Dr. Karsten Nohl, an encryption expert whose work we have followed for some time here at The Tech Herald, told us that the A5/1 cracking project launched this summer has completed its goal of computing rainbow tables for GSM (Global System for Mobile communications). What this means is that everybody can now download the data and decrypt GSM-based communications.
As news of Nohl’s talk with Chris Paget at 26C3 (Chaos Communication Congress) in Berlin this week started to spread, centering on the release of the rainbow tables and code to decrypt GSM communications, the GSM Alliance declared that the real security in GSM is not the encryption itself, but resides in channel hopping.
“Hence, the next step of our project is to support open source projects to better support channel hopping. The hope is that once we demonstrate that channel hopping, too, can be circumvented with readily available equipment, we can enter a more constructive discussion with the operators on giving GSM the security its users deserve,” Nohl told The Tech Herald.
The A5/1 algorithm is one of the ciphers used on GSM networks. The purpose for A5/1 is to encrypt both voice and signaling data, and it is applied in both the handset and the Base Transceiver Station (BTS). The problem is that A5/1 is outdated and broken. It is, after all, over twenty years old now.
In response to the 26C3 talk, the GSM Alliance told the New York Times that what Nohl discussed, and by proxy what the A5/1 cracking project itself is attempting to do is, theoretically possible but practically unlikely. This is the same argument they used in August, when the A5/1 project was launched.
“The impractical argument I don’t buy any more,” Nohl told us while discussing the GSM Alliance comments.
The hardware and software needed to crack GSM exists. The knowledge that GSM is vulnerable has been around since 1997, and within the last year work on cracking the crypto used to shelter it from outside interference has boomed.
For $1,500 USD, a person can purchase one of two Ettus Research USRP2 receivers needed, and use open software that has existed for some time to start cracking GSM. After that, all that is needed is 2TB of drive space for the rainbow tables, and a decent computer. The more spent on computing power, the faster the GSM can be decrypted.
Adding to the statement to the press, the GSM Alliance spokesperson Claire Cranton noted that, “What [Nohl] is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.”
When asked about that part of the statement, Nohl responded, “Why have security in the first place if breaking it is illegal?”
Criminals care little about legalities, which is why the GSM Alliance should be happy that Nohl and previous researchers have held off outright helping the criminal element. The idea is not to entice criminals to crack GSM; they will do that on their own. The motivation behind all of the talks, the research, and the public sharing of information is to highlight a fundamental flaw and encourage the GSM Alliance to correct it.
As for the other part of the statement issued by the GSM Alliance, the concern about privacy is why so much has gone into the A5/1 research. Because of this, Nohl said, the research has been difficult. From its inception, each step of the A5/1 cracking process has been in the public eye, and no laws have been broken.
The GSM Alliance cannot claim that any of the published research is news to them. They know A5/1 has flaws. This is why they moved to adopt A5/3. So based on the statement from the GSM Alliance, the illegality comes from talking about the security issues, and discussing work and academics that have been around for years. In short, they still rely on security by obscurity.
A5/1 uses 64-bit encryption, which again, is weak and exploitable. To combat this, A5/3 was developed. A5/3 succeeds A5/1 completely, using 128-bit encryption for hardened security. The use of A5/3 is already spreading across the mobile footprint here in the US. A5/3 is used predominately in 3G networks, but in the case of carriers like AT&T, 3G is only partially implemented.
Even now, A5/3 has been broken academically. It is because of this most operators are looking to shift from the use of GSM to something stronger. This new strength will come from LTE, commonly known as 4G. LTE has several strengths, including two that Nohl made mention on during our conversation.
First, LTE is more open than the GSM standard. The fact that it is open means that security problems can be researched and corrected by academics. Second, LTE has fewer patents on it, so new developments can be freely adopted to enhance it over time. Overall, LTE is just more secure, making it a great step in the right direction, Nohl said.
LTE is also partly responsible for some of the issues faced by GSM. This is because most operators on GSM currently, both in the U.S. and Europe, have a defined roadmap for LTE deployment. This roadmap, in some cases as little as five years for some operators in Europe, means shifting financial resources to launching LTE and pushing any needed GSM improvements to the wayside.
However, until LTE is deployed fully, GSM will be vulnerable to anyone who wants to take the time to intercept communications, a fact proven over the last decade by everyone who has ever dug into the A5/1 standard, including Nohl and his team as they advanced existing research and pushed the final pieces into play.