Did you know that the vast majority of calls carried out on the 3.5 billion GSM connections in the world today are protected by a 21-year old 64-bit
encryption algorithm? You should now, given that the A5/1 privacy algorithm, devised in 1988, has been deciphered by German computer engineer Karsten Nohl and published as a torrent for fellow code cracking enthusiasts and less benevolent forces to exploit. Worryingly, Karsten and his crew of merry men obtained the binary codes by simple brute force -- they fed enough random strings of numbers in to effectively guess the password. The
GSM Association -- which has had a 128-bit A5/3 key available since 2007, but found little takeup from operators -- has responded by having a whinge about Mr. Nohl's intentions and stating that operators could just modify the existing code to re-secure their networks. Right, only a modified 64-bit code is just as vulnerable to cracking as the one that just got cracked. It's important to note that simply having the code is not in itself enough to eavesdrop on a call, as the cracker would be faced with just a vast stream of digital communications -- but Karsten comes back to reassure us that intercepting software is already available in customizable open source varieties. So don't be like Tiger, keep your truly private conversations off the airwaves, at least for a while.
posted December 29th 2009 4:18AM
I guess browsing and surfing the web isn't as big of a deal as having your conversations listened to. :)
@xjman349
Big brother is already listening, no matter what encryption the OTA link is using :)
@xjman349 HMmm, I live a normal life... really if the government is listening to everything I say it does not make me lose sleep. Before I open my mouth I think and make sure whatever I am going to say can be said anywhere. No secrets here. No 007 fantasies either. AT least the goverment dos that for "protection", it is a different story when a psycho is doing it for nasty pleasures or things of that sort.
@vman81
No the reason you cant hear me is because that other guy listening in on your conversation is eating potato chips.
"it is a different story when a psycho is doing it for nasty pleasures or things of that sort."
I think you'll find that basically the government is psycho and gets nasty pleasures from what they do, that's why the lowlifes get into politics and the 'security' game in the first place.
@Wwhat
I am sure we would both freak at some of the things they have heard.
I doubt Karsten was trying to take any sort of credit especially since the header of the 2nd slide in his presentation reads "GSM has been cracked over and over"
moot point since lte rolls out next year.
That's why there is a data connection... VoIP + custom end-to-end encryption and you have nothing to worry (except if you become an interesting subject for the NSA)... Most of today's smartphones have enough power to do heavy encryption algorithms real-time...
The lesson here is that you just cant talk about anything on a phone that you wouldn't want the world to know about.
@ArbitrageMan You, sir, are wise. Privacy has always been an illusion. I have nothing to hide my biggest secret would be that I like to sing in the shower in French and Italian... there now everyone knows that !!!!!
@ArbitrageMan
Im happy to know the secret but Im unhappy due to the its meaning >.< who wanna know that :O
If you have nothing to hide then there's something wrong with you, you have become an ABC comedy show character, seek help and get back your soul.
Sadly, this enables something we won't like thinking about: decryption of any encrypted call that was recorded as a whole cryptogram and saved for just this moment...
The people I'd worry about are the ones who always had access, governments and their spooks and such, and friends of the government (ie people controlling a billion+ dollar).
sweet so now its not just the NSA listening to our phone calls, some private competition for the feds would be nice.
i really want to see a verizon vs att commercial about this...mybe one involving luke wilson and a hacked in a car outside listenin to some dirty tiger woods-esque calls
I've often wondered how good GSM encryption is. Guess this answers that one.
Or you could just use Skype..or any VOIP really...aren't they all encrypted with decent AES algs?
VoIP is usually currently not encrypted. Not sure about Skype.
@ejan
https://support.skype.com/en_US/faq/FA145/What-type-of-encryption-is-used
"Skype uses 1024 bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates." I would say that is pretty badass...lol.
Either way, even if you're using a different VOIP service (I think vonage isn't) that is not encrypted, you can always use a VPN.
I bet the password was "password"
@(Unverified)
no, it was the inventors birthday .... people nowadays still tend to use their birthday -,- unlike my 24 characters password ......................not
Where ya'll been? this was covered in detail in Security Now 213: Cracking GSM: http://twit.tv/sn213
I have links with twit in them blocked.
This is a bit old news but at least the word is getting out to the main public. Steve Gibson and Leo Laporte talked about this in his Security Now podcast back in September. In fact, it was called Cracking GSM. There are tools readily available for purchase for a few thousand dollars that would get you all setup to record conversations and listen in later. For more dollars, you can listen live. Steve complained that the GSM folks were not taking the warnings seriously but I think now they will.