Public call to crack GSM encryption: Appropriate or not?

Each year, I like to peruse the seminar notes from the Hacker at Random convention. They have a way of foretelling hacking trends that are missed at Black Hat and DEFCON.

This year was no exception. Karsten Nohl, a PhD candidate from the University of Virginia gave quite a talk. He wants to create a rainbow table that will decipher GSM (AT&T and Tmobile) phone calls.

Experts are saying

After some investigation, I found an article in Mobile Europe that presented several opinions about Nohl’s project. Analysts appear to be concerned. They are saying methodology required to crack GSM encryption has been available for 15 years. Cellcrypt CEO Simon Bransfield-Garth mentioned:

“Everybody has known for quite some time that a theoretical hack of GSM existed. This news means that the theoretical risk will become a very real one within the next six months.”

Stan Schatt, Vice President and Practice Director, Healthcare and Security at ABI Research pointed out:

“Potentially this news could have as profound an impact on the cell phone industry as the breaking of WEP encryption had on the wireless LAN industry.”

I did some checking and according to GSM World, there are billions of people using GSM phone technology. So, cracking GSM encryption has some significance.

Implications

It doesn’t take long to realize what’s at stake if GSM-encrypted traffic is no longer secure:

Confidential, heck any GSM phone call could be monitored.

Financial institutions that use text messages as authentication tokens would be in trouble.

Smart-phone traffic bound for the Internet is no longer secure on the GSM network portion.

Nohl’s motive

As a cryptography expert, Nohl understands this. He told Elinor Mills of CNET:

“We’re not creating a vulnerability but publicizing a flaw that’s already being exploited widely. Clearly we are making the attack more practical and much cheaper, and of course there’s a moral question of whether we should do that.”

I wasn’t aware of the GSM protocol already being co-opted, until I read that. After searching the Internet, indeed there are devices capable of cracking GSM encryption, but they are expensive. Nohl plans on offering the solution for free.

Final thoughts

I have two questions:

If GSM encryption is vulnerable, why haven’t the telcos done something about it?

Is it right that Nohl and other experts use tactics resembling blackmail to get things fixed?

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

Payroll

The Best Human Resources Payroll Software of 2023

With a lot of choices in the market, we have highlighted the top six HR and payroll software options for 2023.

A computer running Windows 11. — Image: Microsoft.

Software

Windows 11 update brings Bing Chat into the taskbar

Microsoft's latest Windows 11 allows enterprises to control some of these new features, which also include Notepad, iPhone and Android news.

A software engineer works from home. — Image: tanatat/Adobe Stock

CXO

Tech jobs: No rush back to the office for software developers as salaries reach $180,000

Salaries for remote roles in software development were higher than location-bound jobs in 2022, Hired finds.

Project management process to manage and develop with resources to deliver quality product, agile development cycle, businessman project manager balance on clock juggling project management elements. — Image: Nuthawut/Adobe Stock

Software

The 10 best agile project management software for 2023

With so many agile project management software tools available, it can be overwhelming to find the best fit for you. We've compiled a list of 10 tools you can use to take advantage of agile within your organization.

A user typing a password. — Image: Song_about_summer/Adobe Stock

Security

1Password is looking to a password-free future. Here’s why

With phishing-based credentials theft on the rise, 1Password CPO Steve Won explains why the endgame is to 'eliminate’ passwords entirely.

PURPOSE This Media disposal policy from TechRepublic Premium provides specific instructions for ensuring organization data is properly protected when disposing of old storage media. From the policy: POLICY DETAILS When disposing of damaged, unusable, obsolete, off-lease, decommissioned, old, or end-of-service-life equipment and media, the organization requires that the guidelines outlined herein be followed: Hard drives, ...

PURPOSE To take some of the effort out of writing (and rewriting) emails to share with company staff and executives, TechRepublic Premium has assembled basic templates to handle the most common types of communications. Simply copy the text into your favorite word processor and customize it to fit your needs. Then, paste it into an ...

PURPOSE The purpose of this policy from TechRepublic Premium is to provide guidelines for developing mobile applications from a security, procedural and best practices standpoint. While it contains technical guidelines, it is not intended to serve as a programming guide but as a framework for operations. This policy can be customized as needed to fit ...

Public call to crack GSM encryption: Appropriate or not?