Open source hack could make mobiles vulnerable to prying ears

Researcher to crack encryption with distributed computing to flag up security alerts

Once the look-up table is created it would be available for anyone to use.

Distributed computing, which has long been used for research and academic purposes, as in SETI@home, and around which companies have built businesses, not only solves the technical hurdle to cracking the A5/1 code but could solve the legal ones too.

A few years ago a similar GSM cracking project was started but was halted before completion after researchers were intimidated, possibly by a cellular provider, Nohl said. Because the new effort is distributed among participants rather than centralised, it will be less vulnerable to outside interference, he said.

Nohl wasn't certain of the legal ramifications of the project, but said it is likely that using such a look-up table is illegal while possessing one is legal, given that companies openly advertise their tables for sale.

In the US, two mobile operators make use of GSM: T-Mobile USA and AT&T. A T-Mobile USA spokeswoman said the company had no comment on the matter.

A spokesman for US telco AT&T said: "We take extraordinary care to protect the privacy of our customers and use a variety of tools, many technical and some human approaches. I can't go into the details for security reasons." He declined to elaborate or comment further.

Carriers should upgrade the encryption or move voice services to 3G, which has much stronger encryption, Nohl said.

In the meantime, people can use separate encryption products on the phone, like Cellcrypt, or handsets with their own encryption, Nohl said. Amnesty International and Greenpeace are using phones with stronger encryption, for example, but it only works if both parties to a conversation are using the same technology, he said.

For data encryption there is Pretty Good Privacy (PGP) for email and virtual private network (VPN) software for connecting to a corporate network, he said.

The encryption problem is particularly serious for people doing online banking, where banks are using text messages as authentication tokens. Banks should instead offer RSA SecurID tokens or send one-time pass phrases through regular mail, Nohl said.

"I think, potentially, this could have as much impact as the breaking of WEP (Wired Equivalent Privacy) had a few years ago," said Stan Schatt, security practice director at ABI Research. "That shook up the industry quite a bit."

After that encryption was broken, enterprises were reluctant to rely on wireless LANs, so the Wi-Fi Alliance pushed through an interim standard that strengthened the encryption scheme, he said.

"Vendors will jump in with interim solutions, like Cellcrypt," Schatt said. "Mobile operators themselves will have to jump in and offer additional levels of encryption as part of a managed service offering for people who want a higher level of encryption."

However, consumers aren't likely to want to pay extra for the boosted encryption strength, he said.

To snoop on someone's phone, a would-be spy would need to be within eyesight of the target, Schatt said. Or, spies could point a recording device in the direction of a building and grab whatever conversations were nearby, he said.

"If you stand outside a building of a competitor you could get conversations between product managers and about sensitive corporation information, like acquisitions," he said. "Corporations put even more sensitive information over their phones, in general, than they do over their email."


Comments

There is 1 comment.

  1. Richard Davies

    What this person intends to do is morally wrong and should be prevented by an authority if needs be.

    It is one thing to publish the existence of a vulnerability in order to spur people on to fix it, but something entirely different to then provide the means for every man and his dog to exploit it... especially when so many people are affected.

    At the moment it seems that the exploit is only available to those with a lot of spare cash.

    When WEP was cracked, people could simply use another level of encryption, but in this instance it doesn't seem like for most, this will be an option; in a lot of places GSM is all that is available and most phones won't give users the facility to use a custom encryption!

    • 27 August 2009 12:55