Full disclosure of IT security problems can be tricky, never quite pleasing all concerned parties. Maybe this time will be different.
After some investigation, I found an article in Mobile Europe that presented several opinions about Nohl's project. Analysts appear to be concerned. They say the methodology required to crack GSM encryption has been available for 15 years. Cellcrypt CEO Simon Bransfield-Garth mentioned:
"Everybody has known for quite some time that a theoretical hack of GSM existed. This news means that the theoretical risk will become a very real one within the next six months."
Stan Schatt, Vice President and Practice Director, Healthcare and Security at ABI Research, pointed out:
"Potentially this news could have as profound an impact on the cell phone industry as the breaking of WEP encryption had on the wireless LAN industry."
I did some checking and, according to GSM World, there are billions of people using GSM phone technology. So, cracking GSM encryption has some significance.
Implications
It doesn't take long to realize what's at stake if GSM-encrypted traffic is no longer secure:
- Confidential calls (heck, any GSM phone call) could be monitored.
- Financial institutions that use text messages as authentication tokens would be in trouble.
- Smart-phone traffic bound for the Internet is no longer secure on the GSM network portion.
As a cryptography expert, Nohl understands this. He told Elinor Mills of CNET:
"We're not creating a vulnerability but publicizing a flaw that's already being exploited widely. Clearly we are making the attack more practical and much cheaper, and of course there's a moral question of whether we should do that."
I wasn't aware of the GSM protocol already being co-opted until I read that. After searching the Internet, I found that there are indeed devices capable of cracking GSM encryption, but they are expensive. Nohl plans on offering the solution for free.
Final thoughts
I have two questions:
- If GSM encryption is vulnerable, why haven't the telcos done something about it?
- Is it right that Nohl and other experts use tactics resembling blackmail to get things fixed?