1. sources
1.1. general arts
1.1.1. Wash Post
1.1.1.1. A5 is a 64 bit cipher that protects GSM traffic
1.1.1.2. was broken 10 years ago but ...
1.1.1.2.1. preprocessing was expensive
1.1.1.2.2. 1 million in hardare (?)
1.1.1.2.3. active attacks
1.1.1.3. new attack
1.1.1.3.1. passive
1.1.1.3.2. remote
1.1.1.3.3. uses FPGA custom device to do large pre-computation
1.1.2. Forbes
1.1.2.1. sensationalist opening
1.1.2.1.1. cellular snooping may soon be affordable enough for your next-door neighbor.
1.1.2.1.2. not just the FBI
1.1.2.2. the pair say their technique allows an eavesdropper to record a conversation on these networks from miles away and decode it in about half an hour with just $1,000 in computer storage and processing equipment.
1.1.2.3. make the tables free
1.1.2.4. In March, however, they say they'll start selling a faster version that can crack GSM encryption in just 30 seconds, charging between $200,000 and $500,000 for the premium version.
1.1.2.5. Muller argues, GSM encryption was cracked--theoretically--in academic papers as early as 1998.
1.1.2.6. "Active" radio interceptors, which impersonate cell towers and can eavesdrop on GSM phone conversations, have also been sold by companies like Comstrac and PGIS for years. (Active techniques, however, only allow eavesdropping from within about 600 feet and are easily detectable, Muller notes.)
1.1.2.7. Undetectable, "passive" systems like the one that Muller and Hulton have created aren't new either, though previous technologies required about a million dollars worth of hardware and used a "brute force" tactic that tried 33 million times as many passwords to decrypt a cell signal.
1.1.2.8. that their cheaper technique is simply drawing needed attention to a problem that mobile carriers have long ignored
1.1.2.9. "This is a nice piece of work, but it isn't a surprise," he says. " We've been saying that this algorithm is weak for years. The mobile industry kept arguing that the attack was just theoretical. Well, now it's practical."
1.1.3. Information Week
1.1.3.1. greatly decrease the time and money required to decrypt, and therefore snoop on, phone and text message conversations taking place on GSM networks.
1.1.3.2. time cost trade-off
1.1.3.2.1. $1000 for 30 mins
1.1.3.2.2. $100, 000 for 30 secs
1.1.3.2.3. what is the function here?
1.1.3.3. So-called "active" systems simulate a GSM base station and don't rely on encryption because they trick phones into connecting to the GSM network through them.
1.1.3.4. Hutton and Steve's technology relies on the use of an array of devices known as field programmable gate arrays to first create a table of all the possible encryption keys -- in this case 288 quadrillion -- and then decrypt each of those over the course of three months. The resulting tables of keys could then be used by software to decrypt GSM communications, which first have to be intercepted using a receiver that can listen in on GSM frequencies.
1.1.4. GCN
1.1.4.1. previous
1.1.4.1.1. The equipment costs between $70,000 to $500,000 for active systems that inject themselves into the transmissions
1.1.4.1.2. or around $1 million for passive systems that quietly listen and do the cracking offline
1.1.4.1.3. since 2003, there has been commercial equipment available capable of breaking A5 encryption.
1.1.4.2. how to reduce key space
1.1.4.2.1. Voice and text message traffic usually is encrypted, but the encryption is weakened by systems that sometimes automatically set the last 10 bits of the 64-bit encryption key to all zeros.
1.1.4.3. data
1.1.4.3.1. The system needs to listen to just three or four frames of data in clear text exchanged between the phone and base station in setting up the call.
1.1.4.4. storage
1.1.4.4.1. A rainbow table for a 64-bit key would be prohibitively large,
1.1.4.4.2. Steve and Hulton found a way to reduce the number of data points that needed to be used
1.1.4.4.3. But even the table for the reduced set is 120,000 times larger than the largest tables used to look up values for a password hash function
1.1.4.4.4. It would take 33,000 years to generate the tables with a PC and the table would be 2 terabytes
1.1.4.4.5. But with available high-speed computers the job can be done in about three months, and the researchers expect to have their tables completed in March. They hope to make their system available in the second quarter of this year.
1.1.4.5. cost
1.1.4.5.1. hat is far too expensive for Steve, as well as Dave Hulton, another researcher at Pico Computing. So they are working with the GSM Software Project to build an affordable A5 cracking system costing less than $1,000.
1.1.4.5.2. “If you have money you can crunch something really quickly,” Steve said. For $1,000 you could crack a key and unencrypt a call in about 30 minutes. For considerably more you could reduce the time to about 30 seconds.
1.1.4.6. value
1.1.4.6.1. GSM estimated 2 billion subscribers — or 82 percent of the global market. It is used by 70 carriers in 48 countries.
1.1.4.6.2. reuse
1.1.5. Bruce
1.2. A/5 on Wikipedia
1.3. The work
1.3.1. SchooCon slides
1.3.1.1. Feb 15th
1.3.1.2. traffic interception is easy
1.3.1.3. basically build a table that maps keys to internal states
1.3.1.4. big rainbow computation
1.3.2. GSM A5-1 break black hat.pdf
1.3.2.1. eavesdropping signal is cheap and easy
1.3.2.2. security
1.3.2.2.1. active
1.3.2.2.2. passive
1.3.2.2.3. key is artificially weakened
1.3.2.2.4. key material is reused
1.3.2.2.5. data broken into frames of 144 bits
1.3.2.2.6. 4 frames of data for passive attack
1.3.2.2.7. dismiss otrher attacks as academic cow dung
1.3.2.2.8. known-plainext to get key stream
1.3.2.2.9. 204 points reduces table search to 2^58, knocking off 6 bits
1.3.2.2.10. about 120,000 times larger than biggest LanMan tables
1.3.2.2.11. how to compute
1.3.2.2.12. attack
2. summary
2.1. sound bites
2.1.1. GSM encryption broken for $1000 in 30 mins
2.1.2. cellular snooping may soon be affordable enough for your next-door neighbor, not just the FBI
2.1.3. greatly decrease the time and money required to decrypt, and therefore snoop on, phone and text message conversations taking place on GSM networks.
2.2. who
2.2.1. David Hulton and Steve Muller
2.2.1.1. Hulton, director of applications for the high-performance computing company Pico, and Muller, a researcher for mobile security firm CellCrypt,
2.3. A5/1 history
2.3.1. was broken 10 years ago but ...
2.3.1.1. The equipment costs between $70,000 to $500,000 for active systems that inject themselves into the transmissions
2.3.1.2. or around $1 million for passive systems that quietly listen and do the cracking offline
2.3.1.2.1. preprocessing was expensive
2.3.1.2.2. not muct justitication
2.3.2. active attacks
2.3.2.1. injecting data packets into the carrier's system
2.3.2.2. circumventing the encryption altogether by tricking a nearby target's phone into connecting to a bogus, unencrypted relay station controlled by the attacker
2.3.3. Muller argues, GSM encryption was cracked--theoretically--in academic papers as early as 1998.
2.4. new attack
2.4.1. properties
2.4.1.1. passive
2.4.1.2. remote
2.4.2. time cost trade-off
2.4.2.1. $1000 for 30 mins
2.4.2.1.1. 2TB rainbow, 1 FPGA, 30 mins
2.4.2.2. $100, 000 for 30 secs
2.4.2.2.1. 2TB rainbow, 16 FPGA, 30 secs
2.4.2.3. A rainbow table for a 64-bit key would be prohibitively large,
2.4.2.3.1. Steve and Hulton found a way to reduce the number of data points that needed to be used
2.4.2.4. uses FPGA custom device to do large pre-computation
2.4.2.5. first create memory for 2^58 key streams and then decrypt into intial keys
2.4.2.5.1. Hutton and Steve's technology relies on the use of an array of devices known as field programmable gate arrays to first create a table of all the possible encryption keys -- in this case 288 quadrillion -- and then decrypt each of those over the course of three months. The resulting tables of keys could then be used by software to decrypt GSM communications, which first have to be intercepted using a receiver that can listen in on GSM frequencies.
2.4.2.6. It would take 33,000 years to generate the tables with a PC and the table would be 2 terabytes
2.4.3. reduce search
2.4.3.1. The system needs to listen to just three or four frames of data in clear text exchanged between the phone and base station in setting up the call.
2.4.3.2. Voice and text message traffic usually is encrypted, but the encryption is weakened by systems that sometimes automatically set the last 10 bits of the 64-bit encryption key to all zeros.
2.4.3.3. 4 frames of data for passive attack
2.4.3.3.1. derive 204 key stream points
2.4.3.3.2. 204 points reduces table search to 2^58, knocking off 6 bits
2.4.3.3.3. The system needs to listen to just three or four frames of data in clear text exchanged between the phone and base station in setting up the call.
2.4.4. how to compute
2.4.4.1. 1 PC
2.4.4.1.1. 55K A5 / sec gives 33K years
2.4.4.1.2. what about lots?
2.4.4.2. 68 Pico FPGA
2.4.4.2.1. 72 billion A5 per sec
2.4.4.2.2. appox 3 months
2.4.4.2.3. But with available high-speed computers the job can be done in about three months, and the researchers expect to have their tables completed in March. They hope to make their system available in the second quarter of this year.
2.5. comment and reaction
2.5.1. that their cheaper technique is simply drawing needed attention to a problem that mobile carriers have long ignored
2.5.2. "This is a nice piece of work, but it isn't a surprise," he says. " We've been saying that this algorithm is weak for years. The mobile industry kept arguing that the attack was just theoretical. Well, now it's practical."
2.5.3. greatly decrease the time and money required to decrypt, and therefore snoop on, phone and text message conversations taking place on GSM networks.
2.5.4. that their cheaper technique is simply drawing needed attention to a problem that mobile carriers have long ignored
2.5.5. David Pringle, a spokesperson for the GSM Association (GSMA),
2.5.5.1. declined to comment on the specifics of the duo's research, saying engineers there hadn't had time to review it. But he defended the security and resiliency of the A5/1 privacy algorithm, saying the attacks detailed to date have been more theoretical than practical.
2.6. next steps
2.6.1. rainbow tables
2.6.1.1. make the tables free
2.6.1.2. In March, however, they say they'll start selling a faster version that can crack GSM encryption in just 30 seconds, charging between $200,000 and $500,000 for the premium version.
2.6.2. hope to be finished by March
3. Personal view
3.1. this is 64 bit encryption which is weak
3.2. make the key space smaller
3.3. put it into a table for lookup
3.4. more a result about current computational and storage capacities
3.5. I think the "news" here isn't that "phones are insecure", but that the barrier to entry has been reduced.
3.6. A5 21years old, developed in 1987
3.6.1. just an end-of-life system that will not be decomissioned
3.6.2. while the system is end-of-life cryptographically, its operational life will be much longer
3.6.2.1. like NT
3.6.3. Crypanalysis as a Service
3.6.4. that is, solve the key search problem once, sell it