Cheap GSM Eavesdropping a Reality

Soulskill posted more than 3 years ago | from the poking-holes-in-the-ether dept.

Cellphones 75

Techmeology writes "GSM eavesdropping has been demonstrated at the Chaos Computer Club Congress in Berlin using a €10 Motorola phone and open source GSM firmware. Karsten Nohl and Sylvain Munaut replaced the firmware on the phone, enabling them to process all the data it received. They used already available rainbow tables to decrypt data being sent to and from other mobile phones. They have no plans to release the hack publicly, however they expect others to successfully attempt the hack. Mr. Nohl said the objective was to raise awareness of GSM's insecurity."
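An added example to go with the summary above (not code from the 27C3 talk, the phone firmware it used, or any of the posters): a Python implementation of the A5/1 keystream generator, written from the long-public reverse-engineered description of the cipher (three LFSRs of 19, 22 and 23 bits, majority-rule irregular clocking, a 64-bit key and a 22-bit frame number). It shows why precomputed tables work at all: every 114-bit burst of keystream is a deterministic function of the secret 64-bit key and a public frame number, so a burst whose plaintext the attacker can predict, XORed with its ciphertext, gives back raw keystream to look up. The key bytes and frame number in the test are assumed sample values, not anything from the talk.

```python
"""A5/1 keystream generator (added example; stdlib only)."""

# Register widths and tap positions from the public A5/1 description.
R1_MASK, R2_MASK, R3_MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF      # 19, 22 and 23 bits
R1_MID, R2_MID, R3_MID = 1 << 8, 1 << 10, 1 << 10               # majority-clocking bits
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080        # feedback taps
R1_OUT, R2_OUT, R3_OUT = 1 << 18, 1 << 21, 1 << 22              # output bits


def _parity(x):
    return bin(x).count("1") & 1


def _step(reg, mask, taps):
    """Shift one LFSR left by one bit, feeding back the parity of its taps."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    """Keystream generator for one (key, frame) pair. The whole input is 86 bits,
    of which only the 64-bit key is secret; the frame number is sent in clear."""

    def __init__(self, key, frame):
        if len(key) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("A5/1 takes a 64-bit key and a 22-bit frame number")
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):                  # key loading: all registers clocked regularly
            self._clock_all()
            self._xor_in((key[i // 8] >> (i & 7)) & 1)
        for i in range(22):                  # frame number loading, same way
            self._clock_all()
            self._xor_in((frame >> i) & 1)
        for _ in range(100):                 # 100 majority-clocked steps, output discarded
            self._clock()

    def _xor_in(self, bit):
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self):
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def _clock(self):
        """Majority rule: a register steps only if its clocking bit agrees with the majority."""
        b1, b2, b3 = bool(self.r1 & R1_MID), bool(self.r2 & R2_MID), bool(self.r3 & R3_MID)
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if b2 == maj:
            self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if b3 == maj:
            self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def burst(self):
        """Next 114-bit keystream burst, packed MSB-first into 15 bytes (last 6 bits zero)."""
        out = bytearray(15)
        for i in range(114):
            self._clock()
            bit = _parity(self.r1 & R1_OUT) ^ _parity(self.r2 & R2_OUT) ^ _parity(self.r3 & R3_OUT)
            out[i // 8] |= bit << (7 - (i & 7))
        return bytes(out)


def keystream(key, frame):
    """The two bursts produced per frame: downlink (A->B) first, then uplink (B->A)."""
    gen = A51(key, frame)
    return gen.burst(), gen.burst()


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(ciphertext_burst, known_plaintext_burst):
    """Where a table attack starts: a burst whose plaintext is predictable (padding,
    fixed signalling fields) XORed with its ciphertext yields raw keystream, which is
    what the precomputed tables are indexed on."""
    return xor_bytes(ciphertext_burst, known_plaintext_burst)


if __name__ == "__main__":
    # Assumed sample key and frame number, not values from the talk.
    down, up = keystream(bytes([0x12, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF]), 0x134)
    print("downlink:", down.hex(), "uplink:", up.hex())
```

Note what is not in the code: no nonce, no authentication, and a key that is only 64 bits. Nothing in the air interface stops a listener from collecting bursts, and once one burst's keystream is known the rest of the session follows.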

Until phones have real crypto (3, Insightful)

dgatwood (11270) | more than 3 years ago | (#34722882)

Until phones use proper PK crypto with a proper certificate authority, key revocation, etc. under the user's control, you can safely assume your phone calls are trivially snooped over the air. That's just a great big "duh". Not at all surprising that it can be done cheaply. What's surprising is that it took so long.

Re:Until phones have real crypto (3, Funny)

socsoc (1116769) | more than 3 years ago | (#34722912)

I feel safe. First I have my message translated by code talkers, who then encode it into an image and text it to my friends.

Although lemme tell you, MMS steganography isn't very convenient to see what people are up to.

Re:Until phones have real crypto (3, Funny)

0100010001010011 (652467) | more than 3 years ago | (#34722962)

Rent a Navajo Today!

No more worrying if your neighbor is intercepting your calls. No more being paranoid of foreign governments. Conduct insider trading in front of the SEC!

Word on the street is Julian Assange has his very personal Navajo. No proper businessman would be caught without one.

- Paid for by the Navajo Talkers of America

Re:Until phones have real crypto (3, Funny)

KDN (3283) | more than 3 years ago | (#34722990)

Assuming you trust the Navajo.

Re:Until phones have real crypto (0)

Anonymous Coward | more than 3 years ago | (#34725218)

Assuming you trust the Navajo.

http://www.kstrom.net/isk/maps/az/navhopi.html
Yeah, the Navajos stole some more of our land. The Hopis have specks of land in comparison that are surrounded by the Navajo rez.

Not to mention that the Navajos were nomads and the Hopis were farmers and built villages.
http://www.watertown.k12.ma.us/cunniff/americanhistorycentral/02indiansofnorthamerica/The_Navajos.html

- A Hopi guy that doesn't really trust the Navajo.

Re:Until phones have real crypto (1)

TheRaven64 (641858) | more than 3 years ago | (#34723028)

I heard a rumour that the NSA has its very own Navajo, and so can intercept all of your messages.

Re:Until phones have real crypto (1)

interval1066 (668936) | more than 3 years ago | (#34723214)

Presumably to protect your important messages from the Imperial Japanese Navy. Reality is service providers don't and have never taken their customers' privacy very seriously, and how can you, really, if your customers' private data is a second revenue stream for you. Nice thing is, if you have an app-installable smart phone you can encrypt your communications yourself. Bad thing is few users take their communication privacy seriously either.

Re:Until phones have real crypto (1)

grcumb (781340) | more than 3 years ago | (#34727258)

Rent a Navajo Today!

No more worrying if your neighbor is intercepting your calls. No more being paranoid of foreign governments. Conduct insider trading in front of the SEC!

Word on the street is Julian Assange has his very personal Navajo. No proper businessman would be caught without one.

- Paid for by the Navajo Talkers of America

This is insightful in a Haha Only Serious kind of way.

The fact of the matter is that a Personal Navajo [imagicity.com] is actually a pretty comprehensible way to present Public/Private Key cryptography to non-technical users.

Re:Until phones have real crypto (1)

fatphil (181876) | more than 3 years ago | (#34729746)

The analogy on that page is completely useless. It has none of the properties that the real cryptosystems have, and plenty that the real cryptosystems don't have.

Obligatory XKCD (1)

Anonymous Coward | more than 3 years ago | (#34723104)

http://xkcd.com/257/

Re:Obligatory XKCD (1)

floydman (179924) | more than 3 years ago | (#34725740)

Mod parent up!

Re:Until phones have real crypto (1)

cyber-vandal (148830) | more than 3 years ago | (#34722922)

Oh yeah, that's just what we want - OMG LOL crap I revoked my PK crypto.

Re:Until phones have real crypto (2)

JockTroll (996521) | more than 3 years ago | (#34723034)

Revoking a Navajo would be much worse.

Re:Until phones have real crypto (1)

horza (87255) | more than 3 years ago | (#34723302)

Even funnier is the way people put locks on their front doors. Just imagine OMG LOL crap I lost my door key. Hilarious.

Phillip.

Re:Until phones have real crypto (1)

cyber-vandal (148830) | more than 3 years ago | (#34723950)

You can still break into your house if you lose your key. You don't need to phone an Indian call centre and try to get them to understand what you need.

Re:Until phones have real crypto (0)

Anonymous Coward | more than 3 years ago | (#34723000)

Why do the users need public keys and so on? A carrier could have public keys for each tower, signed by a root certificate from that network. Phones that operate on, say, Verizon would have the Verizon root pre-loaded. Then the key exchange could work as in TLS, using the tower's public key to provide security.

Re:Until phones have real crypto (2)

dgatwood (11270) | more than 3 years ago | (#34723704)

TLS proves the tower is owned by the telco, but it doesn't prove that the tower isn't compromised. Further, since a sizable portion of towers are owned by local telcos and are merely used by the major telcos, you'd need most of that PK infrastructure to handle such a trust model anyway, so why not do the extra 10% to get it right?

A proper security scheme really should be end-to-end encrypted, not end-to-nearest-trusted-node encrypted. I realize that this scares the bajeezus out of the powers that be because it makes government eavesdropping difficult as well, but as soon as you leave a back door, it can be exploited.

Re:Until phones have real crypto (2)

eddy (18759) | more than 3 years ago | (#34723090)

I'd settle for AES using a pre-shared key.

Re:Until phones have real crypto (2)

Sloppy (14984) | more than 3 years ago | (#34723238)

That's actually a reasonably good idea. I love PK, but in real life, 99% of my phone calls are to people that I already know, where there's just no reason (other than the fact that current devices suck) one can't establish a shared secret in advance. In a sense, even AES is underkill; not that anyone needs more, but even syncing up a few gigabytes of OTP is totally feasible. "Feasible" even understates it; technically it would be trivial.

We walk around with devices that contain microphones and antennas, and many have CCDs, accelerometers and other crap. They have awesome potential as random number generators. Get two of 'em in the same room for a little while, or spend a few hours charging on the nightstand a few inches away from the spouse's device, and there's the chance to set up a pad with virtually no possibility of eavesdropping unless the room is bugged (and if you're worried about that, use a cable -- unfortunately, if things have gone that far, you have already lost so it doesn't matter whether or not you have good crypto).

Most of our phone calls could be secure, if we wanted that.

Re:Until phones have real crypto (1)

ThunderBird89 (1293256) | more than 3 years ago | (#34723546)

Most of our phone calls could be secure, if we wanted that.

Or if manufacturers and carriers would either let us do the required hacking or do it themselves, and even then, Average Joe doesn't need such security or want to bother setting it up. Just imagine: you get a cell number from an overseas contact in an email. If you then wanted a secure conversation, you'd need to meet up in person to synch OTPs, at which point the whole cryptographic scheme would be pretty much moot.

Re:Until phones have real crypto (0)

Anonymous Coward | more than 3 years ago | (#34723966)

Isn't that exactly the problem public key encryption solves?

Seriously, find a real problem to pick apart.

Re:Until phones have real crypto (1)

Sloppy (14984) | more than 3 years ago | (#34723988)

For situations where you don't want to "bother setting it up" (and let's be realistic about the UI: all that can mean, is meeting in person and pressing a button or connecting a cable; if it's harder than that, it's too hard) like your phone-number-in-an-unencrypted-email example, you fall back to the WoT and use PK. But that's the second-worst case scenario; I was talking about something else, where people realistically do meet each other sometimes, in addition to talking on phones.

BTW, it doesn't matter what Joe Average needs. Make "reasonably secure" be the default, normal situation. Joe Average doesn't need to use envelopes for his snail mail instead of postcards, but we typically use envelopes anyway, and that's ok! Even if they're overkill, envelopes are just too easy to use, to be worth thinking about when you need one and when you don't.

A lot of security pros get caught up in worrying about what is needed and threat models, but sometimes god-proof crypto can be so easy to deploy that it's faster and easier to just use it, than to even think about what you're securing against. People who live together so that their phones could routinely and trivially exchange shared secrets, are a good example of that.

Let's do our thinking when we make the tools, so that most users usually won't have to. Assume Joe Average's "rofl" response to someone sending him a picture of a cat in a Santa hat, needs to be safe from the transcendent intelligences existing in the High Beyond portion of the galaxy. Then only relax that assumption when it's inconvenient. I think we'll find there are many scenarios where it's not inconvenient.
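The pad scheme argued for in the two posts above, as an added example (not code from any poster or project): the XOR is the easy part, the bookkeeping is where one-time pads fail. This Python class splits a pad exchanged in person into one segment per direction, consumes each byte exactly once, refuses to encrypt once its segment is exhausted, and rejects a replayed or rewound offset on receipt. The pad comes from os.urandom here as a stand-in for the sensor-entropy idea in the post; the message offsets being sent in clear alongside the ciphertext is an assumed framing, not anything the posts specify. The last function shows what leaks if two messages ever share pad bytes.

```python
"""One-time-pad endpoint with reuse protection (added example; stdlib only)."""
import os


class PadEndpoint:
    """One side of a pad shared by two devices. The first half of the pad is used
    for messages in one direction, the second half for the other, so the two
    sides can never encrypt with the same bytes."""

    def __init__(self, pad, sends_first_half):
        half = len(pad) // 2
        self._send = pad[:half] if sends_first_half else pad[half:]
        self._recv = pad[half:] if sends_first_half else pad[:half]
        self.sent = 0        # bytes of the send segment already consumed
        self.received = 0    # highest receive offset seen so far

    def remaining(self):
        return len(self._send) - self.sent

    def encrypt(self, plaintext):
        """Returns (offset, ciphertext). The offset tells the peer which pad bytes were used."""
        n = len(plaintext)
        if self.sent + n > len(self._send):
            raise ValueError("pad exhausted: refusing to reuse key material")
        offset = self.sent
        ks = self._send[offset:offset + n]
        self.sent += n                       # advance before returning: never hand out the same bytes twice
        return offset, bytes(p ^ k for p, k in zip(plaintext, ks))

    def decrypt(self, offset, ciphertext):
        """Offsets may skip forward (a lost message just burns pad) but never go back,
        which rejects replays of an earlier ciphertext."""
        n = len(ciphertext)
        if offset < self.received:
            raise ValueError("pad offset rewound: replay or duplicate message")
        if offset + n > len(self._recv):
            raise ValueError("offset beyond the end of the receive segment")
        ks = self._recv[offset:offset + n]
        self.received = offset + n
        return bytes(c ^ k for c, k in zip(ciphertext, ks))


def pair(pad_len):
    """Two endpoints that met and copied the same fresh pad, as the post describes."""
    pad = os.urandom(pad_len)
    return PadEndpoint(pad, True), PadEndpoint(pad, False)


def reuse_leak(shared_pad_bytes, plaintext1, plaintext2):
    """Two messages under the same pad bytes: XOR of the ciphertexts equals XOR of the
    plaintexts. The pad cancels out, and with one guessable message the other is exposed."""
    c1 = bytes(p ^ k for p, k in zip(plaintext1, shared_pad_bytes))
    c2 = bytes(p ^ k for p, k in zip(plaintext2, shared_pad_bytes))
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    alice, bob = pair(64)
    off, ct = alice.encrypt(b"meet at 9")
    print(bob.decrypt(off, ct), "pad left:", alice.remaining())
```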

Re:Until phones have real crypto (1)

fatphil (181876) | more than 3 years ago | (#34729774)

"god-proof crypto can be so easy to deploy that it's faster and easier to just use it, than to even think about what you're securing against."

Then you've probably already lost. Remember in Aliens when they had Alien-proof welding on the door?

Re:Until phones have real crypto (1)

Sloppy (14984) | more than 3 years ago | (#34749246)

Remember in Aliens when they had Alien-proof welding on the door?

  1. Since putting alien-proof welding everywhere involves some significant time and materials, I won't talk shit about the space marines and their failure to establish an alien-proof perimeter. But we just have to click a mouse button. What's our excuse for not putting alien-proof welding on the ceiling?
  2. And if it weren't for that damn crawlspace, the welding on the doors would have been a good use of resources. Don't let their failure convince you to stop welding your doors shut. I'm telling you, the door is going to be the first thing they try. Shut the door and maybe the aliens will go look for someone else to bother.

Re:Until phones have real crypto (1)

AmiMoJo (196126) | more than 3 years ago | (#34730874)

I have never been able to work out why Thunderbird or any other OS mail app does not do public key exchange automatically. If the default install shipped with GPG and attached your public key and signed every message by default, we could make real progress towards encrypted-by-default communications.

My guess is that they are worried about confusing people with strange attachments and text appended to their mails. I can't think of a reason why that stuff could not be moved to mail headers though.

Re:Until phones have real crypto (0)

Anonymous Coward | more than 3 years ago | (#34736216)

There's actually a fairly simple solution to the secret issue, see the Socialist Millionaire Problem [wikipedia.org] as implemented by OTR [wikipedia.org] for an example.

This works so long as there is some shared secret you can use.

Re:Until phones have real crypto (0)

Anonymous Coward | more than 3 years ago | (#34724874)

I'd settle for AES using a pre-shared key.

Which should be relatively easy given that the SIM was given to you by the mobile provider and so they should know it.

The reason CAs and the whole PKI are needed was to establish "trust" between parties which may never have had any previous relationship (a browser contacting a 'random' web site).

In recent years the hard part has generally been key management/distribution.

Re:Until phones have real crypto (0)

Anonymous Coward | more than 3 years ago | (#34723136)

This is what SIM cards need to do:

1: Have multiple types of keys stored onboard the device, such as an ECC key and an RSA key. The keys are generated on the SIM card, then certified by the cellular carrier's CA (the CA key used offline and stored in a proper HSM, of course.) This way, should RSA get broken, it wouldn't be hard to fall back to ECC.

2: Do the same with symmetric encryption. AES-256 is good, but have SERPENT or another top tier algorithm ready to go just in case AES is made useless.

3: Hashes as well. Have the SHA-3 algorithm, once it is finalized, but have Whirlpool and Skein available.

4: Start using "standard" crypto for encoding communications. Towers could use the same mechanism that SSL does so the phone knows it is talking to a "genuine" tower and not a bogus one. Then fire up Diffie-Hellman for a key exchange, make a session key, and go from there.

5: If an eavesdropping key is required, it isn't hard to tack on an ADK onto the keys stored in the SIM.

One reason GSM used obscure algorithms was that they were fast. However, with conventional chips, even embedded ones on smart cards, AES-256 is pretty easy to do in real time.

Re:Until phones have real crypto (1)

petermgreen (876956) | more than 3 years ago | (#34725632)

And it's not like landline phones are secure either, anyone can climb up the pole and fit a tap to your line. Provided they have the right equipment they are pretty unlikely to be noticed.

Re:Until phones have real crypto (1)

locofungus (179280) | more than 3 years ago | (#34729418)

Why do you need a certificate authority?

If I call up one of my friends I'll know pretty quickly if it's not really them. If I call up someone I don't know then I don't see that there is any great benefit in knowing that some other random company says that this random person that I don't know really is a random person that I don't know - the main benefit will be that if I call them more than once then I can confirm that I'm talking to the same person.

Certificate revocation is slightly different, but even then you don't really need a central authority - you merely need some known places where you can go to check if a certificate has been revoked and they just share any revocations that they've received.

Firefox's model is so broken with regards to certificates. I have to permanently accept a certificate before I've seen the site I'm visiting. Unverified HTTPS certificates should be treated exactly like HTTP connections but with the extra ability to be able to say "Yes, this is the right site this time, please warn me if someone might be spoofing it in the future" (Konqueror is only slightly better, at least it has "accept this certificate for this session only" but still doesn't have an easy way to make that acceptance permanent after seeing the site)

It's really bizarre how most people seem to get this backwards and want to be able to offload their trust onto someone else. Even the British Government do (did[1]) it. I have a user name and password to access the UK government stuff, mainly to do my tax return each year. I could, if I wanted, create a client certificate to do this. However, in order for the British Government to accept a client certificate it has to be signed by BT, a company I have no relationship at all with - quite how the British government thinks BT is more likely to know who I am than they are is completely beyond me.

Tim.

[1] I looked into this years ago when tax returns first went online. It may have changed now.
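The certificate handling the post above asks for, as an added example (not code from Firefox, Konqueror or any poster): trust on first use. Nothing is decided before the site is seen; the user can then pin the certificate for this session only or permanently, and any later change for that host is reported as a mismatch rather than silently overwritten. The pin is a SHA-256 fingerprint of the DER-encoded certificate; the certificate bytes in the usage line are constructed stand-ins, and the JSON file format is an assumption of this example.

```python
"""Trust-on-first-use certificate store (added example; stdlib only)."""
import hashlib
import json
from enum import Enum


class Verdict(Enum):
    FIRST_SEEN = "no pin recorded for this host yet"
    TRUSTED = "matches the pinned certificate"
    MISMATCH = "DIFFERENT certificate from the pinned one: possible spoofing"


def fingerprint(der_cert):
    """SHA-256 over the DER bytes, so any change to the certificate changes the pin."""
    return hashlib.sha256(der_cert).hexdigest()


class TofuStore:
    def __init__(self, persistent=None):
        self.persistent = dict(persistent or {})   # host -> fingerprint, survives restarts
        self.session = {}                          # host -> fingerprint, forgotten at exit

    def evaluate(self, host, der_cert):
        """Called on every connection. Never prompts; just classifies."""
        pinned = self.persistent.get(host) or self.session.get(host)
        if pinned is None:
            return Verdict.FIRST_SEEN
        return Verdict.TRUSTED if pinned == fingerprint(der_cert) else Verdict.MISMATCH

    def accept(self, host, der_cert, permanent=False):
        """Pin the certificate the user has just looked at. An existing, different pin is
        never replaced here; that needs an explicit replace_pin so spoofing cannot
        be waved through by the same click that accepts a new site."""
        if self.evaluate(host, der_cert) is Verdict.MISMATCH:
            raise ValueError("host already pinned to a different certificate")
        target = self.persistent if permanent else self.session
        target[host] = fingerprint(der_cert)

    def promote(self, host):
        """Turn a session-only acceptance into a permanent pin after seeing the site."""
        self.persistent[host] = self.session.pop(host)

    def replace_pin(self, host, der_cert):
        """Deliberate re-pin after the user has decided the change is legitimate."""
        self.session.pop(host, None)
        self.persistent[host] = fingerprint(der_cert)

    def dump(self):
        """Only permanent pins are written out; session pins are meant to be lost."""
        return json.dumps(self.persistent, sort_keys=True)

    @classmethod
    def load(cls, text):
        return cls(json.loads(text))


if __name__ == "__main__":
    store = TofuStore()
    cert_a = b"constructed-der-bytes-for-cert-A"   # stand-in for a real DER certificate
    print(store.evaluate("mail.example.test", cert_a))
    store.accept("mail.example.test", cert_a)       # session only, after viewing the site
    store.promote("mail.example.test")              # make it stick
    print(store.evaluate("mail.example.test", b"constructed-der-bytes-for-cert-B"))
```

This is the pinning half only. It says nothing about who the site is on first contact, which is exactly the trade-off the post describes: you get continuity (same site as last time), not identity.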

Chaos Communication Congress (1)

Anonymous Coward | more than 3 years ago | (#34722916)

27C3 => 27th. Chaos Communication Congress not Chaos Computer Club Congress. But it is a congress held by the CCC (Chaos Computer Club) ;-)

And the presentation in question was awesome. I recommend that anyone get the stream dump or, if you can wait a bit, the official video releases that will be published later on. Pretty much all talks at the Congress were recorded and are/will be available for download.

Cheers

I don't care... (5, Interesting)

fearlezz (594718) | more than 3 years ago | (#34722972)

... because governments spying on their own people are much more dangerous to your privacy than the neighbour wiretapping a conversation. Since governments can simply wiretap your provider, I'd suggest to keep private information off the line at all times.

Re:I don't care... (2)

CastrTroy (595695) | more than 3 years ago | (#34723022)

Exactly. In this day and age, there are so many more and better ways of encrypting your conversations that it's amazing that anybody uses cell phones and other government-tappable means of communication when doing things the government would be interested in. I'm sure that there are many criminals who are using proper crypto to send messages, but there are many, many more who aren't, and those are the ones being caught.

Re:I don't care... (3, Insightful)

TheRaven64 (641858) | more than 3 years ago | (#34723038)

Not true. The government will typically need a warrant to wiretap at the provider. At the very least, they will leave a paper trail. In contrast, they can tap into unsecured communications without any kind of warrant, and if they can do it with $10 of equipment then there is nothing that will require a paper trail.

Re:I don't care... (3, Insightful)

nospam007 (722110) | more than 3 years ago | (#34723242)

"The government will typically need a warrant ..."

Boy you're so wrong. They just need a National Security Letter.

http://www.wired.com/threatlevel/tag/national-security-letter/ [wired.com]

Re:I don't care... (4, Insightful)

tunapez (1161697) | more than 3 years ago | (#34723624)

Actually, they just need to promise to deliver one in a week...
Third bullet from the bottom. [wikipedia.org]
 
In this day and age of fear, a kid with an undetonated firecracker, a chip on his shoulder and a lighter could easily be labeled a 'terrorist threat'. Which any lawyer worth his/her salt, or golfs with the judge, could qualify as an 'emergency'. Getting around to sending the letter ex post facto? I'm sure it will be a top priority for the listeners already listening.

Re:I don't care... (1)

sjames (1099) | more than 3 years ago | (#34724452)

That's the really sad thing, as easy as it's been made for them to "legally" do the wiretap, they still can't be bothered to meet the requirements!

Re:I don't care... (2, Insightful)

Anonymous Coward | more than 3 years ago | (#34724528)

Remember the retroactive telecom immunity bill passed in 2008? Before that, the rules were that if, say, AT&T reasonably tried to obey the law (it didn't matter whether they actually did or not, they just had to try, and act in good faith) then they would be free of liability. This wasn't good enough so we needed FISA amended.

Meeting requirements is too onerous? No, even trying to meet requirements is too onerous. Wanting to meet the requirements is too onerous. Having a vague intent to possibly try to be legal if it happens to be convenient, is too onerous. Asking them to not go out of their way to harm the public, is an insult to them.

And we still vote for the people who changed that law. That's how low we've sunk. That's how important privacy is, and how much we believe in the spirit of the 4th amendment.

Re:I don't care... (1)

fatphil (181876) | more than 3 years ago | (#34729954)

By any sensible definition of the word warrant, an NSL is a warrant.

Re:I don't care... (0)

Anonymous Coward | more than 3 years ago | (#34730454)

"The government will typically need a warrant ..."

Boy you're so wrong. They just need a National Security Letter.

Simply flat wrong. An NSL cannot authorize realtime telephone intercepts. That requires a Title III warrant or FISA court order, both of which require court approval and plenty of justification.

Re:I don't care... (0)

Anonymous Coward | more than 3 years ago | (#34723712)

The government will typically need a warrant to wiretap at the provider.

Where have you been for the last 9 years? Don't you know that 'the Constitution is just a piece of paper' (TM). The government now has rooted the constitution. All they need do is 'sudo terrorist' and they have full root access.

Re:I don't care... (0)

Anonymous Coward | more than 3 years ago | (#34723760)

The government will typically need a warrant to wiretap at the provider.

Or via Post-It note [slashdot.org]

Re:I don't care... (0)

Luckyo (1726890) | more than 3 years ago | (#34723284)

Strongly disagree (but then again, I'm not living in the USA). I worry very little about government wiretaps - they leave a paper trail, have to abide by rules and all people involved are bound by an oath of silence on whatever private info they get to hear.

I do worry about small time criminals trying to fish out useful information, like locations, time when apartment is empty, identity theft, etc. That's largely untraceable, and is an actual substantial risk in this day and age to anyone.

Granted, if you're some sort of an activist, the former is probably a big risk for you. But for an average citizen, the latter scenario is far more likely.

Re:I don't care... (0)

Anonymous Coward | more than 3 years ago | (#34723314)

That is why the only good encryption scheme is end-to-end, directly from phone to phone.
This would have been trivial to implement in the mobile phone standards. It just has not been done this way because then the authorities would not have a single entity they can force to cooperate when they want to tap a phone. (ie. RIM blackberry)

Wrong Way (1)

SuperKendall (25149) | more than 3 years ago | (#34723432)

because governments spying on their own people are much more dangerous to your privacy

No they aren't, because they don't do anything if they are listening. It's like a tree falling in a forest, is it really a violation of privacy if only automated scanners "hear" your conversation?

Someone actually scanning local GSM calls is way more likely to be doing so for a purpose, perhaps to gather material for blackmail or get things like account numbers or other personal data. That is a far more immediate and personal danger than a giant organization that can't do anything without fifteen signatures knowing that you are having health issues "down there".

Don't use GSM Phones (5, Informative)

clonehappy (655530) | more than 3 years ago | (#34723008)

GSM systems use a rudimentary TDMA system which assigns each user a timeslot on a given frequency. The handset and base station both transmit/receive at the assigned interval to exchange the voice data. There isn't much security to speak of, since the basic encryption used in GSM was broken years ago. 3G GSM systems are probably still secure, as they don't use a TDMA based system. 3G GSM uses a Wideband-CDMA based system which provides greater security of the data being transferred at the physical interface layer.

Using a CDMA system, which many Americans and the rest of the world see as inferior technology, effectively eliminates the ability for a third party to eavesdrop on a wireless call. In a CDMA system, all data is distributed over the same frequency range, with an ever-changing pseudorandom code assigned to it, using spread spectrum technology. The ability to "guess" the code for any given call (out of I believe over a trillion unique codes) is nearly impossible.

While this doesn't mean that governments, spy agencies, etc. cannot still listen to your phone conversation, it means Joe Blackhat in his garage across the alley isn't listening to your phone conversation. If I were using a mobile phone for anything remotely private, which I sure as hell don't, I would have to forego using the global standard system in favor of one that uses a more secure air interface (CDMA or 3G GSM). If there are any non-telco geeks that want to know more, read section 5 of the whitepaper linked below, it has some good information on how this all works and how this system works to keep your conversations private, at least from two-bit hackers.

http://b2b.vzw.com/assets/files/SecurityWP.pdf [vzw.com]

Re:Don't use GSM Phones (1)

Anonymous Coward | more than 3 years ago | (#34723224)

(W)CDMA isn't necessarily more secure. At least for 3G, _which_ code to use for the dedicated will be sent on a common/known control channel ...
Also, with WCDMA, by recording the raw radio data (10MHz bw IIRC), you are certain that _all_ calls/sms/data are in the recording ...

WCDMA is indeed more secure but that's for other reasons than just the radio layer. (Which makes sense ... it's not the job of the modulation scheme to ensure confidentiality and authentication!)

(note that I don't know CDMA much so it may not apply. But if indeed it's more secure, it's _not_ just because of another modulation scheme ...)

There's nothing wrong with GSM (4, Informative)

Sloppy (14984) | more than 3 years ago | (#34723376)

Networks are insecure, period. That should be the underlying assumption of any communications system.

Then you put endpoint-to-endpoint crypto into the application. If some other layer also encrypts, like the crypto in CDMA or GSM or WPA2 or OpenVPN, that's ok, but it's not something your application should assume is useful, or even needs to be aware of.

Look at it that way, and GSM and CDMA have identical security: none. Security is the application's problem. We're looking at it all wrong: legacy phones are insecure, because they're an application that is designed to be compatible with .. what, late 1800s tech? Let's stop worrying about the networking tech itself, and fix the app. Fix the app, and the network won't matter.

Re:There's nothing wrong with GSM (0)

Anonymous Coward | more than 3 years ago | (#34726316)

The app won't be fixed, because then suddenly you can only call those people who have also installed(/updated) the app (or, avoid the app all together).

Re:Don't use GSM Phones (1)

horza (87255) | more than 3 years ago | (#34723480)

AFAICR GSM went with TDMA as it was more reliable, equipment was cheaper, and it didn't walk across the Qualcomm patent minefield. However, TDMA vs CDMA is irrelevant if using proper end-to-end encryption. With A5/1 broken (it did pretty well lasting a couple of decades with the pace of change in technology) the new generation of smart phones have plenty of processing power to provide a decent PK layer on top. You are already doing this when using Skype on your mobile. A simple app download is probably easier than changing most of the world's mobile infrastructure.

Phillip.

Re:Don't use GSM Phones (1)

Anonymous Coward | more than 3 years ago | (#34723838)

CDMA isn't an encryption scheme, it's a method to allow multiple stations simultaneous access to a frequency range. For this reason I sure as hell wouldn't trust it to secure anything. I also sure as hell wouldn't trust a vendor for details on how secure their network actually is. Vendors also told us that WEP was perfectly secure as well, and we all know how that turned out.

(BTW, if you think a trillion is a large search space, think again).

CDMA still vulnerable to cheap MITM attacks (1)

chrb (1083577) | more than 3 years ago | (#34724242)

As far as I know, CDMA is still vulnerable to a Man In the Middle attack, where the eavesdropper's equipment pretends to be a basestation. This is the method Chris Paget demonstrated against GSM at Defcon with $1500 of equipment [youtube.com] . The equipment cost may be slightly higher with CDMA, but apart from that, the technique should work fine - a MITM attack is independent of the physical layer. Qualcomm have stated that CDMA can be cracked; there was some scandal in South Korea about this, and it was revealed that they issue their cabinet members with phones that do end to end encryption because they assume CDMA has been cracked by the North.

Re:Don't use GSM Phones (1)

yuhong (1378501) | more than 3 years ago | (#34725206)

Or just upgrade to 3G, which provides a stronger KASUMI-based algorithm.

Re:Don't use GSM Phones (0)

Anonymous Coward | more than 3 years ago | (#34725688)

You don't really know what you are talking about. It's a shame the mods don't either and this nonsense gets to +5

Still, to put you straight, the underlying "air interface" isn't what provides security in these systems, and has never been designed as such. Sure, TDMA - even with frequency hopping - is easier to eavesdrop on than something like WCDMA or LTE, but it's the encryption standard used that is the weak point here, i.e. A5/1 [wikipedia.org], A5/2 or A5/3. And we shouldn't be surprised by this given that the first GSM standard is about 20 years old and written at a time when mobile processors and batteries were a lot less powerful than today.

3G GSM uses a Wideband-CDMA based ...

That shows your lack of erudition. GSM and WCDMA are different standards while 3G is an umbrella term for UMTS and CDMA2000.

While this doesn't mean that governments, spy agencies, etc. cannot still listen to your phone conversation,

Yep - 3GPP define the 'lawful intercept interface' which defines a handy network side socket for monitoring various aspects of the wireless comms network and subscribers. It's defined in 3GPP 33.106/7.

Mod down (0)

Anonymous Coward | more than 3 years ago | (#34740028)

This person has posted complete BS and been modded to +5 for it. CDMA versus TDMA has absolutely nothing to do with security or encryption, or the ability of anyone with $500 and an eBay account to recover the baseband data.

Basically, if you're concerned with wireless security, you don't want to fall for anything in that Verizon document. It was obsolete when the first GNU Radio USRP shipped.

Crypto isn't the main problem (5, Informative)

ThunderBird89 (1293256) | more than 3 years ago | (#34723040)

The main problem here isn't really cryptographic, but economic: mobile carriers have no vested interest in protecting the privacy of their customers, since the Average Joe doesn't care about it either way, and for those who do, there exist specialized encrypted phones (which, I might add, can all be subverted by hackers with the least bit of determination). This article [arstechnica.com] states that of the two keys being used, the one used to authenticate the SIM towards the provider is very strong, because the providers have an interest in keeping that secure, while the key protecting individual sessions is weak, since it doesn't need to be strong.

Using strong crypto in the handsets would likely require a more powerful CPU or a dedicated chip, raising the cost and the complexity, making it unattractive to the manufacturers and providers. Also, it wouldn't solve a damn thing, as it would merely shift the focus from eavesdropping to more ... direct methods of obtaining the required information, since a cypher is only as strong as the weakest point, in this case the human endpoints.

Also, I doubt government agencies are startled at this announcement. I worked at the Hungarian Foreign Ministry, and I had at least one call eavesdropped, and one call actually hijacked by having a third party speak on the line for both of us to hear. The article makes it clear that in order for this to work, you need to know your target and track it for some time, making it impossible to just 'go around snooping in on others' and have this turn into another Google StreetView incident.

Re:Crypto isn't the main problem (1)

anwaya (574190) | more than 3 years ago | (#34723180)

... Also, it wouldn't solve a damn thing, as it would merely shift the focus from eavesdropping to more ... direct methods of obtaining the required information, since a cypher is only as strong as the weakest point, in this case the carriers operating the networks between the human endpoints.

FTFY.

Re:Crypto isn't the main problem (1)

ThunderBird89 (1293256) | more than 3 years ago | (#34723246)

Tell me which one is harder:
a) going through the trouble to get a proper phone, rewrite and reflash the firmware, locate your phone, probe it, then listen, keep sending silent messages to keep myself updated on the session key and finally, after a lot of waiting around, eavesdrop in on a single one-minute conversation, or
b) kidnapping you, drugging you, and hitting you with a $5 monkey wrench until you tell me what I want to know?

The carrier isn't the weakest point in the link if you want to get the info, it's the humans. And like I said, if you have to be discreet about it, you're already more than likely to have access to the equipment to do it professionally.

Re:Crypto isn't the main problem (1)

F.Ultra (1673484) | more than 3 years ago | (#34726652)

It depends, in many situations b) is unacceptable since you don't want the subject to know that you are eavesdropping on him.

Re:Crypto isn't the main problem (1)

ThunderBird89 (1293256) | more than 3 years ago | (#34727050)

In which case you usually have access to the required equipment already.
Face it, if you need to stay in the shadows, you're usually with the secret services, and you have the budget and the technicians to pull it off without this hack, or you just approach the provider. If you don't have access to the stuff, you likely don't actually need the data, or you can afford to get in his face about it, and use rubber hose cryptanalysis to extract the information.

Re:Crypto isn't the main problem (1)

F.Ultra (1673484) | more than 3 years ago | (#34731340)

Or you simply don't want to be caught by the authorities for breaking the law (killing or torturing the guy) while still trying to perform say industrial espionage.

Re:Crypto isn't the main problem (1)

ThunderBird89 (1293256) | more than 3 years ago | (#34731438)

Once again, the limiting factor is hardly money in that case: if your company needs the info that desperately, they will invest in a ~$50,000 unit built specifically for this purpose so their agents won't have to muck about with hacked phones.

This is mainly a wake-up call for providers, saying "Look, we can do this. Put terrorists and internet together with this, and you get...?". It's saying that eavesdropping is affordable, but the required technical knowledge and skills still place it outside an average person's reach, and those with the proper knowledge probably knew this was possible already, this being only a confirmation of their theories.

I restate: if you need to do it discreetly, you're more than likely to have the resources to do it professionally, whether you're secret service or doing industrial espionage; if you don't have the resources (technological or monetary), you're probably not in a position that requires a lot of discretion anyway.

Re:Crypto isn't the main problem (1)

F.Ultra (1673484) | more than 3 years ago | (#34733228)

Yes you are absolutely correct but I still find the rubber hose method that people always bring up after xkcd, to miss the point sometimes. Even if you are a basement amateur you might not be interested in violence. And regardless, slashing people is a much easier way into prison than hacking phones. And whatever secret that you want to get hold of might be worthless if your victim knows that you have obtained it. Disregarding the obvious rubber hose candidates such as your ATM PIN code of course :)

Re:Crypto isn't the main problem (0)

Anonymous Coward | more than 3 years ago | (#34723192)

IMHO, it isn't that bad to shift the main mode of attack from the network to endpoints. This means a blackhat can't just sit there anywhere in the globe and passively get data. They would have to mount an active attack against an endpoint to get what they want, and that is a lot harder and generates a lot less ROI.

To me, it seems a lot easier to sit back and look at slurped packets from a compromised router in a data center on another continent, versus having to fly over to that continent, procure a firearm, "borrow" one of the data center's sysadmins and use rubber hose decryption to obtain a method of decoding data, or find someone in that area who is willing to do that.

It is just like the banking industry -- say we had a signing system where transactions were signed and a secure, robust PKI, ID theft and account fraud by passive attackers and spammers would go to zero because it would take more active attacks (skimmers, stealing people's PINs, rubber hose decryption) which changes the rate of returns drastically.

Re:Crypto isn't the main problem (2)

ThunderBird89 (1293256) | more than 3 years ago | (#34723260)

RTFA, please, both from the summary and from my comment. In order to carry out this attack, you need to target a single phone on the network, and know both the number and the location. You can't eavesdrop on the general traffic. Like I said, there's no threat of this turning into a StreetView incident.

Re:Crypto isn't the main problem (1)

horza (87255) | more than 3 years ago | (#34723544)

Rather than buy a specialised encrypted phone, couldn't you just install Skype or any VoIP supporting encrypted codecs and use that?

As for strong crypto requiring a more powerful CPU or dedicated chip, hardly. There is an overhead but it's not that dramatic. New smartphones can handle image processing and wouldn't even notice an encryption layer.

Also, it wouldn't solve a damn thing, as it would merely shift the focus from eavesdropping to more ... direct methods of obtaining the required information, since a cypher is only as strong as the weakest point, in this case the human endpoints.

Correction that solves everything. We want the police to be able to catch bad guys. They need to be able to get targeted intelligence. We don't want mass surveillance by the government as it will inevitably be abused at some point.

Phillip.

Re:Crypto isn't the main problem (1)

ThunderBird89 (1293256) | more than 3 years ago | (#34723656)

The problem with dedicated codecs and Skype is that they only communicate with themselves. Even Skype drops the encryption when dialing a non-Skype number, since the other end lacks the algorithms to decrypt the data. But you're most likely right about the CPU.

The governments own the airwaves, if they really wanted surveillance, they could just swagger up to the Telcos and say "Give us a live feed or we revoke your permits!". What I meant by the "would not solve anything" is that if I want to get something out of you, I will, whether it's by listening in on your phone calls or beating the everliving crap out of you. Personally, if someone is going to steal data from me, at least they could have the decency to do it the painless-and-likely-won't-even-notice way.
Anyway, the police can legally tap the cellphone networks during a criminal investigation, and so can the secret services with the properly authorized warrant (here in Hungary, authorized by the Minister of the Interior). I suspect the system is similar in any given country, except for China and North Korea.

Re:Crypto isn't the main problem (1)

Jimbookis (517778) | more than 3 years ago | (#34724152)

This eavesdropping is not really a concern to governments. They just tap at an exchange and listen to the nice G.711 data no matter where the target of interest is located with their mobile, be it GSM or 3G. I think this trick is more useful for the casual user and could return us to the old days of listening to calls on the old analogue systems (like AMPS) with a scanner and narrowband FM demodulator. I am interested to find out how they got enough info together to hack and reprogram the phone!

Re:Crypto isn't the main problem (1)

ThunderBird89 (1293256) | more than 3 years ago | (#34724316)

It won't go there. Read the article: needs two phones, knowing your target's location, restricted to a single targeted phone and one conversation start-to-finish. Nothing more.

Surprised? (1)

Midnight Thunder (17205) | more than 3 years ago | (#34723174)

Given the real-time nature of phone conversations and the low amount of processing power that most phones have, surely the solution they chose was a best-fit solution? When you throw a modern desktop PC into the equation, then you are going to be able to crack that very quickly. The real question is whether the GSMA has actually provided other levels of encryption for when processing capability is available? The improved encryption would depend on both phone and tower capabilities.

Re:Surprised? (2)

phorm (591458) | more than 3 years ago | (#34725736)

Depends. A device with a chipset dedicated to a given task may in many cases be comparatively low-powered compared to a general-purpose PC, but may be *very* efficient at what it does. It's one of the reasons even a slightly older GPU will kick ass over software rendering on most PCs.

Dedicated hardware can make a big difference in a lot of things, which is one of the reasons why in many systems there is hardware support for specific crypto methods.

I think that - especially nowadays - this is mostly the result of phone/hardware companies becoming a bit lazy and/or apathetic in terms of data security. With all the focus on speed and profit, security/privacy have been sorely neglected.

Which phone did they use? (0)

Anonymous Coward | more than 3 years ago | (#34723290)

It had to be asked!

Only the cheap part is news (0)

Anonymous Coward | more than 3 years ago | (#34723414)

Cops have been snooping phone calls illegally for years. Drug dealers have been well known, and the cops know exactly where deals go down, and between whom. Phones have been sold as exclusive, private communications. It's over the air. The signal goes everywhere. Unless there is embedded cryptography, it's all wide open. Blackberry even had to provide servers that allowed the government to eavesdrop without notice. Don't be shocked! For years, the government has insisted that people who make envelopes allow a 1/2" space between the glue and the top of the envelope, in order that the contents may be tapped to the end that would normally open, and then a small split rod be passed through the opening, catching the contents on each side of the rod. The rod could then be turned, rolling up the contents around the rod. The rod and contents could then be removed through the opening, the contents unrolled, read, re-rolled around the rod, and then both again passed through the opening, then unrolled, and the rod removed, all without removing the seal. Governments love to snoop. The only time they enforce laws about it is when someone tries to violate their monopoly.

Neurosine (1)

neurosine (549673) | more than 3 years ago | (#34724342)

I have a working theory: If you post your costs and profits, people will accept you making a profit. When you do not they are left to their imagination. Texting is old school as TTY....and the charges are overinflated. The industry should not use this as a standard...or we will call them greedy shits...because...y'know...it is fitting.

I'm not a crypto expert but... (1)

alexmipego (903944) | more than 3 years ago | (#34731942)

Sounds to me that this problem is simple to solve, even with a naive solution. Take for example a simple key agreement algorithm like Diffie-Hellman which (for those unfamiliar with the subject) allows 2 parties to reach a secret key (called K) with a simple set of math and shared parameters (which the hackers can get but can't really use to their advantage / for finding K).

With a simple key agreement and some fast cryptographic algorithm (maybe AES) all conversations could be secure no matter what the network security was. It can even be implemented on top of current protocols AFAIK. And if people suggest that the CPU power might be too great then I would just like to remind them that nowadays almost every phone has a browser (even if it's a WAP browser) and that HTTPS already uses key agreement and encryption.

I also view this (suggestion of) improvement as raising the bar in protecting the public's privacy because with this protocol in place it would be very difficult/expensive for authorities to break and eavesdrop on people's conversations. With a warrant however, the network providers (cell carriers and other phone services) could put in place a way for authorities to get the key to decrypt the conversation taking place.

I for one can't wait to see a green lock next to my in-call HUD.
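The key agreement sketched in the post above, worked through as an added example (not the poster's code and not any handset's firmware): two handsets agree on K with Diffie-Hellman, hash it into a session key, and protect one constructed voice frame. The group and generator are toy-sized demo assumptions, and an HMAC-SHA256 keystream stands in for the AES the post suggests, since the Python standard library has no AES.

```python
import hashlib
import hmac
import secrets

# Demo group (assumption): 2**127 - 1 is prime but far too small for real use;
# a deployment would use a standardized, much larger group. G is a demo generator.
P = 2**127 - 1
G = 5

def keypair(p=P, g=G):
    """Random private exponent x and the public value g^x mod p sent over the air."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def shared_key(my_private, peer_public, p=P):
    """K = peer_public^x mod p; a listener who only saw P, G and the two public
    values would have to solve a discrete logarithm to recover it."""
    k = pow(peer_public, my_private, p)
    return hashlib.sha256(b"call-session-key" + k.to_bytes(16, "big")).digest()

def _keystream(key, seq, length):
    # HMAC-SHA256 in counter mode stands in for AES (the stdlib has no AES).
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, seq.to_bytes(8, "big") + i.to_bytes(4, "big"),
                             hashlib.sha256).digest() for i in range(blocks))[:length]

def encrypt_frame(key, seq, frame):
    """Encrypt one voice frame under the session key; seq must never repeat."""
    ct = bytes(a ^ b for a, b in zip(frame, _keystream(key, seq, len(frame))))
    tag = hmac.new(key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()[:8]
    return ct, tag

def decrypt_frame(key, seq, ct, tag):
    """Verify the tag first; a tampered frame yields None rather than garbage audio."""
    expect = hmac.new(key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expect, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, seq, len(ct))))

def run_call(frame=b"constructed voice frame, 20 ms of audio"):
    """One call setup. Caveat: plain DH authenticates nobody, so an active relay
    running a separate agreement with each side (the hijacked-call case in this
    thread) is not stopped; that takes endpoint authentication on top of DH."""
    xa, pub_a = keypair()           # handset A; only pub_a goes over the air
    xb, pub_b = keypair()           # handset B; only pub_b goes over the air
    key_a, key_b = shared_key(xa, pub_b), shared_key(xb, pub_a)
    ct, tag = encrypt_frame(key_a, 1, frame)
    return key_a == key_b, decrypt_frame(key_b, 1, ct, tag) == frame
```

`run_call()` returns `(True, True)`: both ends derive the same key and the frame survives the round trip, while a wrong tag or a replayed sequence number makes `decrypt_frame` return `None`.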
