Get the latest best-practice stories, news and white papers straight to your mailbox
GSM: cheaper to hack than ever
Last August, a hacker declared GSM “broken” in terms of security by demonstrating how a low-cost device and open-source software could spoof a cell phone tower. The GSM Association responded that the hack was impractical as eavesdroppers would have difficulty targeting a specific user, and it only works within a certain range.
Last week, another group of hackers demonstrated how to eavesdrop on GSM calls and text messages using various software programs, four $15 handsets and a laptop.
The attack - demonstrated at last week's Chaos Computer Club (CCC) Congress in Berlin by Security Research Labs researcher Karsten Nohl and OsmocomBB project programmer Sylvain Munaut - essentially allows a hacker to track down a target phone's location and determine its random network ID number, which in turn lets the hacker know which stream of information to decrypt.
The decryption process itself takes about 20 seconds. The entire demo took around two minutes, according to the Wired Threat Level blog (which has the juicy technical details as well).
As with previously reported hacks, the attack won't work on W-CDMA networks, but that should small comfort to cellcos in markets where 3G is a fraction of their user base (presuming 3G exists at all). Even where 3G and HSPA dominate, many cellcos still run legacy GSM networks alongside their W-CDMA networks, and are more likely to use them to offload voice calls as 3G data traffic gets heavier.
The good news is that the vulnerabilities exploited to make the hack work are relatively easy to fix, says Nohl. For example, cellcos can ensure their network routing information is not simply available through the internet and avoid recycling encryption keys between successive calls and text messages.
In other words, things they could be doing already but aren't, primarily because GSM is an old technology and many operators took shortcuts when deploying it, Nohl told the CCC Congress audience, describing the hack as the equivalent of “GSM debugging tools”.
“This is all a 20-year-old infrastructure, with lots of private data and not a lot of security,” he said, according to Threat Level. “We want you to help phones go through the same kind of evolutionary steps that computers did in the 1990s.”