Researchers figure out how to crack GSM phone security
TechWorld.com - Two enterprising researchers claim to have figured out a way to eavesdrop on calls made using GSM mobile phones, cracking open its much-vaunted encryption.
According to David Hulton and Steve Muller, who presented the technique at the Black Hat security conference in Washington this week, GSM calls can now be recorded over long distances and cracked open in half an hour using only $1,000 worth of field-programmable gate array-aided computer equipment and a frequency scanner.
Although GSM's 64-bit A5 stream cipher has been theoretically vulnerable for some time, this is the first time anyone has demonstrated a way of doing it without investing in expensive, specialized equipment and without it taking years.
According to Hulton, spend $100,000 on hardware and the crack can be done in only 30 seconds using massively parallel processing technology. His company, Pico Computing Inc., is now developing the fast version to sell to agencies such as law enforcement, but plans to give away the slower version for free.
GSM is used all over the world by mobile phone companies, and is used in the U.S. by several networks, most notably AT&T and T-Mobile. It is considered to be secure enough that even criminals use it, simply cycling phones to avoid the theoretical risk of being tracked.
The "attack" depends on exploiting a vulnerability in the way GSM sets up calls. Assuming attackers were able to find out a phone's mobile subscription identification number and built-in hardware ID -- garnered by sending a text message to that phone, say -- they would have enough information to isolate calls from that phone.
Because networks set up some frames of the call security exchange using the same plain text scheme, throw enough hardware at the problem and the encryption can be forced open by using mathematical tables. "If we know the plain text, we can derive exactly what is coming out of A5," Hulton was quoted as saying at the presentation by sources.
- Leverage the Power of APIs to Turbocharge Your Mobile Strategy: 7 Steps to a Successful API Program In this guide, Intel® Services-which offers industry-leading API management solutions for over 150 top enterprises, including Best Buy, Netflix, Expedia, ESPN, and The...
- Mission Critical Cloud Powers Freesat Website, Mobile App When subscription-free satellite TV service Freesat needed a scalable, cost-effective infrastructure it found the disaster recovery and security features it needed with Peer...
- Bring Your Own Device: From Security to Success Download this e-Book to learn best practices for executing a BYOD policy.
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- API Management: The Key to Improving the Consumer Travel Experience Join PhoCusWright's Senior Technology Analyst, Norm Rose, as he shares his insights on how travel suppliers and intermediaries can improve industry data flow...
- Don't Believe the Hype: Not All Containers are Created Equal Hear executives discuss the 3 C's of Secure Mobility-content, credentials, and configurations-and learn the inherent security risks to your organization of using MDM... All Mobile/Wireless White Papers | Webcasts