Cracking GSM encryption just got easier

Two security researchers have made it a great deal easier for someone to listen in on your GSM-based phone conversations.

For all intents and purposes, most everyone, including the GSMA, an organization representing most of the mobile phone operators, considered and still considers GSM very secure. In reality, A5/1, the cipher used to encrypt GSM communications, has been known to be vulnerable for at least a decade. The sense of security seems to rest on the fact that the original attack avenues required a great deal of computing power, time, and therefore money to accomplish the crack. So an organization would have to be particularly motivated to even want to crack GSM traffic. Care to guess who has enough motivation?

It appears that researchers David Hulton and Steve Muller have recently developed techniques that greatly reduce the time and computing power needed to crack A5/1 encryption. The two researchers have even patented their work personally. These efficient modifications of the original crack open all sorts of doors, making it easier for both black and white hat types to decode GSM conversations. Because of the implied uses for this technology, I was hoping to find out what motivates people to do this kind of research, as it is certainly controversial.

Both Hulton and Muller claim that their goal was to bring attention to the inherent weakness of GSM A5/1 encryption, and some agree with them. Bruce Schneier, a well-known security expert, is in accord and says:

“The new technique may serve as a wake-up call for mobile carriers, which have long been in denial about the vulnerabilities of GSM security. This is a nice piece of work, but it isn't a surprise,” he says. “We've been saying that this algorithm is weak for years. The mobile industry kept arguing that the attack was just theoretical. Well, now it's practical.”

Others, who are more cynical, point out that Hulton works for Pico Computing. The company makes field-programmable gate arrays (FPGAs), the high-end processors needed to speed up the decryption process. The same people also mention that Muller works for CellCrypt, which specializes in encryption products for cell phones.

The attack process

The initial step is to learn the subscriber identification number and equipment ID of the target phone. That can be accomplished by initiating a phone call to the target phone. Since this information is sent in the clear, it can be easily obtained using the appropriate receiver. An alternative method is to wait for the target phone to originate a phone call and receive the required information when the phone contacts the provider's closest cell tower. With this information the attacker can then focus on calls from that specific phone. The ability to obtain this information, which is unique to each cell phone, is where many experts are a bit miffed at the mobile carriers, since the GSM technical specification says that this information should be encrypted as well.

The next step is very similar to what is required to crack WEP. The cell network repeatedly sends frames whose plaintext content is predictable; once these are captured and recorded, the attacker knows both the plaintext and the ciphertext of the same frames and can apply the all too familiar "rainbow tables" attack, matching the encrypted frames against precomputed tables to recover the session key. Then it is just a matter of time until the encrypted conversation is converted into usable information.
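As an added illustration (not from the article or the researchers' work), the toy stream cipher below uses a deliberately tiny 16-bit key to show the mechanism behind the two ingredients described above: a repeated frame whose plaintext is known lets an eavesdropper recover the keystream by XOR, and a one-time precomputed keystream-to-key table then turns key recovery into a dictionary lookup. The cipher, the frame content and the key size are constructed for the demonstration and have nothing in common with A5/1's internals; the point is how precomputation shifts the cost from every crack to a single upfront step.

```python
import hashlib
import os

# Constructed toy stream cipher (NOT A5/1): keystream = SHA-256(key), truncated.
# The 16-bit key space is chosen so the full table fits in memory in a second.
KEY_BITS = 16
FRAME_LEN = 8  # bytes per toy "frame"


def keystream(key: int) -> bytes:
    """Keystream for one frame under the given key."""
    return hashlib.sha256(key.to_bytes(2, "big")).digest()[:FRAME_LEN]


def encrypt(key: int, plaintext: bytes) -> bytes:
    """Stream encryption: plaintext XOR keystream (decryption is identical)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key)))


# Constructed stand-in for a signalling frame whose content is fixed and
# publicly known, like the repeated plaintext frames the article refers to.
KNOWN_FRAME = b"\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b"


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext XOR observed ciphertext yields the keystream directly."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def build_table() -> dict:
    """One-time precomputation mapping every possible keystream to its key.
    This is the expensive step; it is paid once and reused for every capture."""
    return {keystream(k): k for k in range(1 << KEY_BITS)}


def lookup_key(table: dict, ciphertext: bytes, known_plaintext: bytes):
    """Per-capture cost after precomputation: one XOR and one dictionary lookup."""
    return table.get(recover_keystream(ciphertext, known_plaintext))


def demo() -> bool:
    """Encrypt the known frame under a random key and recover that key."""
    table = build_table()
    key = int.from_bytes(os.urandom(2), "big")
    ct = encrypt(key, KNOWN_FRAME)
    return lookup_key(table, ct, KNOWN_FRAME) == key
```

Doubling the key length squares the table size and precomputation time, which is why the original attacks were considered impractical; the researchers' contribution, per the article, is reducing that cost for A5/1's real key space, not changing the principle shown here.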

Final thoughts

This once again points to the axiom that any voice or data communications traveling over the public airwaves should be considered public. For more details about the findings, the article "Research May Hasten Death of Mobile Privacy Standard" in the Washington Post or the article "Wiretapping Made Easy" at may be of interest.