Randomness (r_ness) wrote,

GSM standard still vulnerable to call intercept.

In an unrelated story, Reuters reports on progress in intercepting actual phone calls, as opposed to breaking into voicemail:
"I'd be very surprised if no criminal organisation understood this potential and wasn't already doing this," said hacker Karsten Nohl, who helped expose a security flaw in the widely used GSM mobile network standard last December.

The vulnerability of the 20-year-old GSM standard, used by billions of people in about 80 percent of the global mobile market, was clearly demonstrated last December by Nohl together with fellow hacker Sylvain Munaut.

The two demonstrated an interception at the Chaos Computer Club Congress in Berlin, using a toolkit of four cheap phones, a laptop and some open-source software to hack the A5/1 algorithm used to keep GSM voice conversations confidential.

The GSM Association has developed a new, more secure algorithm but it is hard to deploy in older networks. It has also made available a security patch that is easier to implement, but Nohl said it had not been widely deployed.

Nohl is currently conducting tests on networks around Europe and says he had been able to attack all the GSM networks in London, France, Germany and the Netherlands during recent tests, using kit that a computer studies student could build in a week.

Nohl told Reuters he estimated an entire surveillance operation could be built around a person or organisation today for under 30,000 euros ($42,000) -- about one-tenth of the price it might have cost four or five years ago.

Among the British operators, only Vodafone is rolling out the GSMA's security patch to protect its network.

Orange and T-Mobile (DTEGn.DE), who have recently merged their networks, are looking at security options but have no firm plans.
Wikipedia article on the A5/1 cipher and its weaknesses.