Cracking GSM calls, made affordable and easy
- By William Jackson
- Feb 20, 2008
The first thing to know about the security of GSM cellular phone service if you want to listen in on calls is that 'there is none,' according to one researcher who spoke Wednesday at the Black Hat Federal Briefings in Washington.
There is, however, the A5 encryption used to scramble voice and text traffic between the cell phone and the base station. But 'that was broken 10 years ago,' said the researcher, who identified himself only as Steve.
The theory of cracking the encryption was impractical with the computer power available in 1998 but, since 2003, there has been commercial equipment available capable of breaking A5 encryption. The equipment costs between $70,000 to $500,000 for active systems that inject themselves into the transmissions, or around $1 million for passive systems that quietly listen and do the cracking offline.
That is far too expensive for Steve, as well as Dave Hulton, another researcher at Pico Computing. So they are working with the GSM Software Project to build an affordable A5 cracking system costing less than $1,000.
GSM, or Global System for Mobile communications, is the most popular specification for mobile communications in the world, with an estimated 2 billion subscribers ' or 82 percent of the global market. It is used by 70 carriers in 48 countries. The phones used on the networks are becoming increasingly powerful computers, opening up GSM networks with poor security to interception and hacking.
'This phone is a network plug to 2 billion subscribers,' Steve said, holding up an obsolete Nokia cell phone. The old phone, which can be bought for $1 at auction, has trace functions that, when plugged into a laptop PC, can monitor the location and online activity of nearby cell phone users.
Voice and text message traffic usually is encrypted, but the encryption is weakened by systems that sometimes automatically set the last 10 bits of the 64-bit encryption key to all zeros. Session keys also can be reused for up to 16 calls, further weakening the scheme. The new cracking system uses the weaknesses to break the encryption.
'We tried to make this as easy as possible for anyone to use,' Hulton said.
The system needs to listen to just three or four frames of data in clear text exchanged between the phone and base station in setting up the call.
'If we know the plain text, we can derive exactly what is coming out of A5' to encrypt the data stream, Hulton said. This can be used to 'back out' the encryption and reveal the plain text.
The system they are developing uses rainbow tables to look up values for the 64-bit encryption keys, based on the encryption strings that have been revealed. A rainbow table for a 64-bit key would be prohibitively large, but Steve and Hulton found a way to reduce the number of data points that needed to be used. But even the table for the reduced set is 120,000 times larger than the largest tables used to look up values for a password hash function. It would take 33,000 years to generate the tables with a PC and the table would be 2 terabytes. But with available high-speed computers the job can be done in about three months, and the researchers expect to have their tables completed in March. They hope to make their system available in the second quarter of this year.
How fast it will work will depend on the speed of the hardware it is used with.
'If you have money you can crunch something really quickly,' Steve said. For $1,000 you could crack a key and unencrypt a call in about 30 minutes. For considerably more you could reduce the time to about 30 seconds.
As for who would use this system, Steve and Hulton couldn't say.
'We're just two tech guys,' Steve said. 'We didn't do any market research.'
William Jackson is freelance writer and the author of the CyberEye blog.