Well, it’s finally happened: the elements necessary to build a computer setup capable of passively decrypting GSM have been cobbled together by cryptographer/computer scientist Karsten Nohl. It has been known for some years now that A5/1 – the stream cipher used to protect most GSM calls – was weak, c.f. the wikipedia page on A5/1 for a list of results. Practical attacks were considered slightly more difficult due the requirement for radio equipment and computation time. So despite expensive commercial products being available for a long time, there hasn’t been anything concrete that the general public can try. Until now.
Unveiled at the Chaos Communications Congress, he presents a solution utilising easily available open source software, inexpensive radio equipment and recently available rainbow tables. The combination means that it is now possible to capture and decrypt packets with a high degree of certainty.
What does this mean? It means that monitoring mobile calls and text messages is no longer limited to the Police, Government and criminal gangs that can afford the existing equipment retailing at around £20,000 – any spotty teenager that can afford around £1,500 worth of equipment can in theory intercept your calls. And make calls from your number, and fake SMS messages from your number, etc.
The bright shining light that the GSM consortium had in mind to replace A5/1 – A5/3, which is really just the Kasumi block cipher – is not going to help. Well, on a cursory reading it seems to depend on who you ask: the documentation I had previously read suggested the protocol was changed and that although Kasumi has theoretical breaks, it would be beyond the boundary of a practical attack (where have we heard that before); the presentation slides provided by Nohl however suggest that the mobile handset can be forced to encrypt packets using A5/1 with the same key allowing key recovery, and that Kasumi is fairly weak. Perhaps I’m just mixing up 3G specifications with the older GSM specs… if anyone actually knows the details here I’d appreciate them.
Personally, I think all this is a good thing: it evens the paying field – now everyone should know the security risks with non-provider mobile phone monitoring, not just criminals and bored rich folk.
There are commercial products available – again at significant cost – that can protect mobile calls by using strong encryption and forwarding calls via the data channel; they only however work on certain mobiles and are not in wide use. Given the ever increasing bandwidth available on mobile devices, I cannot imagine it will be long before an open source project pops up with a cross-platform solution of similar nature. The one caveat is that both handsets in the call must use the same software.