GSM Encryption Cracked… GSMA's First Response? That's Illegal!

from the yeah,-because-the-eavesdroppers-care dept

The big news in security circles this week is the fact that a security researcher claims to have cracked the encryption used to keep GSM mobile phone calls private. It looks like he and some collaborators used a brute force method. He admits that it requires about $30,000 worth of equipment to decrypt calls in real time, but that’s pocket change for many of the folks who would want to make use of this. What’s much more interesting (and worrisome) is the GSM Association’s (GSMA) response to this news:

“This is theoretically possible but practically unlikely,” said Claire Cranton, an association spokeswoman. She said no one else had broken the code since its adoption. “What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.”

There are so many things wrong with that statement it’s hard to know where to begin. First, claiming it’s “theoretically possible, but practically unlikely” means that it’s very, very possible and quite likely. To then say that no one else had broken the code since its adoption fifteen years ago is almost certainly false. What she means is that no one else who’s broken the code has gone public with it — probably because it’s much more lucrative keeping that info to themselves. Next, blaming the messenger by announcing that cracking the code is “illegal in Britain and the United States” is not what anyone who uses a GSM phone should want to hear. They should want to know how the GSMA is responding and fixing the problem — not how they’re responding to the public release. Finally, if it’s “beyond” her why cracking a code used for private conversations and showing that it’s insecure is all about being concerned about “privacy” — she should be looking for a different job. This has everything to do with privacy. The GSMA claims that the code is secure for private conversations, and this group of folks is showing that it is not. That seems to have everything to do with privacy.

Companies: gsma


Comments on “GSM Encryption Cracked… GSMA's First Response? That's Illegal!”

25 Comments
Ben (profile) says:

A5/3

A5/3, the next encryption level up, has been ignored for many years by a lot of the networks who considered it too costly to implement considering A5/1 was so ‘safe’. I wonder now how many will make the transition?

Since 2006 handset manufacturers have been mandated to remove support for A5/2 (much easier to crack) so that the phone is safe (with no real change to networks). This means your expensive new phone likely won’t work in poorer, non-Western countries who are only allowed A5/2. A5/1 is likely to go a similar way in the next 5 years, assuming of course traditional voice networks remain. My guess is all future voice will go VoIP with lovely AES etc etc.

Zaphod (profile) says:

$30,000 ? Try $2,000!

Back around September 8th Steve Gibson of Gibson Research Corp. (grc.com) told all the nitty-gritty about how to crack GSM nearly on the fly. All that is needed is a couple of terabyte HDDs (Rainbow Tables), a laptop, and a special radio device.

He told all on his podcast “Security Now”. The podcast with all the pertinent info is here:

http://twit.tv/sn213

Transcript here:

http://www.grc.com/sn/sn-213.txt

That should put an end to the cell companies blowing smoke up places it doesn’t belong. Also, it’s amazing the cell providers kept a lid on it this long!

Christopher Froehlich (profile) says:

Re: government already had the codes

Exactly. The US had the signals intelligence to do this as early as 2003 and the Brits were certainly ahead of us by that point. Historically, Britain has been years ahead of the US in signals intelligence; but the problem for US operations was not the decryption of the individual frequencies but the multi-frequency modulation of the unique call. This is possible with the right dedicated equipment, but mobile platforms generally had to sacrifice GSM capability due to the overhead. At any rate, all of the problems with GSM intercept have largely been solved for some time in military/DoD operations–that anyone would suggest otherwise is laughable.
