Low-Cost Attack on GSM Encryption Demoed

WASHINGTON – A pair of security researchers have developed a way to use $1,000 worth of off-the-shelf hardware to receive and decipher GSM signals, significantly reducing the time it takes to eavesdrop on conversations on the world’s largest mobile phone network.
The technology was introduced Feb. 20 at the Black Hat DC Briefings here by David Hulton and Steve Miller, two wireless security experts who claim they are the first to implement a low-cost practical attack against A5/1, the cipher used to protect the privacy of GSM cell phone calls.
“GSM is not secure. It’s a big network with base stations all over the place. Our goal is to raise awareness and to motivate the mobile industry to secure the network,” Hulton said.
Hulton, who is best known for his work on 802.11b penetration testing and auditing tools, warned that the reduction in cost and time to crack GSM encryption technology could lead to a rise in data and identity theft attacks, with malicious hackers eavesdropping on cell phone calls and tracking the location of mobile phone users.
He teamed up with Miller on stage to demo the “fully passive” technique, which uses a combination of the TMTO (Time-Memory Trade Off) or Rainbow Table attack and some other tricks.
“One of the tricks that we use to compute such a large table is by implementing the Rainbow Table generation and real-time attack on FPGAs. This reduced our time drastically. On a single PC it would take roughly 33,000 years to compute the table or would take 33,000 PCs one year. With a moderate 4U cluster of 68 FPGAs [field-programmable gate arrays], we can do it in three months,” he said.
Hulton, the co-founder of Pico Computing, a manufacturer of compact embedded FPGA computers, said his company is developing new hardware to speed this up and make the attack more cost effective.
“The time to crack it comes down to money,” he said.
According to Hulton and Miller, an attacker with access to six 350GB hard drives (2TB) and one FPGA can easily recover the key of a GSM conversation (voice or sms/text) in less than 30 minutes.
“The speed is proportional to the hard drive access time and the number of FPGAs. For the cheap attack to work twice as fast, it would require twice the number of hard drives and twice the number of FPGAs,” he said.
It is not the first time that the A5/1 stream cipher came under the scrutiny of security researchers but, before now, realistic attacks required about $1 million in equipment, Hulton said.
He also used his presentation to detail several security holes in the GSM standard, warning that only the air part of a GSM communication is encrypted. “The signal is decrypted at the base station and then transmitted in clear text across the network,” he said, noting that the encryption on the air part was broken in 1998.