Secret code protecting cellphone calls set loose

Cryptographers have moved closer to their goal of eavesdropping on cellphone conversations after cracking the secret code used to prevent the interception of radio signals as they travel between handsets and mobile operators' base stations. The code is designed to prevent the interception of phone calls by forcing mobile phones …


This topic is closed for new posts.
  1. Anonymous Coward

    Big Yawn

    It's pretty clear that Intelligence Services such as the NSA have been doing this for years.

    1. Anonymous Coward

      Go back to bed then

      The NSA is the biggest employer of mathematicians and has the single biggest yearly computing kit budget. I'd be very, very disappointed if they wouldn't have been able to do what mere citizens can do now. Or happy. Secret services doing all that doesn't seem to have done much for the public good, though.

    2. Lou Gosselin

      @Big Yawn

      That's what I was thinking, people who care about privacy lost it a long time ago.

    3. Nexox Enigma


      """It's pretty clear that Intelligence Services such as the NSA have been doing this for years."""

      Right, I'm sure they'd be running a rainbow-table based attack on something they can tap almost at will (results vary based on nearest government.)

      1. Paul Banacks


        "Right, I'm sure they'd be running a rainbow-table based attack on something they can tap almost at will (results vary based on nearest government.)"

        Perhaps... In their own countries.

      2. James O'Brien


        In the (in)famous words of Eric S.

        'if you're worried about privacy on the phone, he said, then you're probably doing something wrong in the first place.'

        And it starts again :)

    4. Anonymous Coward

      Big Yawn - They do not need to

      A femtocell + software to run a controller for 1-2 cell sites only with 1-2 calls only is a fraction of the cost of this. It also captures both uplink and downlink and does it in real time. The kit is available for GSM, 3G and other cellular tech out there and the whole thing costs sub-10K - less than the two software defined radios and the computers to run the crack.

    5. dave lawless

      World of difference

      The NSA usually won't be extorting money from you or they'll tell.

      The NSA usually won't be insider trading.

      The NSA usually won't be trying to find out if you want to be Camilla's tampon.

      1. fajensen Silver badge

        That So?

        The Entire USA government is run by - and for the sole benefit of - Wall Street cronies and insiders mostly embodied as Oligarchs from Goldman Sachs .... therefore the NSA will rob you too!

  2. Anonymous Coward

    Channel hopping

    Channel hopping? All you need is a TV and a remote. Beer and crisps are optional.

  3. Anonymous Coward


    Was anyone ever under the impression that cell phone calls were private??????????

    1. Graham Marsden


      ... certainly not the "I'M ON THE TRAIN!!" sort of conversations....

    2. Swarthy

      Private, indeed

      Judging from cellphone calls I've overheard over the years, yes, people do believe their cell phone calls are private, even/especially if held at a loud volume in a restaurant or theatre.

  4. Bernie 2
    Thumb Up


    Interesting article.

  5. Anonymous Coward

    @AC - 19:32

    It's pretty clear intelligence services don't need to do it as they can install their equipment in the base station. And they don't need to reverse-engineer the algorithms as they can easily get the secret appendices of the specification from the GSMA.

    The problem here is that organisations like Mafia can get it with a modest budget.

  6. Idiots _Quotient

    |:| White Hat Spooks ha ha ha |:|

    M lovin IT .........

  7. raving angry loony

    @AC 28Dec@19h32

    Perhaps, but the various spy agencies are probably doing their interception once it gets to the wire, not on the air. So not a "big yawn", but rather another example of why security through obscurity (ie: "secret codes") doesn't work.

  8. Andus McCoatover

    Not to worry.

    Well done, chaps for breaking the A5/1 algorithm.

    Did no-one tell you that GSM (2G) is dead in about a year or so and the 3G standard is much, much more secure? That might be why the military uses spread-spectrum. (Google for Hedy Lamarr for the 'prior art' bit*. You'll be surprised. I was.)

    Oh, and China has the A5/0 algorithm, which is open (i.e., unencrypted so the Chinese can spy on anyone, as usual). So?

    "...was developed by volunteers around the globe using giant clusters of computers and gaming consoles.." made me snort on the pub keyboard again. Gaming consoles, FFS???

    Icon, 'cos I'm in the lounge. Of the pub, natch.

    *OK, as El Reg readers are in "Couch Potato" mode after the hols, I've done it for you.

    1. karakalWitchOfTheWest
      Gates Halo


      All your calls are made with 2G and not 3G. Try to turn off 3G on your handset and you will still be able to make calls.

      Gaming consoles? Yes. PS3 from Sony.

      1. Andus McCoatover

        No Troll...

        Just an ex-GSM engineer, who kept being told when 2G would be 'turned off'. In 2004, it was 2008, then a bit more life...2011 was the last date I heard. Try to turn off 2G on your phone, you can still call..Possibly...

        Of course, NMT450 got a boost when Nokia brought out its "Ringo" phones, but the boost was only a couple of years or so. Pissed off a lot of users here in Nordic-land. Pity anyone who bought a 2G-only iPhone.

        Gaming consoles? Just sounded - well, a bit 'Ginger', as Jeremy Clarkson once said.

    2. Ross 7

      Re: Not to worry

      "Gaming consoles, FFS???"

      Aye - "Fat" PS3s make really nice HPC clusters. As you're a fan of Googlin' try "folding@home"...

      And 2G ain't anywhere near dead unfortunately. Plenty of people out there using 2G SIM cards and the phone co's have no interest in paying good money to send out a replacement 3G card whilst the 2G one works fine - margins are too slim. You think they care one jot about OTA security?

    3. Doug Glass

      Most People Who Read "The Register"...

      ... don't have any clue who Hedy Lamarr was or what she co-invented while a "dumb blonde" actress of the '30s.

      Spread Spectrum has been around a very long time and what's invented today can always be hacked tomorrow.

    4. Ed Panzeter 1

      What is funny about gaming consoles being used?

      Maybe I'm missing the funny, but linked gaming consoles have been used as a poor man's supercomputer for years now. The gaming consoles often offer way more processing power for the dollar than a computer of similar spec. I know Sony was getting their panties in a bunch because researchers were purchasing loads of PS3s to link and crunch numbers. Sony was losing money on those scenarios because these researchers would never purchase any games or anything for the Sony-subsidized kit.

  9. Keith T

    Karsten Nohl, al Qaeda and the IRA thank you.

    Yes, major intelligence agencies have been doing this for years.

    But criminals, so-called "terrorist groups", and minor intelligence agencies could only do it with the charitable donation of intellectual property by hackers and security researchers.

  10. F Seiler

    @Big Yawn

    While that may or may not be clear, showing how a relatively cheap setup can intercept calls is still worth something.

    Operators may choose to ignore that someone with a huge budget to invest into this kind of games is capable of it; that is one thing, and maybe they were even kind of fond of knowing that for those "national security relevant" cases, the gov can just do it fine by itself without putting the operator into the uncomfortable situation to have to help.

    But if basically any hobbyist can do it without ruining herself (and therefore a specialised company can provide it as a quite cheap service as they have to invest only once), that is an entirely other matter.

  11. Anonymous Coward
    Black Helicopters

    there are no known attacks against 3G


    DAILY MAIL 22 AUG 2007 Page 15

    Taliban fanatics are tapping the mobile phones of British soldiers and calling their families to tell them their loved ones are dead. They may also be using the calls home to pinpoint the positions of camps in Afghanistan's wartorn Helmand province. Forces in Afghanistan have now been banned from using mobile phones to stop the infiltration.....

    there are thankfully backup GSM security algorithms from the nice guys at ETSI, just remind me what is the roll-out strategy when A5/1 & A5/2 are deprecated?

    1. Cameron Colley

      That's why they call it the Daily Fail...

      I'd say the situation in Afghanistan is much like the situation here -- the government and those with phone company connections regularly listen in on calls without the need for any "digital scanners" picking up the calls.

  12. JohnG Silver badge

    Dumb phones

    Given that the dumbest of GSM phones need to be able to agree/follow channel hopping with a base station, the complexity of any encryption is likely to be limited.

    Perhaps it would not be that difficult to modify a handset to follow the conversation of a target handset, given that it already has suitable receiver circuitry and the necessary encryption/decryption algorithms in firmware.

    1. Dale Richards

      Cellular tapping?

      There's an app for that...

  13. Winkypop Silver badge

    Who needs to intercept mobes?

    It seems half the civilized world puts no end of private dross from their sad existences on FailBook..

  14. MacroRodent Silver badge

    Probably not much impact

    Remember when cellular phones were analogue? People still happily used them even though they could easily be eavesdropped with a portable off-the-shelf scanner radio. GSM eavesdropping is still way harder.

    1. Mike 137 Silver badge

      Serious potential impact

      In the days of analogue phones we just talked to each other. Now, we're being driven to use our phones for authentication and financial transactions. The pickings are massively rich, so it's going to be well worth a few thousand dollars to a bunch of "agencies" who will rent out their services to the underworld. Goodbye secure login, goodbye bank balance. Cheques are just so robust by comparison.

      1. Anonymous Coward

        Secure banking in mobiles

        Secure banking in mobiles will remain secure, however, as mobile sites will still use HTTPS, regardless of any half-baked crypto the GSM standard uses. That kind of crypto is still hard to crack, short of a 1024-qubit quantum computer.

        Anyway, in the days of analogue, even a cheapo StarTAC handset could intercept calls ... the "magic" code was a source of fun for many a student back in the analogue days...

    2. James R Grinter

      Eavesdropping E/TACS

      It didn't even require a scanner - you could eavesdrop with another handset, too.

      (But I've got to agree on the impact - for most casual users are happy to speak LOUDLY and repeat everything the other person is telling them, too.)

  15. Anonymous Coward

    "medium-end graphics card"?

    There is no "medium-end" on any scale. There are the two ends and the middle. The medium is roughly in the middle, as far from the ends as you can get. Yes, the reader can work out what is meant by this curious expression, but he also sees muddled thinking by the writer, and wonders how deeply it goes.

  16. Anonymous Coward

    did anyone mention the BTS yet?

    there's an open-sauce GSM basestation project underway. There are many positive things to say about the project, however it's very likely we'll see fake/pirate/private GSM BTS soon. Did anyone mention that the BTS informs the handset what level of encryption to use - "today, Malcom, we'll be using weak"

    GSM eavesdropping is TECHNICALLY EASY - you need a USRP software radio and do up to 3 months typing in Python/C bodging free and open bits of software together. Then private individuals can ELINT/SIGINT/COMINT listen & track GSM, a USRP software radio costs around £520 and is not illegal to own or play with. It's not an overstatement to say - don't do mission critical things on GSM.

  17. max allan

    Easier eavesdropping

    If you need a radio at both ends of the conversation, an easier eavesdropping would be to stand next to one of your targets : Deedle dah dah deedle dah der dah "HELLO, I'M ON THE PHONE".... "NO IT'S SHIT"...

  18. Anonymous Coward

    Who need snooping?

    If peoples were concerned and wanted to keep their mobby conversations private, then they wouldn't YELL LIKE HOBOS in the fscking middle of the road!

  19. Harry

    "there's an open-sauce GSM basestation project underway"

    No doubt the Register will soon ketchup with that.

  20. Cortland Richmond

    Easy as Pi

    Massive rainbow table? Hello? Thousand million digits of Pi sites are out there. How massive does it have to BE?

    It's worse, really. When a high fidelity audio system can pick up the GSM buzz, why not a broad band direct data receiver? Who needs hopping?

    Not me, said Peter Rabbit!

  21. fajensen Silver badge

    Lawful Interception ...

    Is what you people should worry about: In every single piece of telecom kit sold the last 2 decades or so, there exists a "Lawful Interception Interface" that provides unrestricted access to unencrypted traffic on request by the "proper authorities". Perfect for automated collection, recording, analysis - and the archiving for Seven years so that laws can be applied retroactively perhaps - of *all* phone calls.

    The (maybe) only way around it is to use IP-Sec, SSH or VPN - but I would not count on that entirely to keep my sekret plans for world domination hidden; that is where the NSA will spend their CPU-hours, should the occasion merit.

    Be happy that most people say nothing of importance whatsoever!

  22. K. Adams

    I suspect...

    ... that the US' NSA, the UK's GCHQ, Russia's FSB, and China's MIIT "encouraged" the GSMA to "sell" them the rainbow tables for both A5/1 and A5/3 a long time ago...

  23. Peter Fairbrother 1

    Channel hopping, not

    GSM doesn't use channel hopping.

    Some 3g systems do (CDMA), but the maximum keyspace is limited to 2^24 bits, not hard to brute force. Channel hopping is not used for security, just to make better use of the available spectrum. I think the key may even be sent using a much smaller keyspace too, but I'm not sure about that.

    The (partial) break is against the A5/1 algorithm, which is used to encrypt the voice signal, and has nothing to do with channel hopping.

    I said partial because it needs a 2TB rainbow table to operate fully, and that hasn't all been made public yet - but that's just a matter of computer time to work it out.

  24. Stewart Haywood


    "The code is designed to prevent the interception of phone calls by forcing mobile phones and base stations to rapidly change radio frequencies over a spectrum of 80 channels. "

    No it's not. Frequency hopping is designed to spread interference around. The idea is that interference that may result in one or more calls failing, when spread around, results in a few more calls being degraded but not failing.

    The encryption algorithms are designed to provide network security. Note that although you may think that they are there to keep your calls private, they are not. They are there to secure the network against intruders, not to secure your calls.

  25. John Tserkezis

    It's all about making money. And if you can't, cheat.

    "All your calls are made with 2G and not 3G. Try to turn off 3G on your handset and you will still be able to make calls"

    Not sure how things work in your side of the lake, but here in Australia, some carriers (not mentioning any names) lock GSM/3G capable hardware, to 3G ONLY. So, if you're in a GSM-only covered area, you're screwed. Let's lock in our users to ourselves only shall we. That way we don't have to sub-let carrier time from someone else...

    Telstra, because they have more money to throw around, have gone further by knobbling the world-wide standard issue 3G, into something they call NextG. So if you have a GSM, GPRS or 3G phone, and you're in an area that's only covered by Telstra, you can be SURE it's kobbled to accept phones that they've knobbled with their NextG badge and firmware first.

    If you can't (or don't want to) compete on a world-wide standard issue network, make your own!
