Research May Hasten Death of Mobile Privacy Standard
Researchers at a computer security conference in Washington, D.C. this week detailed a method for dramatically reducing the cost and time needed to crack the security that prevents eavesdropping on GSM-based mobile phones.
The weaknesses in the GSM encryption technology -- a 64-bit scheme known as A5/1 -- were first detailed nearly a decade ago, but cracking the code has generally required a great deal of patience and some very expensive hardware (with hardware costs alone exceeding $1 million). U.S.-based GSM carriers -- including AT&T and T-Mobile -- as well as most European GSM providers are among the dozens of mobile providers and billions of handsets worldwide using A5/1 as their privacy standard.
Most of the previously detailed methods for cracking A5/1 encrypted GSM communications involved "active attacks," injecting data packets into the carrier's system or circumventing the encryption altogether by tricking a nearby target's phone into connecting to a bogus, unencrypted relay station controlled by the attacker. But researchers David Hulton and Steve Miller say their method relies on a purely passive attack, which can be done remotely and takes advantage of massive advances in parallel computing power to crunch through a listing of all possible GSM encryption keys in a matter of minutes.
The duo's discovery means that hacking into one of these devices could become easier (and more affordable) for government agencies, law enforcement, hobbyists and would-be thieves alike.
Miller and Hulton are currently about halfway through the process of generating a giant set of tables listing nearly all of the possible key combinations, which they plan to publish sometime in March for anyone to use. Armed with those tables, a minimum of two terabytes of hard drive space and a computer equipped with at least one hardware device known as a "field-programmable gate array" or FPGA, an attacker could theoretically decrypt a previously recorded GSM phone call or text message in about one hour, with roughly a 95 percent chance of success, Hulton told attendees at the annual "Shmoocon" security conference on Friday.
Total cost for the entire project: around $1,000 to $1,500. Increase the amount of hard drive space and/or add more FPGAs, and the time to decrypt drops to around 30 minutes, the researchers said.
Hulton is director of security communications for Pico Computing, a company that manufactures powerful FPGA devices designed for use in desktop and mobile computers. Hulton said Pico plans to commercialize the technology, which will use the still uncompleted encryption key tables in conjunction with far more powerful hardware devices capable of cracking almost any GSM encryption key within 30 seconds.
In order to intercept the actual encrypted communications, attackers would need to purchase a $700 hardware receiver capable of receiving any GSM frequency from zero to 3.0 Gigahertz. By initiating a call or sending a text message to the target's phone, an attacker could learn the target's mobile subscription identification number and the equipment ID tied to his or her phone, two pieces of information that are unique to each GSM mobile subscriber (data points that are needed to intercept a target's encrypted GSM communications). This would be the easiest way to gather the ID information, but attackers also could collect the same data passively by waiting for the target to initiate a communication, the researchers said.
This information can be intercepted, Miller said, because the providers all send it in plain text over the network, even though the GSM technical specifications advise providers to encrypt that information as well.
"When we wrote our receiver and looked at the network, we actually saw clear text data flowing over the network all the time," Miller told Security Fix. "So, the network providers are pretty much all in violation of the standards. But there's no reason for them to follow it, because no one ever bothers checking."
David Pringle, a spokesperson for the GSM Association (GSMA), declined to comment on the specifics of the duo's research, saying engineers there hadn't had time to review it. But he defended the security and resiliency of the A5/1 privacy algorithm, saying the attacks detailed to date have been more theoretical than practical.
"Over the past few years, a number of academic papers setting out, in theory, how the A5/1 algorithm could be compromised have been published," the GSMA said in a statement. "However, none to date have led to a practical attack capability being developed against A5/1 that can be used on live, commercial GSM networks."
Still, the association says it has been working to "further enhance privacy protection on GSM networks and has developed a new high-strength algorithm, A5/3," which it claims is being phased in among carriers to replace A5/1.
The association said it "closely monitors the work of groups, such as the 'A5 Cracking Project'," and that it is "working through the appropriate standards bodies to ensure all stakeholders understand the implications of this work."
Meanwhile, the two researchers said that, barring any legal interference, they plan to demonstrate their method Wednesday in a related presentation at Black Hat D.C., a security conference being held this week here in Washington.
The slides from Hulton's Shmoocon presentation contain far more technical details on their research. They are available at this link here (PDF).
February 19, 2008; 12:52 PM ET