back to article Ageing GSM crypto cracked on commodity graphics rig

The crypto scheme applied to second generation (2G) mobile phone data can be hacked within seconds, security researchers have demonstrated. The work by researchers from the Agency for Science, Technology and Research (A*STAR), Singapore shows that breaking the A5/1 stream cipher used by 2G is possible using commodity hardware …

  1. bazza Silver badge

    2G FruiG

    Now that's an old fashioned ice cream flavour.

  2. nedge2k

    um, even when they were new in 2012, the GTX 690's were only like $1K - not $5k

    1. Lee D Silver badge

      I'm guessing the graphics cards weren't the main expense.

      With things like rainbow tables, probably the machines was fully kitted out with RAM, and extra graphics RAM and some more RAM, and a few SSDs to catch what the RAM can't hold.

      1. phuzz Silver badge
        Paris Hilton

        RAM's not that expensive now either, you can pick up 32GB of DDR4 for less than £200, about the same again will get you 1TB of SSD. The graphics cards they used will probably be matched for about £250-300 today, and figure about another £250 for a CPU and a motherboard with enough PCIe slots and bandwidth to run everything.

        Even with current UK prices I reckon you could build an equivalent rig for less than two grand.

        >>>> Paris, because she's good with money.

  3. Charlie Clark Silver badge

    So…

    The flaws in the encryption have been known about since 2009 and you still need to create some pretty big rainbow tables and have some pretty good equipment to do the hack.

    Well, in that case I'm impressed by what the GSMA did come up with back then. It means we're generally pretty safe. Yes, the spooks have probably had the wherewithal to do this for a couple of years for the few cases where they can't get a wiretap order or find a compliant telco, but given all the other attack vectors on modern phones such getting an app installed that can control the mike and use the network, I'm not unduly worried.

    Nevertheless, it's an important research project and should expedite the deprecation of this part of the standard.

  4. John Robson Silver badge

    Is it me...

    Or is the concept of searching a terabyte rainbow table in 9 seconds on 'commodity' hardware the impressive thing here.

    Of course it depends what they call 'commodity', I don't see too many PCs with a TB of RAM, and suspect that a few SSDs may be needed in parallel to get that sort of performance...

    Mind - you 'as little as nine seconds' could mean 'if you're the first item in the rainbow table'

    1. Duncan Macdonald

      Re: Is it me...

      If the table is arranged as a ordered list then a binary search would find the answer in no more than 42 reads. With an SSD this would take well under 1 second.

      As the rainbow table is not exhaustive (as it is far too small), several bits of the key must be determined by a computation (maybe by brute force) and this is what would take the bulk of the 9 seconds.

      (An exhaustive rainbow table would require 2^64 entries - many exabytes.)

  5. Velv
    Boffin

    "Security experts have known the A5/1 was breakable since 2009..."

    Security experts have known since way before 2009 that that all bar one encryption techniques are only computationally secure (i.e. given enough time and resources they can be broken). Moore's Law ensures that what is classed as "secure enough" today will not be secure enough in the future.

    Only the Vernam cipher is known to be mathematically secure.

    1. Julz

      One Time Pad

      "any unbreakable system must have essentially the same characteristics as the one-time pad: the key must be truly random, as large as the plaintext, never reused in whole or part, and kept secret"

      Not really practical for most at the moment. The truly random requirement is also a bit of a bugger.

    2. John H Woods Silver badge

      "Moore's Law ensures that what is classed as "secure enough" today will not be secure enough in the future" -- Velv

      I hear what you're saying, but the universe is finite and, more significantly, the time period for which cipher text has to remain safe is actually pretty short. I cannot see any conceivable way that a 256 bit keyspace can be exhaustively searched in a reasonable time (say, under a century) by conventional (non-quantum) computers. NB: I am absolutely not saying 256 bit ciphers cannot be broken.

  6. Robert Carnegie Silver badge

    So

    From now on, assume that your 2G phone calls are being tapped. By the government, by the local newspaper, by local taxi firms listening out for possible bookings, including calls to other taxi firms. Does that happen? I don't know, but, assume that it does.

    Oh, and muggers.

    Also, your 3G or 4G phone presumably drops back to 2G when there isn't a 3G signal, so in fact everyone is going to be bugged.

    1. petur

      Re: So

      indeed, the attack will include fallback to 2G so how long before 2G is removed completely?

    2. Charlie Clark Silver badge

      Re: So

      Only if it's using A5/1. Many companies have already moved off this for their 2G connections, other networks no longer do any kind of 2G.

    3. John Smith 19 Gold badge
      Unhappy

      "your 3G or 4G phone presumably drops back to 2G when there isn't a 3G signal,"

      Now that turns "Ho hum, well it's obsolete anyway" into "S**t, so if you can mess up the 3G signal enough you can force drop back to 2G"

      Do that at a tower site and you have a sort of watering hole attack against however many subscribers use it.

      How useful that is depends on what else you can get apart from their speech....

    4. Anonymous Coward
      Anonymous Coward

      Re: So

      It might be worth looking into turning off 2G in some cases… at least here in Australia, Telstra are shutting down their 2G service, so any legitimate tower your phone connects to should be 3G or later.

      1. david 12 Silver badge

        Re: So

        For values of "any legitimate" defined as "Telstra"

  7. Simon Rockman

    Not a problem

    No commercial mobile phone network uses A5/1 anymore. They have moved to A5/2 or A5/3

    Simon

    1. Robert Carnegie Silver badge

      Re: Not a problem

      Is there a way to tell whether I'm on A5/1, A5/2 or A5/3 ? Besides the sound of a mystery person breathing as they tap in to my phone calls. I mean - won't this depend at some level on what encryption is implemented in the phone, or the SIM card, or the novelty case I keep it in? Apart from "not 2G at all", what should I be looking for as an upgrade?

      Also - what happens somewhere there isn't a 3G signal geographically - have they really given up providing 2G? (In my case, O2 and a quite early micro-SIM card, pay as I go)

      And is this anything to do with starting to get spam texts again? I think some people get a lot of them, but it's been rarely or never for me. But several lately. Some odd phone calls, too.

    2. Duncan Macdonald

      Re: Not a problem

      The A5/2 cipher is MUCH WEAKER than the A5/1 cipher - it fact it is so bad that the GSM association prohibited its inclusion in new phones back in 2006. The A5/3 cipher is far stronger than the A5/1 cipher and is used in GPRS / EDGE mode. Note if you make a voice call anywhere with a poor signal then fall back to GSM mode with its poor security is likely.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like