In order to keep a conversation between two mobile devices private and secure, service providers use algorithmic encryption. The most widely used protocol around the globe is a 64-bit Global System for Mobiles (GSM) algorithm called A5/1 which was developed in 1988. GSM prevents interception of conversations by forcing devices and base stations to constantly change frequencies. Whilst many 3G networks now use the more up-to-date 128-bit A5/3 version developed in 2007, the vast majority of mobile providers do not appear to have upgraded.


A5/1 GSM encryption stream cypher diagram

Breaking out of the lab

nohlThere have been “in the lab” rumblings about numerous flaws in the 64-bit system for a few years now but nothing about serious threats out in the wild. Until now that is. At the recent Chaos Communication Congress in Berlin, security researcher and privacy advocate Karsten Nohl (who grabbed headlines in2008 when he published details of security weaknesses of the Mifare Classic wireless smart card chip) gave details of how he and his team had spent some months cracking open A5/1.

Nohl’s research project “aims at publicizing cryptographic weaknesses found in today’s cellular networks. We are not advocating to exploit these weaknesses but rather want to inform about the fact that GSM calls are already being intercepted and decrypted using commercial tools.”

Nohl’s team has not only created sets of instructions to quickly look up all the values from gsm_interceptorhuge tables which show all of the possible inputs and outputs of 64-bit algorithms, but has also managed to spread the storage of those tables, known as rainbow tables, over a distributed system of nodes. Each node “donates” processing and storage power for a piece of the code book.

Armed with a laptop, some relatively inexpensive hardware and a couple of network cards, an eavesdropper now has the potential to intercept an A5/1-protected call or text, record it and then use the technical know-how published on the internet to successfully decrypt it in seconds. Nohl told CNET “GSM’s A5/1 encryption function uses a 64-bit key that is too short to withstand the computing power available today. When the algorithm was designed 20 years ago when CPU [central processing unit] cycles and storage were much more expensive, it must have seemed a lot more secure.”

To worry or not to worry…

The GSM Association has adopted a defensive pose and played down the seriousness of the breach, saying that applying the results of the research is “a long way from being a practical attack on GSM” and accusing Nohl and his team of engaging in “highly illegal” activity. Nohl, however, states that legal advice has been obtained that shows all is “within the legal realm” and is encouraging mobile service providers to update their infrastructures before someone puts all of the pieces together and builds a full GSM interceptor to fully exploit the weaknesses.

If the dismissive position of the GSM Association is reflecting of industry attitude towards customer security, are you concerned that security exploits as demonstrated by Nohl could render your texts and conversations available for just about anyone to see or hear?