GSM Encryption Cracked... GSMA's First Response? That's Illegal!

from the yeah,-because-the-eavesdroppers-care dept

The big news in security circles this week is that a security researcher claims to have cracked the encryption used to keep GSM mobile phone calls private. It looks like he and some collaborators used a brute force method. He admits that it requires about $30,000 worth of equipment to decrypt calls in real time, but that's pocket change for many of the folks who would want to make use of this. What's much more interesting (and worrisome) is the GSM Association's (GSMA) response to this news:
"This is theoretically possible but practically unlikely," said Claire Cranton, an association spokeswoman. She said no one else had broken the code since its adoption. "What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me."
There are so many things wrong with that statement it's hard to know where to begin. First, claiming it's "theoretically possible, but practically unlikely" means that it's very, very possible and quite likely. To then say that no one else had broken the code since its adoption fifteen years ago is almost certainly false. What she means is that no one else who's broken the code has gone public with it -- probably because it's much more lucrative keeping that info to themselves. Next, blaming the messenger by announcing that cracking the code is "illegal in Britain and the United States" is not what anyone who uses a GSM phone should want to hear. They should want to know how the GSMA is responding to and fixing the problem -- not how it's responding to the public release. Finally, if it's "beyond" her how cracking a code used for private conversations, and showing that it's insecure, has anything to do with being concerned about "privacy" -- she should be looking for a different job. This has everything to do with privacy. The GSMA claims that the code is secure for private conversations, and this group of folks is showing that it is not.


Reader Comments

  1.  
    Ben (profile), Dec 29th, 2009 @ 3:24pm

    A5/3

    A5/3, the next encryption level up, has been ignored for many years by a lot of the networks who considered it too costly to implement considering A5/1 was so 'safe'. I wonder now how many will make the transition?

    Since 2006 handset manufacturers have been mandated to remove support for A5/2 (much easier to crack) so that the phone is safe (with no real change to networks). This means your expensive new phone likely won't work in poorer, non-western countries who are only allowed A5/2. A5/1 is likely to go a similar way in the next 5 years, assuming of course traditional voice networks remain. My guess is all future voice will go VoIP with lovely AES etc etc.

     


  2.  
    John, Dec 29th, 2009 @ 3:27pm

    /sigh

    Those concerned about security and privacy had best converse inside a sealed, lead encased room. There's no such thing as privacy anymore.

     


  3.  
    Max, Dec 29th, 2009 @ 3:56pm

    Re: /sigh

    I think you need to use the Cone of Silence

     


  4.  
    The Infamous Joe (profile), Dec 29th, 2009 @ 4:13pm

    Re: Re: /sigh

    Well played.

     


  5.  
    Marcus Carab (profile), Dec 29th, 2009 @ 4:20pm

    Re: /sigh

    Perhaps. But at the same time, service providers should not guarantee a level of privacy that does not exist and that they apparently have no intention of working to maintain.

     


  6.  
    Nelson Cruz (profile), Dec 29th, 2009 @ 4:36pm

    Blame it on France

    Blame it on France for not wanting A5/1 to be a stronger algorithm. France wanted authorities to be able to easily tap on conversations. Honestly I'm even surprised it took so long to be "broken".

     


  7.  
    sehlat (profile), Dec 29th, 2009 @ 4:38pm

    Ms. Cranton obviously worships the Goddess of Institutional Inertia

    And the Goddess of Institutional Inertia is also known as laziness.

     


  8.  
    CHExecutie, Dec 29th, 2009 @ 5:24pm

    Voip

    How about free calls? How about 5 second ads played before the call? Why do we even put up with these phone companies anyway?
    Who's with me!

     


  9.  
    vgs, Dec 29th, 2009 @ 5:27pm

    Voip

    How about free calls? How about 5 second ads played before the call? Why do we even put up with these phone companies anyway?
    Who's with me!

     


  10.  
    Rooker, Dec 29th, 2009 @ 5:30pm

    I guess that solves that. Nobody will ever snoop on a phone call because it's illegal to do that. And nobody ever uses a cell phone outside the US or UK. Ever. Got it.

     


  11.  
    Zaphod (profile), Dec 29th, 2009 @ 5:33pm

    $30,000 ? Try $2,000!

    Back around September 8th Steve Gibson of Gibson Research Corp. (grc.com) told all the nitty-gritty about how to crack GSM nearly on the fly. All that is needed is a couple of terabyte HDDs (Rainbow Tables), a laptop, and a special radio device.

    He told all on his podcast "Security Now". The podcast with all the pertinent info is here:

    http://twit.tv/sn213

    Transcript here:

    http://www.grc.com/sn/sn-213.txt

    That should put an end to the cell companies blowing smoke up places it doesn't belong. Also, it's amazing the cell providers kept a lid on it this long!

     


  12.  
    Bengie, Dec 29th, 2009 @ 6:06pm

    CDMA?

    Good reason to use CDMA?

     


  13.  
    Robert Ring (profile), Dec 29th, 2009 @ 6:42pm

    This is laughable. "This is illegal. No one committing a crime would use an illegal method to do so. Therefore you are all safe. Sheep."

     


  14.  
    slander (profile), Dec 29th, 2009 @ 7:05pm

    Re: Voip

    One of them (him?) is redundant.

     


  15.  
    thornintheside, Dec 29th, 2009 @ 7:44pm

    government already had the codes

    Did he expose what our government and various security agencies have used for years to eavesdrop on cell calls?

     


  16.  
    Christopher Froehlich (profile), Dec 29th, 2009 @ 8:05pm

    Re: government already had the codes

    Exactly. The US had the signals intelligence to do this as early as 2003 and the Brits were certainly ahead of us by that point. Historically, Britain has been years ahead of the US in signals intelligence; but the problem for US operations was not the decryption of the individual frequencies but the multi-frequency modulation of the unique call. This is possible with the right dedicated equipment, but mobile platforms generally had to sacrifice GSM capability due to the overhead. At any rate, all of the problems with GSM intercept have largely been solved for some time in military/DoD operations--that anyone would suggest otherwise is laughable.

     


  17.  
    :), Dec 29th, 2009 @ 9:28pm

    Make a lot of Live USBs and show it to the world :)

    http://en.wikipedia.org/wiki/Live_usb_creator

    Microsoft wouldn't dream of doing this.

    That is why to create a live Windows CD you have to go through an extensive marathon of steps to accomplish this simple task.

     


  18.  
    a hacker, Dec 29th, 2009 @ 9:38pm

    we dont care bout your stinkin laws no more

    stuff you

     


  19.  
    Jari Winberg, Dec 29th, 2009 @ 9:58pm

    Re: Re: government already had the codes

    There's no need for governments to crack any encryptions on radio network, at least not in the every day surveillance/eavesdropping. Lawfully Authorized Electronic Surveillance is a functionality in core network.

     


  20.  
    Azrael, Dec 29th, 2009 @ 11:59pm

    Re: CDMA?

    Nope, it's even worse - all you need to snoop on it is a cloned phone.

     


  21.  
    Yakko Warner, Dec 30th, 2009 @ 7:56am

    Re:

    But if you outlaw phone snooping, only the outlaws will snoop phones...

     


  22.  
    Anonymous Coward, Dec 30th, 2009 @ 10:06am

    Re: Re: Re: /sigh

    I'm getting tired of the over/mis use of "Well Played"

    Just Saying.

     


  23.  
    Anonymous Coward, Dec 30th, 2009 @ 10:09am

    Re: we dont care bout your stinkin laws no more

    I'm getting tired of the over/mis use of "Stuff You"

    Just Saying.

     


  24.  
    Benjie, Dec 30th, 2009 @ 5:26pm

    Cloned phones

    Some day they will just switch over to VOIP and public key plus symmetric key would make it near impossible to eavesdrop without access to the carrier.

    If all the low level communication was also done via encryption, it would be impossible to even listen in on a CDMA data stream.

    GSM is less secure.

     


  25.  
    Tangoman, Jan 4th, 2010 @ 4:49am

    GSMA response

    So, has GSMA come with a newer response?

     
