Yesterday Luke blogged about Karsten Nohl, the German engineer who claims to have hacked the 64-bit A5/1 encryption algorithm used by GSM technology. Here’s what it all means…
Before the GSM network was introduced in the late 80s, mobile phones used an ‘analogue’ network to communicate with each other and it was anything but secure. Phones could be cloned and conversations could be intercepted with surprising ease, however when the digital GSM age arrived, these security issues were addressed and gossiping on your phone was a far more private experience.
But things change and what was considered secure 20 years ago probably isn’t today, a fact proven by a team of intrepid cryptographers who claim to have broken GSM’s encryption algorithm, potentially opening up every mobile phone conversation or SMS placed over a GSM network to eavesdroppers.
This algorithm is known as the A5/1, and it works by scrambling call data over a series of 80 rapidly changing radio frequencies as it’s sent between your phone and the base station. To break this code, the hackers used many computers to come up with every possible combination of frequencies, creating a code book which when used with specific equipment would provide the key to unlock your phone conversation.
The hacking team published their results and have said they broke the GSM A5/1 algorithm to highlight the inadequacy of its security, although the GSMA – who are behind the GSM standard – say their research does not constitute a ‘practical attack on GSM’ and that similar claims are often made, but with no harmful effects. They also say the even more secure A5/3 algorithm is being rolled out, making the breach even less of a concern.
But should we as mobile users be concerned? Not really, no. It has always been possible to listen in on a mobile phone conversation, but it was very difficult, very expensive and usually reserved for those enforcing the law. While this new research is said to show is that it can now theoretically be done with open-source software and a few thousand pounds worth of specialist equipment, plus the necessary technical know-how, doesn’t mean it will be, plus the news may push forward the A5/3 algorithm’s adoption. Besides, speaking on any phone – mobile or fixed – and relaying private, vital or secret information is never the wisest thing to do, as eavesdroppers don’t always need computers to hear your conversation!
For those interested in the more technical side of this story, take a look at the hackers presentation made at a German conference recently.