After 21 Years, GSM Encryption is Cracked Putting 3.5B Users at Risk

190px-GSMLogoJason Mick writing for DailyTech:

For 21 years, the same encryption algorithm, A5/1, has been employed to protect the privacy of calls under the Global Systems for Mobile communications (GSM) standard. With the GSM standard encompassing 80 percent of calls worldwide (AT&T and T-Mobile use it within the U.S.) — far more than the leading rival standard CDMA — this could certainly be considered a pretty good run. However, someone has finally deciphered and published a complete analysis of the standard’s encryption techniques in an effort to expose their weaknesses and prompt improvement.

Karsten Nohl, a 28-year-old German native, reportedly cracked the code and has published his findings to the computer and electronics hacking community. Mr. Nohl, who cites a strong interest in protecting the privacy of citizens against snooping from any party, says that his work showcases the outdated algorithms’ flaws.

At the Chaos Communication Congress, a four-day conference of computer hackers that runs through Wednesday in Berlin, he revealed his accomplishments. He describes, “This shows that existing GSM security is inadequate. We are trying to push operators to adopt better security measures for mobile phone calls.”…

[continues at DailyTech]

, ,

  • Word Eater

    No one with any experience in information security should be surprised that using a secret, proprietary algorithm (A5/1) to encrypt anything is a bad idea.

    They must have had astonishingly good access controls, NDAs, and physical security to keep it under wraps for 21 years. They should be proud of that at least.

    The best way to have algorithms stand the test of time is something like what NIST does to vet new encryption standards (like how Rijndael became AES). Those algorithms were hung out to dry in public and every goon with a computer was able to take a crack at finding weaknesses. The result is something much more secure than what a bunch of isolated folks in a lab can create.

    Live and learn perhaps?

  • Word Eater

    No one with any experience in information security should be surprised that using a secret, proprietary algorithm (A5/1) to encrypt anything is a bad idea.

    They must have had astonishingly good access controls, NDAs, and physical security to keep it under wraps for 21 years. They should be proud of that at least.

    The best way to have algorithms stand the test of time is something like what NIST does to vet new encryption standards (like how Rijndael became AES). Those algorithms were hung out to dry in public and every goon with a computer was able to take a crack at finding weaknesses. The result is something much more secure than what a bunch of isolated folks in a lab can create.

    Live and learn perhaps?

21