Code That Protects Most Cellphone Calls Is Divulged, and the open source
platform used to decode is skysweeper.
By KEVIN J. O'BRIEN
Published: December 28, 2009
BERLIN — A German computer engineer said Monday that he had deciphered
and published the secret code used to encrypt most of the world’s
digital mobile phone calls, in what he called an attempt to expose
weaknesses in the security of global wireless systems.
The action by the encryption expert, Karsten Nohl, aimed to question the
effectiveness of the 21-year-old GSM algorithm, a code developed in 1988
and still used to protect the privacy of 80 percent of mobile calls
worldwide.
“This shows that existing GSM security is inadequate,” Mr. Nohl, 28,
told about 600 people attending the Chaos Communication Congress, a
four-day computer hackers’ conference that runs through Wednesday in
Berlin. “We are trying to push operators to adopt better security
measures for mobile phone calls.”
The GSM Association, the industry group based in London that devised the
algorithm and represents wireless operators, called Mr. Nohl’s efforts
illegal and said they overstated the security threat to wireless calls.
“This is theoretically possible but practically unlikely,” said Claire
Cranton, a GSM spokeswoman, noting that no one else had broken the code
since its adoption. “What he is doing would be illegal in Britain and
the United States. To do this while supposedly being concerned about
privacy is beyond me.”
Some security experts disagreed. While the disclosure does not by itself
threaten the security of voice data, one analyst said companies and
governmental organizations should take the same steps to ensure the
security of their wireless conversations as they do with antivirus
software for computer files.
“Organizations must now take this threat seriously and assume that
within six months their organizations will be at risk unless they have
adequate measures in place to secure their mobile phone calls,” said
Stan Schatt, a vice president for health care and security at the
technology market researcher ABI Research in New York.
Mr. Nohl, who has a doctorate in computer engineering from the
University of Virginia, is a widely consulted encryption expert who
waged a similar campaign this year that prodded the DECT Forum, a
standards group based in Bern, to upgrade the security algorithm for 800
million cordless home phones.
Mr. Nohl has now set his sights on GSM, whose second-generation digital
technology is still the most widely used wireless-communications
standard in the world. About 3.5 billion of the world’s 4.3 billion
wireless connections use GSM; it is used by about 299 million consumers
in North America.
In August, at a hackers’ forum in Amsterdam, Mr. Nohl challenged other
computer hackers to help him crack the GSM code. He said about 24
people, some members of the Chaos Computer Club, which is based in
Berlin, worked independently to generate the necessary volume of random
combinations until they reproduced the GSM algorithm’s code book — a
vast log of binary codes that could theoretically be used to decipher
GSM phone calls.
The code book, Mr. Nohl said, contains the equivalent of about two
terabytes, or 2,000 gigabytes, of digital information, the equivalent of
100 high-definition films.
During an interview, Mr. Nohl said he took precautions to remain within
legal boundaries, emphasizing that his efforts to crack the GSM
algorithm were purely academic, kept within the public domain, and that
the information was not used to decipher a digital call.
“We are not recommending people use this information to break the law,”
Mr. Nohl said. “What we are doing is trying to goad the world’s wireless
operators to use better security.”
Mr. Nohl said the algorithm’s code book was available on the Internet
through services like BitTorrent, which some people use to download vast
quantities of data like films and music. He declined to provide a Web
link to the code book, for fear of the legal implications, but said its
location had spread by word of mouth through the hackers’ community.
The GSM algorithm, technically known as the A5/1 privacy algorithm, is a
binary code — which is made exclusively of 0’s and 1’s — that has kept
digital phone conversations private since the GSM standard was adopted
in 1988.
But the A5/1 algorithm is a 64-bit binary code, the modern standard at
the time it was developed, but simpler than the 128-bit codes used today
to encrypt calls on third-generation networks. The new codes have twice
as many 0’s and 1’s.
In 2007, the GSM developed a 128-bit successor to the A5/1, called the
A5/3 encryption algorithm, but most network operators have not yet
invested to make the security upgrade.
The disclosure of a GSM encryption key, in and of itself, does not
enable surveillance of mobile calls, which must still be overheard and
identified from the digital stream of thousands of calls transmitted
through a single cellphone station.
The undertaking is highly complex because a digital call typically hops
among up to 60 different broadcast frequencies during a single
conversation, as the mobile network operator maximizes the use of its
available bandwidth.
In a statement, the GSM Association said efforts to crack the algorithm
were more complex than critics have asserted, and that operators, by
simply modifying the existing algorithm, could thwart any unintended
surveillance.
“We strongly suspect that the teams attempting to develop an intercept
capability have underestimated its practical complexity,” GSM said in a
statement. The association noted that hackers intent on illegal
eavesdropping would need a radio receiver system and signal processing
software to process raw radio data, much of which is copyrighted.
But Mr. Nohl, during a presentation Sunday to attendees at the Berlin
conference, said the hardware and software needed for digital
surveillance were available free as an open-source product in which the
coding is available for individuals to tailor to their needs.
A security expert whose company sells software to governments,
businesses and aid agencies that provides extra layers of security for
wireless calls, said Mr. Nohl’s disclosures highlighted the need for
better wireless security.
Simon Bransfield-Garth, the chief executive of Cellcrypt, based in
London, said Mr. Nohl’s efforts could put sophisticated mobile
interception technology — limited to governments and intelligence
agencies — within the reach of “any reasonable well-funded criminal
organization.”
“This will reduce the time to break a GSM call from weeks to hours,” Mr.
Bransfield-Garth said during an interview. “We expect as this further
develops it will be reduced to minutes.”
Mr. Bransfield-Garth said advances in surveillance technology have made
it possible to buy commercial wireless surveillance systems in countries
like India for as little as $1,500.
“Customers have told us they have lost multimillion-dollar deals because
of information that has leaked out to competitors through phone
intercepts,” Mr. Bransfield-Garth said. “Phone intercepts are
considerably more common than people realize.”