Cheap GSM Eavesdropping a Reality

Techmeology writes "GSM eavesdropping has been demonstrated at the Chaos Computer Club Congress in Berlin using a €10 Motorola phone and open source GSM firmware. Karsten Nohl and Sylvain Munaut replaced the firmware on the phone, enabling them to process all the data it received. They used already available rainbow tables to decrypt data being sent to and from other mobile phones. They have no plans to release the hack publicly, however they expect others to successfully attempt the hack. Mr. Nohl said the objective was to raise awareness of GSM's insecurity."

Until phones have real crypto

[dgatwood]

Until phones use proper PK crypto with a proper certificate authority, key revocation, etc. under the user's control, you can safely assume your phone calls are trivially snooped over the air. That's just a great big "duh". Not at all surprising that it can be done cheaply. What's surprising is that it took so long.

Re:Until phones have real crypto

[socsoc]

I feel safe. First I have my message translated by code talkers, who then encode it into an image and text it to my friends.

Although lemme tell you, MMS steganography isn't very convenient to see what people are up to.

Re:Until phones have real crypto

[0100010001010011]

Rent a Navajo Today!

No more worrying if your neighbor is intercepting your calls. No more being paranoid of foreign governments. Conduct insider trading in front of the SEC!

Word on the street is Julian Assange has his very personal Navajo. No proper business man would be caught with out one.

- Paid for by the Navajo Talkers of America

Re:Until phones have real crypto

[KDN]

Assuming you trust the Navajo.

Re:

[TheRaven64]

I heard a rumour that the NSA has its very own Navajo, and so can intercept all of your messages.

Re:

[interval1066]

Presumably to protect your important messages from the imperial japanese navy. Reality is service providers don't and have never taken their customer's privacy very seriously, and how can you, really, if your customer's private data is a second revenue stream for you. Nice thing if you have an app-installable smart phone you can encrypt your communications yourself. Bad thing is few user's take their communication privacy seriously either.

Re:

[grcumb]

Rent a Navajo Today!

No more worrying if your neighbor is intercepting your calls. No more being paranoid of foreign governments. Conduct insider trading in front of the SEC!

Word on the street is Julian Assange has his very personal Navajo. No proper business man would be caught with out one.

- Paid for by the Navajo Talkers of America

This is insightful in a Haha Only Serious kind of way.

The fact of the matter is that a Personal Navajo [imagicity.com] is actually a pretty comprehensible way to present Public/Private Key cryptography to non-technical users.

Re:

[fatphil]

The analogy on that page is completely useless. It has none of the properties that the real cryptosystems have, and plenty that the real cryptosystems don't have.

Obligatory XKCD

[Anonymous Coward]

http://xkcd.com/257/

Re:

[floydman]

Mod parent up!

Re:

[cyber-vandal]

Oh yeh that's just what we want - OMG LOL crap I revoked my PK crypto.

Re:

[JockTroll]

Revoking a Navajo would be much worse.

Re:

[horza]

Even funnier is the way people put locks on their front doors. Just imagine OMG LOL crap I lost my door key. Hilarious.

Phillip.

Re:

[cyber-vandal]

You can still break into your house if you lose your key. You don't need to phone an Indian call centre and try to get them to understand what you need.

Re:

[dgatwood]

TLS proves the tower is owned by the telco, but it doesn't prove that the tower isn't compromised. Further, since a sizable portion of towers are owned by local telcos and are merely used by the major telcos, you'd need most of that PK infrastructure to handle such a trust model anyway, so why not do the extra 10% to get it right?

A proper security scheme really should be end-to-end encrypted, not end-to-nearest-trusted-node encrypted. I realize that this scares the bajeezus out of the powers that be becau

Re:

[eddy]

I'd settle for AES using a pre-shared key.

Re:

[Sloppy]

That's actually a reasonably good idea. I love PK, but in real life, 99% of my phone calls are to people that I already know, where there's just no reason (other than the fact that current devices suck) one can't establish a shared secret in advance. In a sense, even AES is underkill; not that anyone needs more, but even syncing up a few gigabytes of OTP is totally feasible. "Feasible" even understates it; technically it would be trivial.

We walk around with devices that contain microphones and antennas,

Re:

[ThunderBird89]

Most of our phone calls could be secure, if we wanted that.

Or if manufacturers and carriers would either let us do the required hacking or do it themselves, and even then, Average Joe doesn't need such security or want to bother setting it up. Just imagine: you get a cell number from an overseas contact in an email. If you then wanted a secure conversation, you'd need to meet up in person to synch OTPs, at which point the whole cryptographic scheme would be pretty much moot.

Re:

[Sloppy]

For situations where you don't want to "bother setting it up" (and let's be realistic about the UI: all that can mean, is meeting in person and pressing a button or connecting a cable; if it's harder than that, it's too hard) like your phone-number-in-an-unencryped-email example, you fall back to the WoT and use PK. But that's the second-worse case scenario; I was talking about something else, where people realistically do meet each other sometimes, in addition to talking on phones.

BTW, it doesn't matter w

Re:

[fatphil]

"god-proof crypto can be so easy to deploy that it's faster and easier to just use it, than to even think about what you're securing against."

Then you've probably already lost. Remember in Aliens when they had Alien-proof welding on the door?

Re:

[Sloppy]

Remember in Aliens when they had Alien-proof welding on the door?

1. Since putting alien-proof welding everywhere involves some significant time and materials, I won't talk shit about the space marines and their failure to establish an alien-proof perimeter. But we just have to click a mouse button. What's our excuse for not putting alien-proof welding on the ceiling?
2. And if it weren't for that damn crawlspace, the welding on the doors would have been a good use of resources. Don't let their failure convince

Re:

[AmiMoJo]

I have never been able to work out why Thunderbird or any other OS mail apps does not do public key exchange automatically. If the default install shipped with GPG and attached a your public key and signed every message by default we could make real progress towards encrypted by default communications.

My guess is that they are worried about confusing people with strange attachments and text appended to their mails. I can't think of a reason why that stuff could not be moved to mail headers though.

Re:

[petermgreen]

And it's not like landline phones are secure either, anyone can climb up the pole and fit a tap to your line. Provided they have the right equipment they are pretty unlikely to be noticed.

Re:

[locofungus]

Why do you need a certificate authority?

If I call up one of my friends I'll know pretty quickly if it's not really them. If I call up someone I don't know then I don't see that there is any great benefit in knowing that some other random company says that this random person that I don't know really is a random person that I don't know - the main benefit will be that if I call them more than once then I can confirm that I'm talking to the same person.

Certificate revocation is slightly different, but even the

Chaos Communication Congress

[Anonymous Coward]

27C3 => 27th. Chaos Communication Congress not Chaos Computer Club Congress. But it is a congress held by the CCC (Chaos Computer Club) ;-)

And the presentation in question was awesome. I recommend anyone to get the streamdump or, if you can wait a bit, the official video releases that will be released later on. Pretty much all talks on the Congress were recorded and are/will be available for download.

Cheers

I don't care...

[fearlezz]

... because governments spying on their own people are much more dangerous to your privacy than the neighbour wiretapping a conversation. Since governments can simply wiretap your provider, I'd suggest to keep private information off the line at all times.

Re:

[CastrTroy]

Exactly. In this day and age, there are so many more and better ways of encrypting your conversations that it's amazing that anybody uses cell phones and other government-tappable means of communication when doing things the government would be interested in. I'm sure that there are many criminals who are using proper crypto to send messages, but there are many-many more who aren't, and those are the ones being caught.

Re:I don't care...

[TheRaven64]

Not true. The government will typically need a warrant to wiretap at the provider. At the very least, they will leave a paper trail. In contrast, they can tap into unsecured communications without any kind of warrant, and if they can do it with $10 of equipment then there is nothing that will require a paper trail.

Re:I don't care...

[nospam007]

"The government will typically need a warrant ..."

Boy you're so wrong. They just need a National Security Letter.

http://www.wired.com/threatlevel/tag/national-security-letter/ [wired.com]

Re:I don't care...

[tunapez]

Actually, they just need to promise to deliver one in a week...
Third bullet from the bottom. [wikipedia.org]
 
In this day and age of fear, a kid with an undetonated firecracker, a chip on his shoulder and a lighter could easily be labeled a 'terrorist threat'. Which any lawyer worth his/her salt, or golfs with the judge, could qualify as an 'emergency'. Getting around to sending the letter ex post facto? I'm sure it will be a top priority for the listeners already listening.

Re:

[sjames]

That's the really sad thing, as easy as it's been made for them to "legally" do the wiretap, they still can't be bothered to meet the requirements!

Re:

[Anonymous Coward]

Remember the retroactive telecom immunity bill passed in 2008? Before that, the rules where that if, say AT&T, reasonably tried to obey the law (it didn't matter whether they actually did or not, they just had to try, and act in good faith) then they would be free of liability. This wasn't good enough so we needed FISA amended.

Meeting requirements is too onerous? No, even trying to meet requirements is too onerous. Wanting to meet the requirements is too onerous. Having a vague intent to possibly tr

Re:

[fatphil]

By any sensible definition of the word warrant, an NSL is a warrant.

Re:

[Luckyo]

Strongly disagree (but then again, I'm not living in USA). I worry very little of government wiretaps - they leave a paper trail, have to abide by rules and all people involved are bound by an oath of silence on whatever private info they get to hear.

I do worry about small time criminals trying to fish out useful information, like locations, time when apartment is empty, identity theft, etc. That's largely untraceable, and is an actual substantial risk in this day and age to anyone.

Granted if you're some so

Wrong Way

[SuperKendall]

because governments spying on their own people are much more dangerous to your privacy

No they aren't, because they don't do anything if they are listening. It's like a tree falling in a forest, is it really a violation of privacy if only automated scanners "hear" your conversation?

Someone actually scanning local GSM calls is way more likely to be doing so for a purpose, perhaps to gather material for blackmail or get things like account numbers or other personal data. That is a far more immediate and pers

Don't use GSM Phones

[clonehappy]

GSM systems use a rudimentary TDMA system which assigns each user a timeslot on a given frequency. The handset and base station both transmit/receive at the assigned interval to exchange the voice data. There isn't much security to speak of, since the basic encryption used in GSM was broken years ago. 3G GSM systems are probably still secure, as they don't use a TDMA based system. 3G GSM uses a Wideband-CDMA based system which provides greater security of the data being transferred at the physical interface layer.

Using a CDMA system, which many Americans and the rest of the world see as inferior technology, effectively eliminates the ability for a third party to eavesdrop on a wireless call. In a CDMA system, all data is distributed over the same frequency range, with an ever-changing pseudorandom code assigned to it, using spread spectrum technology. The ability to "guess" the code for any given call (out of I belive over a trillion unique codes) is nearly impossible.

While this doesn't mean that governments, spy agencies, etc. cannot still listen to your phone conversation, it means Joe Blackhat in his garage across the alley isn't listening to your phone conversation. If I were using a mobile phone for anything remotely private, which I sure as hell don't, I would have to forego using the global standard system in favor of one that uses a more secure air interface (CDMA or 3G GSM). If there are any non-telco geeks that want to know more, read section 5 of the whitepaper linked below, it has some good information on how this all works and how this system works to keep your conversations private, at least from two-bit hackers.

http://b2b.vzw.com/assets/files/SecurityWP.pdf [vzw.com]

Re:

[Anonymous Coward]

(W)CDMA isn't necessarily more secure. At least for 3G, _which_ code to use for the dedicated will be sent on a common/known control channel ...
Also, with WCDMA, by recording the raw radio data (10MHz bw IIRC), you are certain that _all_ calls/sms/data are in the recording ...

WCDMA is indeed more secure but that's for other reasons that just the radio layer. (Which make sense ... it's not the job of the modulation scheme to ensure confidentiality and authentication !)

(note that I don't know CDMA much so it

There's nothing wrong with GSM

[Sloppy]

Networks are insecure, period. That should be the underlying assumption of any communications system.

Then you put endpoint-to-endpoint crypto into the application. If some other layer also encrypts, like the crypto in CDMA or GSM or WPA2 or OpenVPN, that's ok, but it's not something your application should assume is useful, or even needs to be aware of.

Look at it that way, and GSM and CDMA have identical security: none. Security is the application's problem. We're looking at it all wrong: legacy phones are insecure, because they're an application that is designed to be compatible with .. what, late 1800s tech? Let's stop worrying about the networking tech itself, and fix the app. Fix the app, and the network won't matter.

Re:

[horza]

AFAICR GSM went with TDMA as it was more reliable, equipment was cheaper, and it didn't walk across the Qualcomm patent minefield. However, TDMA vs CDMA is irrelevant if using proper end-to-end encryption. With A5/1 broken (it did pretty well lasting a couple of decades with the pace of change in technology) the new generation of smart phones have plenty of processing power to provide a decent PK layer on top. You are already doing this when using Skype on your mobile. A simple app download is probably easi

Re:

[Anonymous Coward]

CDMA isn't an encryption scheme, it's a method to allow multiple stations simultaneous access to a frequency range. For this reason I sure as hell wouldn't trust it to secure anything. I also sure as hell wouldn't trust a vendor for details on how secure their network actually is. Vendors also told us that WEP was perfectly secure as well, and we all know how that turned out.

(BTW, if you think a trillion is a large search space, think again).

CDMA still vulnerable to cheap MITM attacks

[chrb]

As far as I know, CDMA is still vulnerable to a Man In the Middle attack, where the eavesdropper's equipment pretends to be a basestation. This is the method Chris Paget demonstrated against GSM at Defcon with $1500 of equipment [youtube.com]. The equipment cost may be slightly higher with CDMA, but apart from that, the technique should work fine - a MITM attack is independent of the physical layer. Qualcomm have stated that CDMA can be cracked; there was some scandal in South Korea about this, and it was revealed that t

Re:

[yuhong]

Or just upgrade to 3G, which provides a stronger KASUMI-based algorithm.

Crypto isn't the main problem

[ThunderBird89]

The main problem here isn't really cryptographic, but economic: mobile carriers have no vested interest in protecting the privacy of their customers, since the Average Joe doesn't care about it either way, and for those who do, there exist specialized encrypted phones (which, I might add, can all be subverted by hackers with the least bit of determination). This article [arstechnica.com] states that of the two keys being used, the one used to authenticate the SIM towards the provider is very strong, because the providers have an interest in keeping that secure, while the key protecting individual sessions is weak, since it doesn't need to be strong.

Using strong crypto in the handsets would likely require a more powerful CPU or a dedicated chip, raising the cost and the complexity, making it unattractive to the manufacturers and providers. Also, it wouldn't solve a damn thing, as it would merely shift the focus from eavesdropping to more ... direct methods of obtaining the required information, since a cypher is only as strong as the weakest point, in this case the human endpoints.

Also, I doubt government agencies are startled at this announcement. I worked at the Hungarian Foreign Ministry, and I had at least one call eavesdropped, and one call actually hijacked by having a third party speak on the line for both of us to hear. The article makes it clear that in order for this to work, you need to know your target and track it for some time, making it impossible to just 'go around snooping in on others' and have this turn into another Google StreetView incident.

Re:

[anwaya]

... Also, it wouldn't solve a damn thing, as it would merely shift the focus from eavesdropping to more ... direct methods of obtaining the required information, since a cypher is only as strong as the weakest point, in this case the carriers operating the networks between the human endpoints.

FTFY.

Re:

[ThunderBird89]

Tell me which one is harder:
a) going through the trouble to get a proper phone, rewrite and reflash the firmware, locate your phone, probe it, the listen keep sending silent messages to keep myself updated on the session key and finally after a lot of waiting around, eavesdrop in on a single one-minute conversation, or
b)kidnapping you, drugging you, and hitting you with a $5 monkey wrench until you tell me what I want to know?

The carrier isn't the weakest point in the link if you want to get the info,

Re:

[F.Ultra]

It depends, in many situations b) is unacceptable since you don't want the subject to know that you are eavesdropping on him,

Re:

[ThunderBird89]

In which case you usually have access to the required equipment already.
Face it, if you need to stay in the shadows, you're usually with the secret services, and you have the budget and the technicians to pull it off without this hack, or you just approach the provider. If you don't have access to the stuff, you likely don't actually need the data, or you can afford to get in his face about it, and use rubber hose cryptanalysis to extract the information.

Re:

[F.Ultra]

Or you simply don't want to be caught by the authorities for breaking the law (killing or torturing the guy) while still trying to perform say industrial espionage.

Re:

[ThunderBird89]

Once again, the limiting factor is hardly money in that case, if your company needs the info that desperately, they will invest in a ~$50,000 unit built specifically for this purpose so their agents won't have to muck about with hacked phones.

This is mainly a wake-up call for providers, saying "Look, we can do this. Put terrorists and internet together with this, and you get...?". It's saying that eavesdropping is affordable, but the required technical knowledge and skills still place it outside an average

Re:

[F.Ultra]

Yes you are absolutely correct but I still find the rubber hose method that people always brings up after xkcd, to miss the point sometimes. Even if you are a basement amateur you might not be interested in violence. And regardless, slashing people is a much easier way into prisons than hacking phones. And whatever secret that you want to get hold of might be wortless if your victim knows that you have obtained it. Disregarding the obvious rubber hose candidates such as your ATM pincode of course :)

Re:

[ThunderBird89]

RTFA, please, both from the summary and from my comment. In order to carry out this attack, you need to target a single phone on the network, and know both the number and the location. You can't eavesdrop on the general traffic. Like I said, there's no threat of this turning into a StreetView incident.

Re:

[horza]

Rather than buy a specialised encrypted phone, couldn't you just install Skype or any VoIP supporting encrypted codecs and use that?

As for strong crypto requiring a more powerful CPU or dedicated chip, hardly. There is an overhead but it's not that dramatic. New smartphones can handle image processing and wouldn't even notice an encryption layer.

Also, it wouldn't solve a damn thing, as it would merely shift the focus from eavesdropping to more ... direct methods of obtaining the required information, since

Re:

[ThunderBird89]

The problem with dedicated codecs and Skype is that they only communicate with themselves. Even Skype drops the encryption when dialing a non-skype number, since the other end lacks the algorithms to decrypt the data. But you're most likely right about the CPU.

The governments own the airwaves, if they really wanted surveillance, they could just swagger up to the Telcos and say "Give us a live feed or we revoke your permits!". What I meant by the "would not solve anything" is that if I want to get somethin

Re:

[Jimbookis]

This eavesdropping is not really a concern to governments. They just tap at an exchange and listen to the nice G.711 data no matter where the target of interest is located with their mobile, be it GSM or 3G. I think this trick is more useful for the casual user and could return us to the old days of listening to calls on the old analogue systems (like AMPS) with a scanner and narrowband FM demodulator. I am interested to find out how they got enough info together to hack and reprogram the phone!

Re:

[ThunderBird89]

It won't go there. Read the article: needs two phones, knowing your target's location, restricted to a single targeted phone and one conversation start-to-finish. Nothing more.

Surprised?

[Midnight Thunder]

Given the real-time nature of phone conversations and the low amount of processing power that most phones have, surely the solution they chose was a best fit solution? When you throw a modern desktop PC into the equation, then you are going to be able to crack that very quickly. The real question is the GSMA has actually provided other levels of encryption for when processing capability is available? The improved encryption would depend on both phone and tower capabilities.

Re:

[phorm]

Depends. A device with a chipset dedicated to a given task may in many cases be comparatively low-powered compared to a general-purpose PC, but may be *very* efficient at what it does. It's one of the reasons even a slightly older GPU will kick ass over software-rendering on most PC's.

Dedicated hardware can make a big difference in a lot of things, which is one of the reasons why in many systems there is hardware support for specific crypto methods.

I think that - especially nowadays - this is mostly the res

Neurosine

[neurosine]

I have a working theory: If you post your costs and profits, people will accept you making a profit. When you do not they are left to their imagination. Texting is old school as TTY....and the charges are overinflated. The industry should not use this as a standard...or we will call them greedy shits...because...y'know...it is fitting.

I'm not a crypto expert but...

[alexmipego]

Sounds to me that this problem is simple to solve, even with a naive solution. Take for example a simple key agreement algorithm like Diffie-Hellman which (for the unfamiliar with the subject) allows 2 parties to reach a secret key (called K) with a simple set of math and shared parameters (which the hackers can get but can't really use them for their advantage/finding K).

With a simple key agreement and some fast cryptographic algorithm (maybe AES) all conversations could be secure no matter what the networ