GSM Algorithm Cracked Leaving Voice Calls Unsecure


When we last spoke with Cellcrypt, they told us about a group of white hat hackers in Germany who were attempting to crack the GSM codebook. The group is led by Karsten Nohl, and yesterday news broke that his team has cracked the GSM algorithm, technically known as the A5/1 privacy algorithm. The algorithm is used to tell your voice call to hop frequencies, thus encrypting your call. Each mobile device is given a key, which decodes the hopping algorithm so you can listen to a call.

The GSM association has been quoted saying that “by simply modifying the existing algorithm, [carriers] could thwart any unintended surveillance.” This statement doesn’t ring entirely true. The costs of implementing such an update would be very significant, and it seems these costs are what’s preventing carriers from updating their infrastructure.

Something else to consider: I’m no expert on encryption, but generally speaking you need the algorithm and the key to be in sync. Updating the algorithm may be easy on the carrier side, but the key to decode rests in the device. It’s not clear how easy or difficult it would be to update these keys.

With over 80% of calls being made on this now unsecured GSM network, we do have a major security concern on our hands. Many are saying 3G is the solution, but academics and industry players all know that 3G is subject to the same potential algorithm cracking, making it a band-aid solution.

Speaking with Cellcrypt, we talked about this and how their software can add an additional layer of security on voice calls to make sure they’re encrypted. We also talked about how using the GSM codebook isn’t the only way to listen to a call, and voice security has been a concern for many years. For example, a user can spoof the base station to listen to a call. A mobile phone looks for the strongest signal to find a base station, so anyone who is able to mimic the base station can take the signal and simply tell the device to turn off encryption. Another way is to have a rogue agent inside the carrier to intercept the call. This actually happened back in 2004 when a Vodafone Greece engineer was found to be intercepting the calls of 100+ government officials.
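To make the A5/1 discussion and the question of where the key lives concrete, here is an added example (not code from the original post or from Cellcrypt): a plain Python keystream generator for A5/1, built from the cipher's published register sizes, taps and majority-clocking rule. The keystream depends only on the 64-bit session key Kc and the 22-bit frame counter, which is what makes a precomputed codebook attack possible and why the key is worth protecting per call; the test key below is the one used by the well-known reference implementation.

```python
R1_MASK, R2_MASK, R3_MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF   # 19-, 22-, 23-bit registers
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080   # feedback taps
R1_MID, R2_MID, R3_MID = 0x000100, 0x000400, 0x000400      # majority-clocking bits
R1_OUT, R2_OUT, R3_OUT = 0x040000, 0x200000, 0x400000      # output (top) bits

def _parity(x):
    return bin(x).count("1") & 1

def _clock(reg, mask, taps):
    """Shift an LFSR left by one bit, feeding back the XOR of its tap bits."""
    return ((reg << 1) & mask) | _parity(reg & taps)

def a5_1_keystream(key, frame):
    """Return (downlink, uplink) lists of 114 keystream bits for one TDMA frame,
    given the 8-byte session key Kc and the 22-bit frame counter."""
    if len(key) != 8 or not 0 <= frame < (1 << 22):
        raise ValueError("key must be 8 bytes and frame a 22-bit number")
    r1 = r2 = r3 = 0
    # Initialisation: clock all three registers and XOR in each key bit
    # (LSB-first within each byte), then each frame-number bit.
    key_bits = [(key[i >> 3] >> (i & 7)) & 1 for i in range(64)]
    frame_bits = [(frame >> i) & 1 for i in range(22)]
    for bit in key_bits + frame_bits:
        r1 = _clock(r1, R1_MASK, R1_TAPS) ^ bit
        r2 = _clock(r2, R2_MASK, R2_TAPS) ^ bit
        r3 = _clock(r3, R3_MASK, R3_TAPS) ^ bit

    def step():
        # Majority rule: a register advances only when its clocking bit
        # agrees with the majority of the three clocking bits.
        nonlocal r1, r2, r3
        b1, b2, b3 = bool(r1 & R1_MID), bool(r2 & R2_MID), bool(r3 & R3_MID)
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj: r1 = _clock(r1, R1_MASK, R1_TAPS)
        if b2 == maj: r2 = _clock(r2, R2_MASK, R2_TAPS)
        if b3 == maj: r3 = _clock(r3, R3_MASK, R3_TAPS)
        return _parity(r1 & R1_OUT) ^ _parity(r2 & R2_OUT) ^ _parity(r3 & R3_OUT)

    for _ in range(100):           # 100 mixing cycles, output discarded
        step()
    bits = [step() for _ in range(228)]
    return bits[:114], bits[114:]

def bits_to_hex(bits):
    """Pack keystream bits MSB-first into zero-padded bytes and return hex."""
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i >> 3] |= b << (7 - (i & 7))
    return out.hex()
```

Calling `a5_1_keystream(bytes.fromhex("1223456789ABCDEF"), 0x134)` and then the same key with frame `0x135` gives two different 114-bit keystreams from one Kc, which is the per-call key behaviour the comments below describe.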

  • paul

    The decode key is not in the phone. It is established by the network and given to the phone at call setup. It is different for every call.

    Sounds like the white hat hackers have not published the crack either, so they are the only ones who have it – them and the GSM association I’m sure.

    Cool either way. Good post

  • josh

    The GSM Algorithm has been known to be weak and crackable with the right tools for years. The initial algorithms were created when cell phones did not have nearly the processing power we have today.