The cracking of GSM encryption by 28-year-old German security expert Karsten Nohl has sent shock waves through the wireless industry. But the crack should come as no surprise to an industry that has long given short shrift to security, an analyst says.
Nohl -- working with others around the Internet -- has created a guidebook for cracking the Global System for Mobile communication's 64-bit A5/1 algorithm, which was adopted in 1988. 3G networks use 128-bit encryption to protect caller privacy and the new A5/3 algorithm is being "phased in," GSM Association spokesperson Claire Cranton said.
Nohl said the message from the cracking effort is "to have better security, not 'We want to break you.' The goal is better security. If we created more demand for more security, if any of the network operators could use this as a marketing feature ... that would be the best possible outcome."
High Crime or High Time?
"Being security researchers, one thing we can do -- and what we choose to do in this case -- is to show how it can be done," he told the Associated Press. The revelations are aimed at pushing the industry's adoption of 128-bit encryption, which would be "one quintillion times more difficult" to crack.
Cranton spoke with outrage about the release of the guidebook, saying "this activity is highly illegal in the U.K. and would be a serious RIPA offense, as it probably is in most countries." She referred to Britain's Regulation of Investigatory Powers Act, which governs the interception of user logs and e-mails of suspected criminals by security and intelligence agencies.
But it should come as no surprise that the algorithm was broken, Andrew Storms, director of security operations for nCircle, said in an e-mail. "The variable of any encryption is time. One only needs to ensure the encryption is strong enough to guarantee the secrecy of the payload until the contents no longer have value. Given enough time, any encryption will be broken."
Industry Slow to Upgrade Security
Both the claims of improving security and the industry's protests are commonplace, Storms said. "As with any controversial information security research, a cat-and-mouse game plays out. Those affected cry foul, while the researcher claims noble intentions."
"Given Moore's Law, it was only a matter of time before the 1989 A5/1 algorithm would be broken," Storms said. "A5/3, the newer algorithm, will also be broken in due course years from now."
"The cellular-phone industry should have known that their encryption would be broken and has been slow to roll out the newer A5/3 algorithm," Storms said. "This is a classic case of security not being a top priority. What encourages consumers to spend money isn't security -- it's gadgets and features. While vendors have been busy trying to meet revenue goals, security simply has not received the attention it deserves."
The crack exploits flaws in GSM known for 15 years, Nohl said. "Fifteen years seems long enough for the cypher to be replaced with something else. No one uses a phone that is 15 years old. If they had taken steps, they could have replaced everything three times over."
agile:
Posted: 2010-07-30 @ 11:13am PT
Governments do not need to crack any encryption. They just tap it using lawful interception systems from the backbone. They have been doing that for years, without anyone saying anything.
Anonymous:
Posted: 2010-02-08 @ 2:27am PT
Most governmental agencies are using a GSM interceptor. The question is: what are the "other agencies" using for eavesdropping on GSM networks? Is it equipment based on the recent cracking method? Who is involved in this black market? Does Nohl know anything about it?