Huge GSM flaw allows hackers to listen in on voice calls

Recently at the Hacking at Random (HAR) conference, held in the Netherlands, Karsten Nohl detailed plans for cracking the standard GSM cell phone encryption, known as A5/1, and will be making the results available for anyone to use. GSM (Global System for Mobile communications) is the most commonly used cell phone standard in the world, deployed in Europe, Africa, Asia, New Zealand, Australia, America and Canada.

The GSM flaw is massive and would affect not only businesses but individuals too: once the hack is complete, anyone with a $500 radio card and a laptop will be able to listen in on GSM calls, making it easier for criminals to obtain personal data and turning eavesdropping on ordinary voice calls into a real, everyday threat.

Stan Schatt, Vice President and Practice Director, Healthcare and Security at ABI Research, commented, "Potentially this news could have as profound an impact on the cell phone industry as the breaking of WEP encryption had on the wireless LAN industry." He continued on to say "... average folks also have to fear criminals learning valuable information about their bank accounts, personal affairs, etc. Equally if not more important, our research shows that employees talk about corporate sensitive information on their cell phones a good deal of the time... If people do nothing, we are likely to start to hear stories of sensitive information being compromised, acquisition information being leaked, personal financial security information being compromised, etc. We could see tales of blackmail and extortion on the rise."

A practical attack had been rumoured to exist since as early as 1996, but none had ever been found. Simon Bransfield-Garth, CEO of Cellcrypt, said, "Everybody has known for quite some time that a theoretical hack of GSM existed. This news means that the theoretical risk will become a very real one within the next six months." He went on to say that recently conducted research - which will be released soon - found that "79% of people discuss confidential issues by phone every few days with 64% making such calls daily."

The hack is said to be "incredibly simple" to perform and would affect day-to-day use of mobiles. If the hack became widespread, personally identifiable information shared over a phone, such as bank details, social security numbers, credit card details, addresses and full names, could easily be stolen.

Hacking at Random has made Karsten Nohl's PowerPoint presentation available here.
Cellcrypt has published guidelines for managing the security of voice calls on their website.



Image credit: Slides taken from Karsten Nohl's slideshow


29 Comments


Amazing!! Considering this is a technical forum, you people certainly don't have a clue.

I work as an engineer for one of the 5 UK operators and you people really need to swot up on your mobile telecoms knowledge.

2G uses GSM
3G (including HSDPA and HSUPA) uses WCDMA

2G can transmit data over GSM (including EDGE modulation) using GPRS, and 3G likewise uses GPRS.

3G is unaffected (data and voice) as it uses A5/3 encryption.

Honestly, I am shocked by the lack of knowledge... call yourselves l33t geeks :-)

Ziggy, I have to ask a question. What if you are in an area that is not 3G capable? Then wouldn't you be on 2G, which IS affected by this flaw? I live in one of the largest cities in the States and I can name hundreds of places where 3G is NOT available, which means that this GSM flaw that YOU say affects 2G (EDGE) would affect MOST GSM customers. I think I get 3G service in my local state 50 percent of the time, which means 50 percent of the time I am using 2G GSM (100 percent if I am travelling on the road). And if you truly are so smart and prepared to bash everyone on this site, then perhaps you can explain to all of us why they haven't fixed this problem yet.

Hi Pal,

Of course you're correct that if you're not within coverage of a 3G cell then you'll be handed over to 2G. However, the rollout of 3G enabled sites is still ongoing and the coverage is increasing week by week.

I think that what will happen is that the encryption card found with the MSCs will be updated/reconfigured to use the A5/2 or A5/3 encryption scheme. It's more money for Nokia and Ericsson, and the operators will be able to advertise that they are unaffected by the exploit.

I ain't worried and I don't think anybody else should be. Considering how long GSM has been in the public domain, I think it's impressive that the original encryption scheme has lasted so long.

Hi,

A5/3 is recommended in the 3G standard but not all carriers support it; some in fact use A5/1. Whether this is because of export controls (strong crypto and all that), I do not know.

Encryption algorithms on GSM share the same key, so a way to crack security is to use a device called an IMSI catcher to force the handset to use a lower security protocol.

The encryption implementation is on the phone, not on the SIM card, so in order to close this loophole you might need to replace all phones or disable the old ones out there.

So that's why we don't use GSM in Japan!

Anyway, I'd be more worried about the government listening in on you than a small time hacker.

Shiranui said,
So that's why we don't use GSM in Japan!

Anyway, I'd be more worried about the government listening in on you than a small time hacker.

I'd be more worried about the hacker. He can do a lot more damage than the government. The government still has to go through and/or around the law. Plus you can fight the government, hard to fight someone you don't know.

Shiranui said,
So that's why we don't use GSM in Japan!

Anyway, I'd be more worried about the government listening in on you than a small time hacker.


If the government wants to, it can listen to you; it is a very simple process. Every year thousands of conversations are recorded and listened to.

That's a bit of a shocker, isn't it? But think of the possibilities: you could always listen in on a dirty phone call to one of them premium rate numbers, for FREE. Now where can I buy that card and *cough*

This has been speculated about since 1996?? This has been known about since 1996 and the providers have done nothing to secure it. Major flaw!!!

Conjor said,
why spend money to fix something that wasn't broke at the time?


It was broken, that's the whole point! This isn't a flaw that was brought in by a phone's OS; this is a flaw in the entire GSM standard.

WCDMA is more commonly known as 3G. 3G phones frequently switch back to GSM when the 3G signal strength becomes weak.

In fact, where I live (Australia), I get better call quality on GSM.

I think this article is talking about GSM (for voice calls) security, not 3G (which is for data, although VoIP is possible).

Verizon would be foolish not to use this as a marketing tool, such as the Apple and Microsoft ads. Unless AT&T can push some firmware to fix it, AT&T will either stand by and watch customers jump ship, which would force Apple to move to another provider (most likely Verizon) to protect profits, or request some emergency government money and speed up their 4G LTE rollout (which would be awesome), then move all their phones to LTE if that is even possible. In a world that lives in fear of every big or little security threat, this is sure to get some news media spin and have non-techy GSM customers freaking out.

For those who want out of their AT&T contracts, I think this would be great ammunition that is factual.

cerealfreak said,
How is iPhone/AT&T bashing even relevant?? The GSM network is used for voice traffic, 3G and 4G are used for data traffic.

Trolling much??

3G and 4G are not just used for data. In fact GSM is nowhere to be found in the official 3G standard -- 3G (aka IMT-2000) is a set of standards that define a third generation wireless communication medium. EDGE is the evolutionary upgrade to GSM.

omni said,

3G and 4G are not just used for data. In fact GSM is nowhere to be found in the official 3G standard -- 3G (aka IMT-2000) is a set of standards that define a third generation wireless communication medium. EDGE is the evolutionary upgrade to GSM.

Where did I state that GSM is in the official 3G standard?? My point was that Intel008's response was irrelevant, as the lack of security in GSM has nothing to do with the iPhone and AT&T contracts.

Yes Cereal, and you must be a techy, because my comment was based on the business side of the technology. A lot of I.T. folk (myself included, at times) have a lack of understanding of the business side. My comment was focused on the business effect this GSM flaw could have on GSM providers, targeting AT&T specifically and the iPhone being their biggest product, which some would argue is their only real wireless product. I have an iPhone and I would not "bash" the iPhone, whereas other posts I have made praise the iPhone as an "amazing device". I am not a fan of AT&T and I was pointing out the loss of customers that could come out of this security hole if AT&T does not close it quickly. I was also pointing out that my dissatisfaction with AT&T is mostly targeted at GSM in North America and how it fails to be as reliable as CDMA. If AT&T could move all voice and data service to 4G LTE, then not only would it shore up the GSM flaw, but also shore up reliability concerns, and put their network in the lead for overall performance.

It is a pretty logical assumption that if this GSM flaw has no fix (because if they knew of it years ago, why haven't they fixed it yet), then what phone manufacturer is going to continue to produce GSM based phones if the customer demand goes away due to security concerns? As a tech supporting large enterprise organizations, would you want to have a bridge call discussing a critical business app and sharing confidential information on your GSM phone knowing that it's possible someone could be listening? I think not...

CRN.COM is reporting that Verizon has begun testing their 4G LTE rollout and has also decided to test voice calls via the 4G network using VoIP. So, per my comment above about using non-GSM for voice, it looks like it is possible. Perhaps AT&T and other GSM providers could take notes and learn.

See: http://www.crn.com/mobile/219400220;jsessionid=YYZWYH1VFECA3QE1GHOSKH4ATMY32JVN

And just to add humor to it all, dslreports.com is reporting that AT&T is showing their customers just how lame AT&T can be and why this GSM flaw hasn't been fixed in all this time they have known about it. See the dslreports article for a good laugh: http://www.dslreports.com/shownews/ATT-App...ngestion-104128

Keep it up AT&T, and Verizon will have that iPhone in no time...

protocol7 said,
"79% of people discuss confidential issues by phone every few days with 64% making such calls daily."

Really?

I find that to be very high too... I can't think of much of anything that I talk about that could compromise my information...

I mean, should I not be telling random people my SS#?