Most mobile calls around the world are made over the Global System for Mobile Communications standard; in the US, GSM underpins any call made over AT&T or T-Mobile’s network. But at the DefCon security conference in Las Vegas on Saturday, researchers from the BlackBerry are presenting an attack that can intercept GSM calls as they’re transmitted over the air and decrypt them to listen back to what was said. And the vulnerability has been around for decades.
Regular GSM calls aren’t fully end-to-end encrypted for maximum protection, but they are encrypted at many steps along their path, so random people can’t just tune into phone calls over the air like radio stations. The researchers found, though, that they can target the encryption algorithms used to protect calls and listen in on basically anything.
“GSM is a well documented and analyzed standard, but it’s an aging standard and it’s had a pretty typical cybersecurity journey,” says Campbell Murray, the global head of delivery for BlackBerry Cybersecurity. “The weaknesses we found are in any GSM implementation up to 5G. Regardless of which GSM implementation you’re using there is a flaw historically created and engineered that you’re exposing.”
The problem is in the encryption key exchange that establishes a secure connection between a phone and a nearby cell tower every time you initiate a call. This exchange gives both your device and the tower the keys to unlock the data that is about to be encrypted. In analyzing this interaction, the researchers realized that the way the GSM documentation is written, there are flaws in the error control mechanisms governing how the keys are encoded. This makes the keys vulnerable to a cracking attack.
“It’s a really good example of how the intention is there to create security, but the security engineering process behind that implementation failed.”
Campbell Murray, Blackberry
As a result, a hacker could set up equipment to intercept call connections in a given area, capture the key exchanges between phones and cellular base stations, digitally record the calls in their unintelligible, encrypted form, crack the keys, and then use them to decrypt the calls. The findings analyze two of GSM’s proprietary cryptographic algorithms that are widely used in call encryption—A5/1 and A5/3. The researchers found that they can crack the keys in most implementations of A5/1 within about an hour. For A5/3 the attack is theoretically possible, but it would take many years to actually crack the keys.
“We spent a lot of time looking at the standards and reading the implementations and reverse engineering what the key exchange process looks like,” BlackBerry’s Murray says. “You can see how people believed that this was a good solution. It’s a really good example of how the intention is there to create security, but the security engineering process behind that implementation failed.”
The researchers emphasize that because GSM is such an old and thoroughly analyzed standard, there are already other known attacks against it that are easier to carry out in practice, like using malicious base stations, often called stingrays, to intercept calls or track a cellphone’s location. Additional research into the A5 family of ciphers over the years has turned up other flaws as well. And there are ways to configure the key exchange encryption that would make it more difficult for attackers to crack the keys. But Murray says that the theoretical risk always remains.
Short of totally overhauling the GSM encryption scheme, which seems unlikely, the documentation for implementing A5/1 and A5/3 could be revised to make key interception and cracking attacks even more impractical. The researchers say that they are in the early phases of discussing the work with the standards body GSMA.
The trade association said in a statement to WIRED that, “Details have not been submitted to the GSMA under our coordinated vulnerability (CVD) programme. When the technical details are known to the GSMA’s Fraud and Security Group we will be better placed to consider the implications and the necessary mitigation actions.”
Though it may not be that surprising at this point that GSM has security issues, it’s still the cellular protocol used by the vast majority of the world. And as long as it’s around, real call privacy issues remain, too.
All Rights Reserved for Lily Hay Newman