Researchers: GSM mobile security on the ropes
Privacy and data put at risk, researchers say at Black Hat
IDG News Service - AMSTERDAM -- The security of the most widely used standard in the world for transmitting mobile phone calls is dangerously flawed, putting privacy and data at risk, two researchers warned at the Black Hat conference here today.
Researchers David Hulton and Steve Muller showed at a Black Hat event in the U.S. last month how it was possible to break the encryption on a GSM (Global System for Mobile Communications) call in about 30 minutes using relatively inexpensive off-the-shelf equipment and software tools. Hackers could listen in on phone calls from distances of up to 20 miles or farther away.
The researchers are still refining their technique, which involves cracking the A5/1 stream cipher, an algorithm used to encrypt conversations. In about another month, they'll be able to crack about 95% of the traffic on GSM networks in 30 minutes or faster with more advanced hardware.
Their research has been motivated in part by the absence of a more secure encryption method despite years of warnings about GSM.
"Ultimately, we are hoping that the mobile operators actually initiate a move to secure their networks," Muller said. "They've had about 10 years, and they haven't done it. In my opinion, there is only one language that they speak -- that's called revenue. As soon as they lose the revenue, they will actually change."
Since 1991, when GSM networks debuted, the integrity of their security has declined as researchers investigated. In 1998, the A5/1 and the A5/2, a weaker stream cipher, were broken.
Commercial interception equipment, which can cost up to $1 million, is now available to eavesdrop on calls. Hulton and Muller were game for a challenge and wanted to do it more cheaply.
For around $700, they bought a Universal Software Radio Peripheral, which can pick up any frequency up to 3 GHz. They modified the software to pick up GSM signals broadcast from base stations. They compared those with signals picked up by a Nokia 3310 phone, which had a software feature that allowed for a peek into how GSM works.
Hulton and Muller studied how a GSM phone authenticates with a base station and sets up an encrypted call. They then built a machine with lots of memory that uses Field-Programmable Gate Arrays, high-powered hardware used for intensive calculations, in order to crack the call's encryption.
The pair now plans to commercialize the technique, although Hulton said they will vet buyers. He said they haven't had any feedback from operators on their research.
Muller warned that faster attacks on GSM will likely emerge, making it more imperative that the mobile industry finds a solution.
"We started [this project] because everyone said we couldn't do it," Muller said. "Attacks will always get better; they'll never get worse."
- The Apple-ization of the Enterprise: Understanding IT's New World Read this paper for how to tackle Apple-ization (and the related consumerization of IT and Bring Your Own Device/BYOD).
- A Practical Introduction to Enterprise Mobility Management Read the white paper to better understand the basic concepts within mobility management and to learn how you can apply EMM technology to...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise Endpoint Backup Checklist Read this checklist to learn how to create a back up strategy to quickly and easily protect your endpoint data.
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Mobile Security: Containerizing Enterprise Data In this on-demand webinar, Fixmo's Lee Cocking, VP of corporate strategy, explains why Apple-ization trends like mobility and "bring-your-own-device" (BYOD) are driving the... All Mobile/Wireless White Papers | Webcasts