Is Mobile Telephony via GSM still Secure enough?
GSM (Global System for Mobile communications: originally from Groupe Spécial Mobile) is the most popular standard for mobile phones in the world. Its promoter, the GSM Association, estimates that 80% of the global mobile market uses the standard. GSM is used by over 3 billion people across more than 212 countries and territories.
GSM was designed with a moderate level of security. The system authenticates the subscriber using a pre-shared key and a challenge-response protocol. Communications between the subscriber and the base station can be encrypted. The development of UMTS introduced an optional software application, the USIM, that uses a longer authentication key to give greater security and also authenticates the network and the user mutually, whereas GSM only authenticates the user to the network (and not vice versa). [1]
On 28 December 2009 the German computer engineer Karsten Nohl announced [2] that he had cracked the A5/1 cipher [used for GSM]. According to Nohl, he developed a number of rainbow tables (static values which reduce the time needed to carry out an attack) and improved known-plaintext attacks. He also said that it is possible to build "a full GSM interceptor ... from open source components" but that they had not done so because of legal concerns. [1]
GSM uses several cryptographic algorithms for security. The A5/1 and A5/2 stream ciphers are used for ensuring over-the-air voice privacy. A5/1 was developed first and is the stronger algorithm, used within Europe and the United States; A5/2 is weaker and used in other countries. Serious weaknesses have been found in both algorithms: it is possible to break A5/2 in real time with a ciphertext-only attack, and in February 2008 Pico Computing, Inc. revealed its ability and plans to commercialize FPGAs that allow A5/1 to be broken with a rainbow-table attack. [1]
The COPACOBANA code-breaking machine of the University of Bochum possibly also has the ability to break A5/1 in real time, and can be purchased comparatively cheaply.
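To make the cipher under discussion concrete, the following Python is an added illustration (not code from the original article) of the A5/1 keystream generator, written from the cipher's public description: three short LFSRs with majority clocking, whose combined 64-bit state is the entire secret once the key and frame number are loaded. The key and frame number used are constructed sample values.

```python
from typing import List, Tuple
# Register lengths, feedback taps (bit 0 = newest bit) and clocking bits,
# taken from the public description of A5/1.
LENS = (19, 22, 23)
TAPS = ((13, 16, 17, 18), (20, 21), (7, 20, 21, 22))
CLK = (8, 10, 10)

def _step(reg: int, length: int, taps: Tuple[int, ...], inbit: int = 0) -> int:
    """Shift one LFSR left; the new bit 0 is the XOR of its taps (plus an
    input bit while the key and frame number are being loaded)."""
    fb = inbit
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & ((1 << length) - 1)

class A51:
    def __init__(self, key: bytes, frame: int) -> None:
        if len(key) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("A5/1 needs a 64-bit key and a 22-bit frame number")
        self.r = [0, 0, 0]                  # the entire secret state: 19+22+23 = 64 bits
        for i in range(64):                 # load the key, LSB of each byte first
            self._clock_all((key[i // 8] >> (i % 8)) & 1)
        for i in range(22):                 # load the 22-bit frame number
            self._clock_all((frame >> i) & 1)
        for _ in range(100):                # warm-up with majority clocking, output discarded
            self._clock_majority()

    def _clock_all(self, inbit: int) -> None:
        self.r = [_step(self.r[j], LENS[j], TAPS[j], inbit) for j in range(3)]

    def _clock_majority(self) -> None:
        bits = [(self.r[j] >> CLK[j]) & 1 for j in range(3)]
        maj = 1 if sum(bits) >= 2 else 0
        for j in range(3):
            if bits[j] == maj:              # only registers agreeing with the majority move
                self.r[j] = _step(self.r[j], LENS[j], TAPS[j])

    def keystream(self, nbits: int) -> List[int]:
        out = []
        for _ in range(nbits):
            self._clock_majority()
            out.append(((self.r[0] >> 18) ^ (self.r[1] >> 21) ^ (self.r[2] >> 22)) & 1)
        return out

def frame_keystream(key: bytes, frame: int) -> Tuple[List[int], List[int]]:
    """One GSM frame: 114 keystream bits for downlink, then 114 for uplink;
    the keystream is XORed onto the burst bits. Sample call below uses constructed values."""
    ks = A51(key, frame).keystream(228)
    return ks[:114], ks[114:]
```

Because the keystream depends only on these 64 state bits and the public frame number, precomputing state-to-keystream tables (the rainbow tables mentioned above) is feasible, which is the structural reason the cipher is considered weak today.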
Potential Security Risks
The potential risk is that someone listens in on confidential information exchanged via a cell phone.
Alternative attacks: Note that only the connection between the user and the first base station is encrypted. The base stations usually communicate with each other unencrypted. Therefore it is possible to tap the wire and listen in (easy for all agencies). Of course, the same also applies to landline phone calls.
Warning (Risk Acceptance): In general, phones, especially cell phones and cordless phones, shall not be considered as secure communication devices.
Alternative Communication: Sensitive information can be exchanged via secure e-mail.
Secure Phones: Use special end-to-end voice-encrypted mobile phones or adapters (e.g. from Rohde & Schwarz [3], [4]), which are being used by the Federal Government of Germany [5].
Using UMTS: As UMTS can replace GSM and is also more secure, UMTS should be used instead of GSM whenever possible. The phones then must be configured to use UMTS only. This would work fine for regions with well-established UMTS networks, but can produce problems in regions with weak UMTS infrastructure, or in countries with cryptography restrictions like Australia.
Using another cipher, e.g. A5/3: The GSM system supports multiple algorithms (not only A5/1 and A5/2). The currently used weak algorithms can be replaced with more secure ciphers, e.g. A5/3, which is also used in UMTS. However, the mobile network operator determines which cipher is used and configures the base stations accordingly. The user cannot influence this decision.
Currently, the risk is still acceptable and from a technical point of view, the situation is under control. However, this might change very soon and therefore risk must be continuously monitored. Nevertheless, for business areas with increased confidentiality requirements, the usage of encrypted mobile phones is strongly recommended.
Sources and Further Links
[1] Wikipedia article about GSM, 06 January 2010, http://en.wikipedia.org/wiki/GSM
[2] The New York Times, Karsten Nohl, 29 December 2009, “Cellphone Encryption Code Is Divulged”, http://www.nytimes.com/2009/12/29/technology/29hack.html?_r=2
[3] Product info, Rohde & Schwarz, “TopSec GSM”, http://www2.rohde-schwarz.com/en/-products/secure_communications/voice_and_data_encryption/TopSec_GSM.html
[4] Product info, Rohde & Schwarz, “TopSec Mobile”, http://www2.rohde-schwarz.com/en/-products/secure_communications/voice_and_data_encryption/TopSec_Mobile.html
[5] Heise.de, 20 October 2009, “Bundesregierung investiert 21 Millionen in Krypto-Handys” [“Federal government invests 21 million in crypto phones”] (German)
Heise.de, 28 December 2009, “26C3: GSM-Hacken leicht gemacht” [“26C3: GSM hacking made easy”] (German)
Heise.de, 30 December 2009, “26C3: CCC fordert stärkere Verschlüsselung des GSM-Mobilfunks” [“26C3: CCC demands stronger encryption of GSM mobile communications”] (German)
Spiegel.de, 29 December 2009, “CCC-Congress: Sicherheitsforscher hacken Mobilfunk-Verschlüsselung” [“CCC Congress: Security researchers hack mobile network encryption”] (German), http://www.spiegel.de/netzwelt/netzpolitik/0,1518,669368,00.html
Paper by Phillip Suedmeyer, member of the Cryptography Competence Center, 7 November 2003, “Die Stromchiffre A5” [“The Stream Cipher A5”] (German)
Open-source project information page about the cryptography work of Prof. B. Esslinger, who leads the Cryptography Competence Center, http://www.cryptool.org/index.php/en.html