NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0452 GSM Mobile Security Seriously Flawed:
The security of the most widely used standard in the world for transmitting mobile phone
calls is dangerously flawed, putting privacy and data at risk, two researchers warned at
the Black Hat conference. The pair showed at a Black Hat event in the US last
month how it was possible to break the encryption on a GSM (Global System for Mobile
Communications) call in about 30 minutes using relatively inexpensive off-the-shelf
equipment and software tools. Hackers could listen in on phone calls from distances of
up to 20 miles or farther away. The researchers are still refining their technique,
which involves cracking the A5/1 stream cipher, an algorithm used to encrypt conversations.
In about another month, they will be able to crack about 95% of the traffic on GSM
networks in 30 minutes or less, with more advanced hardware. Their research has been
motivated in part by the absence of a more secure encryption method despite years of
warnings about GSM. The pair studied how a GSM phone authenticates with a base station
and sets up an encrypted call. They then built a machine with lots of memory that uses
Field-Programmable Gate Arrays, high-powered hardware used for intensive calculations,
in order to crack the call's encryption. They now plan to commercialize the technique,
although one researcher said they would vet the buyers. He said they have not had any
feedback from operators on their research. One of the researchers warned that faster
attacks on GSM will likely emerge, making it more imperative that the mobile industry finds
a solution.
(IDG News Service 28MAR08)