Slashdot Mirror
Cracking GSM
RobertM writes "Professor Eli Biham, one of the worlds most famous crypto analysts, together with two of his students presented an interesting paper on flaws in GSM at the IACR Crypto conference. The GSM association is not happy. Read more on theReg." There's also a Reuters article about the situation.
I wonder how long it will be till they attempt to use the DMCA to silence him - this is after all a typical scenario for the DMCA to be exploited in order to gag scientists and cryptology experts.
Sadly, I wouldn't at all be surprised to see this end up on chillingeffects in the near future.
The US CIA, UK M5 and Israel Mossad are now hiring people with experience with GSM and crypto experience.
I don't see how this is news, I've known about this for months, I heard them talking about it on their GSM pho- uh, nevermind.
The International Journal of Digital Evidencehas a current article about GSM forensics.
1. Does DCMA and its cousins allow such methods to be patented?
2. Will the phreakers care about patents?
the UK M5 is a road. perhaps you mean MI5?
Illegal interception of calls will be prevented by patenting the technology?
I'm sure that a criminal really cares about patent infringements.
Laws should not be used to shore up broken technology. This only impedes law abiding citizens, and does nothing to improve the protection against crime.
This one arguement against gun control, make them illegal and only criminals will have guns.
Make this illegal and only criminals will listen to your phone call.
Elad, Nathan, Eli Biham and Orr Dunkelman (which was not listed for some reason) are friends of mine at the Technion Israeli Institute of Technology. Their previous attack on A5/1 required a few hundred GB of HD space and dedicated telephony equipment to pull. A5/2 is a peace of cake in comparison. This new attack makes it ciphertext only. That means that you don't have to initiate a short call (for example) to the evesdropee or knowing some part of the call (like with voicemail) before breaking the encryption. It uses the signal correction mechanism to initialize itself.
In general, this is no big news, because this equipment is hard to aquire and the benefits are not that great. In comparison, CDMA and TDMA don't (effectively) encrypt calls at all.
Make even shorter URLs - 8LN.org
"they can hear you now."
"they can hear you now."
From theReg...
Both parties agree that the issue does not affect 3G phones, which use different protocols and security mechanisms than legacy GSM handsets.
Hmmm. If I remember well, other Israeli crypto researchers, including Pr Shamir (of RSA fame, Rivest - Shamir - Adelman) mentioned a couple of years ago that GSM crypto could, theoretically, be cracked almost in real time by a (relatively) low-powered machine.
GSM specialists have known for a number of years now that GSM crypto was not that good. Interestingly enough, GSM crypto was designed by French 'military specialists', which has raised the usual (probably justified) suspicions of backdoors.
Sorry for not being able to produce more info, but I am sure other Slashdotters will have interesting links to supply...
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
The novelety of this attack is that it is instantanous. The cryptanalysis is done one when the call is being established (when the phone just rings) even before any any real conversation is being done.
The exact details are still secret but the attack exploits a misuse of Error Correcting Codes (ECC - are used in communication protocols to correct random noise errors).
It seems that instead of encrypting the conversation and then employing ECC, the GSM does it the other way thus leaking enough data for the cryptanalysis to be performed
Stupid job ads, weird spam, occasional insight at
It has long been suspected that GSM encryption was specificaly designed with some 'weak spot' to allow law-enforcemant monitoring.
Does anyone know if the article is available online?
I'd like to know if this flaw looks more like a mistake or somthing more intentional.
None of the meadia people who spoke about it seem to understand that "Instant Ciphertext-Only Cryptanalysis" means you are effectivly not protected at all.
As of Postgres v6.2, time travel is no longer supported.
At least they point out that the equipment required costs about $250k.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
REMOB anyone?
...."
REMOB (Remote observation mode) is a TSPS console feature of the american telephone system to allow inward ops to monitor a suspected phone that might be "off the hook" prior to interrupting the line for "life or dire emergency" with the 500Hz tone and issuance of the frequently heard phrase "This is the att operator do you wish to disconnect this call you have an emergecy phone call from
but PRIOR to that for 30 second maximum bursts you get to hear an inverterted sound wave... which you can record.
better... the fbi has is setup to cascade overlapping series of REMOB snippets so when one ends (on any CLASS capable ESS r5) another takes over.
This way no interrupt chirp is heard by the victims, and lots of trivially "scrambled' speech can be secretly recorded.
i have never ever ever seen this in print or any edoc in history of phreaking.
I have seen telephon reps state to congree that REMOB did not exist.
it exists.
it does not take outside intercepts (ECHELON) as reported on 60 Minutes, or any NRO or NSA budgets,
it only takes a 6 digit code and the correct connections to do REMOB.
REMOB makes intercepting cell phones laughable in comparison.
besides... the German Gov records ALL cell phones under that alleged statement that in theory it COULD intercept the airwaves anyways if they tried. Remeber the slashdot article?
also the us gov allows no-warrant affixing of GPS locater emmitter bugs under your car frame under the assumption that it could visually track you from their air if they had the money anyways. Remember the Scott peterson case this summer? No initial warrant to put the gps bug on his car.
recording and intercepting ALL cell phone traffic at the point of origin on the LAND LINES is what the fed gov assumes is their right!
no need to mess with intercepts.
July 1983 the us supreme court ruled the public had a right to intercept and use all radio trasmissions INCLUDING call phones. Then they pverturned it partly years later.
today it is LEGAL for the cops to buy and sell equipment to record cell phones, but not the public across state borders. you have to build it from scratch yourself for your own hobbyist needs... and then its legal to use.
but REMOB is far far more humorous.
I know it exists.... first hand
In the bad old days of analog mobile phones, there wasn't even encryption on the signal. You could literally walk into Radio Shack and walk out carrying a scanner capable of receiving mobile phone frequencies. (They eventually banned the sale of scanners capable of receiving those frequencies.) Later, TDMA and CDMA technologies made it more difficult to intercept signals, but all that's required is the right decoder.
Encryption of the call is a fairly recent trend and I think it's a terrific idea, but any encryption can be broken in time. While the odds are low that someone may be listing in, guaranteed privacy is impossible.
I think as a whole, we tend to trust in technology without really understanding it. I'm reminded of two engineering students who were visiting my apartment in college, and showing off their new cell phones by one calling the other. They were quite surprised when I was able to intercept their call with a cheap radio scanner. They had no idea their call was not private, simply assuming that the technology was secure. It wasn't.
"The question is can somebody deploy a off-the-shelf (or homebuilt) scanner and grab the conversations on-the-air? I know that a PR (pseudo random) number is used with the ESN and A-key to generate some keys for encrypting some of the communications, and that the voice channel is "scrambled", but is there a source where the security implications of this is discussed?"
In theory, anything is possible.
Off-the-shelf scanner - Definately not. Unless you're talking about high-end five-figure and even six-figure sums. A Rohde and Schwartz FSIQ would probably be 90% of the hardware needed to crack a CDMA signal, but FSIQs run $75k used ($120k or so new). An Agilent E4406A VSA starts at $32000 and cdmaOne and CDMA2000 options are extra $$$. And these might not even be sufficient for realtime monitoring and demodulation. It would be possible to build custom equipment for much less, but only a M.S. or Ph. D. in EE would be able to design a system to do adequate realtime demodulation of CDMA.
Non-realtime (capture the signals and post-process them) - Much easier. The hardware is $1000-2000 off-the-shelf (see GNU Radio), and the software is $99 if you're a student (Matlab), although you'll still need thorough knowledge of CDMA and some communications systems background to write the demodulation algorithms.
I don't know about the datastream-level encryption, but CDMA is much tougher to demodulate than the TDMA scheme used by GSM. (Given a captured baseband signal, I could probably tweak my old ECE 467 projects to demodulate GSM down to its datastreamin not too long, while CDMA would be a LOT harder.
retrorocket.o not found, launch anyway?
Criticism, however, allowed him to improve himself.
They say the first thing to go is your penis. Well, it's either that or your brain. I forget which...
If this cracking method is indeed patented then it must be publicly released for anyone to read and understand. But public release would seem to violate DCMA and stifling the publication would seem to violate the constitutional underpinnings of the patent system (to encourage innovation by both granting monopolies and making inventions publicly accessible for further innovation). Does this make DCMA unconstitutional???
Two wrongs don't make a right, but three lefts do.
A: No.
The hash function (A3/A8) used in the default implementation of the GSM protocol for the challenge-response authentication had a vulnerability of a type known about in the cryptographic community for years.
This wasn't a deliberate weakening, because this flaw had no real impact on the ability of law enforcement to intercept, and allowed cloning of GSM handsets: something that was definitely not supposed to be possible.
They've learnt from their mistakes though: the 3G protocol has undergone extensive public review , as has the ciphers they chose.
America is invincible. Other countries will never advance any farther than America wishes them to advance.
Carthage was invicible until Rome turned up.
Rome was invincible until the 'barbarians' turned up.
The Inca were invincible until the Spanish turned up.
There is a proverb from Belarus - Keep one eye on the past and you are half blind. Forget the past altogether and you are totally blind.
--
This sig is inoffensive.
For USians, the roles equate as follows:
MI5 = FBI
MI6 = CIA
GCHQ = NSA
JIC = Senate Oversight Committee (*very* roughly)
UNIX? They're not even circumcised! Savages!
You're not thinking like a hacker would on this.
Think about it -- all the hardware you need to demodulate and decode a CDMA signal in realtime is present in a CDMA phone, so it's only a matter of understanding/controlling the hardware and figuring out how to capture the right spreading code and any other keys in use.
Given that, the hardware is probably close to free once you've figured out how to control a phone or download new software to it.
The initial work didn't totally blow the system open and make on-the-air cracks easy, but it showed that the system was incompetently designed as well as deliberately weakened further, and was yet another reminder that Closed System Design is even worse in cryptography than in software. Subsequent work by people like Biham and Wagner keeps making it worse, and of course computer equipment keeps getting cheaper and larger, which means that attacks that need "hundreds of GB of disk" cost you $200 at Fry's rather than $200000 at the NSA Spook Equipment Shoppe.
In the US, GSM is still a security improvement, weak as it is, because the government bullied the digital cell phone system developers into using even weaker and more broken algorithms (back when they could pretend they were worried about Commie Spies rather than trying to facilitate illegal wiretapping.) (And of course analog cell phones didn't have crypto at all.) But even then, many of the cell phone companies don't bother turning on the crypto - Nokia phones give you a nice friendly indication that they tried to use it and got rejected.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
At great risk of sounding like the Voice of Reason (and God knows how Slashdotters hate that!), could you please present some evidence to back up your assertion that the United States and United Kingdom are colluding to break the laws of both nations?
Look up the Federal laws: if it is illegal for a Federal agency to do $foo, then it is also illegal for a Federal agency to have a third party do $foo on their behalf.
If I break into a home and see a kilo of cocaine lying around, I can then go to the DEA and tell them. They can use my testimony to get a warrant to search the home and impound the drugs. Why? Because I didn't commit the crime on their behalf; I came in entirely of my own accord; there was no understanding between the DEA and myself that "if I see any drugs, I'm going to bring them to your attention".
But if the DEA asks me to break into a home, they'd better damn well have a warrant, otherwise they're breaking all manner of Federal laws.
So what you're positing is there is a tacit understanding between the US and UK that each will spy on the other's citizens and share with each other the fruits of those actions. Hmm. This sounds mind-bogglingly stupid.
Why?
Free hint: this is a Federal crime.
Free hint number two: the FBI and NSA do not get along.
Free hint number three: the FBI is the one with the charter to spy on American citizens--not the NSA.
Free hint number four: the FBI protects its jurisdictional turf very zealously.
Free hint number five: the FBI is one of the nation's intelligence agencies, co-equal with the CIA and NSA. The FBI has no charter to collect intelligence from foreign sources; the CIA and NSA have no charter to collect intelligence from domestic sources.
Free hint number six: if the NSA were to really be involved in this, the FBI would be doing a full-court-press investigation into the matter. (a), because it's a clear and massive violation of Federal law, and more importantly, (b) THE FBI DOES NOT SHARE ITS JURISDICTIONAL TURF.
Period.
So if you have any hard facts proving this tacit agreement, I'd love to hear it. If you have hard facts about it, then I'll talk to my FBI friends tomorrow and tell them about it.
I guarantee you they'll be pissed off.