Recently at the Hacking at Random (HAR) conference, held in the Netherlands, Karsten Nohl detailed plans for cracking standard GSM cell phone encryption, known as A5/1, and will be making the results available for anyone to use. GSM stands for Global System for Mobile communications and is the most commonly used cell phone standard in the world, and is used in Europe, Africa, Asia, New Zealand, Australia, America and Canada.
The GSM flaw is massive and would affect not only businesses but individuals also as once the hack is complete it means anyone with a $500 radio card and a laptop will be able to listen in to GSM calls, making it easier for criminals to obtain personal data and making listening in on normal voice calls a real and everyday threat.
Stan Schatt, Vice President and Practice Director, Healthcare and Security at ABI Research, commented, "Potentially this news could have as profound an impact on the cell phone industry as the breaking of WEP encryption had on the wireless LAN industry." He continued on to say "... average folks also have to fear criminals learning valuable information about their bank accounts, personal affairs, etc. Equally if not more important, our research shows that employees talk about corporate sensitive information on their cell phones a good deal of the time....If people do nothing, we are likely to start to hear stories of sensitive information being compromised, acquisition information being leaked, personal financial security information being compromised, etc. We could see tales of blackmail and extortion on the rise.""
The hack had been known about and was fabled to be in existence since as early as 1996, but had never been discovered. Simon Bransfield-Garth, CEO of Cellcrypt, said, "Everybody has known for quite some time that a theoretical hack of GSM existed. This news means that the theoretical risk will become a very real one within the next six months." He went on to say that recently conducted research - which will be released soon - found that "79% of people discuss confidential issues by phone every few days with 64% making such calls daily."
The hack is said to be "incredibly simple" to perform and would affect day-to-day use of mobiles. If the hack became widespread, it would be likely that personally identifiable information that is shared over a phone could be easily stolen - such as bank details, social security numbers, credit card details, addresses, and full names.
Hacking at Random has made available Karsten Nohl's powerpoint presentation here.
Cellcrypt has published guidelines for managing the security of voice calls on their website.
Image credit: Slides taken from Karsten Nohl's slideshow
29 Comments - Add comment