backtop


Print 51 comment(s) - last by formulav8.. on Jan 5 at 1:56 PM


The cat's out of the bag -- after 28 years the 64-bit A5/1 algorithm that encrypts over 3.5 billion users' cell phone traffic, has been cracked and the results published.  (Source: Suldog)
Cell phone industry group calls the research "illegal"; insists that there is little threat

For 21 years, the same encryption algorithm, A5/1, has been employed to protect the privacy of calls under the Global Systems for Mobile communications (GSM) standard.  With the GSM standard encompassing 80 percent of calls worldwide (AT&T and T-Mobile use it within the U.S.) -- far more than the leading rival standard CDMA -- this could certainly be considered a pretty good run.  However, someone has finally deciphered and published a complete analysis of the standard's encryption techniques in an effort to expose their weaknesses and prompt improvement.

Karsten Nohl, a 28-year-old German native, reportedly cracked the code and has published his findings to the computer and electronics hacking community.  Mr. Nohl, who cites a strong interest in protecting the privacy of citizens against snooping from any party, says that his work showcases the outdated algorithms' flaws.

At the Chaos Communication Congress, a four-day conference of computer hackers that runs through Wednesday in Berlin, he revealed his accomplishments.  He describes, "This shows that existing GSM security is inadequate.  We are trying to push operators to adopt better security measures for mobile phone calls."

The GSM Association, the London-based group that developed the standard and represents wireless companies, was quick to blast the publication calling Mr. Nohl's actions illegal and counterintuitive to the desire to protect the privacy of mobile phone calls.  However, they insist that the publication in no way threatens the standard's security.

Claire Cranton, an association spokeswoman, confirmed that Mr. Nohl was the first to break the code, commenting, "[Security threats from the publication of this standard are] theoretically possible but practically unlikely.  What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me."

Mr. Nohl attended college in the U.S. and received a PhD in computer engineering from the University of Virginia.  Via a similar publication, he managed to convince the DECT Forum, a separate standards group based in Bern, to upgrade its own security algorithm, improving the protection to the standard's 800 million customers in the process.

And while the trade group is only on yellow alert, some security experts disagree with the group's threat analysis, as well, saying the threat could be far more serious.  One expert suggested that calls may soon need to be scanned for malicious activity, much as an antivirus scanner works on a computer.

Stan Schatt, a vice president for health care and security at the technology market researcher ABI Research in New York, opines, "Organizations must now take this threat seriously and assume that within six months their organizations will be at risk unless they have adequate measures in place to secure their mobile phone calls."

The process of cracking the algorithm involved the help of 24 members of the Chaos Computer Club in Berlin, who helped generate the random combinations needed to try and reproduce the standard's code book, so to speak.  The vast log of binary combinations forms the basis of the A5/1 encryption -- and how to undo it.  And it's now on torrents worldwide.

Despite that, Mr. Nohl insists that his actions aren't illegal.  He says he took great precautions to make sure his work was kept purely academic, in the public domain, and that it was not used to crack any actual digital telephone calls.  He states, "We are not recommending people use this information to break the law.  What we are doing is trying to goad the world’s wireless operators to use better security."

A5/1 is a 64-bit security algorithm.  Despite this particular algorithm's run, 64-bit encryption is considered weaker by today's standards.  Today 128-bit algorithms are considered to be strong enough to protect most data.  The GSM Association has devised a 128-bit successor to A5/1, dubbed A5/3, but it has failed to push the standard out across much of the industry.

The Association claims that there's little danger of calls being intercepted as hackers would have to pick one call stream out of thousands at a cell phone tower.  They say that this would take prohibitively expensive sophisticated equipment and software.  Security experts disagree with this assessment -- including Mr. Nohl who pointed out that there was a wealth of open source software and cheap equipment to accomplish exactly those sort of objectives. 

Simon Bransfield-Garth, the chief executive of Cellcrypt, a company based in London that sells software, agrees, saying that the publications opens call interception to "any reasonable well-funded criminal organization".  He adds, "This will reduce the time to break a GSM call from weeks to hours.  We expect as this further develops it will be reduced to minutes."

Why is that a big deal?  Over 3.5 billion people use GSM worldwide, including 299 million in North America.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: 64 bit?
By FITCamaro on 12/29/2009 7:49:56 PM , Rating: 2
You are correct. US law requires that the government be able to eavesdrop on any communication taking place. Same goes for most other advanced nations.


RE: 64 bit?
By leexgx on 12/31/2009 9:20:36 AM , Rating: 2
the 64bit Encryption is only from phone to cell tower so they would listen on the tower or routed via the eavesdrop equipment (i know its more complicated then that but snooping on the phone call over the air would require a lot of compute power)


RE: 64 bit?
By amagriva on 1/3/2010 11:46:07 AM , Rating: 1
Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety.

Other advanced nations?

You meant that US can spy other advanced nations with Echelon?

In real advanced nations to tap phones you need a judge's order.

Years of Bush brainwashing have accomplished the mission...
You got chains without knowing it...


"Death Is Very Likely The Single Best Invention Of Life" -- Steve Jobs














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki