

GSM encryption broken - tfincannon
http://www.nytimes.com/2009/12/29/technology/29hack.html

======
tptacek
It's nice to see people still follow the old security PR playbook:

[http://chargen.matasano.com/chargen/2009/4/1/how-to-
hidehhha...](http://chargen.matasano.com/chargen/2009/4/1/how-to-hidehhhandle-
security-vulnerabilities-in-your-product.html)

The "modern" game Microsoft plays is boring. It acknowledges and thanks
researchers, often accepts worst-case assessments of impact, and fast-tracks
fixes. What they don't understand is that our stories need an antagonist,
someone we can name and pillory. Thanks, Claire Cranton at GSM.com, for giving
us one.

~~~
alyx
What does Microsoft have to do with the cracking of the GSM encryption code?

~~~
tptacek
Microsoft has more experience handling security disclosures than any other
organization. The GSM manufacturers apparently have very little comparable
experience. I'm just contrasting the two.

( _I upvoted you; it's a fair question._ )

------
jrockway
_“What he is doing would be illegal in Britain and the United States.”_

Hmm, guess which two countries he is not doing this in. I am not sure how this
is relevant, except to say, "oh fuck." (If you can't attack the argument,
attack the person who's arguing.)

 _To do this while supposedly being concerned about privacy is beyond me._

Now I know for sure that I need to encrypt my calls in another way. Before
this announcement, I figured it was handled for me; I didn't assume that
criminals had already broken the crypto and had kept the information secret.
Now I am sure they have, and that my non-encrypted calls are obviously being
monitored. (I exaggerate a bit, but it's clear how this disclosure enhances my
privacy.)

Not sure why the GSM folks are taking this so seriously. Computers are fast.
64-bit encryption has been unsafe for nearly a decade. Everyone knows that
this was going to happen eventually.

Edit: after reading the slides, I am really amazed by this. I remember when I
was a kid and I used to listen in on cordless phones and baby monitors with my
radio scanner. It was really, really interesting. The thought of sitting on
the train and listening to both sides of people's cell-phone calls appeals to
me in a way that I can't quite explain.

~~~
tptacek
In fairness, or whatever, the problem with A5/1 isn't simply that it's got a
64-bit key, but that it's a uniquely bad stream cipher prone to linear
equation-style attacks and precomputation. Nate, Colin, or Bruce may smack me
down for saying this, but I don't think you can apply the same attacks to,
say, RC5.

For roughly a decade, pretty much anyone who attended more than one local 2600
meeting got the tech demo on snooping cell phone calls --- they were analog.
Everything old is new again. It's nice that encrypted digital calls were so
successful that the loss of their security is major news.

~~~
jrockway
Yeah, you are right. The impression that I got from the NYT article was that
this was "given a trace and a bunch of computers, you can get the voice
data... maybe, eventually", but the impression that I get from the talk is
that it is actually realtime. That requires weaknesses in the crypto that are
embarrassing for anything 1980s or 1990s vintage. I don't think this attack
would be feasible if they used DES instead. (I will defer to you or cperciva
for that one, however :)

~~~
siculars
what i got from the 3c talk is that the data stream is on the order of 80MB/s
(tx/rx, because they need to record the entire spectrum due to frequency
modulation) and that currently they have not found a way, it seems due to lack
of fpga programming skillz, to decode in real time. it seems like they are
recording and then decoding some time later via their 2TB lookup table. Even
with the 64bit keyspace the lookup table is 2TB because its a rainbow lookup
which means that only certain values at certain intervals are stored.

------
wrs
If GSM was not already broken, how do all of these products work?

<http://www.google.com/search?q=gsm+passive+intercept>

The point of the presentation is not that GSM has been broken; it's to make it
so blatantly, obviously, publicly broken that the public (i.e., corporate IT
departments) will have to pay attention.

~~~
tptacek
It seems likely that to the extent that things like the GSS-ProA suitcase
interceptors crack A5/1, they do it with special-purpose hardware. A practical
software attack is news.

------
jeremyw
To clarify a few points (I had them confused):

\- If you have an iPhone 3G signal (for example), you're using UMTS (not GSM),
which has longer encryption keys (128-bit) and an enhanced protocol. Brute-
forcing this keyspace (as in the CCC paper) is unlikely, though they mention
the cipher (KASUMI) is "academically broken".

\- Neither system has end-to-end privacy. Data is encrypted to your operator's
equipment. All other hacks apply.

NYT: _In 2007, the GSM developed a 128-bit successor to the A5/1, called the
A5/3 encryption algorithm, but most network operators have not yet invested to
make the security upgrade._

As far as I can determine, this is wrong. Europe has UMTS broadly deployed and
the US came late to this party.

For more: <http://www.google.com/search?q=umts+encryption>

------
atamyrat
For more technical info, here's the link to presentation at CCC
[http://lists.lists.reflextor.com/pipermail/a51/attachments/2...](http://lists.lists.reflextor.com/pipermail/a51/attachments/20091228/3267f143/attachment-0001.pdf)

~~~
stse
Unofficial video torrents can be found at <http://rnmshot.dvrdns.org/>

------
Dilpil
Links to a registration prompt. If anyone is really interested in reading
this, google the URL.

~~~
mrduncan
Clickable:
[http://www.google.com/search?q=Code+That+Protects+Most+Cellp...](http://www.google.com/search?q=Code+That+Protects+Most+Cellphone+Calls+Is+Divulged)

Deleting cookies for nytimes.com will also do the trick.

------
cnvogel
The summary of the talk given on the 26'th Chaos Communication Congress can be
found on the 26c3 wiki, it includes a link to the slides:

[http://events.ccc.de/congress/2009/Fahrplan/events/3654.en.h...](http://events.ccc.de/congress/2009/Fahrplan/events/3654.en.html)

Video recordings can be found on:

<http://events.ccc.de/congress/2009/wiki/Streaming#Unofficial>

(the ones on 26c3.ipv6only.org are good, but, as the name suggests, accessible
via IPv6 only)

------
Dmatig
I'm not sure of the specific relevence to this article, since it was a good
while ago i listened the details mostly escape my memory, but you can grab a
good background on why GSM is insecure listening here: <http://twit.tv/sn213>

------
teeja
Here goes another wave of plastic & silicon hitting the world's dumpgrounds.

If we made less hardware and more software, the world would thank us for it.

------
3pt14159
How is this news? I've known for months that a 100+ petabyte server and a
massive rainbow table can crack the encryption of GSM phones.

~~~
bartman
They are down to ~2TB for rainbow tables, calculated on GPUs, making cracking
feasible. Also, the code and knowledge is put into the public:
<http://reflextor.com/trac/a51/wiki>

------
wendroid
I sent this to press@gsm.com, the email address of Claire Cranton, quoted in
the article :

Dear Ms. Cranton,

[http://www.nytimes.com/2009/12/29/technology/29hack.html?_r=...](http://www.nytimes.com/2009/12/29/technology/29hack.html?_r=1)

“This is theoretically possible but practically unlikely,” said Claire
Cranton, a GSM spokeswoman, noting that no one else had broken the code since
its adoption. “What he is doing would be illegal in Britain and the United
States. To do this while supposedly being concerned about privacy is beyond
me.”

A set of incredible admissions.

* This is theoretically possible but practically unlikely

GSM 64bit encryption is broken. Not theoretically but actually. The likelihood
of it happening to someone now depends on the value of the calls.

* no one else had broken the code since its adoption.

And now they have, that's the point

* would be illegal in Britain and the United States

I don't think criminals are deterred by such niceties and they are hardly
likely to reveal their source while extorting money from me or making insider
trades

* To do this while supposedly being concerned about privacy is beyond me

Knowing that my handset can be eavesdropped by people outside of the law is
the ultimate privacy concern. That you don't understand this is beyond me.

> The association noted that hackers intent on illegal eavesdropping would
> need a radio receiver system and signal processing software to process raw
> radio data, much of which is copyrighted.

Again, copyright infringement would be very low on the list of criminal
organisations.

Your response beggars belief, except it is perfectly reasonable viewed through
the lens of PR.

Yours sincerely

 __ __ __ __

~~~
wendroid
Subsequently the reply : (woo I'm a journalist!)

Dear Sir

Please find below my full reply to the journalist's enquiry.

Regards, Claire Cranton. ~~~~~~~~~~~~~~~~~~~~~~~~

We have been asked about this a number of times and the industry position is
below. A5/1 has been in existence for a long time and so we have developed
A5/3 as a migratory strategy for operators. However what I'd like to stress is
that this activity is highly illegal and in the UK would be a serious RIPA
offence as it probably is in most countries, it is likely also to contravene
IPR. The GSMA heads up a security working group which looks at all issues re
security and this isn't something that we take lightly at all.

Best wishes Claire

STATEMENT ON GSM ENCRYPTION GSM networks use encryption technology to make it
difficult for criminals to intercept and eavesdrop on calls. On most GSM
networks, the communications link between the handset and the radio base
station uses the A5/1 privacy algorithm to scramble the signal.

Over the past few years, a number of academic papers setting out, in theory,
how the A5/1 algorithm could be compromised have been published. However, none
to date have led to a practical attack capability being developed against A5/1
that can be used on live, commercial GSM networks.

Reports of an imminent GSM eavesdropping capability are common. The GSMA,
which welcomes research designed to improve the security of communications
networks, routinely monitors the work of groups in this area. In 2007-8, a
hacking group claimed to be building an attack on A5/1 by constructing a large
look-up table1 of approximately 2 Terabytes - this is equivalent to the amount
of data contained in a 20 kilometre high pile of books. In theory, someone
with access to the data in such a table could use it to analyse an encrypted
call and recover the encryption key.

Another group has announced similar plans in 2009. However, before a practical
attack could be attempted, the GSM call has to be identified and recorded from
the radio interface. So far, this aspect of the methodology has not been
explained in any detail and we strongly suspect that the teams attempting to
develop an intercept capability have underestimated its practical complexity.
A hacker would need a radio receiver system and the signal processing software
necessary to process the raw radio data. The complex knowledge required to
develop such software is subject to intellectual property rights, making it
difficult to turn into a commercial product.

Today, mobile networks are typically configured to optimise call set-up times,
capacity and other aspects related to operational efficiency. But mobile
operators could, if it ever proved necessary, quickly alter these
configurations to make the 1 A definition of a lookup table is available at
<http://en.wikipedia.org/wiki/Lookup_table> interception and deciphering of
calls considerably harder. Moreover, intercepting a mobile call is likely to
constitute a criminal offence in most jurisdictions.

All in all, we consider this research, which appears to be motivated in part
by commercial considerations, to be a long way from being a practical attack
on GSM. More broadly, A5/1 has proven to be a very effective and resilient
privacy mechanism. By comparison, inexpensive and readily available radio
scanners could be used to intercept calls on the analogue cellular networks
that pre-dated GSM and which did not use encryption.

The mobile industry is committed to maintaining the integrity of GSM services
and the protection and privacy of customer communications is at the forefront
of operators' concerns. The GSMA has been working to further enhance privacy
protection on GSM networks and has developed a new high-strength algorithm,
A5/3. Over the past decade, export control agencies have removed many of the
traditional barriers to the sale of cryptographic technologies enabling the
development and use of A5/3. This new privacy algorithm is being phased in to
replace A5/1. \- Show quoted text - The GSMA represents the interests of the
worldwide mobile communications industry. Spanning 219 countries, the GSMA
unites nearly 800 of the world's mobile operators, as well as more than 200
companies in the broader mobile ecosystem. Visit www.gsmworld.com and
www.mobileworldlive.com for more information.

It also produces the premier industry events including Mobile World Congress
in Barcelona www.mobileworldcongress.com and Mobile Asia Congress
www.mobileasiacongress.com

~~~
moe
_a large look-up table1 of approximately 2 Terabytes - this is equivalent to
the amount of data contained in a 20 kilometre high pile of books_

I don't understand. Can someone please translate to libraries of congress?

~~~
paulbaumgart
I agree... it's a ridiculous description, and obviously the point is to
confuse a less technical person into thinking 2 TB requires more than a single
top-of-the-line HDD to store.

