[Infowarrior] - GSM Crack... GSMA's First Response? That's Illegal
Richard Forno
rforno at infowarrior.org
Wed Dec 30 00:28:13 UTC 2009
GSM Encryption Cracked... GSMA's First Response? That's Illegal
http://techdirt.com/articles/20091229/1044447528.shtml
The big news in security circles this week is the fact that a security
researcher claims to have cracked the encryption used to keep GSM
mobile phone calls private. It looks like he and some collaborators
used a brute force method. He admits that it requires about $30,000
worth of equipment to decrypt calls in real time, but that's pocket
change for many of the folks who would want to make use of this.
What's much more interesting (and worrisome) is the GSM Association's
(GSMA) response to this news:
"This is theoretically possible but practically unlikely," said Claire
Cranton, an association spokeswoman. She said no one else had broken
the code since its adoption. "What he is doing would be illegal in
Britain and the United States. To do this while supposedly being
concerned about privacy is beyond me."
There are so many things wrong with that statement it's hard to know
where to begin. First, claiming it's "theoretically possible, but
practically unlikely" means that it's very, very possible and quite
likely. To then say that no one else had broken the code since its
adoption fifteen years ago is almost certainly false. What she means
is that no one else who's broken the code has gone public with it --
probably because it's much more lucrative keeping that info to
themselves. Next, blaming the messenger by announcing that cracking
the code is "illegal in Britain and the United States" is not what
anyone who uses a GSM phone should want to hear. They should want to
know how the GSMA is responding and fixing the problem -- not how
they're responding to the public release. Finally, if it's "beyond"
her why cracking a code used for private conversations and showing
that it's insecure is all about being concerned about "privacy" -- she
should be looking for a different job. This has everything to do with
privacy. The GSMA claims that the code is secure for private
conversations, and this group of folks is showing that it is not. That
seems to have everything to do with privacy.