GSM Decryption Published
Hugh Pickens writes "The NY Times reports that German encryption expert Karsten Nohl says that he has deciphered and published the 21-year-old GSM algorithm, the secret code used to encrypt most of the world's digital mobile phone calls, in what he called an attempt to expose weaknesses in the security system used by about 3.5 billion of the 4.3 billion wireless connections across the globe. Others have cracked the A5/1 encryption technology used in GSM before, but their results have remained secret. 'This shows that existing GSM security is inadequate,' Nohl told about 600 people attending the Chaos Communication Congress. 'We are trying to push operators to adopt better security measures for mobile phone calls.' The GSM Association, the industry group based in London that devised the algorithm and represents wireless operators, called Mr. Nohl's efforts illegal and said they overstated the security threat to wireless calls. 'This is theoretically possible but practically unlikely,' says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption. 'What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.' Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts could put sophisticated mobile interception technology — limited to governments and intelligence agencies — within the reach of any reasonably well-funded criminal organization. 'This will reduce the time to break a GSM call from weeks to hours,' Bransfield-Garth says. 'We expect as this further develops it will be reduced to minutes.'"
Jul lrf, V pna!
- AFN
G S M secure
All your financial passwords
Are belong to us
Wow, what an interesting way to force innovation at such a "minor" expense to the people their efforts are supposed to help. Kinda ironic their efforts have done the exact opposite of their goals... and if the past is any indication, the harm they may have just caused will be around for a while.
If he can do it, so can the bad guys.
What the operators really want is something secure enough so you can't practically listen to a politician's conversations, but open enough so the state can listen to any citizen's conversation. All in the name of National Security. We will only be secure when the reverse is true.
"To those who are overly cautious, everything is impossible."
"To do this while supposedly concerned about privacy..."
Duh. Paint me yellow and let me run down the street. OF COURSE he is concerned about privacy because we all know how organizations always act fast and in the interests of their customers with absolutely no outside stimulus! Absolutely shocking, he should be hanged. (Choose whoever you think I'm referring to with "he")
Shh.
We allow people to fear-monger by saying that this can allow criminals to decrypt calls more easily, but, if a couple of dozen hackers at a conference can piece this together through brute-force-ish tactics, are we sure that others haven't already? That's the point that they've made, a point entirely lost in the article.
This does *next-to-nothing* to make the system less secure. It was insecure to begin with. Regulations rendering the dissemination of code-breaking and system-compromising codes and techniques illegal aren't there to protect our data security. They're there to allow companies to use inadequate security measures without public shame.
Of course, this is Slashdot. Anyone who doesn't already know that security through obscurity is ridiculous is an idiot (or a troll). Anyone who relates cryptographic security to fake-rock-key-hiding and calls that rock obscurity (inevitable in a story like this) is just a troll.
Guess what, kids!
A 128-bit code has twice as many ones and zeroes as a 64-bit code. Wow!
If he can do it, so can the bad guys.
And the bad guys aren't going to publish the how-to at a conference.
I am become
Ubj vf guvf n gebyy cbfgvat? ;-C
Fubhyq unir orra "-1 snvyrq gb or vagrerfgvat"
worked independently to generate the necessary volume of random combinations until they reproduced the G.S.M. algorithm’s code book — a vast log of binary codes that could theoretically be used to decipher G.S.M. phone calls.
Wait, so just having the encoding algorithm is enough to decipher a message? That's kindergarten cryptography, not something designed for the real world.
The group said that hackers intent on illegal eavesdropping would need a radio receiver system and signal processing software to process raw radio data, much of which is copyrighted.
Yes, that's right. Their main weapon in defending your privacy against crackers who don't care about the law at all is copyright.
operators, by simply modifying the existing algorithm, could thwart any unintended surveillance.
If that's not security through obscurity, I don't know what is.
I'm more concerned about compromise of the user authentication process.
In the worst case it could result in the ability of an eavesdropper to capture your subscriber ID, and make international roaming calls as you, so they avoid racking up expensive charges themselves.
"To do this while supposedly being concerned about privacy is beyond me"
can someone point me to the article where the GSM Association was outraged when it learned of the illegal wiretapping program which the carriers happily participated in as agents of the u.s. government? i'm sure they protested that, right? riiight?
called Mr. Nohl's efforts illegal
So? What has that to do with whether or not he actually did what he says he did? It's not even worth mentioning. A good encryption system should not depend upon the presumed illegality of breaking it.
says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption.
That you know of, lady. If this guy really has cracked it, odds are someone else has sometime in the past two decades, but wasn't kind enough to so inform you.
The higher the technology, the sharper that two-edged sword.
If that's not security through obscurity, I don't know what is.
Technically, it's insecurity through stupidity.
The higher the technology, the sharper that two-edged sword.
The weaknesses of this algorithm are well-known and a new version that fixes those issues has been available for a long time. Now, does anyone know whether this new version has been deployed everywhere? Who is still relying on the older version?
BTW, the algorithm used by 3G networks is different. It is based on AES and the design is publicly available.
Nobox: Only simple products.
It has been known for a while that GSM can be hacked and that it can be done with a relatively trivial amount of readily available hardware. If you wanted to do it, you could do it. The current effort is mostly a public awareness thing and an ongoing optimization of the attack. People are not going to buy multiple software defined radio boards, tune them with an improved clock source, download or create terabytes of rainbow tables and put it all together just to listen in on their neighbors (which everybody knows would be illegal). People who go to these lengths with anything but research in mind do not need this kind of public "guide" to GSM cracking. GSM is not safe. It hasn't been for quite a while and now people know it. (Two more talks on GSM issues are on the Tuesday schedule. Apparently there are a lot of facepalm type of bugs which are undiscovered purely due to lack of attention.)
'This is theoretically possible but practically unlikely,' says Claire Cranton, a GSM spokeswoman, [...] 'To do this while supposedly being concerned about privacy is beyond me.'
What? Come again?
If Ms. Cranton doesn't even know the argument for full disclosure, why is she the person speaking on behalf of the GSM Association?
Now, we can discuss among ourselves when full disclosure is better than limited disclosure and vice versa, but at least we understand both positions. She doesn't?
Also, if the attack is practically unlikely, why the big concern about privacy? Didn't Ms. Cranton just say this wasn't a big problem, yet at the same time shame Nohl for causing a big problem?
Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts combined with inadequate security designed into the damn thing could put sophisticated mobile interception technology [in the hands of outlaws].
Fixed that for Mr. Bransfield-Garth. The system isn't weak because of Nohl's deeds or misdeeds. It's weak because it's poorly designed. I have seen telecoms security protocols. Only banks have protocols worse than these :(
One of the basic rules of the game for anyone who's a competent cryptographer is that if you're not selling snake-oil, you expose your algorithm to public scrutiny. The modern approach to crypto is based on the assumption that it's only the keys that are secret, not the algorithm. If you don't take this approach, then essentially you never have any way of knowing whether what you've got is any good. Imagine if Toyota thought that it was a good idea to suppress discussion and research about reports of uncontrolled acceleration in their cars. Now imagine that Toyota was able to get the government to pass a law suppressing such discussion. Then how would you ever know if your car was safe or not?
They can't even keep their story straight. First they say that the attack is "theoretically possible but practically unlikely." Then they say that it's so bad and evil that it's a good thing that "What he is doing would be illegal in Britain and the United States." How can it be so bad and evil if it's not workable?
I can understand why companies that sell DRM'd media want to outlaw academic research into their encryption methods. It makes sense, because DRM is fundamentally snake-oil, and it can never be anything but snake oil. Therefore the only way they can keep on selling their snake oil is to forbid open discussion. This is why we have the anti-circumvention parts of the DMCA. It's an evil position, but it's an intelligent, self-consistent evil position.
But cell phone carriers really can provide good security, if they try hard enough. There is nothing fundamentally theoretically suspect about secure communication, as there is about DRM. So why do they need to try to suppress research? It seems like it would have to be because they're either incompetent or stupid.
Find free books.
The NY Times article is missing quite a lot of detail. Slashdot users might appreciate the raw video from the talk (torrent): part 1, 2, 3.
They're there to allow companies to use inadequate security measures without public shame.
And the politics is really the problem.
Let's classify the world into four types of people: politicians, security experts, telecommunications lobbyists and the regular citizens.
The politicians want to stay in office. The security experts want good security. The telecommunications lobbyists want cheap security. The regular citizens don't know there's a security concern (except from what they hear from Hollywood).
The politicians can stay in office if they can afford a good campaign. The telecommunication lobbyists want to make a deal. The security experts are few, unconnected and don't have much money in comparison. The uneducated masses aren't going to change their voting based on GSM security even if they knew about it and understood the issues.
And so you will have the politicians portraying the security experts as evil people (which the media will dutifully transmit to the public), all while the telecommunications people get to use cheap and poor security.
(replace telecommunications with banking if you want to get really bummed out...)
Or am I wrong? Please, someone tell me I'm wrong.
No, they use it silently to collect sensitive information instead. Much better...
iirc, when this has come up before, it's been pointed out that only a really old, in gsm terms, phone, would still be using said encryption. And that more recent phones are able to use more modern encryptions, if the network allows it...
comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
"To do this while supposedly being concerned about privacy is beyond me."
And thence lies the problem.
If he can do it, so can the bad guys.
And the bad guys aren't going to publish the how-to at a conference.
No, they are just going to go to Defcon and give everybody the exact hardware and software to do it
"Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption. 'What he is doing would be illegal in Britain and the United States."
a. So Mr. Nohl is the ONLY person that succeeded in breaking this crypt? I doubt it, he is the only one that published it just because it's limp. Did you really believe it was impenetrable? Soooo naive.
b. So hackers would not crack messages because that's illegal? Ms. Cranton must be living in some delusional never never land.
Wake up folks. This BS won't stop the Mafia, CIA, al-Qaeda or anyone else that is determined. What will stop them is replacing your 21 year old spaghetti code with a new, clean encryption algorithm. In evolutionary terms, you have succumbed to The Darwin Principle, get a grip on it.
Good thing he's not in the states or Britain. I hope he doesn't plan on visiting or get extradited to either.
To anyone who says there's a difference, I want proof.
For justice, we must go to Don Corleone
"This is theoretically possible but practically unlikely"
"This will reduce the time to break a GSM call from weeks to hours"
encryption is nothing more than security through calculated obscurity.
I think you can only prosecute an argument for that claim successfully if you engage in semantic shifting.
That is to say, you're right only if you take the word `obscurity' to mean something different from what everybody else takes it to mean.
Security by obscurity generally means you're relying on the adversary to be ill-informed about some aspect of the crypto which wouldn't be a problem for him to know about in a "real" cryptosystem, and/or extremely limited in computational power.
For instance, the windows 95 screen saver password (at most 14 characters) was stored in the registry, xor'ed with a fixed key of length 14. Probably a const char screen_saver_xor_pad[14] = [...], "safely" hidden away in some undisclosed source code. Security by obscurity.
This is also how DRM works: encrypt a bit string f with key k, then send k and e_k(f) to the recipient, but sneakily, hoping that the recipient will only decrypt and use f in accordance with the rules your piece of software implements. Security by obscurity.
Take on the other hand AES. Go do an exhaustive key search. If you're smart, do a meet-in-the-middle. That's sqrt(2^n), which is still exponential (it's sqrt(2)^n). Okay, n is fixed, but still: the best attack is (essentially) brute force. That's real security.
Then there's of course the gold-plated but impractical security (well, encryption): whenever you want to send a message m that's b bits long, come up with a uniformly random b-bit key k, then transmit m XOR k. Perfectly secure, but good luck sending k to the recipient. You can pre-share it, though, so if you put 4 TB of random key in your submarine, it can send 4 TB back to HQ confidentially. Or you can do quantum key distribution (if you have the required equipment).
I recommend that while your post has a valid point, you try to refrain from commenting on the more technical aspects of security.
I recommend you try to refrain from assessing people's understanding of the technical aspects of security and making recommendations based upon that assessment. I haven't seen anything in your parent's post which suggests they don't understand the subject matter, unless we take your semantic shift to be The Right Way to understand "obscurity."
A false sense of security is worse than no security at all. So yes, it is insecurity and it is stupid.
"... beyond me."
That's exactly right. Beyond him.
"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place"
- ~anonymous
What the operators really want is something secure enough so you can't practically listen to a politician's conversations, but open enough so the state can listen to any citizen's conversation. All in the name of National Security. We will only be secure when the reverse is true.
Things are only encrypted over the air. Once it hits the tower and starts bouncing around SSPs and STPs the signals are in the clear and can be tapped easily. There's no point having a weak cipher for the radio component as any lawful (!) tapping will occur over the back haul.
*woosh*?
Does anyone have a link to the Chaos Computer Club presentation?
A5/1 and A5/3 are Authentication Algorithms and not ENCRYPTION/Decryption. The Ciphering Encryption Algorithm for GSM/GPRS is either gea1, gea2 or gea3.
In the United States, a certain 3 letter network operator specifically forces the newer authentication algorithms to be disabled
Even if decryption of GSM is easy, it's still more secure than AMPS.
I just stopped using AMPS last year and I fully knew that anything I say can easily be overheard.
You just don't say anything sensitive over the phone.
Those worried about corporate espionage need a smart-phone with end to end encryption.
Maybe this will entice some hardware company to create an option for this.
If he can do it, so can the bad guys.
Not quite. If he can do it, maybe some bad guys can. If he publishes it, anyone who cares can.
I see how decrypting a phone call could be cool...if this was 1985 and I wanted to brag to my friends on BBS about it. I know it wouldn't be impossible but how difficult would it be to follow one user around all day with surveillance equipment waiting for them to make one phone call. I guess the thing to do would be to set up shop around a busy work place and set up a piece of hardware to log ALL of the GSM data traffic (text, net, and other packets) until you have a hard drive full of information. At some point you would luck out and get some poor schmo's passwords and dirty text messages.
Or is that the actual concern.
There is a story floating around about terrorists using $26 software to watch the video feeds from UAVs. Basically they can do this because no one wants to spend the money to make the hardware and software secure...so the terrorists win. But the only people affected by this don't have any recourse against the government if they are killed because of intercepted information. But god forbid that my BFF Jill has her facebook password intercepted and stolen via text, because this will result in an endless series of lawsuits that will never fix the problem.
This doesn't have anything to do with global government, they could care less (they are always one subpoena (if you are lucky) from ALL of your personal data). This comes down to the fact that, for what it's worth, GSM encryption worked well enough, it was reliable, and most importantly, it had paid for itself.
So now, the real concern is how can they replace it before GSM providers start getting their asses sued off, and how cheaply can they do it.
they say it is often more relevant than the comment above, all we know is it's called the Sig!
An increasing number of people I know are stopping using mobile phones blindly. One should use mobile phones like postcards -- you say something over the phone only if you could shout the same thing to the public without having privacy concerns.
Colorless green Cthulhu waits dreaming furiously.
Anyone know if this has any effect on those who use their phones for POS (eg, buying a soft drink from a vending machine) purposes? We can't do that here so I'm just wondering.
Since it's been going on for 21 years u might figure out if HE DOESN'T PUBLISH, MOST BAD GUYS WILL DO IT FOREVER.
Security through obscurity vs full disclosure.
Full disclosure always wins for the customer, regular citizens and the greater good.
Obscurity always wins for the bad guys, companies who make money and governments.
IT'S AS SIMPLE AS THAT
It's already been broken.
All this does is scare people into not putting stuff on so-called secure airwaves that really are anything but.
And if you're sending patient records over a GSM network then you deserve to get stomped by the HIPAApottamus anyway.
Seriously, at least encrypt the fuckers.
How stupid! While I wouldn't be happy about having my work decrypted, throwing the whole 'it's illegal' red herring out there is just plain dumb-assery!
The fact is, you want to know when your OUTDATED encryption techniques are no longer useful.... but perhaps Bransfield-Garth would prefer a hostile agency do the work and leave it unpublished?? Yeah, I thought that was the less desirable option.
What a dick!
I am open source, and Linux baby!
From TFA:
"The group said that hackers intent on illegal eavesdropping would need a radio receiver system and signal processing software to process raw radio data, much of which is copyrighted."
I feel much easier knowing that the G.S.M. Association will be wielding its copyright to ensure my security. Who needs security when we have copyright?! Security via copyright assertion has worked so well for the film and music industries. Hasn't it?
Perhaps there should be a license to practice security, like there is a license to practice medicine.
I can't just flop open a sturdy table and hang out a cardboard sign "Your Appendix Out -- CHEAP!"
Likewise, perhaps we can cut down on some of this security theater crap if there was a license to practice security.
Offering and defending quack remedies like security through obscurity would be grounds to have your license permanently revoked.
Selling unapproved encryption as "secure" would also be grounds for license revocation. (Selling unapproved encryption as "experimental and probably insecure" is fine, so long as that's clearly labeled on the product.)
Surely not the people who loudly yak away on their cellphones in public where everyone can hear.
Hip Hip Hooray !! Hip Hip Hooray !! For He's a Jolly Good Felon, for he's a jolly good felon, for he's a jolly good felon, which nobody can catch.
Bloody well right indeed, you got a bloody well right to say. Illegal?
This is why GSM was invented. In the days of analog phones, it was not hard at all for a decently equipped thief to clone a phone and either make calls, or sell the cloned phone for cash. This goes until the victim calls the cellphone provider about the multi-thousand dollar bills.
For a long while, GSM's security through obscurity did well for protection, but if this guy can decrypt the algorithm, I'm sure blackhat organizations have been exploiting this for fraud for years.
And the bad guys aren't going to publish the how-to at a conference.
Of course we do; and you would know that if you would bother to attend our regular super-villain's conferences at Microsoft HQ instead of wasting your time gold-farming on World of Warcraft. Come to think of it... that is one helluva pathetic way for a super-villain to spend his time. If you don't get off your ass and get busy doing some *real* evil we will ban you from the super-villain's society, lock you in a room for the rest of your life and force you to watch endless re-runs of "Sound of Music" ...well... actually.... it'll either be that or a life sentence debugging Perl code. We are still debating which is worse.
You mean there's a difference between the three?
Obscurity has an unfairly bad rap.
There are two different meanings of obscurity in use in computing these days: one is a standard based on a secret that can be theoretically reverse-engineered; and the other is the non-standard implementation of a standard.
The first, which is what GSM was, is really a "secret algorithm" approach. People call it "obscure" because it could be reverse engineered, but it really was based on keeping a secret from the people who all shared it. It violated Kerckhoffs's principle which means it could be exposed, and now it has been. But it took 3.5 billion people 22 years to figure it out, which means that it was a pretty effective secret. That sounds a lot more effective than just plain "obscurity."
Useful obscurity is all about misdirection. It's an opaque curtain, or a mirror, or a fog; it's not an armored wall. Simply configuring your web server to report its identity as IIS when it's really running Apache won't confuse the humans viewing your pages, but it could make an automated attack fail that's based on attacking Apache servers. Changing default port numbers, or default security settings, or reported version numbers, or really shifting anything from the default to a place where it won't be expected by an automated attack is highly effective at keeping the port scanners and script kiddies at bay.
Consider the attack vectors on the internet. Bots and automated scanners make up the vast majority of threats out there. You can't swing a null modem without hitting some zombie that's probing your web server looking for default PHP weaknesses. Obscurity lets you dodge these clumsy attacks for free, and lets you focus your resources on other measures to more effectively improve your security -- IDPs, monitors, etc.
When used properly, obscurity is a wonderful tool that can make your life much easier. It doesn't provide security by itself, but adds another layer that does make you "more secure" overall by removing you from the first waves of automated attacks, giving you time to patch your systems.
John
That isn't exactly new. Toxyn was showing that back in '97 at HIP.
There has to be more to it than that. If the "encryption" literally uses a substitution cypher or something that depends on a "codebook" then that codebook would have to be stored on every device and would be fairly trivial to discover and copy (not to mention any reasonable codebook would have crushed the available memory in any mobile devices back when GSM was invented). There would also be nothing theoretical about decrypting messages.
I think the article author is using the term figuratively.
From TFA:
"The group said that hackers intent on illegal eavesdropping would need a radio receiver system and signal processing software to process raw radio data, much of which is copyrighted."
I feel much easier knowing that the G.S.M. Association will be wielding its copyright to ensure my security. Who needs security when we have copyright?! Security via copyright assertion has worked so well for the film and music industries. Hasn't it?
So, all I need is a software defined radio and GNU Radio? Wow, that makes it simple and costs under $500 to get.
Since it's been going on for 21 years u might figure out if HE DOESN'T PUBLISH, MOST BAD GUYS WILL DO IT FOREVER.
Security through obscurity vs full disclosure. Full disclosure always wins for the customer, regular citizens and the greater good.
Obscurity always wins for the bad guys, companies who make money and governments.
IT'S AS SIMPLE AS THAT
Please explain how this is so with, say, nuclear weapons technology.
Advice: on VPS providers
The material published was not the GSM encryption algorithm, A5/1, which has been known for a long time. What is new is precomputed tables that make decryption very fast. These are similar to rainbow tables but combine additional compression techniques for a better time-memory tradeoff.
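The time-memory tradeoff this comment describes, as an added example that is not part of the original post and is not the published A5/1 tables: a rainbow table over a toy 16-bit keystream generator, showing why a small internal state plus known keystream falls to a one-time precomputation. The generator (truncated SHA-256), the table sizes and all function names are assumptions chosen so it runs in about a second.

```python
"""Toy rainbow table: invert state -> keystream for a deliberately tiny generator."""
import hashlib
import random

STATE_BITS = 16            # toy size (assumption); A5/1's internal state is 64 bits
N = 1 << STATE_BITS        # number of possible internal states
CHAIN_LEN = 32             # t: steps per chain (time side of the tradeoff)
NUM_CHAINS = 4096          # m: chains stored (memory side of the tradeoff)


def keystream(state: int) -> int:
    """Stand-in one-way map from internal state to a keystream sample.

    Hypothetical generator (truncated SHA-256), NOT A5/1.
    """
    digest = hashlib.sha256(state.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") % N


def reduce_sample(sample: int, column: int) -> int:
    """Map a keystream sample back into the state space.

    Using a different reduction per column is what makes this a rainbow
    table: chains only merge if they collide in the same column.
    """
    return (sample + column) % N


def chain_end(state: int, start_col: int) -> int:
    """Walk a chain from `state` at column `start_col` to its end point."""
    for col in range(start_col, CHAIN_LEN):
        state = reduce_sample(keystream(state), col)
    return state


def build_table(num_chains: int = NUM_CHAINS) -> dict:
    """One-time precomputation: store only (end point -> start point)."""
    table = {}
    for start in range(num_chains):
        # setdefault keeps the first start point when two chains merge
        table.setdefault(chain_end(start, 0), start)
    return table


def lookup(table: dict, sample: int):
    """Return a state that produces `sample`, or None if the table misses it."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Assume the unknown state sits in column `col`; finish the chain.
        end = chain_end(reduce_sample(sample, col), col + 1)
        start = table.get(end)
        if start is None:
            continue
        # Rebuild the stored chain up to that column and verify the guess;
        # a mismatch here is a false alarm caused by a merged chain.
        state = start
        for c in range(col):
            state = reduce_sample(keystream(state), c)
        if keystream(state) == sample:
            return state
    return None


def success_rate(table: dict, trials: int = 100, seed: int = 1) -> float:
    """Fraction of randomly chosen states recovered from keystream alone."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        sample = keystream(rng.randrange(N))
        found = lookup(table, sample)
        hits += found is not None and keystream(found) == sample
    return hits / trials


if __name__ == "__main__":
    table = build_table()
    print(f"stored {len(table)} end points for {N} possible states")
    print(f"recovered {success_rate(table):.0%} of sampled states")
```

The stored table is a small fraction of the state space, and every later lookup reuses the same precomputation; each extra bit of state doubles the precomputation cost.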
operators, by simply modifying the existing algorithm, could thwart any unintended surveillance.
I love the use of the term "unintended surveillance".
If he can do it, so can the bad guys.
And I'm guessing if he only told the responsible companies, they'd ignore it rather than spend any money fixing it before it becomes a problem. Or maybe even say it's illegal and try to have him punished anyway. It's a little like how if you see a politician taking bribes, you tell the media, not the politician himself.
The Nth country experiment showed how useful secrecy was in that regard 45 years ago and the vast advances in computer technology since then have not made it any more useful.
upon the advice of my lawyer, i have no sig at this time
The GSM Association, the industry group based in London that devised the algorithm and represents wireless operators, called Mr. Nohl's efforts illegal and said they overstated the security threat to wireless calls. 'This is theoretically possible but practically unlikely,' says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption. 'What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.'
Oh, so now it's illegal to divulge impractical attacks that do not threaten privacy?
So it has come to this... At last I'm a positive badass for my GSM attack where you build a Turing-complete duck-based processor (using tasty duck treats to encourage the ducks to behave like little waddling transistors) and then use that to attack the crypto through brute-quacking-force! Ahhh HA HA HA!
You'll never catch me, coppers!
you missed one where it is crucial: imei N/A, non-stationary multi-cell, GPS or other. please think before posting or better still don't post misleading replies as you are obviously ignorant of the subject matter.
No. In 22 years only one person in 3.5 billion cracked GSM encryption and published his findings. According to the article others have cracked the encryption but haven't published.
What we now know is that it's crackable based purely on data analysis. That tells us everything worth knowing about GSM encryption. Anyone with a need for secure communications now has to treat GSM encryption as if it has been cracked by everyone they want to secure the communications against. To do otherwise would be about the only thing worse than security through obscurity.
This was a selfish and thoughtless act. His own security and that of his country may be at risk eventually.
[...] do a meet-in-the-middle. That's sqrt(2^n), which is still exponential (it's sqrt(2)^n).
Nitpick: it's 2^(n/2). Still exponential, though (you have halved the effective key length, but you might be paying a high price for that).
Totally agree with the rest, though.
Honestly, I suspect that a few things are in play here:
- A5/1 is relatively easy to implement in limited hardware.
Schneier forwards the guess that the French government (which was ever wary of strong cryptography) pushed for a deliberately weak standard, whereas the (West) German government (which was near to the iron curtain and seemed not to like the idea of "Russians" eavesdropping) pushed for a stronger cryptography. The French won.
(And yes, I know that governments can eavesdrop anyway and so on, but honestly: since when do governments behave logically? Look at all this export restriction nonsense (PGP anyone?). Heck. Look at the TSA.)
The mere idea that individuals can encrypt something in a way that "law enforcement" can't decrypt it seems to put governments into stupid mode.
What we now know is that it's crackable based purely on data analysis. That tells us everything worth knowing about GSM encryption. Anyone with a need for secure communications now has to treat GSM encryption as if it has been cracked by everyone they want to secure the communications against. To do otherwise would be about the only thing worse than security through obscurity.
I don't think anyone with a brain ever considered a phone call as a secure medium. Phone taps have been around for a very, very, very long time.
(Note: I have RTFA, but I'm quoting mainly from the summary here.)
Feh. Steve Gibson explained the flaws in GSM in very precise, technical detail in his podcast with Leo Laporte back in September. See episode 213 of Security Now, "Cracking GSM Cellphones". He explained how the algorithm was implemented in hardware, right down to the hardware level.
Oh yes, they'd like us to believe that reverse engineering encryption is illegal. It is not. Eavesdropping on cell phone calls is illegal only because cell phone carriers have always used technology decades behind the state of the art. It's a crappy regulatory patch to a massive technical loophole. It's akin to a law forbidding wifi cards from supporting "monitor mode" because you can use it to eavesdrop on unencrypted wifi traffic. Karsten Nohl is not recommending that anyone eavesdrop on other people's phone calls. He's trying to show the public that their conversations are as good as "in the clear" and gosh darn it, the billion-dollar wireless industry just doesn't like that a bit.
Nope, even better: it puts GSM decryption technology within the reach of anyone with a 2TB hard disk, $1000 of radio equipment, and the time to figure out some software. And, as I pointed out already, this has been known for some time. Until recently, the weaknesses of GSM have been the skeleton in the closet of the wireless industry. It should have seen the light of day years ago.
This is not an easy problem for them to solve, either. A5/3 is much better encryption, but as I understand it, almost every handset in existence can be forced to fall back to A5/1 (or even A5/0, no encryption) relatively easily.
Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts could put sophisticated mobile interception technology — limited to governments and intelligence agencies — within the reach of any reasonable well-funded criminal organization.
Can someone please tell me the difference between "governments" and "well-funded criminal organizations"?
It could be more secure if the TSA were put in charge. Random body cavity searches for cellphone users would make me feel more secure about talking on my cellphone. Limiting calls to between 3am and 3:15 am local time would also be effective at defeating any attempt to use Al Gore-isms to decrypt my calls. The TSA is da bomb.
Yep, it's copyrighted alright. By the Free Software Foundation.
See also, http://en.wikipedia.org/wiki/Radioactive_boyscout, the "Radioactive Boyscout", about a kid that came close to building his own breeder reactor.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
If he can do it, so can the bad guys.
If he can do it, so have the bad guys already done.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
You mean there's a difference between the three?
There are definitely individuals who are "Bad Guys" but neither profit-making corporations nor governments. This is completely independent of whether or not you consider either corporations or governments to be "Bad". (FWIW, I consider them to be independent axes; a large organization - government, corporation, whatever - can be overall mainly good or mainly bad. There's no inherent implication involved.)
"Little does he know, but there is no 'I' in 'Idiot'!"
whenever i hear about a crack like this, there's always this threat to sue/ jail immediately put forth. why shouldn't there be an open promise to reward crackers instead? why don't they HIRE the guy who cracked their scheme to fix the weakness?
1. it encourages crackers to go to you, rather than going underground
2. it suggests to your clients that there are no challenges to your scheme out there, it ensures your algorithm/ scheme is sound, since a crack would reveal itself in an open, non criminal/ non litigious, reward-oriented environment
surely there's someone in business who understands these two attributes are worth far more to you than paying some lawyers to chase ghosts around the internet
and the secret always gets out regardless, its not like they ever stop the crack from gaining wide knowledge
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
GSM was not designed to be safe. Law enforcement wouldn't let it be.
See my journal, I write things there
Are you practicing security through repetition?
http://it.slashdot.org/comments.pl?sid=1491648&cid=30579990
http://it.slashdot.org/comments.pl?sid=1491648&cid=30579998
http://it.slashdot.org/comments.pl?sid=1491648&cid=30580026
http://it.slashdot.org/comments.pl?sid=1491648&cid=30580012
Please tell us all about "When a PHB hears..." and "Security, through hidden algorithm..." again. I don't think saying it four times is enough.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Attempting to decrypt the air interface is just plain stupid and far too much effort and chances are by the time you do it the call you were after is over anyway. Just as in most other security breaches, clever bad guys attack from within, slipping someone a few dollars to listen on the inside, typically at the exchange where it's all good old unencrypted TDM.
Yes, they have. But phone taps used to require a court order. (This is no longer true in the USA with the Patriot Act and other unconstitutional laws in play.) But a "point and tap this phone" technology is a wonderful dream for legitimate police trailing drug runners or smugglers who use throw away phones, and it's even more wonderful for illegal wiretaps to avoid leaving any paper trail of the tap with the telephone company or any outside agency.
There have been numerous attempts to provide genuinely secure telephone technologies, such as the "Clipper Chip" technologies. Those foundered when it was found that, with a significant negotiation time, you could put in your own keys, ones for which the US government did _not_ have registered copies. That killed the project dead, although most of the technology was sound. The Clipper Chip was also noticeable in that it ruined the career of Dorothy Denning, a formerly respected security expert who espoused the technology and its classified algorithms. That classification led directly to the mishandling of the "Law Enforcement Access Field", the checksum used to ensure that keys used were only those registered with the federal government.
Look it up: a big factor that helped kill it was that anyone who cared enough could easily buy encryption technologies from overseas, and it would cost American manufacturers business. (Do any of the rest of us remember getting our encryption software for UNIX systems on separate tapes?)
It's no big deal either way. Details of practical attacks on the GSM protocols were published in the Journal of Cryptology last year, the article is behind a pay wall here. There are no technical details in the NY Times article and I can't be arsed to track down the original source but I would guess that the main difference is that last year's work attacked the protocols used, rather than the underlying encryption system. So in particular, the break on A5/3 used a weakness caused by operators using A5/1 on the same network.
Anyway, well said. The NYT article seems fundamentally flawed and has led to a huge (predictable for slashdot) thread below on the merits of security through obscurity. Completely irrelevant here as the algorithms involved were published and have been known for a long time. We only find out that systems are weak because people try to break them and publish the results. Papers like this are essential for us to make progress.
Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
http://news.ycombinator.com/item?id=1019162
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
This sounds a bit like the Scientology Defense - "this is completely made up and it's also copyrighted by us."
...You're complaining that your CELL PHONE call is insecure? Really? Isn't that like complaining that your neighbor can hear when you're shouting from the rooftop?
If you want a secure conversation, don't use a cellphone. (And hint 1: without supplemental hardware, that's not secure either; hint 2: even WITH supplemental hardware, it's probably not secure anyway.)
-Styopa
And the bad guys aren't going to publish the how-to at a conference.
You mean, didn't.
Security through obscurity vs full disclosure. Full disclosure always wins for the customer, regular citizens and the greater good.
...writes Anonymous Coward.
Profit making businesses are not concerned with security until the problems become public knowledge and it starts hurting their profit...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
No. In 22 years only one person in 3.5 billion cracked GSM encryption and published his findings. According to the article others have cracked the encryption but haven't published.
Note that, ironically, the attackers used security through obscurity to keep safe their own gains of power over GSM network. Of course, if you find out of "open sesame", you certainly don't want to inform the 40 thieves to change the pass phrase.
When we talk about solidness of published secure algorithms, we usually forget that exact part: even if none sees (and tells) it, there may be a gaping hole, whose finder has interest in not disclosing it to the public. "See for yourself" is not good enough. As we are not clever enough and paranoid enough to roll our own secure encryption algorithm, also we are probably not clever enough to assess the possibility that some of the trusted algorithms may not be safe anymore. Perhaps the best bet is to work without presumption of secrecy and rely on other features: minimum need to know, fast turnover, exhaustive covering of possible outcomes in planning, etc., basically playing game of chess instead of playing game of poker. Privacy/secrecy/stealth is just a comfortable but treacherous illusion and should not be used as foundation of any real security. It could make a difference in critical situation (if you are lucky), but it is to be used on top of everything else. When you look at it that way, even obscurity could be added, just in case, but beneath it there should be trusted strong encryption, beneath which should be a secrecy-breach-tolerant (or at least -resilient) security structure.
According to the article others have cracked the encryption but haven't published.
It's been published alright, if you know where to look. This is bizarre cus it really is common knowledge--well it is to anyone with any interest in decrypting cell phone calls.
The Grey Goo disaster happened 3 billion years ago. This rock is covered in self replicating machines!
Bad also depends on your definition. Various security agencies have regarded GSM as hopelessly broken for at least ten years. When I asked someone from GCHQ back in the mid '90s if digital mobiles were harder to intercept than analogue ones, he said that the frequency hopping made intercepting the digital signal slightly harder but the encryption wasn't an issue. I assume that they have faster computers now.
Whether you define GCHQ, the NSA, and so on as 'bad guys' probably depends a lot on your perspective. It's unclear whether the same technology is available to organised crime, but given how long it's existed, I'd be surprised if it hasn't made its way to at least some. The Russian mafia almost certainly recruited some very competent ex-KGB cryptographers for this kind of thing - they could easily make back in blackmail what they were paying their crypto guys.
I am TheRaven on Soylent News
Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts could put sophisticated mobile interception technology — limited to reasonably well-funded criminal organizations — within the reach of any government and intelligence agency.
There, fixed that for you.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
CDMA uses the CMEA and ORYX algorithms, which are pretty weak as well, as shown in the linked papers. However, CDMA has somewhat of an advantage, because it's difficult to obtain the encrypted data stream in the first place: the nature of CDMA transmission means you can't pull a signal out of the noise unless you know the codes being used by the base station and handset.
Visual IRC: Fast. Powerful. Free.
'This is theoretically possible but practically unlikely,' says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption.
"There has never been a successful escape from Stalag 13." - Werner Klemperer as Colonel Klink, Hogan's Heroes
Slides from Karsten's presentation at the CCC.
The A5/1 cracking project.
A5/1 was cracked in 1999.
http://cryptome.org/a51-crack.htm
Don't be stupid, you record the encrypted call and break it offline.
Support my political activism on Patreon.
Yes, true... but they (the "bad guys") tend not to publish the results so that every two bit wannabe hacker and script kiddie can benefit from the information.
Apparently, based on my mod on my original post, I shoulda expounded on my intent a bit.
Point was, yeah, I know others will figure this out - probably ones with more malicious intents...
BUT, (1) they are unlikely to publish the findings, (2) now, they don't even have to do the work... they can jump in now and take advantage of the work that the above people did (meaning the network's security, in effect, has already been breached by the more malicious types thanks to them releasing this info), and (3) those of less technical inclination can now also jump right in with invasive stuff to utilize their research.
In other words, (bad analogy time) to point out that there was a hole in the boat letting water in, they (a) made the hole a lot bigger so everyone's feet got wet, and (b) made holes in every other boat too (ie: people who would never have the skills to figure this out now don't need to worry about that - they too have access to this info and don't need to figure it out).
The bad guys no longer have to do it... it's been done for them, regardless of whether they have or can buy the skills to have done it on their own. Would you rather every crazed criminal out there having guns, or just the ones with the means to find 'em?
Best, Robert
StarTrekPhase2 - The Five Year Mission Continues!
If anyone wants actual security on a phone, the phones should encrypt end-to-end so that the carrier doesn't know the phone call. The difficulty here is getting a certificate system in place. But there are several viable solutions to that.
Actually was cracked ten years ago.
You must be new here, welcome!
FTS:
noting that no one else had broken the code since its adoption
...cause nobody told them it's been done... Cause bad guys always show up on screens declaring they have your encryption, and demand one MILLION dollars to get it back!
/pinky
Well ok, but in this case you're comparing it to a stream cipher that doesn't work: it's not secure and it hasn't been for quite some time.
AES isn't the only cipher that they could use. It's just an example of a cipher that is known to be "pretty good" that they could implement without doing huge amounts of cryptography research: if it's good enough for the NSA to recommend it for "Secret" and below, it's good enough for protecting a bunch of tweets.
Pick something else that is faster though if necessary. There is probably some favorably licensed open source code out there you could grab on any of the well-known ciphers, reducing the effort and cost even further.
It's a disservice to your customers to do nothing at all about it.
Can you be Even More Awesome?!
Storing passwords securely is anything but trivial
It's a solved problem, and it was a solved problem in the 70's.
Store the sha1 hash of the password. Then, when the user inputs "open sesame", compare sha1("open sesame") to the stored hash. If they're the same, assume the user input the right password.
(Other cryptographic hash functions will do, and you probably want to add salt, but that's the basic idea.)
I don't see why you wouldn't want to use the secure solution over the obscure one. If it takes 1ms rather than 1ns to check the password, is the human typing it in really going to notice?
When there is a secure solution, why settle for the obscure one?
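The hash-and-compare scheme from the comment above, as an added example that is not part of the original thread: it puts the bare SHA-1 form next to a salted variant. The use of PBKDF2-HMAC-SHA256, the iteration count and the record format are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example; they are assumptions, not values from the thread.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_sha1(password: str) -> str:
    """The bare scheme from the comment: store sha1(password) and compare."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: reject, never raise
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        expected = bytes.fromhex(parts[3])
    except ValueError:
        return False
    if iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    alice = make_record("open sesame")
    bob = make_record("open sesame")
    print("unsalted identical:", unsalted_sha1("open sesame") == unsalted_sha1("open sesame"))
    print("salted identical:  ", alice == bob)
    print("correct password:  ", verify("open sesame", alice))
    print("wrong password:    ", verify("open sesam", alice))
```

With the unsalted form, equal passwords give equal stored values, so one precomputed table serves every account; the per-record salt removes that property.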
The carrier would have the other copy of the key in its servers.
No! No, no, no!
I don't want to talk privately with my carrier.
Or at least, that's not my primary concern. I want my carrier to require me to prove my identity to them (so no one can impersonate me and rack up my bill), and I want to be able to prove my identity to them (so I can make calls).
I don't know the telephone protocol header diagrams; if I'm roaming it might be the case that I want to tell a bit of routing information to the other provider, tell something in secret to my service provider, but my main concern is that I want to communicate in private with the call recipient.
And to do that with gold-plated privacy I really need to pre-distribute long keys to every person I want to talk to. Not going to happen. It appears we will need a public key infrastructure. And for people to sign up to it without even knowing it's there, it'll probably have to be run by either the government or the telecommunications operators. But if it's run by the telecoms, they can MITM me, so that means the government. Meh...
Nitpick: it's 2^(n/2). [rather than sqrt(2)^n]
2^(n/2) = 2^(1/2 * n) = (2^(1/2)) ^ n = sqrt(2) ^ n.
Which nit were you picking? That I went too fast? Your observation that the key length is effectively halved is still true, FWIW.
Nohl's efforts could put sophisticated mobile interception technology -- limited to governments and intelligence agencies -- within the reach of any OTHER reasonable well-funded criminal organization.
Fixed
Come on... anybody who thought GSM was secure and nobody could intercept it is a moron. There are other well-known techniques such as IMSI-catchers which allow you to perform a MITM-attack and force the phone to use A5/0-mode (which means no encryption).
Not to mention that most governments can intercept the phone calls anyway.
How do you know that?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
.. but there aren't any links in TFA. Could anyone provide it here?
I was very surprised when I figured companies like Nokia call their "smart phones" or even dumb phones "Terminals" in documents.
Basically the thing we call a "phone" today is a handheld, almost general purpose computer with advanced communication capabilities and sensors (GPS etc.).
So, if you think outside the box and use your "phone" (terminal) as a TCP/IP connected client rather than using the network's GSM system for voice, the problem should be solved. Why not use Skype, Nimbuzz, Fring, Gizmo instead of GSM internally at company or between friends? Well, Skype can be cracked at some point, that is the time you move to another system/api.
The real solution is of course, using SIP/XMPP and openly encrypting it with real, time tested protocols which are documented. The third parties above (excluding Gizmo, which is open) are temporary solutions. If Google doesn't mess it up with privacy questionable "add in" stuff, Gizmo seems to be more scalable and open way of doing it.
Bad guys usually want to disguise as companies who make money and governments. Not the other way around.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
That's what the weak encryption is all about.
Moreover, any such equipment can be purchased or rented from a number of suppliers without any licensing whatsoever, at least in the US. There might be "watch lists" for that sort of thing -- who knows -- but regardless, the availability of such equipment is no barrier whatsoever.
https://www.eff.org/https-everywhere
..and cloning was demonstrated. See... http://www.scard.org/gsm/ http://cryptome.org/gsm-a512.htm http://cryptome.org/jya/gsm-cloned.htm http://www.isaac.cs.berkeley.edu/isaac/gsm.html
Since when does anyone but the completely clueless expect cell phones to be secure? People know not to ask about drugs over a cell phone, but they're dumb enough to give out personal and/or financial information? They deserve what they get. No amount of security can protect the willfully ignorant. All that can be done is to make breaches inconvenient, which GSM has accomplished adequately.
War as we knew it was obsolete
Nothing could beat complete denial
- Emily Haines
Wow... seems there are some idiots with Mod Points...
I'm thrilled if this gets things updated to be more secure... but this method can in the meantime create a LOT of damage. Perhaps I should have expounded on my original post.
Point was, yeah, I know others (the bad guys) will figure this out eventually - probably ones with more malicious intents...
BUT, (1) they are unlikely to publish the findings, (2) now, they (the bad guys) don't even have to do the work... they can jump in now and take advantage of the work that the above people did (meaning the network's security, in effect, has already been breached by the more malicious types thanks to them releasing this info), and (3) those of less technical inclination can now also jump right in with invasive stuff to utilize their research.
Simple math folks... before "the bad guys" were limited to however many or few figured this out on their own... now EVERY "bad guy" in this line of "bad-guyness" can just jump right in.
In other words, (bad analogy time) to point out that there was a hole in the boat letting water in, they (a) made the hole a lot bigger so everyone's feet got wet, and (b) made holes in every other boat too (ie: people who would never have the skills to figure this out now don't need to worry about that - they too have access to this info and don't need to figure it out).
The bad guys no longer have to do it... it's been done for them, regardless of whether they have or can buy the skills to have done it on their own. Would you rather every crazed criminal out there having guns, or just the ones with the means to find 'em?
Best, Robert
-1 Troll is not an "I don't like what you wrote even though it's true" option.
StarTrekPhase2 - The Five Year Mission Continues!
Just a little comment
you can look at the presentation in PDF (powerpoint slides) here
http://events.ccc.de/congress/2009/Fahrplan/events/3654.en.html
The reason it took Ian Goldberg three hours to crack one of the main GSM algorithms back then is that the Chinese restaurant near campus was having the good lunch special that day - he estimates it would have been more like two hours otherwise. It was really incompetently done, some variant on a fast Fourier transform, and the "we developed it in Seekrit so nobody can crack it" approach meant that there was no adult supervision. Had they developed the standard in public, they'd have been advised to use an algorithm that provided some actual cryptographic protection.
The "malice" part is that the most common implementation sets 10 of the 64 key bits to zero. (And that, of course, depends on whether your carrier even bothers to do the encryption - back when that version of the crack was announced, my GSM-based cellphone would always tell me that encryption wasn't enabled when I made calls, and I'm not sure if the reason it doesn't do that now is that the carrier's behaving themselves or if they just dropped the error message.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
It seems that the real attack and the real code needed to do it was never released or proved to be working:
http://lists.lists.reflextor.com/pipermail/a51/2010-January/000341.html
Just a matter of misunderstanding or some delay due to the legal inquiry that the founder of the project received?
http://lists.lists.reflextor.com/pipermail/a51/2009-December/000296.html
Is this encryption only secure until I tell people that this is ROT-13?
Yes, but what you are doing is illegal in Britain and in the United States.
I say if corporations overlook the evidential failures in the technology they use, then they should blame no one but themselves. Ultimately all encryption will be 'cracked, bruted or hacked, etc' for various reasons. But what this gent has done is nothing more than show them their flaws, in order to force them to address a perceivable serious concern.
The term "Proof of Concept" springs to mind.
If the company has any interest in repairing any form of damage (media, public & corporate image, branding, etc...) then they rather should focus work on correcting the software/technology failures, instead of taking the 'cheaper shot' of pointing out his actions are illegal in two countries.
And, for that matter, if he's in Germany and it's (supposedly) then not illegal for him to do so, who claims they can stop him?
I don't see an Arab in Dubai, claiming that my drinking of alcohol in a Western Country, is illegal in Dubai; regardless of where the alcohol was made.
- Peanut Gallery