Researchers figure out how to crack GSM phone security

TechWorld.com - Two enterprising researchers claim to have figured out a way to eavesdrop on calls made using GSM mobile phones, cracking open its much-vaunted encryption.

According to David Hulton and Steve Muller, who presented the technique at the Black Hat security conference in Washington this week, GSM calls can now be recorded over long distances and cracked open in half an hour using only $1,000 worth of field-programmable gate array-aided computer equipment and a frequency scanner.

Although GSM's 64-bit A5 stream cipher has been theoretically vulnerable for some time, this is the first time anyone has demonstrated a way of doing it without investing in expensive, specialized equipment and without it taking years.

According to Hulton, spend $100,000 on hardware and the crack can be done in only 30 seconds using massively parallel processing technology. His company, Pico Computing Inc., is now developing the fast version to sell to agencies such as law enforcement, but plans to give away the slower version for free.

GSM is used all over the world by mobile phone companies, and is used in the U.S. by several networks, most notably AT&T and T-Mobile. It is considered to be secure enough that even criminals use it, simply cycling phones to avoid the theoretical risk of being tracked.

The "attack" depends on exploiting a vulnerability in the way GSM sets up calls. Assuming attackers were able to find out a phone's mobile subscription identification number and built-in hardware ID -- garnered by sending a text message to that phone, say -- they would have enough information to isolate calls from that phone.

Because networks set up some frames of the call security exchange using the same plain text scheme, throw enough hardware at the problem and the encryption can be forced open by using mathematical tables. "If we know the plain text, we can derive exactly what is coming out of A5," Hulton was quoted as saying at the presentation by sources.