Is Cell Phone Security A Virtual House Of Cards? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Mobile
Commentary
8/28/2009
05:20 PM
50%
50%

Is Cell Phone Security A Virtual House Of Cards?

Mobile service providers insist there is nothing wrong with their security standards. Are they whistling past the digital graveyard?

Mobile service providers insist there is nothing wrong with their security standards. Are they whistling past the digital graveyard?GSM is the world's dominant mobile communications technology. Today, nearly 3.5 billion people in over 200 countries use mobile handsets that employ the standard.

Most knowledgeable users assume that their GSM handsets use encryption to secure voice and data transmissions. In fact, GSM uses a particular encryption algorithm, known as A5/1, to encrypt voice calls in Europe and the United States.

A variant called A5/3 is mandated for use with 3G data services. It uses a longer encryption key; as a result, it is considered less vulnerable -- but not invulnerable -- to attack.

Last year, a group of hackers started a project to attack known weaknesses in the A5/1 algorithm using off-the-shelf hardware and open-source software tools. The result: A compelling theoretical blueprint for a GSM scanner that could, in a matter of seconds, capture and crack encrypted cell phone traffic.

For a while, the GSM encryption-busting initiative appeared to drop off the radar. Last month, however, the organizers appeared at the Black Hat conference in Las Vegas to reaffirm their approach to exposing fundamental flaws in GSM encryption.

Does the initiative represent an immediate threat to cell phone data security? It is difficult to say.

In the first place, there is often a considerable gap between a proof-of-concept project and functional exploits. On the other hand, it looks like that gap will close in a matter of months, at the latest.

Also, it appears that 3G traffic -- potentially a gold mine of sensitive data -- doesn't yet figure in this story.

The real problem involves the mobile industry's response to the issue. It's laughable, and it does not bode well for the future.

According to one recent article covering the issue, mobile operators scoffed at the fact that the GSM exploit requires the generation of a 2TB "rainbow table," a type of data array that greatly simplifies the process of cracking an encryption algorithm.

It's true that creating such a table on a single PC could, in theory, take thousands of years. According to Dr. Karsten Nohl, however, the lead developer working on the GSM decoding proof-of-concept project, a far more efficient approach involves using a distributed computing infrastructure. An ad hoc, peer-to-peer network of this sort can use high-end desktop graphics processors -- known for their massive parallel computing capabilities -- to generate the rainbow table in a matter of weeks.

Once that work is done, the table can be distributed to anyone "with a laptop and an antenna" who wants to listen in on GSM voice calls or text messages.

GSM network operators don't have much to say about all of this. Instead, they're fixated on the fact that the rainbow table would be around 2TB in size -- or as an industry trade group puts it, "equivalent to the amount of data contained in a 20 kilometre high pile of books."

I would put it a different way. I can buy 2TB of storage for less than it would cost to buy a new GSM smartphone. That's a far more relevant analogy than a feeble attempt to make 2TB of data sound super-scary-big by comparing it to a pile of books.

The industry group representing GSM operators also scoffed at the cost and complexity of a radio receiver necessary to capture raw cell phone data. Here too, these companies are stuck firmly in the 1980s: Anyone can buy the hardware necessary to capture GSM radio signals for around $700; those with electronics expertise can build their own for even less.

The other piece of the GSM data-capture puzzle, software capable of converting the GSM radio signals, is available for free.

Last year, security expert Bruce Schneier looked at the GSM encryption issue and noted that "attacks never get better; they always get worse. This is why we tend to abandon algorithms at the first sign of weakness."

We're seeing this trend in action as WPA wireless encryption joins its worthless cousin WEP on the technology trash-heap. And we are certainly seeing it happen as hackers turn a complicated, expensive GSM data-grabbing scheme into a relatively cheap and simple technical exercise.

Mobile service providers need to take this problem a lot more seriously. Security through obscurity is a terrible way to do business, but security through denial is even worse.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
Reflections on Tech in 2019
James M. Connolly, Editorial Director, InformationWeek and Network Computing,  12/9/2019
Slideshows
What Digital Transformation Is (And Isn't)
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/4/2019
Commentary
Watch Out for New Barriers to Faster Software Development
Lisa Morgan, Freelance Writer,  12/3/2019
White Papers
Register for InformationWeek Newsletters
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Video
Current Issue
The Cloud Gets Ready for the 20's
This IT Trend Report explores how cloud computing is being shaped for the next phase in its maturation. It will help enterprise IT decision makers and business leaders understand some of the key trends reflected emerging cloud concepts and technologies, and in enterprise cloud usage patterns. Get it today!
Slideshows
Flash Poll