The BBC has reported (http://news.bbc.co.uk/1/hi/technology/8429233.stm) that Karsten Nohl has published details of the encryption algorithm used to encrypt mobile phonecalls made using GSM technology.
The topic has inspired much discussion following a talk at the Chaos Computer Congress in Berlin. The GSM Association seems, according to the BBC report, to be a little ambivalent about the affair, warning that "Mr Nohl's work would be "highly illegal" in the UK and many other countries."
However, the report goes on to say that:
…the GSMA dismissed the worries, saying that "reports of an imminent GSM eavesdropping capability" were "common".
It said that there had been "a number" of academic papers outlining how A5/1 could be compromised but "none to date have led to a practical attack".
Well, it's too early to say how this will play out, certainly on the strength of this report. It does seem that the scope for intercepting conversations could be impressive, if Nohl's work translates into real attacks that have real impact in certain contexts (espionage, law-enforcement, and so on). However, in the data-driven world we now occupy, I wonder whether it carries quite the same importance as the interception of binary data, especially if it accelerates the take-up of A5/3. At the same time, doesn't this say something about the ultimate ineffectiveness of security that assumes that economically infeasible solutions are forever?
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/