GSM to feel the heat from open source project
The announcement of a new project to attack the A5/1 GSM encryption standard could spell trouble in the mid-term for mobile phone network security. As well as normal telephone conversations, this would also allow text messages to be read, not just by state agencies with specialist equipment (for whom it is already a matter of course), but by anyone with the right equipment, costing just 1,000 euros. This would undermine the whole basis of the mobile banking security structure, which uses GSM to transfer mobile TANs for validating online transfers.
The project, initiated by cryptography specialist Karsten Nohl, is intended to make the wider public aware of the vulnerabilities in A5/1, which are already old hat in specialist circles. With community assistance, he plans to pre-compute the secret keys and save them in a code book. Since, even with the relatively non-secure A5/1 standard, this would take 100,000 years on a normal PC and would require 128 petabytes of storage capacity, Nohl’s software uses a number of tricks.
It uses the latest graphics cards with CUDA support to carry out the computation, distributes the task over large numbers of computers connected over the web and compresses the code book/tables using specific procedures so that they take up less space. Nohl is calling on the community to participate in the project in order to compute the tables in the shortest possible time. A little under 200 PCs should be enough to achieve this within a few months.
Nohl's idea is nothing new – hacker group THC started to pre-compute key tables for A5/1 back in 2008, and is reported to have completed the task with the aid of FPGAs. However, apparently due to legal issues, the tables have never been published.
Nohl's project is largely based on the earlier work carried out by THC, but adds a number of enhancements. Details of Nohl's project are given in the slides from his presentation at HAR 2009.
Should the project prove successful and the tables be distributed via, for example, BitTorrent, mobile phone operators will probably find themselves forced to move to more secure encryption standards. This would, however, require that all mobile phones support the new standard, something which usually necessitates a firmware update, and is therefore likely to be a big issue for many users.
Professional users are likely to switch to mobile phones with third party encryption software, whilst normal users are likely to switch back to fixed line phones for confidential conversations – preferably not a cordless, though, as DECT is just as insecure. For banks, it will mean saying goodbye to their mobile TAN procedures.