Hacker cracks and publishes GSM call encryption code

[Jos]

The 21-year old encryption standard used to protect phone calls on the most widely used mobile standard has been cracked. Karsten Nohl, a German computer engineer revealed yesterday that he had deciphered the binary codes for the 64-bit GSM encryption algorithm known as A5/1 by simple brute force, and then published his findings to the hacking community in a bid to expose weaknesses in the security of global wireless systems.

Although potentially making calls vulnerable to snooping, Nohl said he took precautions to remain within legal boundaries, emphasizing that his efforts were purely academic and kept within the public domain. While the disclosure does not by itself threaten the security of voice data, anyone who can work standard GNU build process and a set of open source software tools could break the encryption and listen in on conversations.

The GSM Association has responded by questioning Nohl's intentions and stating that operators could just modify the existing code to re-secure their networks -- though the new code will remain just as vulnerable to brute force cracking as the one before. The group has had a 128-bit successor to A5/1 since 2007, dubbed A5/3, but thus far has failed to push the standard out across much of the industry.

Permalink to story.

https://www.techspot.com/news/37454-hacker-cracks-and-publishes-gsm-call-encryption-code.html

 

[Timonius]

Forget the 128-bit, better go bigger and make sure you hire Nohl to make it better.

 

[TorturedChaos]

Makes me a little nervous that someone cracked it - through brute force none the less - but mostly I see this as a good thing. That encryption code has been in use for 21 years, sounds like it needs to be updated any ways. Whose to say someone hasn't cracked it already and just didn't say anything? Hopefully we something new very soon.

 

[tengeta]

Its just sad that a 21 year old standard IS the standard to begin with. I assumed years ago it was cracked and they just didn't come out about it. Encryption lives a very short life, especially these days.

 

[Timonius]

You're probably right tengeta and TorturedChaos. This may have been a simple and convenient cover story. haha!

 

[Vrmithrax]

It's hard to imagine that government agencies with massive budgets and the most sophisticated hardware hadn't done a simple brute-force hack of the GSM code long ago. But hey, if I was an agency interested in intelligence or espionage, I'd sure keep the fact that the code was cracked quiet, so people would freely say things they normally wouldn't if they had no confidence in the security of their connection... I'm just sayin...

 

[Guest]

I can't believe it took 21 years to crack it.

 

[Zeromus]

What? He won a bid? Aw, I bet he didn't bet for crap

 

[compdata]

Vrmithrax said:
It's hard to imagine that government agencies with massive budgets and the most sophisticated hardware hadn't done a simple brute-force hack of the GSM code long ago. But hey, if I was an agency interested in intelligence or espionage, I'd sure keep the fact that the code was cracked quiet, so people would freely say things they normally wouldn't if they had no confidence in the security of their connection... I'm just sayin...

100% right on. Anyone who thinks their cell calls are "secure" is in denial

 

[satty]

I dont believe he is the first one who did it(21 years....???)

 

[Guest]

Old news is old (years old).

 

[Guest]

you can thank management again.

meanwhile across the pond, if Nohl can do it...

so can those angry people who keep trying to light their underpants and shoes on fire...

that's the scurry part 8(

 

[Guest]

Government agencies do not need to crack it.
Part of the GSM license is the interconnection with the intelligence agencies in that country.
So the agencies have access to the calls anyway.

 

[Guest]

Any argument against using wireless 802.11 a/b/g/n for VoIP just went away permanently. You can use as much encryption as you want (4096 bit, whatever) if you have the CPU/GPU power to encrypt/decrypt it. This is a solid reason for every confidential phone user to use GNU-PGP and set up a maximum public key protected account scheme. Soon people who have critical conversations over GSM are going to get fired - before the company's business shows up on TMZ.

LOL image verification code is "privately politic". Exactly. The price some people will pay for privacy or to ensure their domination of public life is infinite. GSM just lost a critical early adopter market. If you were going to run for President in 2012, would you let your staff set up a GSM network now, or would you wire every office for wireless a/b/g/n (the earlier standards have some advantages for wide area VoIP) and use GSM only where you had to?

 

[Guest]

So, where is the big announcement to move to 256 bit or whatever?

If we don't hear it, we should all be preparing to use wireless a/b/g/n as our primarily phone connection.

No surer sign of a dead technology than no determined response to stay competitive.