Code that encrypts world's GSM mobile phone calls is cracked

Code that encrypts world's GSM mobile phone calls is cracked

Summary: A German computer engineer said that he had cracked the secret code used to encrypt most of the world's mobile phone calls.

SHARE:

A German computer engineer said Monday that he had cracked the secret code used to encrypt most of the world's mobile phone calls.

In an attempt to expose holes in the security of global wireless systems, 28-year-old Karsten Nohl cracked the 21-year-old GSM algorithm, which is used to encrypt 80 percent of the world's mobile calls, reports the New York Times.

Nohl revealed his success at the Chaos Communication Congress in Berlin, Germany. He said that 24 people worked independently to reproduce the code book, or binary code log, for the algorithm, which contains the equivalent of about two terabytes of data.

He announced his intentions to crack the GSM algorithm at a conference in August.

[Nohl's wiki page for the A5/1 project]

The GSM Association reportedly said that Nohl's actions were illegal in the U.S. and U.K., and said it was unlikely that Nohl had actually cracked the code.

Nohl reportedly said the code book is available on the Internet through BitTorrent.

The issue at the center of it all: should wireless carriers and/or the government take more steps to ensure the security of GSM wireless phone calls?

The GSM algorithm is an A5/1 algorithm, a 64-bit binary code now slightly outdated compared to the 128-bit codes used today to encrypt calls on third-generation networks. A successor, called the A5/3 encryption algorithm, was later developed, but most network operators haven't yet implemented it.

A known encryption expert, Nohl has a PhD. in computer engineering from the University of Virginia.

Earlier this year, he exposed weaknesses in the security algorithm for cordless home phones, prompting the DECT Forum, a standards group, to revisit it (.pdf). Nohl previously studied the security of RFID systems.

About 3.5 billion of the 4.3 billion wireless connections across the globe use GSM. In North America, 299 million consumers use the technology.

Topics: Hardware, Mobility, Networking, Security, Wi-Fi

Andrew Nusca

About Andrew Nusca

Andrew Nusca is a former writer-editor for ZDNet and contributor to CNET. During his tenure, he was the editor of SmartPlanet, ZDNet's sister site about innovation.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

32 comments
Log in or register to join the discussion
  • illegal?

    "The GSM Association reportedly said that Nohl?s actions were illegal in the U.S. and U.K., and said it was unlikely that Nohl had actually cracked the code."

    When someone finds a flaw in your security it's better to listen to them than condemn them. What if we just sued everyone who cracked WEP rather than creating WPA(2)? Sounds like a bad idea to me.
    baboddonggae
    • Still, he said that the codebook was released

      on the Internet, so he should be jailed for that.

      Seriouslly, how much different is that then someone who figures out the combo to your shed, then gives that to someone else who promptly steals your tools?

      Should something happen, he at least should be an accesorry to the crime.
      John Zern
      • Umm no.

        He didn't create the exploit, and in fact if
        you had read the attached article you would
        know that there is already code books available
        for about 6 figures.

        The point is that there are secure standards
        out there, but your providers just drag their
        feet at getting them rolled out. 3G Voice for
        instance is more secure than A5/1.

        And if it hasn't been done already, a crafty
        bot net writer could do the same thing Nohl has
        done by making the botnet a distributed
        computing platform, which is what a botnet
        basically is anyway, to compute out the cipher,
        in a few days time.
        Snooki_smoosh_smoosh
      • Your analogy is flawed

        [i]Still, he said that the codebook was released on the Internet, so he should be jailed for that.[/i]

        It's more like a bank advertising how secure they are (when they're not) and a reporter discovering that and then reporting it. Your tool shed is private; GSM is public.

        He should get a medal and big pat on the back.
        Takalok
    • The thing about encryption...

      is that it's designed with a certain lifetime in mind. As tech advances then the ease with which what was once strong encryption is cracked is accelerated. WPA w/ TKIP is no longer secure as TKIP was designed as an interim encryption solution.

      If GSM is unchanged in 21 years it's held up incredibly well but it's time to think about a new encryption scheme.
      LiquidLearner
  • so what

    isn't the government tapping the cell phones too....with no hacking required.
    Linux Geek
    • Who do you think invented phones?

      It was the gummit so they can liez to you hackzor!
      jdbukis
    • No, it was Microsoft

      In order to stifle innovation and make an easily hackable communications system. You should know better than anyone else that if it was hacked then cleared it was Microsoft, and probably Vista's fault.
      LiquidLearner
      • 1

        Nt
        The one and only, Cylon Centurion
      • Well said...

        Couldn't have said it better myself...

        lol...
        Wintel BSOD
      • Sweet!!

        lmao!!!
        rhonin
  • What do you get after you bust the code?

    Do you get to hear people talking on the phone?The digital stream is probably encrypted at the caller's phone.Whoever the caller calls gets the decryption file.Encryption/decryption is a mathematical scrambling of the digital stream.End computer virus.
    BALTHOR
    • Depends on what he means by "cracked"

      If he cracked the encryption key, then decrypting those phone conversations is easy. But then again, a new key could be issued to the carriers and the cat and mouse game starts. Its funny that the GSM association started off talking saying that what he was doing was illegal - almost saying, even if he did its illegal; which is a no-brainer, but it did not stifle desire to learn more about this. The fact that they deny it, only makes people want to know more about what is possible. The GSM association is in the same boat the music industry was in years ago. They wait for forever to enforce a mandatory implementation of their standard (due to security) and now that hacking attempts are being made they have to rush defend their lack of focus and leadership.
      andrej770
  • Doesn't Bother Me

    I only use my cell for sex party lines mostly with Asian minors so I could care less...........

    If not that I may make the occasional phone call requiring me to say or touch my SSN which is not a big deal either if the network is unsecure.

    I am sure the government listens to enough cell phone calls already!!!!!!!
    ctunk
  • USD government does NOT want more secure phones.

    Yes, there really is a rason most providers have not migrated to better encryption, it makes cracking it too hard for the US government.
    No_Ax_to_Grind
    • Governments do not need the ciphers to get in,

      they just listen in at the source. You know that
      secret room in the ATT building.
      Snooki_smoosh_smoosh
  • Last Time I Checked...

    Last Time I checked, the USA had more CDMA Subrscribers than GSM which means it is inaccurate to say that 299 Million (roughly the entire US Population) uses this technology because at best it is 50% but I would bet it is lower than that...

    Crud, think of how much of the population can't or won't use technology (1 to say 10 year olds and some people over 65).
    slickjim
    • I may be wrong, but...

      I believe that US census reported that there were @ 305 million legal
      residents in the United States. Then there are those 47 million illegals
      that Osama Obama is protecting. I am having a real hard time nailing
      down who exactly carries GSM and CDMA. But that is another story, The
      most recent figurers came up in 2007, which is consistent with what you
      posted. I do not believe that there are even 200 million active cellphones
      in the United States. HEre is the part I am thinking. Again I may be
      wrong, but I am willing to bet the number quoted includes the
      disposable cellphones. Add those in to the mix, and the numbers skew
      off into left field.
      Rick_K
      • More than 1

        In many cases, one person has more than 1 phone.

        I question the 299 million number myself, but I don't think it's outside
        the realm of possibility.
        People
      • Again read the article or take a

        Geography class...
        Snooki_smoosh_smoosh