One year ago today, I posted a note about a presentation at the 26th Chaos Communications Congress on breaking the encryption used to protect GSM cellular telephony. (Actually, the GSM system, which is used for approximately 80% of cellular phones world-wide, has two available encryption methods, called A5/1 and A5/2, for encrypting the voice data stream. The report concerned cracking the A5/1 cipher, the stronger of the two methods. The A5/2 method had been known to be vulnerable for some time.) As is customary after such reports, the practicality of the attack was dismissed by the cellular providers.
The ability to decrypt GSM’s 64-bit A5/1 encryption was demonstrated last year at this same event … However, network operators then responded that the difficulty of finding a specific phone, and of picking the correct encrypted radio signal out of the air, made the theoretical decryption danger minimal at best.
By now, one might think that the providers would realize that some people would regard their response as a challenge, but they seem to be slow learners.
Ars Technica has an article about a presentation at this year’s 27th Chaos Communications Congress, being held in Berlin, that showed that GSM conversations could be intercepted and decrypted, using no equipment other than cheap GSM phones and a laptop computer.
Speaking at the Chaos Computer Club (CCC) Congress in Berlin on Tuesday, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network “sniffers,” a laptop computer, and a variety of open source software.
There are several steps in the interception process, which exploits weaknesses in the GSM protocol and its implementation.
- Because of the way that GSM networks exchange subscriber location information, the location of a particular phone can be narrowed down to a relatively small geographic area: a city, or a particular region.
- Once the location of the target phone is narrowed down, the attacker can “war drive” around the area, sending out “broken” SMS (text) messages, and listening for the system’s responses. This allows the attacker to deduce the network ID assigned to the target phone.
- Once the target has been located and identified, the data stream can be intercepted and decrypted. The decryption is facilitated by the use, by many operators, of background status messages to and from the target phone; these messages, although encrypted, have sizable blocks of “known plaintext”, providing what is known as a crib. (A very similar bit of carelessness by the Germans in World War II — having standardized message headers for, among other things, weather reports — helped Alan Turing and the cryptographers at Bletchley Park to crack the Germans’ Enigma messages.)
The researches replaced the firmware of their inexpensive phones with new code that captured and stored the raw data being transmitted by the cellular network. The network operators also made the hackers’ job easier by frequently re-using random session keys, meaning that it was often possible to retrieve the unencrypted data from several consecutive conversations. The researchers did find that one encryption key was very well protected: the key used to encrypt communications between the provider’s system and the SIM card in the phone, which is used for billing information. At least this indicates that the providers can get it right when their pocketbooks are on the line.
The researchers provided a live demonstration in which they sniffed the message headers used by a phone, cracked the session keys, and recorded the ensuing conversation, all within a few minutes.
As Bruce Schneier has frequently reminded us, attacks on cryptographic systems only get better over time. You would be well advised to take your provider’s claims about the security of your conversations with several shovelfuls of salt.
Update, Saturday, 1 January 2011, 10:50 EST
The ThreatPost blog at Kaspersky Labs also has a brief article on this.