly ever secure. Its all a matter of how much effort it takes. (mostly time now a days)

As for the article saying everyone was bashing on him for wanting to protect peoples data and not expose it by leaking the information.

Id have to say I agree, at least this person was willing to release his findings in an academic manner (most likely repeatable) so it should be easier to patch/upgrade the existing system.

Think about if someone who was malicious found this before his team did and never revealed it. How long would it have taken to figure out that peoples calls were being listened in on (of course the government is doing it anyways but besides them)


RE: 64 bit?
By wrekd on 12/29/2009 12:43:27 PM , Rating: 3
Well with GSM, the encryption comes from the frequency hopping between 80 channels. It's not like they had the ciphertext or plaintext laying around for analysis. Yes 64 bit encryption is easy to break if you have an actual file to analyze. They had to sniff the hops. This was far more than just cryptanalysis, it also took some good frequency analysis as well.


RE: 64 bit?
By fox12789 on 12/30/09, Rating: -1
RE: 64 bit?
By fox12789 on 12/30/09, Rating: -1
RE: 64 bit?
By formulav8 on 1/5/2010 1:56:31 PM , Rating: 1
You are absolutely pathetic. You know very well that no one wants to view your useless spam post. Go spam your own website...


RE: 64 bit?
By Shining Arcanine on 1/2/2010 8:31:35 PM , Rating: 2
I think 4096 bits are necessary to prevent it from being cracked some time in the next 30 years.


That'll Stop Them
By DtTall on 12/29/2009 10:11:22 AM , Rating: 5
quote:
Claire Cranton, an association spokeswoman, confirmed that Mr. Nohl was the first to break the code, commenting, "[Security threats from the publication of this standard are] theoretically possible but practically unlikely. What he is doing would be illegal in Britain and the United States . To do this while supposedly being concerned about privacy is beyond me."


Great defense. What he's doing is illegal so we don't have to worry. Yeah, because the people who would want to hack into cell phone calls are trying to follow all of the existing laws.

New defense idea: Own up and upgrade the security.




RE: That'll Stop Them
By Golgatha on 12/29/2009 10:21:35 AM , Rating: 3
quote:
Claire Cranton, an association spokeswoman, confirmed that Mr. Nohl was the first to break the code, commenting, "[Security threats from the publication of this standard are] theoretically possible but practically unlikely. What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me."


That's what I was thinking too. Like organized criminals care about what is and isn't legal to do?! Also, what he was doing was something purely academic. Not once did he intercept a private conversation.


RE: That'll Stop Them
By daemonios on 12/29/2009 10:42:09 AM , Rating: 5
That's a typical reply from someone who's trying to divert attention from the real issue. I can't say I fully agree with disclosing this type of information - he should at least have sent the message privately to the GSM association, maybe suggesting quick action before he would disclose it more broadly. As it stands, there is no guarantee that the industry will get its act together in a reasonable time frame but the bad guys will already have all the instruments to take advantage of the weakness. Unless Mr. Nohl left out a crucial part of the cracking process in his public disclosure, which again I'd think would be reasonable.


RE: That'll Stop Them
By AssBall on 12/29/2009 11:16:28 AM , Rating: 3
He probably did warn them and they were all: "Meh, it'll be fine."


RE: That'll Stop Them
By 3minence on 12/29/2009 12:44:31 PM , Rating: 3
If he had disclosed to them first they probably would have tried to gag and sue him. Remember the guy who cracked the smartcard system and was going to publish it?


RE: That'll Stop Them
By jRaskell on 12/30/2009 11:23:55 AM , Rating: 2
Exactly. History has clearly shown that organizations will more than likely take legal action to prevent such knowledge from going public, and thus protect the perception of security they've been portraying for years. After all, it's easier and cheaper to pay a crack legal team to hush the party pooper than it is to address the problem.


RE: That'll Stop Them
By Mike Acker on 12/30/2009 8:37:19 AM , Rating: 2
how much security do you need?

that will depend on what you are protecting

you need enough security such that breaching security will cost more than whatever may be stolen by that means

what is in communication that might be of value? bank data, mostly

and the main reason that is of value is because the banks do not require adequate authentication for the use of that data. steal an account number? you can steal the money. that's [special term deleted]


RE: That'll Stop Them
By WinstonSmith on 12/30/2009 10:51:36 AM , Rating: 2
"What he is doing would be illegal in Britain and the United States."

Unless you're the NSA who probably broke this encryption years ago.


Brute force?
By Spivonious on 12/29/2009 9:50:06 AM , Rating: 2
With processors as fast as they are these days, it would be totally possible to brute-force crack a 64-bit encryption. I'm really surprised that the cell phone providers are still using this outdated encryption technology.




RE: Brute force?
By JasonMick (blog) on 12/29/2009 10:05:37 AM , Rating: 3
It sounds like that's how he did it, followed by further testing, verification, and analysis.

It is disappointing that telecoms haven't kept up with modern encryption efforts, but then again, most telecoms rarely let concern for customers get in the way of profit-bumping cost savings.


RE: Brute force?
By zpdixon on 12/30/2009 2:53:04 AM , Rating: 3
They use mostly graphics cards, not processors to generate the rainbow tables. Read their mailing list archives:

http://lists.lists.reflextor.com/pipermail/a51/

Also, it is incorrect to say that "this is the first time A5/1 is cracked". David Hulton presumably cracked it back in 2006-2007 and gave a Black Hat presentation. The only thing he did differently is that he used FGPAs instead of GPUs to create his rainbow tables. Also A5/1 has been cracked for years by companies selling GSM espionage hardware (check David Hulton's slides for some references).


RE: Brute force?
By Oregonian2 on 1/2/2010 12:04:00 PM , Rating: 2
quote:
It is disappointing that telecoms haven't kept up with modern encryption efforts, but then again, most telecoms rarely let concern for customers get in the way of profit-bumping cost savings.


They'd be delighted to (some portions of the telecom business anyway). Would require everybody buying a new cell phone and probably new equipment for all of the cell towers. Lots of equipment sales -- only problem is that the FCC probably needs to demand the change because users are probably NOT going to demand the change with their pocketbooks which will have to be stretched a bit.


OMG!
By chagrinnin on 12/29/2009 10:03:33 AM , Rating: 5
So when my wife calls and says "Can you pick up a loaf of bread on the way home?" somebody could be listening in!? Oh wait,...iPhone/New York...nm. :P




RE: OMG!
By amanojaku on 12/29/2009 10:33:05 AM , Rating: 5
<Enter Luke Wilson>
Who offers the best whole wheat experience? Let's compare.

The nation's best whole wheat bread work?

AT&T

The network that lets you toast and butter the bread at the same time?

AT&T

The most popular jellies?

AT&T

Access to more than 100,000 jams?

AT&.

Bread that contains yeast?

(Hey, the other guys got one!)

When you compare, there's no comparison: AT&T provides a better whole wheat experience.
</Exit Luke Wilson>


Security at its Best
By hiscross on 12/29/2009 11:15:07 AM , Rating: 2
"The system worked" Janet
"I'm playing golf, I'll say something later" Barry

GSM has been cracked .. OMG stop selling iPhones in NYC

Get a Droid or better yet a WinMoble device.

Problem solved.




RE: Security at its Best
By mcnabney on 12/29/2009 5:24:31 PM , Rating: 3
WinMobile is dying. MS is hemorrhaging market share like crazy. Apple, RIM, and Android are all gaining share, and Win Mobile to the source of it. Expect WinMo7 in late 2010/early 2011 to be too little, too late. I guess you can only get so far pushing crappy Microsoft bloatware. The only successful products have used custom UI from device manufactures.


RE: Security at its Best
By hiscross on 12/29/2009 8:26:08 PM , Rating: 1
sarcasm my friend and nothing more. Who cares what happens to WinMobile or for that matter Microsoft. Barry is in charge now and that should scare everyone by now.


RE: Security at its Best
By frobizzle on 12/30/2009 11:07:29 AM , Rating: 2
quote:
arry is in charge now and that should scare everyone by now

You're right. Things were just so much better with George "I've still got one or two brain cells working...maybe" W. Bush


RE: Security at its Best
By hiscross on 12/30/2009 1:12:27 PM , Rating: 2
Sorry frobizzle but Barry and his merry team has no brian cells, not that the pervious group had any as well. 2010 will show you and all liberals how non-productive socialism really is. You asked for it and now you have to live it. "Who is John Galt?"


about time
By Autisticgramma on 12/29/2009 10:43:58 AM , Rating: 2
quote:
The GSM Association, the London-based group that developed the standard and represents wireless companies, was quick to blast the publication calling Mr. Nohl's actions illegal and counterintuitive to the desire to protect the privacy of mobile phone calls. However, they insist that the publication in no way threatens the standard's security.


Is there a quote of what was actually said? This seems to be a paraphrase.

This type of action is designed to prod lazy companies to actually spend the money to maintain their money machines, you would think those guys with their Master Business degree would get it.

Security is an arms race and your either in it, or out of business.




RE: about time
By Lerianis on 12/29/2009 4:38:57 PM , Rating: 2
Security of stuff like this is an arms race..... other forms of 'security' like DRM are simply things that should go 'bye-bye' forever.


Wasn't this done already?
By JDHack42 on 12/29/2009 4:22:02 PM , Rating: 2
I remember seeing something about a hardware approach that would hardnose the encryption in pretty much real time. The parts cost less than $2000 if I recall.




RE: Wasn't this done already?
By Narbo on 12/30/2009 11:46:13 AM , Rating: 2
Yes, the title is VERY misleading. GSM was cracked a LONG time ago.

This is simply the first time a method has been made public and also it is a method that requires quite low amounts of computing power. (i.e: no implementation in hardware solution required)


Encryption is nummy
By TheEinstein on 12/29/2009 11:14:29 AM , Rating: 1
There are rumors... hush hush hey you wont believe this but I heard type... that the NSA has a backdoor crash system on the 256 bit encryption system they have helped propagate around the world.

Of course now a man dressed in black will visit you to remove all memory of reading this post.

But honestly now, 128 bit encryption with some of the tech we keep reading about coming out in the future... some great stuff, but what if it is already out and about, paid for quietly to make that super computer you only wish you knew about.

But 64 bit encryption? Pfft, this is childs play to the cloud, the borg, and the botnets we suffer with today. This is why the President cannot use his blackberry for most uses... Consider it wisely.




RE: Encryption is nummy
By Lerianis on 12/29/2009 4:41:14 PM , Rating: 2
Well, there is an easy solution to this... simply mandate that any encryption on something like phones HAS to be able to last AT LEAST 100 years before being cracked at the current computer processing level that a 'newbie' would have access to.

That would mean that they would have to go 512-bit or BETTER... but that wouldn't necessarily be a 'bad' thing.


CDMA FTW
By hellokeith on 12/29/2009 5:10:06 PM , Rating: 2
I can finally say, I'm a Sprint owner and proud of it! :D




Is this new ?
By Landiepete on 12/30/2009 3:26:00 AM , Rating: 2
In fact, hasn't SIGINT (or Echelon as it's known by to us mere mortals) been doing this for years ? I believe they did a major upgrade in the 90's.




He's got bigger problems
By Suntan on 12/29/2009 12:50:32 PM , Rating: 1
Seriously? The guy’s last name is Schatt?

-Suntan




Mercury is rising!!!
By Spookster on 12/29/2009 6:37:32 PM , Rating: 1
Mercury is rising, I say again Mercury is rising.

You're a stranger.
You're a stranger.
You're a stranger.




“Then they pop up and say ‘Hello, surprise! Give us your money or we will shut you down!' Screw them. Seriously, screw them. You can quote me on that.” -- Newegg Chief Legal Officer Lee Cheng referencing patent trolls














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki