
Huge GSM flaw allows hackers to listen in on voice calls

Owen Williams   on 25 August 2009 - 21:17 · 31 comments & 13398 views

At the recent Hacking at Random (HAR) conference in the Netherlands, Karsten Nohl detailed plans for cracking A5/1, the stream cipher that encrypts standard GSM cell phone calls, by having volunteers precompute lookup tables for it, and said the results will be made available for anyone to use. GSM (Global System for Mobile communications) is the most widely used cell phone standard in the world, deployed in Europe, Africa, Asia, New Zealand, Australia, the United States and Canada.

The GSM flaw is massive and affects individuals as much as businesses: once the work is complete, anyone with a roughly $500 radio card and a laptop will be able to listen in on GSM calls. That makes it easier for criminals to obtain personal data and turns eavesdropping on ordinary voice calls into a real, everyday threat.

Stan Schatt, Vice President and Practice Director, Healthcare and Security at ABI Research, commented, "Potentially this news could have as profound an impact on the cell phone industry as the breaking of WEP encryption had on the wireless LAN industry." He went on to say: "… average folks also have to fear criminals learning valuable information about their bank accounts, personal affairs, etc. Equally if not more important, our research shows that employees talk about corporate sensitive information on their cell phones a good deal of the time.... If people do nothing, we are likely to start to hear stories of sensitive information being compromised, acquisition information being leaked, personal financial security information being compromised, etc. We could see tales of blackmail and extortion on the rise."

Weaknesses in A5/1 have been talked about, and a working break rumoured to exist, since as early as 1996, but no practical attack had ever been made public. Simon Bransfield-Garth, CEO of Cellcrypt, said, "Everybody has known for quite some time that a theoretical hack of GSM existed. This news means that the theoretical risk will become a very real one within the next six months." He added that recently conducted research, to be released soon, found that "79% of people discuss confidential issues by phone every few days with 64% making such calls daily."

The hack is said to be "incredibly simple" to perform and would affect day-to-day use of mobiles. If it became widespread, personally identifiable information shared over the phone could easily be stolen: bank details, social security numbers, credit card details, addresses and full names.
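To make concrete what A5/1 is and what an eavesdropper actually recovers from the air, here is an added example; it is not code from the article, from Nohl's project or from any GSM vendor. It is a Python implementation of the publicly documented A5/1 keystream generator, checked against the test vector that shipped with the 1999 Briceno/Goldberg/Wagner reference implementation, followed by the known-plaintext step every table-lookup attack starts from. The session key, frame number and plaintext burst in the demo are constructed values chosen for illustration; the table lookup itself (turning 114 recovered keystream bits back into the 64-bit key) is what Nohl's project computes and is not implemented here.

```python
# Added example, not from the article or Nohl's project: A5/1 keystream
# generator per the public description, checked against the test vector
# of the 1999 reference implementation, plus the known-plaintext step that
# hands an eavesdropper the keystream a precomputed-table attack looks up.

# Register lengths, clocking bits and feedback taps (bit 0 = LSB; registers
# shift towards the MSB).
R1_LEN, R2_LEN, R3_LEN = 19, 22, 23
R1_CLK, R2_CLK, R3_CLK = 8, 10, 10
R1_TAPS, R2_TAPS, R3_TAPS = (13, 16, 17, 18), (20, 21), (7, 20, 21, 22)
BURST_BITS = 114  # payload bits per GSM burst; one keystream block per direction


def _step(reg, length, taps):
    """Shift one LFSR by one bit, feeding back the XOR of its tap bits."""
    fb = 0
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & ((1 << length) - 1)


class A51:
    """A5/1 state for one TDMA frame: 64-bit session key Kc, 22-bit frame number."""

    def __init__(self, key, frame):
        if len(key) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("Kc is 64 bits and the frame number is 22 bits")
        self.r1 = self.r2 = self.r3 = 0
        # Key load: all registers clock regularly, each key bit (LSB of
        # key[0] first) is XORed into bit 0 of every register; then the
        # frame number the same way; then 100 majority-clocked warm-up steps.
        for i in range(64):
            self._clock_all()
            self._mix((key[i // 8] >> (i % 8)) & 1)
        for i in range(22):
            self._clock_all()
            self._mix((frame >> i) & 1)
        for _ in range(100):
            self._clock_majority()

    def _mix(self, bit):
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self):
        self.r1 = _step(self.r1, R1_LEN, R1_TAPS)
        self.r2 = _step(self.r2, R2_LEN, R2_TAPS)
        self.r3 = _step(self.r3, R3_LEN, R3_TAPS)

    def _clock_majority(self):
        # A register steps only if its clocking bit agrees with the majority.
        b1, b2, b3 = (self.r1 >> R1_CLK) & 1, (self.r2 >> R2_CLK) & 1, (self.r3 >> R3_CLK) & 1
        maj = 1 if b1 + b2 + b3 >= 2 else 0
        if b1 == maj:
            self.r1 = _step(self.r1, R1_LEN, R1_TAPS)
        if b2 == maj:
            self.r2 = _step(self.r2, R2_LEN, R2_TAPS)
        if b3 == maj:
            self.r3 = _step(self.r3, R3_LEN, R3_TAPS)

    def keystream(self, n=BURST_BITS):
        """Next n keystream bits: XOR of the three registers' top bits per step."""
        out = []
        for _ in range(n):
            self._clock_majority()
            out.append(((self.r1 >> 18) & 1) ^ ((self.r2 >> 21) & 1) ^ ((self.r3 >> 22) & 1))
        return out


def burst_keystreams(key, frame):
    """(downlink, uplink) keystream, 114 bits each, for one frame number."""
    gen = A51(key, frame)
    return gen.keystream(), gen.keystream()


def pack_bits(bits):
    """Pack bits MSB-first into bytes, zero-padding the last byte."""
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i // 8] |= b << (7 - i % 8)
    return bytes(out)


# Test vector published with the reference implementation.
REF_KEY, REF_FRAME = bytes.fromhex("1223456789abcdef"), 0x134
REF_DOWN = bytes.fromhex("534eaa582fe8151ab6e1855a728c00")
REF_UP = bytes.fromhex("24fd35a35d5fb6526d32f906df1ac0")


def reference_vector_ok():
    down, up = burst_keystreams(REF_KEY, REF_FRAME)
    return pack_bits(down) == REF_DOWN and pack_bits(up) == REF_UP


def xor_bits(a, b):
    if len(a) != len(b):
        raise ValueError("bursts must be the same length")
    return [x ^ y for x, y in zip(a, b)]


def encrypt_burst(key, frame, plain_bits, downlink=True):
    """What phone and network do: burst XOR keystream (decryption is identical)."""
    down, up = burst_keystreams(key, frame)
    return xor_bits(plain_bits, down if downlink else up)


def recover_keystream(cipher_bits, known_plain_bits):
    """Eavesdropper's first step: a burst with predictable content yields that
    frame's keystream. These bits are the index into the precomputed tables."""
    return xor_bits(cipher_bits, known_plain_bits)


def demo():
    # Constructed values: a session key and an all-zero fill burst whose
    # content the interceptor can predict.
    kc, frame = bytes.fromhex("0123456789abcdef"), 42
    known_plain = [0] * BURST_BITS
    captured = encrypt_burst(kc, frame, known_plain)
    ks = recover_keystream(captured, known_plain)
    assert ks == burst_keystreams(kc, frame)[0]  # exactly the generator's output
    # A different frame uses different keystream, so without Kc (which the
    # tables recover from ks) the next burst stays opaque.
    return ks != burst_keystreams(kc, frame + 1)[0]


if __name__ == "__main__":
    print("reference vector:", "ok" if reference_vector_ok() else "MISMATCH")
    print("known-plaintext demo:", demo())
```

The point of the demo is the last function: because GSM XORs keystream straight onto the burst, any burst whose content is predictable gives the interceptor 114 keystream bits, and the precomputed tables Nohl described map those bits back to the cipher state and hence to the key for the whole call. Nothing in the generator itself needs to be broken; its 64-bit state is simply small enough to tabulate.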

Hacking at Random has made Karsten Nohl's presentation slides available on its website.
Cellcrypt has published guidelines for managing the security of voice calls on their website.



Image credit: Slides taken from Karsten Nohl's slideshow

Comments · There are 31 additional comments
(3 replies) #1 protocol7 on 25 Aug 2009 - 21:40
"79% of people discuss confidential issues by phone every few days with 64% making such calls daily."

Really?
#1.1 M_Lyons10 on 25 Aug 2009 - 23:18
protocol7 said,
"79% of people discuss confidential issues by phone every few days with 64% making such calls daily."

Really?


I find that to be very high too... I can't think of much of anything that I talk about that could compromise my information...

I mean, should I not be telling random people my SS#?
#1.2 roadwarrior on 25 Aug 2009 - 23:59
Anyone who calls their bank to check balances, etc. would be vulnerable.
#1.3 Conjor on 26 Aug 2009 - 13:52
Yet another reason to do banking in branch...
(5 replies) #2 Intel008 on 25 Aug 2009 - 21:53
Verizon would be foolish not to use this as a marketing tool, such as the Apple and Microsoft ads…. Unless AT&T can push some firmware to fix it…..AT&T will either stand by and watch customers jump ship, which would force Apple to move to another provider (most likely Verizon) to protect profits…or….request some emergency government money and speed up their 4G LTE rollout (which would be awesome)….then move all their phones to LTE if that is even possible. In a world that lives in fear of every big or little security threat, this is sure to get some news media spin and have non-techy GSM customers freaking out.

For those who want out of their AT&T contracts....I think this would be great ammunition that is factual.
#2.1 cerealfreak on 26 Aug 2009 - 00:01
How is iPhone/AT&T bashing even relevant?? The GSM network is used for voice traffic, 3G and 4G are used for data traffic.

Trolling much??
#2.2 omni on 26 Aug 2009 - 05:55
cerealfreak said,
How is iPhone/AT&T bashing even relevant?? The GSM network is used for voice traffic, 3G and 4G are used for data traffic.

Trolling much??


3G and 4G are not just used for data. In fact GSM is nowhere to be found in the official 3G standard -- 3G (aka IMT-2000) is a set of standards that define a third generation wireless communication medium. EDGE is the evolutionary upgrade to GSM.
#2.3 cerealfreak on 26 Aug 2009 - 14:53
omni said,
cerealfreak said,
How is iPhone/AT&T bashing even relevant?? The GSM network is used for voice traffic, 3G and 4G are used for data traffic.

Trolling much??


3G and 4G are not just used for data. In fact GSM is nowhere to be found in the official 3G standard -- 3G (aka IMT-2000) is a set of standards that define a third generation wireless communication medium. EDGE is the evolutionary upgrade to GSM.


Where did I state that GSM is in the official 3G standard?? My point was Intel008 response was irrelevant, as the lack of security in GSM has nothing to do with the iPhone and AT&T contracts.
#2.4 Intel008 on 26 Aug 2009 - 16:25
Yes Cereal, and you must be a techy because my comment was based on the business side of the technology. A lot of I.T. folk (myself included, at times) have a lack of understanding with the business side. My comment was focused on the business effect this GSM flaw could have on GSM providers, targeting AT&T specifically and the iPhone being their biggest product that some would argue is their only real wireless product. I have an iPhone and I would not "bash" the iPhone where other posts I have made praise the iPhone as an "amazing device". I am not a fan of AT&T and I was pointing out the loss of customers that could come out of this security hole if AT&T does not close it quickly. I was also pointing out that my dissatisfaction with AT&T is mostly targeted to GSM in North America and how it fails to be as reliable with regard to CDMA. If AT&T could move all voice and data service to 4G LTE, then not only would it shore up the GSM flaw, but also shore up reliability concerns, and put their network in the lead for overall performance.

It is a pretty logical assumption that if this GSM flaw has no fix (because if they knew of it years ago, why haven't they fixed it yet) then what phone manufacturer is going to continue to produce GSM based phones if the customer demand goes away due to security concerns. As a tech supporting large enterprise organizations, would you want to have a bridge call discussing a critical business app and sharing confidential information on your GSM phone knowing that it's possible someone could be listening? I think not…..
#2.5 Intel008 on 26 Aug 2009 - 19:09
CRN.COM is reporting that Verizon has begun testing their 4G LTE rollout and has also decided to test voice calls via the 4G network via VoIP. So, per my comment above about using non-GSM for voice......Looks like it is possible.....Perhaps AT&T and other GSM providers could take notes and learn.

See......http://www.crn.com/mobile/219400220;jsessionid=YYZWYH1VFECA3QE1GHOSKH4ATMY32JVN

and just to add humor to it all......dslreports.com is reporting AT&T is showing their customers just how lame AT&T can be and why this GSM flaw hasn't been fixed over all this time they have known about it.....see the dslreports article for a good laugh....... http://www.dslreports.com/shownews/ATT-App...ngestion-104128

Keep it up AT&T and Verizon will have that iPhone in no time....
(2 replies) #3 NimrodUK on 25 Aug 2009 - 22:03
3G is more secure than 2G and most people who care about phones and security should already be on 3G and not the old 2G.
#3.1 iaTa on 25 Aug 2009 - 22:28
3G phones still use GSM a lot of the time.
#3.2 Conjor on 26 Aug 2009 - 13:53
proof? documentation?
#4 kouhii00 on 25 Aug 2009 - 22:34
I think this article is talking about GSM (for voice calls) security, not 3G (which is for data, although VoIP is possible).

Last edited by kouhii00 on 25 Aug 2009 - 22:39
#5 M_Lyons10 on 25 Aug 2009 - 23:17
Rut roh...
(1 reply) #6 Raa on 26 Aug 2009 - 00:00
It's times like these that I think: "Thank the maker I'm on WCDMA"
#6.1 Ledward on 26 Aug 2009 - 02:33
WCDMA is more commonly known as 3G. 3G phones frequently switch back to GSM when the 3G signal strength becomes weak.

In fact, where I live (Australia), I get better call quality on GSM.
(2 replies) #7 cerealfreak on 26 Aug 2009 - 00:03
This has been speculated since 1996?? This has been known about since 1996 and the providers have done nothing to secure this. Major flaw!!!
#7.1 Conjor on 26 Aug 2009 - 13:54
why spend money to fix something that wasn't broke at the time?
#7.2 cerealfreak on 26 Aug 2009 - 14:54
Conjor said,
why spend money to fix something that wasn't broke at the time?



It was broken, that's the whole point. This isn't a flaw that was brought in by a phone's OS, this is a flaw in the entire GSM standard.
#8 psionicinversion on 26 Aug 2009 - 01:01
That's a bit of a shocker, isn't it, but think of the possibilities: you could always listen in on a dirty phone call to one of them premium rate numbers, for FREE. Now where can I buy that card and *cough*
(2 replies) #9 Shiranui on 26 Aug 2009 - 01:59
So that's why we don't use GSM in Japan!

Anyway, I'd be more worried about the government listening in on you than a small time hacker.
#9.1 NeoSigma on 26 Aug 2009 - 03:41
Shiranui said,
So that's why we don't use GSM in Japan!

Anyway, I'd be more worried about the government listening in on you than a small time hacker.


I'd be more worried about the hacker. He can do a lot more damage than the government. The government still has to go through and/or around the law. Plus you can fight the government, hard to fight someone you don't know.
#9.2 jingarelho on 26 Aug 2009 - 12:45
Shiranui said,
So that's why we don't use GSM in Japan!

Anyway, I'd be more worried about the government listening in on you than a small time hacker.

If the government wants to, it can listen to you; it is a very simple process. Every year thousands of conversations are recorded and listened to.
(1 reply) #10 liemfukliang on 26 Aug 2009 - 12:38
How about using internet via GSM like HSDPA? Is it also affected? Or just voice only?
#10.1 Conjor on 26 Aug 2009 - 13:56
I would assume they would still be able to intercept that data...
(3 replies) #12 {-: ZIGGY -} on 27 Aug 2009 - 15:41
Amazing!! Considering this is a technical forum you people certainly don't have a clue.

I work as an engineer for one of the 5 UK operators and you people really need to swot up on your mobile telecoms knowledge.

2G uses GSM
3G (including HSDPA and HSUPA) uses WCDMA

2G can transmit data over GSM (including EDGE modulation) using GPRS and 3G likewise uses GPRS

3G is unaffected (data and voice) as it uses A5/3 encryption.

Honestly I am shocked by the lack of knowledge............. call yourselves l33t geeks :-)
#12.1 Intel008 on 27 Aug 2009 - 16:39
Ziggy, I have to ask a question.....What if you are in an area that is not 3G capable...then wouldn't you be on 2G.....which IS affected by this flaw......and I live in one of the largest cities in the states and I can name hundreds of places where 3G is NOT available, which means that this GSM flaw that YOU say affects 2G (Edge) would affect MOST of GSM customers. I think I get 3G service in my local state 50 percent of the time, which means 50 percent of the time I am using 2G GSM (100 percent if I am traveling on the road). And if you truly are so smart and prepared to bash everyone on this site....then perhaps you can explain to all of us why they haven't fixed this problem yet.
#12.2 {-: ZIGGY -} on 27 Aug 2009 - 20:09
Hi Pal,

Of course you're correct that if you're not within coverage of a 3G cell then you'll be handed over to 2G. However, the rollout of 3G enabled sites is still ongoing and the coverage is increasing week by week.

I think that what will happen is that the encryption card found with the MSCs will be updated/reconfigured to use the A5/2 or A5/3 encryption scheme. It's more money for Nokia and Ericsson and the operators will be able to advertise they are unaffected by the exploit.

I ain't worried and I don't think anybody else should be. Considering how long GSM has been in the public domain I think it's impressive that the original encryption scheme has lasted so long.
#12.3 Rodolfo Rosini on 08 Sep 2009 - 13:55
Hi,

A5/3 is recommended on the 3G standard but not all carriers support it, some in fact use A5/1. If this is because of export controls (strong crypto and all that) I do not know.

Encryption algorithms on GSM share the same key, so a way to crack security is to use a device called IMSI catcher to force the handset to use a lower security protocol.

The encryption implementation is on the phone not on the SIM card so in order to close this loophole you might need to replace all phones or disable the old ones out there.
