Wednesday, September 23, 2009

GSM Mobile Phone Security

I know I babble a lot about computer and internet security, and I tend to be more paranoid about it than most people...but I thought this topic was important to mention, because it covers a much wider range of people than just wireless network computer users.

GSM (Global System for Mobile) is the technology standard used to encrypt and transmit voice and data on most of the cell/mobile phone networks in the world. Everyone in the US who has AT&T or T-Mobile for service uses the GSM standard, as do most major carriers in over 200 other countries.

The GSM specification was created back in 1980, as a way to try to standardize mobile phone encryption and transmission. Now, for those of us who were alive in 1980, take a second to remember what kind of computers and computing power existed back then (Apple II+, Commodore 64, IBM/MS-DOS computers where processors were measured in HERTZ and memory was measured in KILObytes). For those who don't remember this, just imagine the computers back then had less power than even the lowest-end TI calculators have today, and certainly way less than any current mobile phone. OK....got that idea in mind?

The encryption strength and algorithm used in GSM were VERY strong for 1980. Even supercomputers in 1980 would have taken a long time to brute-force the 64-bit encryption that was being used. The encryption algorithm was also proprietary (secret), which in 1980 wasn't a problem to keep secret because we didn't have the internet and the unlimited collaboration potential we have now. In addition, given the processing power of mobile phones in 1980, it would not have been possible to use any stronger encryption or any more complex encryption algorithms. It was the right solution for then.

Fast forward to 2009, 29 years later. We're still using the same GSM technology from 1980. The same encryption strength, the same encryption algorithms. Personal computers have the processing power that supercomputers had in 1980. Even the lowest-end mobile phones have more processing power than computers in 1980. 128-bit encryption is the MINIMUM now for computer applications (keeping in mind that 128-bit encryption isn't just twice as good as 64-bit, it's 2 to the 64th POWER times better than 64-bit encryption - the number of possible keys increases exponentially with key length). We have the internet and can share ideas and collaborate with the entire world. We've also had 29 years to figure out the "secret" proprietary encryption algorithms. Can you see where this is going?

GSM has been completely cracked. Any hobbyist with a little spare cash and a willingness to do some googling can hook up a circuit board and antenna to their laptop (via standard USB or ethernet) and monitor and decrypt GSM-based transmissions right out of the air. There's enough open source software out there to make it easy to listen to voice streams, look at data streams, or whatever the streams of packets happen to be transmitting/receiving from a GSM phone.

The problem with this technology no longer being secure, as opposed to other wireless technologies like WEP and WPA, is that even if there's a newer more secure technology available, it will take years for everyone currently on GSM networks to be upgraded to use it. Not only would the network itself have to be upgraded, but all existing phones would have to be as well - not something that happens overnight.

Again, none of this is meant to scare people; it's just meant to make people aware. People should never assume that everything they do on their phone is private and secure, and they should understand the risks.

A couple of other points to make:

Internet use on GSM phones - the encryption used to transmit packets from your phone to the tower is broken and crackable, but if you're using a secure web connection (https/SSL) in the web browser itself, that encryption is in addition to the GSM encryption and is much better/stronger (it is the same as what your PC web browser uses), so there is less to worry about. For example, if you access your online banking site from your phone, you're still protected by the SSL encryption the banking website is using.

People who don't use the GSM network (the other major one being CDMA, used by Sprint and Verizon) - if you think you're safer, you're probably not. While there is no specific widespread CDMA cracking technology out there yet, the level of technology CDMA uses isn't really much stronger than GSM; it's just that GSM is a bigger target since it's used so widely across the world. Its day is coming :(

2 comments:

Eric said...

I'm sure the gubbermint will just make the hardware and software used to crack GSM illegal. That's what they did for radios that could receive analog cell phone signals, and look how well that worked out!

Anonymous said...

Hi,

In the encrypted mobile phone they are using the GSM encryption algorithm, so this type of mobile is useful in secure GSM communication.