GSM Decryption Published
Hugh Pickens writes "The NY Times reports that German encryption expert Karsten Nohl says that he has deciphered and published the 21-year-old GSM algorithm, the secret code used to encrypt most of the world's digital mobile phone calls, in what he called an attempt to expose weaknesses in the security system used by about 3.5 billion of the 4.3 billion wireless connections across the globe. Others have cracked the A5/1 encryption technology used in GSM before, but their results have remained secret. 'This shows that existing GSM security is inadequate,' Nohl told about 600 people attending the Chaos Communication Congress. 'We are trying to push operators to adopt better security measures for mobile phone calls.' The GSM Association, the industry group based in London that devised the algorithm and represents wireless operators, called Mr. Nohl's efforts illegal and said they overstated the security threat to wireless calls. 'This is theoretically possible but practically unlikely,' says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption. 'What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.' Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts could put sophisticated mobile interception technology — limited to governments and intelligence agencies — within the reach of any reasonably well-funded criminal organization. 'This will reduce the time to break a GSM call from weeks to hours,' Bransfield-Garth says. 'We expect as this further develops it will be reduced to minutes.'"
Wow, what an interesting way to force innovation at such a "minor" expense to the people their efforts are supposed to help. Kinda ironic their efforts have done the exact opposite of their goals... and if the past is any indication, the harm they may have just caused will be around for a while.
If he can do it, so can the bad guys.
What the operators really want is something secure enough so you can't practically listen to a politician's conversations, but open enough so the state can listen to any citizen's conversation. All in the name of National Security. We will only be secure when the reverse is true.
"To those who are overly cautious, everything is impossible."
We allow people to fear-monger by saying that this can allow criminals to decrypt calls more easily, but, if a couple of dozen hackers at a conference can piece this together through brute-force-ish tactics, are we sure that others haven't already? That's the point that they've made, a point entirely lost in the article.
This does *next-to-nothing* to make the system less secure. It was insecure to begin with. Regulations rendering the dissemination of code-breaking and system-compromising codes and techniques illegal aren't there to protect our data security. They're there to allow companies to use inadequate security measures without public shame.
Of course, this is Slashdot. Anyone who doesn't already know that security through obscurity is ridiculous is an idiot (or a troll). Anyone who relates cryptographic security to fake-rock-key-hiding and calls that rock obscurity (inevitable in a story like this) is just a troll.
If he can do it, so can the bad guys.
And the bad guys aren't going to publish the how-to at a conference.
I am become
worked independently to generate the necessary volume of random combinations until they reproduced the G.S.M. algorithm’s code book — a vast log of binary codes that could theoretically be used to decipher G.S.M. phone calls.
Wait, so just having the encoding algorithm is enough to decipher a message? That's kindergarten cryptography, not something designed for the real world.
The group said that hackers intent on illegal eavesdropping would need a radio receiver system and signal processing software to process raw radio data, much of which is copyrighted.
Yes, that's right. Their main weapon in defending your privacy against crackers who don't care about the law at all is copyright.
operators, by simply modifying the existing algorithm, could thwart any unintended surveillance.
If that's not security through obscurity, I don't know what is.
"To do this while supposedly being concerned about privacy is beyond me"
can someone point me to the article where the GSM Association was outraged when it learned of the illegal wiretapping program which the carriers happily participated in as agents of the u.s. government? i'm sure they protested that, right? riiight?
called Mr. Nohl's efforts illegal
So? What has that to do with whether or not he actually did what he says he did? It's not even worth mentioning. A good encryption system should not depend upon the presumed illegality of breaking it.
says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption.
That you know of, lady. If this guy really has cracked it, odds are someone else has sometime in the past two decades, but wasn't kind enough to so inform you.
The higher the technology, the sharper that two-edged sword.
If that's not security through obscurity, I don't know what is.
Technically, it's insecurity through stupidity.
The higher the technology, the sharper that two-edged sword.
It has been known for a while that GSM can be hacked and that it can be done with a relatively trivial amount of readily available hardware. If you wanted to do it, you could do it. The current effort is mostly a public awareness thing and an ongoing optimization of the attack. People are not going to buy multiple software defined radio boards, tune them with an improved clock source, download or create terabytes of rainbow tables and put it all together just to listen in on their neighbors (which everybody knows would be illegal). People who go to these lengths with anything but research in mind do not need this kind of public "guide" to GSM cracking. GSM is not safe. It hasn't been for quite a while and now people know it. (Two more talks on GSM issues are on the Tuesday schedule. Apparently there are a lot of facepalm type of bugs which are undiscovered purely due to lack of attention.)
'This is theoretically possible but practically unlikely,' says Claire Cranton, a GSM spokeswoman, [...] 'To do this while supposedly being concerned about privacy is beyond me.'
What? Come again?
If Ms. Cranton doesn't even know the argument for full disclosure, why is she the person speaking on behalf of the GSM Association?
Now, we can discuss among ourselves when full disclosure is better than limited disclosure and vice versa, but at least we understand both positions. She doesn't?
Also, if the attack is practically unlikely, why the big concern about privacy? Didn't Ms. Cranton just say this wasn't a big problem, yet at the same time shame Nohl for causing a big problem?
Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts combined with inadequate security designed into the damn thing could put sophisticated mobile interception technology [in the hands of outlaws].
Fixed that for Mr. Bransfield-Garth. The system isn't weak because of Nohl's deeds or misdeeds. It's weak because it's poorly designed. I have seen telecoms security protocols. Only banks have protocols worse than these :(
If he can do it, so can the bad guys.
And the bad guys aren't going to publish the how-to at a conference.
No, they are just going to go to Defcon and give everybody the exact hardware and software to do it
"Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption. 'What he is doing would be illegal in Britain and the United States."
a. So Mr. Nohl is the ONLY person that succeeded in breaking this crypt? I doubt it, he is the only one that published it just because it's limp. Did you really believe it was impenetrable? Soooo naive.
b. So hackers would not crack messages because that's illegal? Ms. Cranton must be living in some delusional never never land.
Wake up folks. This BS won't stop the Mafia, CIA, al-Qaeda or anyone else that is determined. What will stop them is replacing your 21 year old spaghetti code with a new, clean encryption algorithm. In evolutionary terms, you have succumbed to The Darwin Principle, get a grip on it.
You shouldn't use words like thence if you don't know what they mean.
Care to explain that? According to everything I've read, A5/1 is a stream cipher, which you normally use either for encryption and decryption, or as a CSPRNG.
Anyone know if this has any effect on those who use their phones for POS (eg, buying a soft drink from a vending machine) purposes? We can't do that here so I'm just wondering.
Since it's been going on for 21 years you might figure out if HE DOESN'T PUBLISH, MOST BAD GUYS WILL DO IT FOREVER.
Security through obscurity vs full disclosure.
Full disclosure always wins for the customer, regular citizens and the greater good.
Obscurity always wins for the bad guys, companies who make money and governments.
IT'S AS SIMPLE AS THAT
Obscurity has an unfairly bad rap.
There are two different meanings of obscurity in use in computing these days: one is a standard based on a secret that can be theoretically reverse-engineered; and the other is the non-standard implementation of a standard.
The first, which is what GSM was, is really a "secret algorithm" approach. People call it "obscure" because it could be reverse engineered, but it really was based on keeping a secret from the people who all shared it. It violated Kerckhoffs's principle, which means it could be exposed, and now it has been. But it took 3.5 billion people 22 years to figure it out, which means that it was a pretty effective secret. That sounds a lot more effective than just plain "obscurity."
Useful obscurity is all about misdirection. It's an opaque curtain, or a mirror, or a fog; it's not an armored wall. Simply configuring your web server to report its identity as IIS when it's really running Apache won't confuse the humans viewing your pages, but it could make an automated attack fail that's based on attacking Apache servers. Changing default port numbers, or default security settings, or reported version numbers, or really shifting anything from the default to a place where it won't be expected by an automated attack is highly effective at keeping the port scanners and script kiddies at bay.
Consider the attack vectors on the internet. Bots and automated scanners make up the vast majority of threats out there. You can't swing a null modem without hitting some zombie that's probing your web server looking for default PHP weaknesses. Obscurity lets you dodge these clumsy attacks for free, and lets you focus your resources on other measures to more effectively improve your security -- IDPs, monitors, etc.
When used properly, obscurity is a wonderful tool that can make your life much easier. It doesn't provide security by itself, but adds another layer that does make you "more secure" overall by removing you from the first waves of automated attacks, giving you time to patch your systems.
John
No it's not. The cipher used for 3G service is KASUMI, which is already vulnerable to a better-than-brute-force attack. (Even if it weren't, a 64-bit block is too small.)
KASUMI has a 128-bit key. The weakness is in the design of the algorithm, just like weaknesses have been found in 256-bit AES.
The "64-bit blocks" part of KASUMI is that it works eight bytes of data at a time. It has nothing to do with the strength of the algorithm, but how much data it bites off to chew on at any one time.
This sort of statement is equally dangerous by leading people to believe that just because they are using a strong cipher they are secure. Basically, unless a cryptography expert is designing your entire system, you're going to fuck SOMETHING up. There is no magic bullet.
That something is almost always key management.
(Encryption is simple compared to the complexities involved in keeping key management secure.)
Wolde you bothe eate your cake, and have your cake?
In addition, they "didn't roll their own" and shouldn't have "just used AES". KASUMI was designed by the Security Algorithms Group of Experts, part of the European counterpart to NIST.
No. In 22 years only one person in 3.5 billion cracked GSM encryption and published his findings. According to the article others have cracked the encryption but haven't published.
What we now know is that it's crackable based purely on data analysis. That tells us everything worth knowing about GSM encryption. Anyone with a need for secure communications now has to treat GSM encryption as if it has been cracked by everyone they want to secure the communications against. To do otherwise would be about the only thing worse than security through obscurity.
Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts could put sophisticated mobile interception technology — limited to governments and intelligence agencies — within the reach of any reasonably well-funded criminal organization.
Can someone please tell me the difference between "governments" and "well-funded criminal organizations"?
There is an interesting issue that emerged when DES was the standard. With everyone adopting DES it became a 'target' meaning that more people would devote time to attacking it. The eventual attacks using differential cryptanalysis used specialised hardware for breaking DES. Although based on programmable gate arrays, the design was fairly specific and could not so quickly be converted into attacking a different cryptographic system. However, I would agree that unless you have a bunch of experts working for you, the system an individual entity will come up with will probably be flawed. And then key management usually turns out to be a minefield of exploits.
Actually, let me put this in a different way: You have three groups of people.
The governments.
Businesses (not just meaning the megacorps, but even SMBs).
The people.
The governments WANT good security, cost be damned. They want to have AES-256 while the other guys are still using rot-13. If their secrets get cracked, it might be that they may not be around in a few years. Look at WWII and how the cracked Enigma hurt Germany and the Navajo code talkers kept the US secrets protected.
The people want good security too, but ease of use matters. They want to know that if they send something via a secure tunnel, that some attacker won't have that info. Same with having files encrypted on a laptop and the laptop getting stolen. However, the difference between people and governments is that governments don't care about ease of use. People would rather have ease of use over security. Look how PGP webs of trust have almost gone extinct while S/MIME and SSL are the dominant factor... and I'm sure almost no people have looked through the trusted root certificate store to see whom they are trusting.
Now businesses: Their overriding motive is cost. If they can get away with outright lying about encryption when in reality they are using no security at all, that's good for their bottom line. To them, security has no ROI, and every dollar spent towards security is one that is wasted and could be going to an exec's retirement fund, or to fund more advertising.
I have seen numerous businesses that didn't even want to secure their corporate wireless network. Why? They believed no hacker would drive to their facility with a high gain antenna. To boot, most businesses I encountered that had this lax mentality, when I posed the question about what they would do if breached: "I'll just call Geek Squad." For a lot of businesses, a security breach will cost them nothing, even if all their payroll data and personal employee data ends up leaked.
Upper level business management just has zero incentive for security. Public relations mishaps can be easily patched up by putting out a new security "policy" that makes no sense, then paying for an ad blitz. I don't know about Europe, but Americans have a short memory, and are used to hearing "company foo had someone store 5,000,000 records on a laptop and the laptop got stolen and all the stuff is now on the Internet... want a year's subscription to an ID theft detection plan if you are one of those victimized?"
You won't be seeing any improvements in security from the private sector because there is no real reason to actually institute it. If a backup tape is lost, throw the guy who dropped the tape under the bus and call it done. Security is a cost center, thus by modern MBA philosophy, it needs to be cut no matter what, even if it leaves a company at major risk.
So, if you want to see any real security in the commercial sector, you have to get after governments to get regulations out there. Not knee-jerk shit like Sarbanes-Oxley which has made the storage companies rich but has done nothing for data confidentiality, but stuff like PCI-DSS which makes it hurt and hurt bad if there is a security breach. We also need data storage time limits, and laws requiring as little information as possible to complete a transaction.
The key is that businesses are not self policing. Unless they are kicked in the butt by the government to do honest to God security measures which work, they will not do a single thing except PR campaigns.
GSM falls under this. What the EU and US need to do is get the next iteration of the GSM standard to use well known hardware protocols, with a failover algorithm in case of the feared complete crack. The SIM card should use AES-256 and a fall back to Serpent or even 3DES for the bulk encryption algorithm. Yes, we will have to use block ciphers in stream mode, but modern chips can handle that. For the public keys, RSA [1] goes without saying, but a backup algorithm should be ECC, as that is re
Security experts get to roll their own cryptography, publish it, have it reviewed for years by many other security experts, and eventually it might be deemed secure.
Rolling your own and using it yourself is a guaranteed failure.
Security through obscurity vs full disclosure. Full disclosure always wins for the customer, regular citizens and the greater good.
...writes Anonymous Coward.
'This is theoretically possible but practically unlikely,' says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption.
"There has never been a successful escape from Stalag 13." - Werner Klemperer as Colonel Klink, Hogan's Heroes
If anyone wants actual security on a phone, the phones should encrypt end-to-end so that the carrier doesn't know the phone call. The difficulty here is getting a certificate system in place. But there are several viable solutions to that.
I think you overestimate the long-term consequences of politicians who "resign in disgrace". As an example, Eliot Spitzer is already invited to news shows as a commentator and is teaching a college course named "Law and Public Policy".
- T
In the long term, nothing happens because nearly all politicians are crooked. That said, if enough of them resign in disgrace quickly enough, we might--*might*--have a chance.