GSM Alliance downplays seriousness of GSM project

In a statement addressing the news about Karsten Nohl’s project to target the A5/1 vulnerability in GSM-based transmissions, the GSM Alliance said that the research is a long way from being a practical attack on GSM. Moreover, the GSMA feels that there were commercial considerations behind the project’s goals.

The GSMA said that they welcome research designed to improve the security of communications networks, but at the same time added that the theoretical compromise presented at the Black Hat conference “…requires the construction of a large look-up table of approximately 2 Terabytes – this is equivalent to the amount of data contained in a 20 kilometre high pile of books.”

So the GSMA says that because the lookup table would be rather large, the effort to make one would be too great. In our story covering the A5/1 vulnerability, Karsten Nohl explained to us how this massive lookup table would be dealt with.

First off, the project will use the power of grid computing. Each person in the project will use fast GPUs to generate, and perform lookups against, their node’s own table. In addition, they will donate small portions of disk space to house part of the Rainbow Table that will be created and used to crack A5/1. Once the table is complete, it will be made available to anyone who wants it.

As the project members finish their part of the process, the hope is that they will upload their completed tables to anonymous repositories and share them with BitTorrent. The process will be organic, Nohl explained, “…these tables will just pop up in random places.”

In reality, once the project is successful, all anyone would need is some RF equipment, a $500 USD laptop, and the personal drive to sit in a location for a while to scan GSM traffic to pull off an attack.

“However, before a practical attack could be attempted, the GSM call has to be identified and recorded from the radio interface. So far, this aspect of the methodology has not been explained in any detail and we strongly suspect the team developing the intercept approach has underestimated its practical complexity,” the GSMA statement says.

“I'm puzzled by the GSMA's attempt to hide behind the alleged inability of hackers to snoop GSM traffic,” Nohl said in a statement emailed to The Tech Herald and two other reporters.

He pointed out that the A5/1 technology is over twenty years old and shipped with billions of handsets across the globe. “The GSMA should take the hacker community and its current interest in GSM technology more serious.”

In direct response to the comment from the GSMA, where it was hinted that the team developing the A5/1 intercept approach underestimated its practical complexity, we asked Nohl if he could expand on the existing information regarding the complexity of the GSM network.

We asked because, if you sift through the documentation, notes, and research from both The Hacker’s Choice and Nohl’s project (which is a reimplementation of the THC work), you can see that the project members clearly understand the complexities of GSM and the A5/1 vulnerability.

“The Airprobe project and related projects have made huge progress in the few months they have been investigating GSM. Our timeline for computing the A5/1 code book is roughly aligned with other projects' timelines for snooping GSM traffic,” Nohl said.

Another puzzling aspect to the GSMA statement is the insistence that the A5/1 Rainbow Table project, or the others related to the A5/1 vulnerability, are commercially motivated.

“A hacker would need a radio receiver system and the signal processing software necessary to process the raw radio data. The complex knowledge required to develop such software is subject to intellectual property rights, making it difficult to turn into a commercial product,” the GSMA said, adding in their conclusion that they consider the research to be motivated in part by commercial considerations.

So we asked Nohl about that as well. Are there commercial aspects to his project?

“The project members have no commercial interest, whatsoever. Others affiliated with the CCCB, though, sell crypto phones and would like to see the security of GSM to be shown to be as weak as it is. When setting up these projects we made sure not to include any of these interests,” he explained to us.

The GSM Alliance asserts that because of Intellectual Property, and the complexity of GSM itself, there is little to worry about. They also mention that A5/1 has proven to be a very effective and resilient privacy mechanism.

At the same time, there is work to improve the security of GSM-based networks. “The GSMA has been working to further enhance privacy protection on GSM networks and has developed a new high-strength algorithm, A5/3… This new privacy algorithm is being phased in to replace A5/1.”

Nohl commented that he and the other project members are, “…glad that the GSMA has also joined the discussion on how to make GSM more secure. Adopting 3G's better security for GSM seems very reasonable.”

Yet, when the GSMA statement pointed out that carriers could, if it ever proved necessary, quickly alter GSM configurations to make the interception and deciphering of calls considerably harder, Nohl takes the stance of, “…do it then…” asking, “Why would you wait knowing that this weakness is already being exploited?”

The use of A5/3 is already spreading across the mobile footprint here in the US. A5/3 is used predominately in 3G networks, but in the case of carriers like AT&T, 3G is only partially implemented. AT&T carries the voice side of their network on GSM, and the data side of things is 3G. This means they are using both A5/1 and A5/3.

In a previous article on the A5/1 vulnerability project, we asked Nohl about AT&T and the iPhone. “AT&T has the ability to switch the iPhone to 3G on voice and data,” Nohl explained, but only for the iPhone 3G handsets. The problem is that, before AT&T moves customers over to 3G to avoid the weakness in A5/1, they would need to admit that there is a problem on their 2G voice network, something Nohl notes is highly unlikely.

“The proposal has been around for a long time to include the 3G cipher in the 2G standard,” Nohl said. Yet, despite the proposal, nothing has changed. “Hopefully the discussion over GSM’s current insecurity will prompt the debate of adopting the better 3G security for GSM,” he added.

More information on the Rainbow Table project is here. The previous interview with Karsten Nohl concerning the A5/1 vulnerability by The Tech Herald is here.
