The security in GSM was designed to last 20 years. It’s now 22 years on. Is it still as uncrackable as it was in 1986?
We’ve got used to mobile phone calls being secure, but one thing every encryption expert knows is that technology eventually catches up with security, be it cleverer algorithms or more brute force with more processor power. There have been rumours of GSM having been hacked almost as long as there has been GSM.
Every GSM or WCDMA phone ever built has a little bit of technology designed by Charles Brookson. He has been involved in GSM since the very early days. “I guess we should start at the beginning, which was the old GSM Security Expert Group” he told me. “I became involved in 1985. We were very constrained as to what could be designed in. Security had to come at no cost, in terms of complexity, timing, and use of resources and of course cost impact on the handset”.
They were not allowed two way authentication as this introduced extra delay, so a GSM the mobile does not authenticate the network as. “We put all that right for 3G.”
The algorithms were all designed by the Algorithm Expert Group, chaired by Charles in 1986. "In those days we were limited by export control as to the strength, and we could not publish them." It's often claimed that they kept the details secret to keep them secure, that's not the case, and they couldn't publish because export laws wouldn't let them.
Ultimately systems which are published so that their security can be tested in the wild are more secure.
GSM was the first public encryption system available for everyone, Charles and his colleagues designed it to make the whole process really simple to use, roaming security and things like that just worked on the principal that it’s wrong to ask users to make security decisions.
“The were various processes such as key management, key derivation, authentication which we called A1 to A9, these were simplified and combined to for example A5 for the over the air encryption, and A3/A8 to do the authentication. The system was designed for strong authentication, over the air privacy, some degree of anonymity, and other constraints, like operators being able to choose their own authentication algorithms and not having to reveal them to others.”
A5/1was the first algorithm they produced. This was leaked on the Internet, but the wrong version leaked so all the original claims of it being easy to break A5/1 were on a different algorithm.
“We designed GSM to be a European algorithm, when it went worldwide (much too all our surprise), we had to design a new algorithm called A5/2 because the export laws stopped us from providing A5/1 outside Europe, although many countries got it before A5/2 was released.”
Still brains and technology catch up with anything and hackers found that by simulating an A5/2 base station they could get the encryption key for a handover to the mobile phone’s A5/1 network and intercept the call.
“This is a typical man-in the middle attack. This was proposed by Elad Barkan, Eli Biham, Nathan Keller in 2006 in Israel but isn’t known to have been used in real conditions”
A5/2 has since been withdrawn, and now anyone can have A5/1 or A5/3. Unless they are subject to UN sanctions. Although interestingly quite a few countries around the world – including China - still choose not to use any encryption, for their own reasons. Charles’ standards team introduced an encryption indicator on the mobile, so sometimes you get a message on the screen telling you that the call isn’t encrypted.
“Today A5/1 is still offering reasonable privacy, and it has met its 20 year goal but we know it won’t stay that way. The various papers on breaking A5/1 algorithms are still really academic. Although, practical demonstrations within a laboratory type environment will probably be possible soon. You have to be close to the person, have identified the mobile, and follow the frequency hopping and other services. Not really feasible in a real world, with many base stations and mobiles. The equipment is still pretty complex, and requires look-up tables of terabytes of memory which need to be held in fast memory or on special hard disks if you want anything approaching a practical speed, even then the decryption isn’t real-time, so you can’t tell if you are listening to the right call. While all of these factors make listening to an A5/1 call – the kind you and I make every day – practically impossible – computers get more powerful and cheaper so the signs of A5/1 being broken are coming together.
Still we are prepared. We started A5/3 some years ago; it is based on the first 3G algorithm called Kasumi (the later one is called Snow). Unlike then early days of GSM These are all publicly available. Most of the major infrastructure manufacturers support A5/3, and others are rapidly developing it. Most new chip sets in mobiles will support A5/3 as well.
3G is better of course, with stronger algorithms and extra security built in. But one cannot remain complacent about the security of any system, it has to be constantly monitored, improved where possible (sometimes difficult where one has to ensure backwards compatibility), and I’ve been doing that ever since! Looking back, it amazes me that we got it so right, and that it is still doing a reasonable job after all these years.
Don’t forget that A5 only protects the bit between the mobile and the base station, and 3G between the mobile and a little further into the network, so if you need other security to your emails or other transactions you should be looking to all the good security mechanisms used within the Internet, Personal Computing and telephony worlds”
Ultimately the rumours of GSM, in its current A5/1 incarnation being broken are premature. It’s stood the test of time incredibly well. Under Moores Law computers are eight thousand times more powerful than when A5/1 was designed and yet the encryption is still secure, but in preparation for it being broken A5/3 is ready and being rolled out. So yes. Twenty two years on, GSM is every bit as secure as it was back when it was conceived.
Cat Keynes publishes her thoughts on the mobile phone industry every Sunday at www.catkeynes.com you can read the column the previous Friday by subscribing here.
Motorola needed a new head of the mobile devices division which understood the world market and could work with the newly formed Symbian Foundation. But no-one wanted the job, or the share options, at the sinking ship of Mobile Devices so instead they got a joint head of the whole company – which includes the profitable bits. Sanjay Jha the talented COO from Qualcomm and completely the wrong person for the job. he’ll head mobile devices in time, if they can find anyone to underwrite the split.
Sprint has always been an aggressive company to deal with and now the problems are coming home to roost as it has to raise $3bn.
Open Operating System warn of fragmentation. When two people modify the same bit and then try and put it back into the core. They worry about it so much (and should do) that they come up with crazy plans for the vendors to consolidate. Sensibly you can expect the rumours that Symbian and Google to have been thought up by anyone with more than half a brain, and Google has denied that it will join LiMo, the talkingshop for people who don’t understand Linux.
A remote control for a mobile phone sounds like a strange idea until you play with a Zeemote. The Bluetooth joystick gives you an analogue input and some of the top games companies including Glu and Finblade are supporting it. The first manufacturer to ship is Sony Ericsson but you need to live in the Netherlands to buy it.
Nokia has the best margins in the industry (see last weeks column on platforms) and can use this to maintain market share by cutting prices.
<< Previous Sunday's Following Sunday's >>
[Home] [Archive] [Subscribe] [Advertise] [About Me] [Contact Me]