Exciting news from the Chaos Communication Congress in Berlin this week: the A5/1 stream cipher meant to ensure privacy on GSM mobile phone calls has been weakened. Security researcher Karsten Nohl and his team have created an attack table – two terabytes of it – so you can look stuff up rather than be forced to calculate it yourself. They’ve saved processing time at the expense of memory. You can see the gory details in Nohl’s 26C3 presentation.
This kind of thing is not a surprise to anyone interested in security systems: a given system never becomes more secure, only less secure. New attacks and weaknesses are found. Supposedly secret keys turn out to be not-so-secret. No amount of pixie dust or PR can change this. For those designing security systems the game is to stay one step ahead of the attackers, to be Road Runner against Wile E Coyote.
But there’s a third player in the security game. Alongside our meep-meeping hero and Acme’s best customer (a black-hat hacker) is the white-hat hacker. His job is to find Road Runner’s vulnerabilities before Coyote does: because that way Road Runner can introduce effective countermeasures before Coyote can do any damage. White-hat hackers are needed in part because, as security guru Bruce Schneier says, anyone can create a security system they cannot themselves break. You need some attackers on your side to point and laugh when you make a basic error, because the black-hat hackers won’t be so kind.
In this case, Nohl’s team are wearing white hats: they’re the good guys. And don’t forget that Nohl’s team might not be first. We don’t know. Suitably savvy crooks might have already exploited the weaknesses in A5/1.
An appropriate response from the GSM Association – the mobile operators and hangers-on who promote GSM – would have been: “Yes, this was always going to happen at some point. That’s why we’re doing blah blah blah,” where the blahs would describe some change that strengthens the system. That would give people confidence that the association were thinking ahead, working to improve security.
But when I heard the news of this new attack I laughed. I knew what the response would be. The GSM Association would find the nearest hole and wedge its head firmly inside, while issuing pooh-pooh PR from its prominent buttocks. And that is precisely what has come to pass.
A spoke tells us, “We consider this research, which appears to be motivated in part by commercial considerations, to be a long way from being a practical attack on GSM.” Pooh! “To [develop this attack] while supposedly being concerned about privacy is beyond me.” Pooh! Nohl’s activity was “highly illegal.” Pooh!
Let’s take those points in order:
- What’s impractical now will be practical soon: it’s the way technology works. If you wait until it’s a practical attack you’ll be too late. The GSM Association are probably just hoping that GSM will die before this happens.
- Nohl’s team call GSM “the most widely deployed privacy threat on the planet” and don’t believe the GSM Association is taking its weaknesses seriously. That sounds like concern about privacy to me.
- Cretins. White-hat hackers must use black-hat methods or it’s game over.
But, you say, Nohl could have taken his attack to the GSM Association privately. I don’t think this would have had any effect. From his presentation it seems as if they were well aware of his work, and the default behaviour of associations like this when presented with undesirable information tends to be to either ignore it or try to suppress it. The unfortunate truth is that it is only through transparency that anything changes. See also: MPs’ expenses.
Surely, you continue, the GSM Association contains some people who aren’t dumb. They must know that security systems get broken all the time. Of course they do. In fact they were perfectly capable of issuing the response I suggested above because a stronger replacement cipher is available, KASUMI or A5/3, that I believe handsets already support. (Nohl’s presentation suggests A5/3 has weaknesses of its own, but let’s not go there.)
This new cipher isn’t in widespread use simply because not all operators have upgraded their systems; they’re trading off the increase in security against the expense of upgrading.
I’m guessing this was not a message the operator-packed GSM Association wanted to send out in their condemnation of Nohl’s work.
Avaragado's blog 