Securing GSM in Wake of Exposed Vulnerability

You're traveling overseas and make a call to a colleague at the head office using your mobile phone. You mention something sensitive -- some pricing information, your negotiating strategy or some confidential technology perhaps. If anyone's listening in to your conversation then you might have just cost your company millions of dollars. Loose lips sink ships, as the saying goes.

There's no doubt that corporate espionage -- not to mention government espionage -- goes on, and the fact is that mobile phone conversations aren't secure.

Phone networks in most parts of the world use GSM, and GSM conversations are protected by the A5 encryption algorithm, but recently the code was cracked by a team led by German cryptographer Karsten Nohl.

He said his goal was to raise awareness of the vulnerability and force operators to upgrade security, as the A5/1 cipher used by GSM is outdated and should have been replaced 15 years ago.

As a result of the incident, the GSM Association is evaluating the issue, and could decide in coming months to require carriers to upgrade their networks to a more secure cipher. This could mean updating software or could involve replacing hardware components at each base station in a network.

But even before Nohl grabbed international headlines with the GSM hack, there were signs that GSM was vulnerable. Two researchers at a recent Black Hat conference showed how GSM encryption could be cracked quickly and cheaply. "GSM is not secure, but it has to be," one of the researchers said at the time. "There will be an increase in data and identity theft, tracking, and unlawful interception going on via GSM."

Examples of systems capable of listening in to GSM conversations include the GSS ProA GSM Interceptor and the SCL-5020 multi-channel Passive GSM Monitoring System.

"For most purposes GSM network encryption is adequate," said Graham Titterington, principal analyst at research firm Ovum. "The problem is that it doesn't encrypt your conversation as it travels over the backbone to its destination."

Once your words have left the cellular network and are traveling on conventional lines they could be vulnerable to eavesdropping or some form of diversion and man-in-the-middle attacks. The solution is end-to-end encryption, said Titterington.

Until the networks are upgraded, a determined espionage agent could certainly intercept your cell phone traffic and listen to your conversation. Fortunately, there are some services available to help address GSM security issues in the short term.

It turns out that one of the simplest ways to encrypt conversations made from a cellphone is to use the circuit switched data (CSD) functionality offered by some (but not all) GSM carriers to make a secure call to another cellphone.

A CSD call works in a similar fashion to a voice call, and is usually charged at the same per minute rate as a voice call. This is unlike GPRS, EDGE and 3G services, which are usually charged according to the amount of data transferred. Calls may be brokered between cell phones using the voice network, but the actual conversation ends up as an encrypted data call.

The tricky part is making the process as transparent as possible to end users, so they can use their phone's contact list and make calls in as near to the normal way as possible without compromising call quality.

This can be hard because of the low bandwidth of CSD, especially if handsets are not equipped with suitably high powered processors to carry out the encryption work.

Still, there are products available to help protect GSM calls. Two examples of this type of encryption service are PhoneCrypt, from the German company SecurStar, which primarily supports Windows Mobile phones, and Secure Voice GSM for Nokia Symbian phones. Both solutions require the software to be installed on both phones.

Another, perhaps more flexible, system is provided by Cellcrypt, a UK-based company that offers software for Symbian and Windows Mobile phones and that just added support for BlackBerrys.

Instead of using CSD, the software makes secure voice over IP (VoIP) calls, and can therefore use packet data services including GPRS, 3G, UMTS or HSPA, as well as Wi-Fi.

"CSD doesn't travel well, as it depends on local infrastructure," said Simon Bransfield-Garth, Cellcrypt CEO. "Different countries use different algorithms, so you may be able to call from country A to country B, but not to country C. VoIP on the other hand works anywhere in the world," he said.

VoIP also offers far lower latency - the delay between the time when words are spoken and when they are heard at the other end. CSD calls typically have a latency of one second, while the latency on encrypted VoIP is a quarter to a half that, Bransfield-Garth said. The software costs "a small number of hundreds" of dollars per handset.

As well as making handset-to-handset calls, organizations using the software can install a Cellcrypt PBX gateway, allowing mobile users to make encrypted calls to landline users within the company's telephone network. A Cellcrypt management system also allows an administrator to manage Cellcrypt-enabled phones centrally, pushing software updates to phones or revoking licenses if handsets are lost or stolen.

KoolSpan, a Bethesda, Maryland-based company, uses CSD communication with a twist. Its solution is a combination of software and hardware, thanks to its TrustChip: a device that slots into a standard SD card slot on Symbian and Windows Mobile phones to provide hardware-based encryption and key storage.

This makes the system more secure against hacker attacks on the phone itself, according to Tony Fascenda, KoolSpan's CEO. "If you have a system which uses 256 bit AES encryption then many people believe that you have everything you need. But if you don't protect your keys then you are setting yourself up to be hacked," he said.

A KoolSpan based solution typically costs about $3,000 per user, including the TrustChip, the encryption application and a management system.

(This may sound expensive, but it compares favorably with the $3,350 price tag for General Dynamics' Sectera Edge secure device that the NSA approved for use by President Obama in place of his BlackBerry.)

Of course if you're looking for a cheap option you could always use Skype, the free VoIP service formerly owned by eBay. Skype calls are encrypted using a proprietary secret algorithm, and the use of Skype has reportedly caused headaches for law enforcement services unable to listen in on calls made by terrorists and criminals using the service.

But since the encryption system is proprietary there is no guarantee that it really is secure, or that some type of agency or hacker doesn't have a "backdoor" enabling it to listen in to Skype.

This highlights a more general point: if you need to rely on voice encryption then it's wise not to take the word of the vendor that its product is secure - after all, how do you know that it uses the encryption system it claims to, and that it is implemented in a secure fashion?

The SecureVoice GSM Web site, for example, claims "our calls can never be violated by any third party" because "call authentication is made using an unbreakable RSA encryption based on a 1024 bit asymmetric key algorithm using a random key." It's not clear what this means, but certainly no key-based encryption system is unbreakable - it's always possible to guess the key, although this is statistically extremely unlikely.

A much better bet is to choose a system that offers its source code for inspection, and preferably one whose cryptographic module has been validated to a standard such as the Federal Information Processing Standards (FIPS).