Hackers claim they will be able to listen to calls and read texts made on 2G phones by the end of 2009. A security specialist agrees, but the industry seems unconcerned

Cellcrypt CEO Simon Bransfield-Garth: codebook to crack calls could be stored on a three-terabyte drive, now available off the shelf
The GSM Association is playing down claims from computer hackers that the security of 2G mobile phone calls could be broken before the end of 2009, so that criminals with off-the-shelf equipment will be able to bug calls.
The GSMA was responding to claims by a security specialist, Karsten Nohl, who told Global Telecoms Business that an anonymous group of hackers is working to create a “codebook” that will allow anyone with modern computing power to pick up and decode encrypted GSM calls.
This is because the algorithm used for 2G is no longer secure — though, added Nohl, 3G calls are still beyond the scope of eavesdroppers with today’s computing.
The hackers are collaborating on the codebook “not because we want to help people listen to calls, but because we want to help identify a very wide threat”, said Nohl, who spent three years until 2008 doing a PhD at the University of Virginia but is now a consultant in Berlin.
According to the GSM Association, which represents 700 mobile operators worldwide, the threat is “purely academic”. Association spokeswoman Claire Cranton commented: “This is the same group that’s been saying the same things 12-18 months ago. All of the operators are keeping an eye on it.”
What’s changed, suggested Nohl, is that a “community” of hackers, exchanging information anonymously by BitTorrent, are working on producing an electronic codebook on the A5/1 algorithm used to encrypt 2G calls — which would then be put in the public domain.
Details of the attack were revealed at a hacking conference by Nohl and a colleague.
They told Hacking at Random 2009, held in the Netherlands, that A5/1 crackers are “widespread among intelligence agencies” but that “after 15 years, [there is] still no public A5/1 exploit”. However, “we’ll change this over the next months”, they stated.
Simon Bransfield-Garth, CEO of telecoms security specialist Cellcrypt, said that the codebook would be three terabytes in size, a figure that sounds huge but is now available off the shelf. Amazon.com is selling Seagate 1.5 terabyte drives for $119.99, so 3 terabytes’ worth would cost just under $240.
“That means it’s a lot more plausible than four years ago,” said Bransfield-Garth. “It does rather suggest it’s an open opportunity to hackers to build the code tables.”
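As an added illustration of what the “codebook” described above is (example code written for this page, not code from the article, from Nohl’s project or from Cellcrypt): precompute, for every key, the keystream the cipher produces; store it indexed by keystream; then, given a captured call, XOR a few bits of known plaintext against the ciphertext to expose the keystream, look it up, and decrypt the rest. The cipher below is a toy 16-bit LFSR standing in for A5/1 so the whole table fits in memory; the 100 discarded warm-up bits, the fixed 32-bit header used as known plaintext, the key 0xBEEF and the sample payload are constructed assumptions, not anything from the page.

```python
"""Toy codebook (precomputed keystream table) attack on a 16-bit LFSR stream cipher.

Added example: not the article's, Nohl's or Cellcrypt's code. The LFSR stands in
for A5/1 only so that every key can be tabulated in memory.
"""

KEY_BITS = 16       # A5/1 has 64 bits of state; 16 keeps the table tiny (assumption)
WARMUP = 100        # keystream bits discarded before use (assumption for illustration)
PREFIX_BITS = 32    # keystream bits used to index the codebook (assumption)


def lfsr_step(state: int) -> int:
    """One clock of a Fibonacci LFSR with polynomial x^16 + x^14 + x^13 + x^11 + 1
    (maximal length, period 2**16 - 1)."""
    fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return (state >> 1) | (fb << 15)


def keystream(key: int, nbits: int) -> list:
    """Keystream actually used for encryption: seed with key, drop WARMUP bits."""
    state = key & 0xFFFF
    for _ in range(WARMUP):
        state = lfsr_step(state)
    bits = []
    for _ in range(nbits):
        bits.append(state & 1)
        state = lfsr_step(state)
    return bits


def bits_to_int(bits) -> int:
    v = 0
    for b in bits:
        v = (v << 1) | b
    return v


def bits_to_bytes(bits) -> bytes:
    return bytes(bits_to_int(bits[i:i + 8]) for i in range(0, len(bits), 8))


def encrypt(key: int, plaintext_bits: list) -> list:
    """XOR stream cipher; decryption is the same operation."""
    return [p ^ k for p, k in zip(plaintext_bits, keystream(key, len(plaintext_bits)))]


decrypt = encrypt


def build_codebook() -> dict:
    """The expensive do-once step: PREFIX_BITS of keystream for every non-zero key,
    indexed by that prefix. 2**16 entries here; A5/1 would need 2**64, which is
    why real tables must be compressed and still run to terabytes."""
    book = {}
    for key in range(1, 1 << KEY_BITS):          # state 0 is a fixed point, never a key
        prefix = bits_to_int(keystream(key, PREFIX_BITS))
        book.setdefault(prefix, []).append(key)  # keep a list in case prefixes collide
    return book


def recover_key(book: dict, ciphertext_bits: list, known_plaintext_bits: list):
    """Codebook lookup: ciphertext XOR known plaintext reveals keystream; look the
    prefix up, then confirm each candidate against all known plaintext, because a
    table lookup in general returns candidates that still need verifying."""
    if len(known_plaintext_bits) < PREFIX_BITS:
        raise ValueError("need at least PREFIX_BITS of known plaintext")
    observed = [c ^ p for c, p in zip(ciphertext_bits, known_plaintext_bits)]
    for key in book.get(bits_to_int(observed[:PREFIX_BITS]), []):
        if keystream(key, len(observed)) == observed:
            return key
    return None


def demo() -> dict:
    """Constructed sample: a frame whose first 32 bits are a fixed, attacker-known
    header (assumption) followed by an SMS-like payload."""
    header = [0, 1] * 16
    payload = [int(b) for ch in b"PIN 4711" for b in f"{ch:08b}"]
    true_key = 0xBEEF
    ciphertext = encrypt(true_key, header + payload)

    book = build_codebook()                      # attacker precomputation
    found = recover_key(book, ciphertext, header)
    text = bits_to_bytes(decrypt(found, ciphertext)[len(header):]).decode() if found is not None else ""
    return {"true_key": true_key, "recovered_key": found, "payload": text, "table_entries": len(book)}


if __name__ == "__main__":
    print(demo())
```

The table here is a plain dictionary because 2**16 keys are trivial to enumerate; for A5/1’s 64-bit state a full table is impossible to store, and a time-memory trade-off (storing only chain endpoints and recomputing on lookup) is what brings the size down to the terabyte range quoted above. The lookup also depends on first capturing the frame and knowing some plaintext in it, which is the practical step the GSMA statement later in the article questions.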
Nohl said that he wanted to warn politicians and businesspeople using 2G mobiles that their calls will no longer be secure. “There are already companies selling these tools,” he said, but the cost is still high. Once the codebook is available “there could be real criminals doing industrial espionage”, he said. “We want GSM to be made more secure.”
He said that criminals might be able to pick up GSM signals and decode text messages containing bank customers’ passwords, for example. “The problem has been known but not widely known.”
The “community” working on the codebook is “a distributed effort that is 100% anonymous”, said Nohl. He expects the work to be done “by the end of the year — and it could be done before then”.
Network operators contacted by Global Telecoms Business said their policy was for the GSMA to lead discussions on this. A GSMA statement from March 2008 is still current, said Cranton.
This states that: “The GSMA, which welcomes research designed to improve the security of communications networks, routinely monitors the work of groups, such as the ‘A5 cracking project’.”
The association pointed out that “before a practical attack could be attempted, the GSM call has to be identified and recorded from a radio interface. So far this aspect of the methodology has not been explained in any detail and we strongly suspect the team developing the intercept approach has underestimated its practical complexity.”
The GSMA statement, written — according to Cranton — by Charles Brookson, who led much of the industry’s security work, says that a new algorithm, A5/3, is being phased in to replace A5/1.
Nohl, commenting to GTB on the GSMA statement, said: “I’m puzzled by the GSMA’s attempt to hide behind the alleged inability of hackers to snoop GSM traffic. This is 20-year-old technology that ships in billions of handsets. The GSMA should take the hacker community and its current interest in GSM technology more seriously. We are glad that the GSMA has also joined the discussion on how to make GSM more secure. Adopting 3G’s better security for GSM seems very reasonable.”
Bransfield-Garth commented: “We’ve certainly got evidence that voice interception occurs,” though he said that this is normally in the network rather than in the air interface.
“If it becomes clear that it is possible to intercept 2G calls, in order to protect privacy enterprises will need to be seen to take all normal steps. The tipping point is coming very fast.” Though 3G calls are still secure, “that is still only 15% of the coverage in the world”, he said.
“The principal challenge is 2G, with four billion users. The cost of upgrading that is almost unthinkable.”
But Bransfield-Garth, whose company markets technology to make 2G calls more secure, condemned the work that the “community” is doing to produce a codebook. “Putting this information into the public domain is frankly reprehensible,” he said. GTB