

18 comments, last by Pessimism on Jan 18 at 9:06 AM


Business users talking on cell phones, beware: wiretapping setups for GSM networks are now widely available for under $1,000, meaning you may be blabbing your financial secrets to unwanted parties. In recent months A5/1, the 64-bit-key GSM cipher, was cracked, and now A5/3 (KASUMI), the 128-bit-key cipher used on 3G networks, has been broken as well, at least in a related-key setting.  (Source: The Phone Coach)
The security woes of the cell phone sector continue

For those in the know about the current state of cell phone security, it's a mess. With the current 64-bit GSM cipher (A5/1, used by about 3.5 billion people worldwide) publicly cracked after 21 years of secrecy, wiretapping is no longer the realm of governments alone.  Security researchers have demonstrated that malicious users and corporate spies alike can intercept A5/1-encrypted GSM traffic and decrypt it using equipment that costs under $1,000 (most of the software involved is open source).  That's scary news for anyone who wants to keep their company's financial results from slipping out in a seemingly private, behind-closed-doors conversation with their financial staff.

Equally scary is the cell phone carriers' response.  They acknowledged the insecurity only when the algorithm was publicly cracked by Karsten Nohl, PhD, a 28-year-old German computer security researcher and member of Berlin's Chaos Computer Club.  Even now they are dragging their feet on adopting stronger algorithms across their networks.

And now the next-best cipher, KASUMI, the 128-bit-key A5/3 algorithm deployed across 3G networks, has been broken as well.  Whereas A5/1 was brought down by roughly 2 terabytes of time-memory trade-off tables, generated over a couple of months last year on an NVIDIA GPU cluster (via CUDA code), the new effort used a sophisticated "related-key sandwich attack" to recover a full KASUMI key in under two hours on a single PC.  A paper on the work is published here (PDF).
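To make the time-memory trade-off concrete, here is an added example (my own constructed code, not Nohl's tables or any code from the original article) of a rainbow-table attack on an 18-bit toy keystream generator. The `keystream` map, the `reduce_to_state` reduction and the table sizes are assumptions chosen so the whole thing runs in seconds; the real tables apply the same idea to A5/1's 64-bit internal state, which is why they run to terabytes and why the precomputation took months of GPU time. The code is written generally, for any keystream function the attacker can evaluate, rather than for the A5/1 instance alone.

```python
"""Time-memory trade-off against a keystream generator, rainbow-table style.

Constructed example (not the A5/1 tables or their code).  The toy cipher is
an 18-bit map from secret state to the first 18 keystream bits; the attacker
sees keystream (ciphertext XOR known plaintext), precomputes chains once,
stores only chain endpoints, and later inverts any covered keystream value
with about T_LEN**2 / 2 cipher evaluations instead of a 2**18 brute force.
"""
import random

BITS = 18
N = 1 << BITS            # size of the toy state space
MASK = N - 1
M_CHAINS = 1 << 12       # chains kept in the table (2**12 endpoints)
T_LEN = 1 << 7           # chain length; M_CHAINS * T_LEN == 2 * N


def keystream(state):
    """Toy state -> keystream-prefix map (assumption; stands in for A5/1's
    64-bit state -> keystream function).  state*(state+3) is exactly 2-to-1,
    so the map is non-bijective like the real one and chains can merge."""
    x = (state * (state + 3) + 0x1A3) & MASK
    x = (x * 0x2F0D5) & MASK
    x ^= x >> 7
    x = (x * 0x1B4F3) & MASK
    return x ^ (x >> 11)


def reduce_to_state(ks, col):
    """Column-dependent reduction from keystream value back into the state
    space.  A different reduction per column is what makes this a rainbow
    table rather than a classic Hellman table."""
    return (ks + col * 0x9E3779B1) & MASK


def build_table(rng):
    """One-off precomputation: M_CHAINS chains of T_LEN steps each, storing
    only endpoint -> [start points] (merged chains share an endpoint)."""
    table = {}
    for _ in range(M_CHAINS):
        start = x = rng.getrandbits(BITS)
        for col in range(T_LEN):
            x = reduce_to_state(keystream(x), col)
        table.setdefault(x, []).append(start)
    return table


def invert(table, target_ks):
    """Online phase: return a state whose keystream is target_ks, or None."""
    for col in range(T_LEN - 1, -1, -1):
        # Hypothesis: the unknown state sits in column `col` of some chain.
        x = reduce_to_state(target_ks, col)
        for c in range(col + 1, T_LEN):
            x = reduce_to_state(keystream(x), c)
        for start in table.get(x, ()):
            y = start                       # rebuild that chain up to `col`
            for c in range(col):
                y = reduce_to_state(keystream(y), c)
            if keystream(y) == target_ks:   # false alarms from merges end here
                return y
    return None


def run_demo(trials=100, seed=7):
    rng = random.Random(seed)
    table = build_table(rng)
    # A state known to lie in the table (column 40 of some chain) must be found.
    known = next(iter(table.values()))[0]
    for c in range(40):
        known = reduce_to_state(keystream(known), c)
    hit = invert(table, keystream(known))
    # Coverage over random secret states: one table of this size recovers a
    # majority; more tables raise coverage at proportional memory cost.
    hits, correct = 0, True
    for _ in range(trials):
        secret = rng.getrandbits(BITS)
        found = invert(table, keystream(secret))
        if found is not None:
            hits += 1
            correct &= keystream(found) == keystream(secret)
    return {
        "known_state_found": hit is not None and keystream(hit) == keystream(known),
        "coverage": hits / trials,
        "all_recovered_valid": correct,
        "stored_entries": M_CHAINS,
        "state_space": N,
    }


if __name__ == "__main__":
    print(run_demo())
```

The online phase needs only keystream, which the attacker gets by XORing captured ciphertext with plaintext he can predict (much of GSM's signalling content is fixed or padding), and costs about T_LEN**2 / 2 cipher evaluations per recovered state. A single table here covers roughly two thirds of the state space; practical attacks stack several tables, trading more storage for higher success rates, which is exactly the memory side of the trade-off.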

The research was carried out by faculty of the Mathematics and Computer Science departments at the Weizmann Institute of Science in Israel: Orr Dunkelman, Nathan Keller, and Adi Shamir, the last of whom is the "S" in RSA, the popular public-key algorithm named after Rivest, Shamir and Adleman.

The attack works in the related-key model: rather than encryptions under a single key, the attacker obtains encryptions under several keys that differ from one another by a chosen, known difference, and tracks how that difference propagates through the cipher's rounds.  The researchers write, "By using this distinguisher and analyzing the single remaining round, we can derive the complete 128 bit key of the full Kasumi by using only 4 related keys, 2^26 data, 2^30 bytes of memory, and 2^32 time. These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity."

The attack is less practical than the recent A5/1 crack, though, according to Karsten Nohl.  Nohl says that the new method requires the collection of "several million known plaintexts" to recover a single key.  Roughly one usable plaintext is transmitted per second, so collecting enough against a particular target could require a long period of data gathering.  More fundamentally, the attack assumes the attacker can obtain encryptions under four keys related by chosen differences, something a GSM or 3G network does not hand out, so the result is a break of the cipher as a mathematical object rather than a ready-to-use interception tool.  It also takes about two hours to recover the key on a single PC, though the researchers said a cluster could cut this to a manageable time.

KASUMI (A5/3) is a tweaked version of MISTY1, a cipher designed by Mitsuru Matsui's team at Mitsubishi Electric.  The original MISTY1 is more computationally intensive than the KASUMI variant but also more secure: the changes that made KASUMI cheaper in hardware, notably its simplified, XOR-linear key schedule, are what the related-key attack exploits, and the researchers note that no published attack breaks MISTY1 itself faster than exhaustive search.
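As an added example that is not code from the paper or the original article, the following toy demonstrates both the attack shape quoted above (a probability-1 related-key differential through every round but one, then guessing the last subkey) and the MISTY-versus-KASUMI point. The cipher, its round function `f`, the constants and the difference `DELTA` are all my assumptions, scaled down to a 32-bit block and a 32-bit key so the whole attack runs in a few seconds. KASUMI's real key schedule is XOR-linear (key words rotated and XORed with constants), which `linear_schedule` imitates; MISTY1 passes key words through its nonlinear FI function before use, which `nonlinear_schedule` imitates by passing them through `f`.

```python
"""Related-key differential attack on a toy Feistel cipher (constructed
example, not KASUMI or the Weizmann code).  32-bit block, key words K0, K1,
ROUNDS rounds.  With the linear key schedule a master-key difference
(DELTA, 0) becomes a KNOWN pattern of subkey differences; choosing the
plaintext difference to cancel them gives a probability-1 differential over
ROUNDS-1 rounds, and the last round is peeled off by guessing its subkey
('distinguisher + single remaining round').  A nonlinear (MISTY-style)
schedule hides the subkey differences and the same attack collapses."""
import random

MASK16 = 0xFFFF
ROUNDS = 6
DELTA = 0x2A5C        # attacker-chosen key/plaintext difference (assumption)
CONSTS = [0x9E37, 0x79B9, 0x7F4A, 0x7C15, 0xF39C, 0xC0C9]
PREDICTED_DIFF = DELTA << 16   # state difference (DELTA, 0) after ROUNDS-1 rounds


def f(x):
    """Nonlinear 16-bit round function; modular multiply is not XOR-linear."""
    x = (x * 0x9E37 + 0x3C6F) & MASK16
    x ^= x >> 7
    x = (x * 0x6D2B + 0x1B57) & MASK16
    x ^= x >> 9
    x = (x * 0xA4D3 + 0x7F31) & MASK16
    return x ^ (x >> 5)


def linear_schedule(k0, k1):
    """KASUMI-like: subkeys are key words XOR constants.  Rounds 0..4 use
    K0, K1, K0, K1, K0; round 5 uses K0 ^ K1.  A difference DELTA in K0 thus
    gives subkey differences DELTA, 0, DELTA, 0, DELTA, DELTA."""
    words = (k0, k1)
    return [words[i % 2] ^ CONSTS[i] for i in range(ROUNDS - 1)] + [k0 ^ k1 ^ CONSTS[-1]]


def nonlinear_schedule(k0, k1):
    """MISTY-like: key words pass through f, so subkey differences depend on K."""
    return [f(rk) for rk in linear_schedule(k0, k1)]


def encrypt(pt, rks):
    l, r = pt >> 16, pt & MASK16
    for rk in rks:
        l, r = r, l ^ f(r ^ rk)      # one Feistel round
    return (l << 16) | r


def differential_rate(schedule, k0, k1, rng, trials=200):
    """How often pt under K and pt ^ DELTA under K ^ (DELTA, 0) differ by
    PREDICTED_DIFF after ROUNDS-1 rounds: 1.0 linear, about 0 nonlinear."""
    rks = schedule(k0, k1)[:ROUNDS - 1]
    rks_rel = schedule(k0 ^ DELTA, k1)[:ROUNDS - 1]
    hits = 0
    for _ in range(trials):
        pt = rng.getrandbits(32)
        hits += (encrypt(pt, rks) ^ encrypt(pt ^ DELTA, rks_rel)) == PREDICTED_DIFF
    return hits / trials


def recover_last_subkey(pairs):
    """Guess the last subkey g, undo the last round of both ciphertexts and
    keep guesses that reproduce the predicted 5-round difference on every
    pair.  g = rk and g = rk ^ DELTA both survive (f's derivative at DELTA is
    symmetric under that shift); other guesses fail with overwhelming odds."""
    survivors = []
    for g in range(1 << 16):
        for c, c_rel in pairs:
            l, r, l_rel, r_rel = c >> 16, c & MASK16, c_rel >> 16, c_rel & MASK16
            # one Feistel round backwards: L_prev = R ^ f(L ^ rk), R_prev = L
            l_prev, l_prev_rel = r ^ f(l ^ g), r_rel ^ f(l_rel ^ g ^ DELTA)
            if l != l_rel or (l_prev ^ l_prev_rel) != DELTA:
                break
        else:
            survivors.append(g)
    return survivors


def recover_key(subkey_candidates, known):
    """K0 ^ K1 is now known, so brute-force K0 alone (2**16 trials, not 2**32)."""
    for g in subkey_candidates:
        for k0 in range(1 << 16):
            k1 = g ^ CONSTS[-1] ^ k0
            rks = linear_schedule(k0, k1)
            if all(encrypt(pt, rks) == ct for pt, ct in known):
                return k0, k1
    return None


def run_attack(seed=1234):
    rng = random.Random(seed)
    k0, k1 = rng.getrandbits(16), rng.getrandbits(16)
    rks, rks_rel = linear_schedule(k0, k1), linear_schedule(k0 ^ DELTA, k1)
    pairs = []
    for _ in range(16):            # 16 related-key chosen-plaintext pairs
        pt = rng.getrandbits(32)
        pairs.append((encrypt(pt, rks), encrypt(pt ^ DELTA, rks_rel)))
    cands = recover_last_subkey(pairs)
    known = [(pt, encrypt(pt, rks)) for pt in (rng.getrandbits(32), rng.getrandbits(32))]
    return {"true_key": (k0, k1), "recovered_key": recover_key(cands, known),
            "subkey_candidates": cands,
            "linear_rate": differential_rate(linear_schedule, k0, k1, rng),
            "nonlinear_rate": differential_rate(nonlinear_schedule, k0, k1, rng)}


if __name__ == "__main__":
    print(run_attack())
```

The work is dominated by two 2^16 loops, which is what "the complexities are so small" means in the quote: once a probability-1 distinguisher covers all but one round, the attacker only ever guesses one round's worth of key material. Swapping `linear_schedule` for `nonlinear_schedule` in `run_attack` leaves the attacker unable to predict any subkey difference, so the differential fails at round 0 and nothing downstream works; that is the property the MISTY-to-KASUMI simplification gave up.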

Mr. Nohl says the new research suggests the GSM industry should reconsider KASUMI as it moves away from A5/1.  He states, "The attack should stand as a reminder that A5/3 and any other cipher will need to be replaced eventually.  Hopefully this fact is considered when upgrading GSM."

Currently most of the telecommunications industry has no definite timetable even for rolling out KASUMI on GSM, so it seems doubtful that it will act very fast.  For now, you probably shouldn't say anything on a GSM network that you don't want repeated.



Comments

The point of security
By dflynchimp on 1/15/2010 4:55:50 PM , Rating: 5
In any form is more or less a placebo for the protectee. It's like locks on doors and bars on windows. Yes it will keep most small timers out, or make it so they see it as too much of a hassle to attempt a break-in.

It's impressive that they're able to crack this code in so short a time, but this only proves yet again that given the high cost high power equipment and the determination, a well learned individual or group will prevail in whatever misdeeds they intended to do.

Of course what makes me so confident that my email won't be hacked is the revelation that I'm pretty insignificant in terms of monetary or information value. I guess some days being the small fry does have its fringe benefits.




RE: The point of security
By ChrisHF on 1/15/2010 5:11:26 PM , Rating: 3
But at the same time, the security in this particular case could be greatly enhanced if the cellular providers were more agile in their ability to replace a cracked or threatened scheme.


RE: The point of security
By Qapa on 1/15/2010 6:03:00 PM , Rating: 2
Agree with what you said.

But, can the phone companies roll this out on their own?
Wouldn't we need to have new firmware (at least) on the phones?
Wouldn't this trigger some, not so great companies that wouldn't provide new firmware, to get people out of the phone network?

Well, I guess you get the point: I have no clue on how is this implemented, can anyone provide info?

Thanks


RE: The point of security
By TheRequiem on 1/15/2010 10:10:29 PM , Rating: 2
I relent to the fact that even though I may be insignificant in a massive data-centric pool of 3GPP... it still represents a timed fashion of neglect. Actually, as of this point in time this means nothing. What I see is, a complex cause for distaste, but not an eventual disaster. The cell networks will be upgraded before this can take effect in a practical manner and what I mean by that is, it won't be average people with devices plugging into your sound waves anytime soon. The next generation will be able to hack and modify old GSM networks in attempts to take a swing at broke down equipment for simple satisfaction, but the rest of humanity will be on much more complex than 128-bit encryption schemes.

Should you still be worried? In short, yes... but in what field of danger does this fall under? Especially when there are so many things in this world already that overshadow our daily lively protection rather than someone raining down in on what you're picking up for dinner?


RE: The point of security
By foolsgambit11 on 1/16/2010 12:27:51 AM , Rating: 2
quote:
Of course what makes me so confident that my email won't be hacked is the revelation that I'm pretty insignificant in terms of monetary or information value. I guess some days being the small fry does have its fringe benefits.

While currently, it seems like most non-governmental cell phone snooping is targeted, that doesn't mean a more widespread attack methodology won't become popular in the near future, especially with reduced costs to exploit calls and store data. A company may plant themselves near a cell tower they think may carry important conversations, record everything, and sell it to the highest bidder. They can put all the equipment they need into the trunk of a car already.

The point being, insignificance may not make it less likely that you'll be attacked - it just makes it less likely you'll be damaged by the attack. These days, with the cost for a single exploitation so low, e-mail hackers bundle people together into large groups and get a decent price. Buyers work on what I'm going to call the 'Topps' concept. Like with baseball cards, you may not want everybody in the package, but you hope there's a valuable guy in there to make it worth your while. Cell phone hackers could create a viable business plan doing the same thing.


RE: The point of security
By CSMR on 1/18/2010 7:05:15 AM , Rating: 3
I'm not a security expert but... no-one can break RSA encryption in polynomial time, so isn't it secure at least until quantum computers? More so than "locks and bars" because you can break in to Fort Knox if you have a big army but there isn't a cluster big enough to crack a long RSA key.


Can you hear me now?
By Devo2007 on 1/16/2010 12:33:09 AM , Rating: 5
Can you hear me now? You can? Oh crap! :(




The chances of this working in the field?
By croc on 1/16/2010 2:42:53 AM , Rating: 2
...Somewhere between slim, and none. Slim, if you are stock-still, only homed in on one tower, and are the only user on that tower. Another user hops on that tower? Frequencies get re-assigned. New keys get exchanged. Change towers? Same scenario. Now, if one somehow manages to get inside of the wireless core, everything changes. THAT'S where the real security needs to take place, not so much on the radio side.




By TheEinstein on 1/16/2010 1:00:52 PM , Rating: 2
You're incorrect.

In New York City I cannot see a tower changing EVERYONES keys the moment a new call is made by someone new.

This from my view sounds like a brilliant approach... I can think this must be the backdoor in AES as well perhaps... I should see if this can be done.


By pkoi on 1/16/2010 11:47:11 AM , Rating: 2
FTFY




Verizon and CDMA
By JonB on 1/17/2010 8:02:04 PM , Rating: 1
Looks like Verizon made a good choice by avoiding the GSM system. CDMA is a much tougher nut to crack.




Several million
By rvertrees on 1/15/10, Rating: -1
RE: Several million
By zpdixon on 1/15/2010 10:08:42 PM , Rating: 5
1 million seconds is 11.6 days.

Given your math skills, you are probably not qualified to comment on the result of this cryptanalysis... Also attacks only get better, never worse, over time.


RE: Several million
By ekv on 1/16/2010 3:51:49 AM , Rating: 2
To be fair, I don't think he'd have his phone on for 11.6 days straight. I don't have a cell, but aren't most plans at 300 or so minutes per month.

I agree however that attacks only get better. GSM would be wise to hire Adi Shamir -- one bad a** dude (cryptographically speaking).

Having said that, why the hell doesn't GSM just use AES? is it some kind of licensing / money problem?


RE: Several million
By Solandri on 1/17/2010 2:23:48 AM , Rating: 2
quote:
Having said that, why the hell doesn't GSM just use AES? is it some kind of licensing / money problem?

If I had to guess, I'd say it's because of politics. AES is a U.S. government standard, and GSM began as a European standard. (Though to be fair, hardware AES probably wasn't fast enough at the time GSM was initially standardized to encrypt the real-time data streams needed for a cell phone conversation. It should be plenty fast enough now, since hardware AES is included in most contemporary wireless routers.)


RE: Several million
By Nil Einne on 1/17/2010 3:16:14 AM , Rating: 3
Why not? I rarely turn off my phone. In some cases when I want to make sure it doesn't do anything, I do, but this isn't that common. For ordinary meetings and the like, IMHO just turning it to silent is fine as when I'm sleeping or don't want to be disturbed. I think many people do the same.

300 minutes is referring to call/talk minutes. The article didn't specify that a plaintext is only sent while in a call, presuming it's sent all the time while the phone is in contact with a tower, then minutes are irrelevant (in any case, many people in the world are on prepay and don't have minutes although many would use less than 300 minutes).


RE: Several million
By Pessimism on 1/18/2010 9:06:34 AM , Rating: 2
11.6 days? This is nothing for the average teenage girl.


Copyright 2014 DailyTech LLC.