http://www.dailytech.com/After+21+Years+GSM+Encryption+is+Cracked+Putting+35B+Users+at+Risk/article17236.htm
QuoteFor 21 years, the same encryption algorithm, A5/1, has been employed to protect the privacy of calls under the Global Systems for Mobile communications (GSM) standard. With the GSM standard encompassing 80 percent of calls worldwide (AT&T and T-Mobile use it within the U.S.) — far more than the leading rival standard CDMA — this could certainly be considered a pretty good run. However, someone has finally deciphered and published a complete analysis of the standard's encryption techniques in an effort to expose their weaknesses and prompt improvement.
Karsten Nohl, a 28-year-old German native, reportedly cracked the code and has published his findings to the computer and electronics hacking community. Mr. Nohl, who cites a strong interest in protecting the privacy of citizens against snooping from any party, says that his work showcases the outdated algorithms' flaws.
At the Chaos Communication Congress, a four-day conference of computer hackers that runs through Wednesday in Berlin, he revealed his accomplishments. He describes, "This shows that existing GSM security is inadequate. We are trying to push operators to adopt better security measures for mobile phone calls."
The GSM Association, the London-based group that developed the standard and represents wireless companies, was quick to blast the publication calling Mr. Nohl's actions illegal and counterintuitive to the desire to protect the privacy of mobile phone calls. However, they insist that the publication in no way threatens the standard's security.
Claire Cranton, an association spokeswoman, confirmed that Mr. Nohl was the first to break the code, commenting, "[Security threats from the publication of this standard are] theoretically possible but practically unlikely. What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me."
Mr. Nohl attended college in the U.S. and received a PhD in computer engineering from the University of Virginia. Via a similar publication, he managed to convince the DECT Forum, a separate standards group based in Bern, to upgrade its own security algorithm, improving the protection to the standard's 800 million customers in the process.
And while the trade group is only on yellow alert, some security experts disagree with the group's threat analysis, as well, saying the threat could be far more serious. One expert suggested that calls may soon need to be scanned for malicious activity, much as an antivirus scanner works on a computer.
:D
"Hey, I cracked your encryption. You should get better encryption."
"NO DON'T DO THAT, THAT IS ILLEGAL. DAMN YOU. ANYWAY, IT'S NOT THAT BIG A DEAL."
:lulz: We're fucked.
Quote from: Felix on January 02, 2010, 07:45:22 PM
"Hey, I cracked your encryption. You should get better encryption."
"NOBODY WOULD DO THAT, THAT IS ILLEGAL. GO BACK TO SLEEP. ANYWAY, IT'S NOT THAT BIG A DEAL."
:lulz: We're fucked.
fixed
lolz
I'm still laughing about the way Mr. Limbaugh used "sheep" rhetoric in that debate about healthcare.
Quote from: Felix on January 02, 2010, 07:45:22 PM
"Hey, I cracked your encryption. You should get better encryption."
"NO DON'T DO THAT, THAT IS ILLEGAL. DAMN YOU. ANYWAY, IT'S NOT THAT BIG A DEAL."
:lulz: We're fucked.
No,
they're fucked. We're doing awesomely.
Quote from: Felix on January 02, 2010, 07:45:22 PM
We're fucked.
Speak for yourself, I'm on a CDMA network.
It was bound to happen
Quote from: Cain on January 02, 2010, 10:48:16 PM
Quote from: Felix on January 02, 2010, 07:45:22 PM
"Hey, I cracked your encryption. You should get better encryption."
"NO DON'T DO THAT, THAT IS ILLEGAL. DAMN YOU. ANYWAY, IT'S NOT THAT BIG A DEAL."
:lulz: We're fucked.
No, they're fucked. We're doing awesomely.
yes. it's not like the government wasnt listening already anyway. this is just a pointer to bring it to the big public in an effort to make it harder for them.
You're all fucked with me because this is how huge entities deal with huge problems.
Not always. When zero-day exploits were found for Adobe, Apple and Microsoft products, fixes were released within a few weeks. When WEP was cracked they released WPA, and before WPA was even cracked they released WPA2 and there are a couple of different encryption options for it.
Ah, the classic "there was nothing wrong with our security until you found a hole in it" defense.
Quote from: Slanket the Destroyer on January 03, 2010, 06:36:34 PM
Not always. When zero-day exploits were found for Adobe, Apple and Microsoft products, fixes were released within a few weeks. When WEP was cracked they released WPA, and before WPA was even cracked they released WPA2 and there are a couple of different encryption options for it.
It took more than 15 minutes to crack WEP?
Who's with me in thinking that pursuing a degree in computer engineering is going to put you on a terrorist watch list from now on?
Quote from: GA on January 04, 2010, 01:56:56 AM
Ah, the classic "there was nothing wrong with our security until you found a hole in it" defense.
Well put good sir.
Quote from: Mistress Freeky on January 04, 2010, 02:05:26 AM
Who's with me in thinking that pursuing a degree in computer engineering is going to put you on a terrorist watch list from now on?
If we make computers an act of terror, only terrorists will have computers!!
What doesn't get you put on a terrorist watch list these days? Hell, studying terrorism gets you put on the terrorism watchlist.
As for computers and paranoia, remember when the USA declared anything above 40-bit encryption were a type of munition, and using it was an act of war against the USA? Or, after September 11th, when a bunch of suspicious "computer security experts" declared terrorists were using Linux and that Something Should Be Done About This?
:lulz: Ah, good times.
I once farted in public, and someone called it a "dirty bomb". Terrorist watch list. :(
Also, is it just me or does GSM sound like jizm in your head?
Quote from: Cain on January 04, 2010, 10:26:18 AM
As for computers and paranoia, remember when the USA declared anything above 40-bit encryption were a type of munition, and using it was an act of war against the USA?
Yes, and when they finally get around to trying to take my encryption away I plan to claim my second amendment rights based on that.
Quote from: Cain on January 04, 2010, 10:26:18 AM
What doesn't get you put on a terrorist watch list these days? Hell, studying terrorism gets you put on the terrorism watchlist.
As for computers and paranoia, remember when the USA declared anything above 40-bit encryption were a type of munition, and using it was an act of war against the USA? Or, after September 11th, when a bunch of suspicious "computer security experts" declared terrorists were using Linux and that Something Should Be Done About This?
:lulz: Ah, good times.
I remember when a bunch of us at college won world war 3 without the USA even knowing about it. After they pulled that shit we 64bit encrypted a declaration of war with a "failure to respond within 6 months will be treated as a formal surrender" - disclaimer then wrote it to every 3.5 inch floppy we copied for months.
P3nT,
Now part owns the USA, along with half a dozen other college nerds.
http://www.theregister.co.uk/2010/01/13/gsm_crypto_crack/
The replacement isn't even out yet and is already in trouble.
Hm, that "sandwich attack" on A5/3 might not be very practical right now, but it's only been in the spotlight for a few weeks and attacks only get better, never worse.