GSM Cracked

[Karsten Nohl], together with a group of security researchers, has broken the A5/1 stream cipher behind GSM. Their project web site discusses their work and provides the slides (pdf) presented at 26C3. A5/1 has had known vulnerabilities for some time now and is scheduled to be phased out in favour of the newer A5/3 block cipher (based on KASUMI). This should be an interesting time in the cell phone business.

Thanks to [Tyco] and [MashupMark] for pointing us to this story.

14 thoughts on “GSM Cracked”

  1. Well, gov agencies have had this technology for years; now you can hook it up on a 1K device. It's going to be a bigger issue for the developing countries where the GSM providers don't have the budget to switch the encryption.

    But what govs have is probably more sophisticated, starting with the fact that they can tap the calls at the BSS, so why would they need to crack A5?

    We were about to do some research on this, but the THC wiki only wrote down the basics when they had a lot more that they didn't publish. Dunno how the hell they can call it a community project when they work privately and don't publish anything but junk.

    Anyway, I hate cellphones, and I think it's a really sick thing to listen to someone else's calls for fun.

  2. The REALLY cool part, if you read the slides: they've developed a generalized distributed system for making rainbow tables across CPUs, GPUs, and FPGAs for ciphers up to 64 bits, or so.
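The time-memory trade-off the commenter refers to is easier to understand on a toy scale. The following is an added illustration, not code from Nohl's project or from the 26C3 slides: it builds a small rainbow table over a hypothetical 16-bit "keystream" function `f` (SHA-256 truncated, assumed here purely as a stand-in for a cipher's state-to-output map), then recovers a secret from one observed output. The column-dependent reduction function and the chain/table sizes are arbitrary choices for the demonstration; the point for a defender is that the precomputation cost scales with the size of the secret space, so 2^16 is instant, 2^64 is a distributed multi-week job, and anything materially larger is out of reach for this technique.

```python
import hashlib

KEY_BITS = 16          # toy secret size; A5/1 has a 64-bit internal state
N = 1 << KEY_BITS
CHAIN_LEN = 16         # t: columns per chain
NUM_CHAINS = 2000      # m: chains stored; memory cost is O(m), not O(N)


def f(key: int) -> int:
    """Hypothetical one-way map from secret to observed output.
    Stands in for a cipher's state -> keystream function."""
    digest = hashlib.sha256(key.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") % N


def reduce(output: int, column: int) -> int:
    """Column-dependent reduction R_i: maps an output back into the key space.
    The per-column variation is what makes the table 'rainbow' rather than Hellman."""
    return (output + column * 0x9E37) % N


def build_table(m: int = NUM_CHAINS, t: int = CHAIN_LEN, seed: int = 1):
    """Precompute m chains of length t; store only (endpoint -> [start points]).
    Also returns the set of keys the chains pass through, for measuring coverage
    in this demo only (a real table never keeps that set)."""
    table = {}
    covered = set()
    for j in range(m):
        start = (seed + j * 0x2545F) % N      # deterministic, spread-out starts
        x = start
        for i in range(t):
            covered.add(x)
            x = reduce(f(x), i)
        table.setdefault(x, []).append(start)  # endpoint collisions keep both starts
    return table, covered


def lookup(table, target: int, t: int = CHAIN_LEN):
    """Given one observed output, find a key k with f(k) == target, or None."""
    for i in range(t - 1, -1, -1):
        # Hypothesis: target was produced in column i. Finish that chain.
        x = reduce(target, i)
        for k in range(i + 1, t):
            x = reduce(f(x), k)
        for start in table.get(x, []):
            # Replay the stored chain up to column i to get the candidate key.
            y = start
            for k in range(i):
                y = reduce(f(y), k)
            if f(y) == target:          # rejects false alarms from chain merges
                return y
    return None


def demo(secret: int):
    """Returns (coverage fraction, recovered key or None) for the toy table."""
    table, covered = build_table()
    recovered = lookup(table, f(secret))
    return len(covered) / N, recovered


if __name__ == "__main__":
    cov, got = demo(secret=0xBEEF)
    print(f"table stores {NUM_CHAINS} endpoints, covers ~{cov:.0%} of {N} keys")
    print("recovered:", None if got is None else hex(got))
```

Two things worth noticing when running it: the stored table is far smaller than the key space (m endpoints versus N keys), and a secret that no chain passes through is simply not found, which is why real tables trade a long precomputation for high coverage. Scaling the same arithmetic from 2^16 to 2^64 is what required the CPU/GPU/FPGA distribution the slides describe.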

  3. This does not mean that now anyone can download a small Python script for use on their Nokia and just start tapping on calls and texts… Using the work that these guys have developed requires a shitload of equipment and expertise only a handful of people possess. Don’t worry about your security, if someone wants to listen to your calls, they’ve already done it by going to your operator and tapping in on the ground side rather than radio side.

    Apart from that, I didn’t have time to go through all of the material (slides etc.) but how do they figure out the timing scheme for a particular mobile station? I mean, GSM is a TDMA nightmare since the timing scheme is per-session and only the mobile station and the base-station transceiver know it.
