Computer hackers attending the Chaos Communication Congress in Berlin were told that a concerted hack had cracked and published the secret code that protects 80% of the world’s mobile phones. The move exposes more than 3bn people to having their calls intercepted, and may eventually force mobile phone operators to dip their hands into their pockets and pay for a costly upgrade of their networks.
Karsten Nohl, a German encryption expert, said the hack demonstrates the weaknesses of the security measures protecting the Global System for Mobile Communications (GSM) and ought to push mobile operators into quickly improving their inadequate systems. “We had given up hope that network operators will move to improve security on their own, but we are hoping that with this added attention, there will be increased demand from customers for them to do this,” he is reputed to have said.
“This vulnerability should have been fixed 15 years ago. People should now try it out at home and see how vulnerable their calls are.” Mr Nohl was due to run a practical demonstration of the code but postponed it while he takes advice from lawyers on whether the exercise would be legal. However, the code is already being widely circulated on the internet.
Mr Nohl, a widely consulted cryptography expert with a doctorate in computer engineering from the University of Virginia, waged a similar campaign this year which caused the DECT Forum, a standards group based in Bern, to upgrade the security algorithm for 800m cordless home phones. The hacked GSM code could compromise more than 3bn people in 212 countries. It does not affect 3G phone calls, however, which are protected by a different security code. The GSM Association, the industry body for mobile phone operators, which devised the A5/1 encryption algorithm 21 years ago, said it was monitoring the situation closely.
Security experts expressed fears that cracking the code meant lowering the bar for any potential interception of calls. “A year ago it would have required equipment costing hundreds of thousands of dollars, and serious expertise to listen in to a call,” said Simon Bransfield-Garth, chief executive of Cellcrypt, a mobile phone encryption company. “Today it is going to require $1,500 of network equipment and a computer. It is getting down to a mainstream price tag and moving to the point when it will be straightforward to do,” he continued.
The GSMA has agreed to upgrade its systems on at least one occasion before, in 2004, when security flaws were discovered in another security code, known as A5/2, and operators across Latin America, Asia and Africa were forced to upgrade their networks. A security upgrade could prove very costly, however, as some operators would have to replace their old base stations completely. The A5/2 upgrade, for example, took about 18 months.
A decision on whether to upgrade to a stronger code ought to be taken at the next meeting of the GSMA security group in February.