Is Mobile Telephony via GSM still Secure enough?
As all of you most probably have heard of, on 28th of December 2009 a German computer engineer announced at the CCC in Berlin that he had cracked the A5/1 cipher used in GSM communication. This would mean that someone could eavesdrop on confidential information exchanged via a cell phone.
I have asked my Cryptography Competence Center around Prof. B. Esslinger to analyzed the risk and to provide a security report with further details and recommendations, which you can find below. More information about the work of Prof. Esslinger and the open source crypto community can be found on the project page at http://www.cryptool.org/index.php/en.html
Currently, we see the risk still as acceptable and from a technical point of view, the situation is under control. However, this might change very soon and therefore this risk area must be continuously monitored.
NOTE: In general, phones, especially cell phones and cordless phones, shall not be considered as secure communication devices. For business areas with high confidentiality requirements, the usage of encrypted mobile phones is strongly recommended.
I really like the report and therefore I wanted to share with all of you as you may have the same questions or requirements in your area of responsibility.
Cheers
-Andreas
Happy New Year and all the best for 2010!
Now that 2009 is over I want to give you a quick summary about what happened and how we as ITRiskSpace.com team see the future. I want to thank you all for the support and commitment we have received from all of you. Please join us as well in future.
Enjoy
-Andreas