[Infowarrior] - Wiretapping Made Easy

Richard Forno rforno at infowarrior.org
Fri Feb 22 21:13:16 UTC 2008


Security
Wiretapping Made Easy
Andy Greenberg, 02.21.08, 12:53 AM ET

http://www.forbes.com/2008/02/21/cellular-spying-decryption-tech-security-cx_ag_0221cellular.html?feed=rss_popstories

Washington -

Silently tapping into a private cellphone conversation is no longer a
high-tech trick reserved for spies and the FBI. Thanks to the work of two
young cyber-security researchers, cellular snooping may soon be affordable
enough for your next-door neighbor.

In a presentation Wednesday at the Black Hat security conference in
Washington, D.C., David Hulton and Steve Muller demonstrated a new technique
for cracking the encryption used to prevent eavesdropping on global system
for mobile communications (GSM) cellular signals, the type of radio
frequency coding used by major cellular service providers including AT&T,
Cingular and T-Mobile. Combined with a radio
receiver, the pair say their technique allows an eavesdropper to record a
conversation on these networks from miles away and decode it in about half
an hour with just $1,000 in computer storage and processing equipment.

Hulton, director of applications for the high-performance computing company
Pico, and Muller, a researcher for mobile security firm CellCrypt, plan to
make their decryption method free and public. In March, however, they say
they'll start selling a faster version that can crack GSM encryption in just
30 seconds, charging between $200,000 and $500,000 for the premium version.

Who will be the customers for their innovative espionage technique? Hulton
and Muller say they aren't sure yet. But they plan to offer the method to
companies that will integrate it with radio technology, not sell it directly
to the law enforcement and criminal customers who will undoubtedly be
interested in putting it to use. "We're not creating the technology that
does the interception," Muller says. "All this does is crunch data."

Hulton and Muller will likely make a tidy profit from the fruits of their
research work, which they've personally patented. The companies they work
for may profit less directly; Pico makes the high-performance processors
necessary to do heavy-duty encryption work. CellCrypt makes software for
encrypting mobile phone conversations, patching the security flaw that
Hulton and Muller's research has uncovered.

As for the moral question of chipping away at the privacy of cellphone users
around the world, Muller gives an answer common to security researchers: He
and Hulton didn't invent the hackable technology; they just brought
attention to its vulnerabilities.

In fact, Muller argues, GSM encryption was cracked--theoretically--in
academic papers as early as 1998. "Active" radio interceptors, which
impersonate cell towers and can eavesdrop on GSM phone conversations, have
also been sold by companies like Comstrac and PGIS for years. (Active
techniques, however, only allow eavesdropping from within about 600 feet and
are easily detectable, Muller notes.) Undetectable, "passive" systems like
the one that Muller and Hulton have created aren't new either, though
previous technologies required about a million dollars worth of hardware and
used a "brute force" tactic that tried 33 million times as many passwords to
decrypt a cell signal.

All of that means, Hulton and Muller argue, that their cheaper technique is
simply drawing needed attention to a problem that mobile carriers have long
ignored--one that well-financed eavesdroppers may have been exploiting for
years. "If governments or other people with millions of dollars can listen
to your conversations right now, why shouldn't your next-door neighbor?"
Muller says.

The new technique may serve as a wake-up call for mobile carriers, which
have long been in denial about the vulnerabilities of GSM security, says
Bruce Schneier, encryption guru and chief technology officer of BT
Counterpane.

"This is a nice piece of work, but it isn't a surprise," he says. "We've
been saying that this algorithm is weak for years. The mobile industry kept
arguing that the attack was just theoretical. Well, now it's practical."

David Pringle, a spokesman for the GSMA trade association, which represents
700 GSM carriers around the world, said in a statement that "the mobile
industry is committed to maintaining the integrity of GSM services, and the
protection and privacy of customer communications is at the forefront of
operators' concerns."

He also pointed out that decrypting GSM still requires special equipment and
is more secure than a typical landline. The GSMA, he noted, has developed
and is working on implementing a higher level of encryption, and newer 3G
cell carriers are also immune from the attack.

Although their exploit doesn't target the competing CDMA cellular technology
used by carriers like Verizon and Sprint Nextel, Muller argues it's not
necessarily less secure.
GSM was only decrypted first because it's more popular worldwide: Few
cellphone subscribers outside North America use CDMA carriers.

So how do Hulton and Muller ensure that their own phone conversations aren't
intercepted? Muller responds to that question, posed by an audience member
at Black Hat's gathering of hackers and security professionals, with a
smile.

"We don't use phones," he says.
