GSM Encryption Cracked... GSMA's First Response? That's Illegal!

from the yeah,-because-the-eavesdroppers-care dept

The big news in security circles this week is the fact that a security researcher claims to have cracked the encryption used to keep GSM mobile phone calls private. It looks like he and some collaborators used a brute force method. He admits that it requires about $30,000 worth of equipment to de-crypt calls in real-time, but that's pocket change for many of the folks who would want to make use of this. What's much more interesting (and worrisome) is the GSM Association's (GSMA) response to this news:
"This is theoretically possible but practically unlikely," said Claire Cranton, an association spokeswoman. She said no one else had broken the code since its adoption. "What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me."
There are so many things wrong with that statement it's hard to know where to begin. First, claiming it's "theoretically possible, but practically unlikely" means that it's very, very possible and quite likely. To then say that no one else had broken the code since its adoption fifteen years ago is almost certainly false. What she means is that no one else who's broken the code has gone public with it -- probably because it's much more lucrative keeping that info to themselves. Next, blaming the messenger by announcing that cracking the code is "illegal in Britain and the United States" is not what anyone who uses a GSM phone should want to hear. They should want to know how the GSMA is responding and fixing the problem -- not how they're responding to the public release. Finally, if it's "beyond" her why cracking a code used for private conversations and showing that it's insecure is all about being concerned about "privacy" -- she should be looking for a different job. This has everything to do with privacy. The GSMA claims that the code is secure for private conversations, and this group of folks is showing that it is not. That seems to have everything to do with privacy.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: encryption, gsm, privacy, reaction, security
Companies: gsma


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Ben (profile), 29 Dec 2009 @ 3:24pm

    A5/3

    A5/3, the next encryption level up, has been ignored for many years by a lot of the networks who considered it too costly to implement considering A5/1 was so 'safe'. I wonder now how many will make the transition?

    Since 2006 handset manufacturers have been mandated to remove support for A5/2 (much easier to crack) so that the phone is safe (with no real change to networks). This means your expensive new phone likely wont work in poorer, non western, countries who are only allowed A5/2. A5/1 is likely to go a similar way in the next 5 years, assuming of course traditional voice networks remain. My guess is all future voice will go VoIP with lovely AES etc etc.

    link to this | view in chronology ]

  • identicon
    John, 29 Dec 2009 @ 3:27pm

    /sigh

    Those concerned about security and privicy had best converse inside a sealed, lead encased room. There's no such thing as privacy anymore.

    link to this | view in chronology ]

    • identicon
      Max, 29 Dec 2009 @ 3:56pm

      Re: /sigh

      I think you need to use the Cone of Silence

      link to this | view in chronology ]

    • icon
      Marcus Carab (profile), 29 Dec 2009 @ 4:20pm

      Re: /sigh

      Perhaps. But at the same time, service providers should not guarantee a level of privacy that does not exist and that they apparently have no intention of working to maintain.

      link to this | view in chronology ]

  • icon
    Nelson Cruz (profile), 29 Dec 2009 @ 4:36pm

    Blame it on France

    Blame it on France for not wanting A5/1 to be a stronger algorithm. France wanted authorities to be able to easely tap on conversations. Honestly I'm even surprised it took so long to be "broken".

    link to this | view in chronology ]

  • icon
    sehlat (profile), 29 Dec 2009 @ 4:38pm

    Ms. Cranton obviously worships the Goddess of Institutional Inertia

    And the Goddess of Institutional Inertia is also known as laziness.

    link to this | view in chronology ]

  • identicon
    CHExecutie, 29 Dec 2009 @ 5:24pm

    Voip

    How about free calls? How about 5 second ads played before the call? Why do we even put up with these phone companies anyway?
    Who's with me!

    link to this | view in chronology ]

  • identicon
    vgs, 29 Dec 2009 @ 5:27pm

    Voip

    How about free calls? How about 5 second ads played before the call? Why do we even put up with these phone companies anyway?
    Who's with me!

    link to this | view in chronology ]

  • identicon
    Rooker, 29 Dec 2009 @ 5:30pm

    I guess that solves that. Nobody will ever snoop on a phone call because it's illegal to do that. And nobody ever uses a cell phone outside the US or UK. Ever. Got it.

    link to this | view in chronology ]

    • identicon
      Yakko Warner, 30 Dec 2009 @ 7:56am

      Re:

      But if you outlaw phone snooping, only the outlaws will snoop phones...

      link to this | view in chronology ]

  • icon
    Zaphod (profile), 29 Dec 2009 @ 5:33pm

    $30,000 ? Try $2,000!

    Back around September 8th Steve Gibson of Gibson Research Corp. (grc.com) told all the nitty-gritty about how to crack GSM nearly on the fly. All that is needed is a couple of terrabyte HDDs (Rainbow Tables), a laptop, and a special radio device.

    He told all on his podcast "Security Now". The podcast with all the pertinent info is here:

    http://twit.tv/sn213

    Transcript here:

    http://www.grc.com/sn/sn-213.txt

    That should put an end to the cell companies blowing smoke up places it doesn't belong. Also, it's amazing the cell providers kept a lid on it this long!

    link to this | view in chronology ]

  • identicon
    Bengie, 29 Dec 2009 @ 6:06pm

    CDMA?

    Good reason to use CDMA?

    link to this | view in chronology ]

    • identicon
      Azrael, 29 Dec 2009 @ 11:59pm

      Re: CDMA?

      Nope, it's even worse - all you need to snoop on it is a cloned phone.

      link to this | view in chronology ]

  • icon
    Robert Ring (profile), 29 Dec 2009 @ 6:42pm

    This is laughable. "This is illegal. No one committing a crime would use an illegal method to do so. Therefore you are all safe. Sheep."

    link to this | view in chronology ]

  • identicon
    thornintheside, 29 Dec 2009 @ 7:44pm

    government already had the codes

    Did he expose what our government and various security agencies have used for years to eavesdrop on cell calls?

    link to this | view in chronology ]

    • icon
      Christopher Froehlich (profile), 29 Dec 2009 @ 8:05pm

      Re: government already had the codes

      Exactly. The US had the signals intelligence to do this as early as 2003 and the Brits were certainly ahead of us by that point. Historically, Britain has been years ahead of the US in signals intelligence; but the problem for US operations was not the decryption of the individual frequencies but the multi-frequency modulation of the unique call. This is possible with the right dedicated equipment, but mobile platforms generally had to sacrifice GSM capability due to the overhead. At any rate, all of the problems with GSM intercept have largely been solved for some time in military/DoD operations--that anyone would suggest otherwise is laughable.

      link to this | view in chronology ]

      • identicon
        Jari Winberg, 29 Dec 2009 @ 9:58pm

        Re: Re: government already had the codes

        There's no need for governments to crack any encryptions on radio network, at least not in the every day surveillance/eavesdropping. Lawfully Authorized Electronic Surveillance is a functionality in core network.

        link to this | view in chronology ]

  • identicon
    :), 29 Dec 2009 @ 9:28pm

    Make a lot of Live USBs and show it to the world :)

    http://en.wikipedia.org/wiki/Live_usb_creator

    Microsoft wouldn't dream of doing this.

    That is why to create a live windows CD you have to go to a extensive marathon of steps to accomplish this simple task.

    link to this | view in chronology ]

  • identicon
    a hacker, 29 Dec 2009 @ 9:38pm

    we dont care bout your stinkin laws no more

    stuff you

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 30 Dec 2009 @ 10:09am

      Re: we dont care bout your stinkin laws no more

      I'm getting tired of the over/mis use of "Stuff You"

      Just Saying.

      link to this | view in chronology ]

  • identicon
    Benjie, 30 Dec 2009 @ 5:26pm

    Cloned phones

    Some day they will just switch over to VOIP and public key plus symmetric key would make it near impossible to eavesdrop without access to the carrier.

    If all the low level communication was also done via encryption, it would be impossible to even listen in on a CDMA data stream.

    GSM is less secure.

    link to this | view in chronology ]

  • identicon
    Tangoman, 4 Jan 2010 @ 4:49am

    GSMA response

    So, has GSMA com with a newer response?

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.