Should users worry about new cellular hack?
- — 30 December, 2009 07:58
How concerned should business users be about wireless security now that another group claims to have cracked the security scheme used by 80 percent of the world's cellular telephones?
Not very, unless you are doing something very illegal or highly sensitive, in which case all bets are off.
Specifically, the cipher used by the General System for Mobile Communications (GSM) has reportedly been cracked by a German researcher, who presented his findings Sunday at a hacker conference in Berlin.
A demonstration of the technique is scheduled for tomorrow.
GSM is the algorithm used by most of the world's cellular devices, including the AT&T and T-Mobile networks in the U.S.
This is not the first time someone has claimed to have cracked GSM encryption, but it is the most serious challenge so far. GSM has been used for 21 years and was first cracked in 1994.
The German researcher, Karsten Nohl, says the 64-bit A5/1 encryption method is no longer capable of protecting the world's cellular communications. You can download a PDF of his presentation.
Real-time monitoring of calls would be possible with specialized receivers, antennas, and about $30,000 of computing hardware, Nohl said. Such tools are already available to government and Nohl said he believes criminals have the technology, too.
Not surprisingly, the GSM trade association downplayed the report, saying GSM security is already in the process of being improved. Nohl, however, says the replacement system can also be cracked.
My take: First, if you are in the U.S. and not on AT&T or T-Mobile, this development does not concern you. GSM is much more widely used internationally, however.
Second, it should always be assumed that agencies with a "need to know" have access to your communications, which I believe is pretty much the way it should be.
What this development presents is the prospect that soon large numbers of people and organizations will be able to monitor GSM calls using off-the-shelf hardware and open-source software. In six months to a year, organizations that are security conscious (and are likely targets) may want to find a new way to protect their calls.
Crime and industrial espionage are the most likely users of the new hacking technology.
For most applications, however, GSM security remains "good enough" to protect sensitive information adequately, if not perfectly. Carriers, meanwhile, need to improve wireless security to stay ahead of current and future threats.