Slashdot Mirror
Cell Phone Encryption Exploit Demonstrated
Saxophonist brings us a story from Forbes about security researchers who demonstrated a new method for breaking the encryption on GSM cellular signals. The presentation was made at the recent Black Hat conference, and it's notable for the fact that the technique only requires "about half an hour with just $1,000 in computer storage and processing equipment." The researchers also claim to have found a faster method, which they intend to market for $200,000 - $500,000. Quoting:
"Undetectable, 'passive' systems like the one that Muller and Hulton have created aren't new either, though previous technologies required about a million dollars worth of hardware and used a "brute force" tactic that tried 33 million times as many passwords to decrypt a cell signal. All of that means, Hulton and Muller argue, that their cheaper technique is simply drawing needed attention to a problem that mobile carriers have long ignored--one that well-financed eavesdroppers may have been exploiting for years. 'If governments or other people with millions of dollars can listen to your conversations right now, why shouldn't your next-door neighbor?' Muller says."
While this is an extremely powerful re-discovery, I'm not that afraid of average Joe attempting to listen to my conversations, which are boring if anything most of the time. It would still probably take a reasonably quick computer and technical know-how to implement this kind of scheme on a usable scale. Plus, if the FBI and CIA already have the privilege to tap into my conversations, then the fear of security loss is already somewhat of a non-unique one.
What a stupid comment. In other words, if some people are going to break the law, let's make sure everyone can. Good idea.
Way back when (1994) I had a scanner and listened to a few conversations of my neighbors. Turns out that if you don't know the person and what they're talking about then the conversations are extremely boring. People just aren't that interesting on the phone.
"Freedom Through Vigilance"
There are stories like this all the time, but tech people still have trouble convincing most users that end-to-end encryption is important. How is it that it caught on for the web (credit card payments over SSL), but still barely for personal communications (gpg, encrypted IM)? Even in the situations where it's easy to use encryption, many users still can't be made to care -- especially if it's not something enabled by default. Maybe just that those doing the sniffing are suitably quiet about it...
--
Electronics kits for the digital generation.
This sucks, for those three people still using GSM.
What about the security of UMTS ?
knowledge of this can *only* have some impact if you tell everyone about it. just look WEP, better encryption is the way to go.
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
It's really a matter of publicizing the weakness to the point where manufacturers and network providers are forced to do something about it. Average people generally don't care about issues like this until they're really an issue.
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
What a stupid comment. In other words, if some people are going to break the law, let's make sure everyone can. Good idea.
Let him sit on his couch eating Cheetos. He has the right to be happily oblivious as every personal right slowly disappears because no one is complaining (too busy eating Cheetos!) while the technology that makes it possible keeps getting cheaper and more powerful.My first thought about this was privacy and the government. Obviously.
From my understanding though, this encryption is certainly not applied over the whole transmission, meaning endpoint to endpoint. Just the handset to the tower.
The government does not actually need to crack this encryption, or even intercept transmission between handsets and towers. They can just order digital wiretaps, which cannot be detected. Speaking of which, I have always been amused when people state they you can just buy hardware to detect that too. The location of the handset is easily determined, and in most cases the identity of the user. The government already has the ability to access all of this information with the cooperation of the telecommunications companies anyways. With Telco Immunity being pushed, there won't even be room to dispute it anymore.
So not trivializing the serious issues with our privacy and the government, they are still the least of our concern here.
What strikes me as very problematic is that this opens up a whole new "market" for identity theft, banking fraud, etc. I do quite a lot of business over the phone, and just about every single company uses the touch tones to gather data. Capturing the the numbers by listening to the tones is trivial. This can be done quite easily by software and hardware.
So if all the popular company phone numbers are known, and all the data being sent to it by customers can be recorded, this presents quite a security problem. With the right amount of equipment you can start capturing all sorts of data being sent over the phone. It will only be a matter of time before you gain enough information to compromise someones identity.
I am not worried about my neighbors, not worried about my government, but I am very worried about the stranger interested in the fact I called Washington Mutual.
I can assure you, governments of any technical sophistication have been able to listen to your phone calls for a while now, whether they're encrypted or not. Unless of course you're using aftermarket bolt-on crypto solutions, in which case they're still going to get the info if it really matters.
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
Not really. What could you do with his telephone (or online) banking PIN? My credit union's online banking allows the following activities: Transfers between sub-accounts (savings, checking, etc), loan payments, bill payments, check images, statements and direct deposit adjustments (this much into savings, this much into checking, etc, etc).
Nothing within my online banking would allow you to "move all of my money away". I suppose you could setup a payee in bill payer for yourself, but even at that my credit union wouldn't allow you to directly supply the ACH information -- they'd mail you a check -- and even at that it would take a few days to get the custom payee setup.
Don't get me wrong. You could screw me pretty badly -- moving all of the funds from my checking account into savings would cause transactions to bounce if I didn't catch it.... But you couldn't drain my account and walk away with the funds for yourself.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.