Code breakers crack GSM cellphone encryption

Experts at the Technion in Haifa who specialize in cryptography have discovered that mobile phone calls made on the popular GSM network are vulnerable to break-ins. The faults discovered in the 850 million cellphones could be used by thieves or eavesdroppers to listen in on calls, steal calls and even to impersonate phone owners.

The team of researchers in Haifa, including Professor Eli Biham and doctoral students Elad Barkan and Natan Keller, presented their findings at the Crypto 2003 conference held two weeks ago at the University of California, Santa Barbara.

The 450 participants, many of whom are leaders in encryption research, ‘were shocked and astounded’ by their revelation that most cellphones are susceptible to misuse. ‘They were very interested in our work and congratulatory,’ Biham said.

If the cellphone companies in 197 countries want to correct the code errors that expose them to trickery and abuse, they will have to call in each customer to make a change in the cellphone’s programming, or replace all of the cellular phones used by their subscribers.

Biham, Barkan, and Keller’s discovery involved a basic flaw in the encryption system of the GSM (global system for mobile communications) network, which is used by 71 percent of all cellphones.

“Elad discovered a serious flaw in the network’s security system,” explained Biham. “He found that the GSM network does not work in the proper order: First, it inflates the information passing through it in order to correct for interference and noise and only then encrypts it.”

At first, “I told him (Barkan) that it was impossible,” Biham told Reuters. “I said such a basic mistake would already have been noticed by someone else. But he was right, the mistake was there.”

In the wake of this discovery, the three Technion researchers developed a method that cracks the GSM encryption during the initial ringing stage, before the call begins, and then allows the call to be overheard. With the aid of a special device that can also broadcast, it is possible to steal calls and even to impersonate phone owners, even in the middle of an ongoing call.

“We can listen in to a call while it is still at the ringing stage and within a fraction of a second know everything about the user,” Biham said. “Then we can listen in to the call.

“Using a special device it’s possible to steal calls and impersonate callers in the middle of a call as it’s happening,” he said. GSM code writers made a mistake in giving high priority to call quality, correcting for noise and interference, and only then encrypting, Biham said.
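As an added illustration (not part of the article or of the researchers' work), this toy Python example uses a (7,4) Hamming code and a constructed keystream to show why the ordering Biham describes matters: when redundancy is added before encryption, the public parity checks of the ciphertext equal the parity checks of the keystream, so an observer learns key-dependent bits without knowing anything about the call content; encrypting first and adding redundancy afterwards reveals nothing of the kind.

```python
# Toy illustration (constructed; not GSM's real code or cipher): encoding for
# error correction before stream encryption leaks key-dependent parity bits.
# A codeword satisfies public parity checks; XOR-ing a keystream onto it gives a
# ciphertext whose parity checks equal the keystream's, with no plaintext needed.
import random

# Generator and parity-check matrices of the systematic (7,4) Hamming code.
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
H = [[1, 1, 0, 1, 1, 0, 0],
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]

def encode(data4):
    """Map four data bits to a seven-bit codeword (data bits plus three parity bits)."""
    return [sum(d * g for d, g in zip(data4, col)) % 2 for col in zip(*G)]

def syndrome(word7):
    """Public parity checks of a seven-bit word; all zero for a valid codeword."""
    return [sum(w * h for w, h in zip(word7, row)) % 2 for row in H]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def ecc_then_encrypt(blocks, keystream):
    """The ordering the article describes: add redundancy first, then encrypt."""
    return [xor(encode(b), keystream[7 * i:7 * i + 7]) for i, b in enumerate(blocks)]

def encrypt_then_ecc(blocks, keystream):
    """The safer ordering: encrypt the data bits, then add redundancy."""
    return [encode(xor(b, keystream[4 * i:4 * i + 4])) for i, b in enumerate(blocks)]

def keystream_relations(keystream, nblocks):
    """Ground truth known only to the key holder: parity checks of the keystream."""
    return [syndrome(keystream[7 * i:7 * i + 7]) for i in range(nblocks)]

def demo(seed=1, nblocks=4):
    """Return (ciphertext parity == keystream parity, ciphertext parity all zero)."""
    rng = random.Random(seed)  # constructed keystream and data, not a real cipher
    keystream = [rng.randint(0, 1) for _ in range(7 * nblocks)]
    blocks = [[rng.randint(0, 1) for _ in range(4)] for _ in range(nblocks)]
    leaky = [syndrome(c) for c in ecc_then_encrypt(blocks, keystream)]
    safe = [syndrome(c) for c in encrypt_then_ecc(blocks, keystream)]
    return leaky == keystream_relations(keystream, nblocks), all(s == [0, 0, 0] for s in safe)
```

By linearity, syndrome(codeword XOR keystream) = syndrome(keystream) whatever the data bits were, which is exactly the known-keystream material that the "inflate, then encrypt" ordering hands to anyone who can receive the radio signal.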

Recently, a new and modern encryption system was chosen as a response to previous attacks on the existing encryption system. But the Technion researchers also succeeded in overcoming this improvement. The new method works for all GSM networks worldwide, including the U.S. and Europe.

Four years ago, a number of articles were published by Israeli researchers – including Biham – warning of the possibility of cracking the GSM code. An even earlier study on this potential problem was conducted by Professor Adi Shamir of the Weizmann Institute of Science, a world expert in cryptography whose encryption system is widely used in the field of satellite television.

The cellular companies responded to these earlier publications by explaining that it would be very difficult to implement these theoretical scenarios. To crack the codes, a hacker would need to tap into a conversation at the precise moment it began, and there is really no chance of doing this, the cellular firms said.

Biham explained that encryption ciphers were kept absolutely secret until 1999, when a researcher called Marc Briceno succeeded in reverse engineering their algorithms. “Since then many attempts have been made to crack them, but these attempts required knowing the call’s content during its initial minutes in order to decrypt its continuation, and afterwards, to decrypt additional calls. Since there was no way of knowing call content, these attempts never reached a practical stage. Our research shows the existence of the possibility to crack the codes without knowing anything about call content,” he notes.

A copy of the research was sent to GSM authorities in order to correct the problem, and the method is being patented so that in future it can be used by the law enforcement agencies.

The GSM Association, representing vendors who sell the world’s largest mobile system, which is used by more than 860 million consumers in 197 countries, confirmed the security hole but said it would be expensive and complicated to exploit.

“This (technique) goes further than previous academic papers, (but) it is nothing new or surprising to the GSM community. The GSM Association believes that the practical implications of the paper are limited,” it said in a statement.

The GSM program was created some two decades ago and is now in its second generation. A third generation is being developed, Biham said, ‘and since we told them about the fault, they will be able to produce it without errors, but I don’t know how long it will take before the new system is released.’

Biham was not aware of any clever thief who has already used the fault to cheat phone users, but ‘any failure like this could eventually be discovered and used for illegal purposes. That’s why we made the information known to GSM.’

Even if the cellular companies choose not to fix the breach discovered in the GSM security system, this problem will disappear when the cellular operators move to the third generation of cellular technology. According to Biham, the problem does not exist in this next-generation standard. But it will be several years before the third-generation technology is fully deployed. Partner plans to begin trial use of the new technology next year, with commercial operation starting only at the end of the year or in 2005.