Beware! your neighbor might be listening…
Wednesday February 27, 2008 at 6:53 am CST
Posted by Denys Ma
We came across an interesting presentation at the recent Blackhat Conference that discusses a technique to decrypt cellular signals here. The article discusses a cheaper, faster method of cracking the encryption used between the mobile devices (phones), and mobile stations (cell towers). The encryption in question is the A5/1 algorithm, which is used widely in GSM networks in United States.
The encryption was actually proved to be vulnerable, and can be cracked with a long pre-processing stage (around 2^40 stages or so) with huge amounts of storage. More details can be found here, here, and here. There are also known plain-text based attacks, found here, that can attack A5/1 in minutes, but requires the attacker to be active in the attack.
What makes this attack interesting is that it is completely passive, and was able to overcome the long, pre-processing stage of the attacks discussed above by using custom designed FPGAs instead of the personal PC. With this, they were able to crack the encrypted data within 30 minutes, which makes “real-time” decryption a possibility. Furthermore, the presenters are planning to sell a hardware based product that can do this much faster. This could lead to easier espionage or other illegal activities if the technology lands in the wrong hands.
The presenters also shown various different weaknesses in the current implementation of cellular networks.
Besides the GSM cracking attack , there’s also another paper published on cellular network security, which can be found here. This paper simulates the scheduler (proportional fair) commonly used in several 3G networks and shows that malicious users, with access to a few mobile devices, can manipulate the scheduler into assigning an unfair amount of time slots to the attacker. This shows that with only a few attackers, they were able to steal a majority of time slots.
I think these works, although controversial, could provide the stimulus for a new and robust direction for security practices in cellular technology, since now, cellular networks are used as widely, or even more so, than the Internet. The Internet is relatively well understood compared to the cellular network. More attention focused on the security of the cellular networks might help both consumer and cellular service provider build a more secure network that we all already depend on.