via CNet:
Cracking GSM phone crypto via distributed computing
If you are using a GSM phone (AT&T or T-Mobile in the U.S.), you likely have a few more months before it will be easy for practically anyone to spy on your communications.
Security researcher Karsten Nohl is launching an open-source, distributed computing project designed to crack the encryption used on GSM phones and compile it into a code book that can be used to decode conversations and any data that gets sent to and from the phone.
He hopes that by doing this it will spur cellular providers into improving the security of their services and fix a weakness that has been around for 15 years and affects about 3 billion mobile users.
"We're not creating a vulnerability but publicizing a flaw that's already being exploited very widely," he said in a phone interview Monday.
"Clearly we are making the attack more practical and much cheaper, and of course there's a moral question of whether we should do that," he said. "But more importantly, we are informing (people) about a longstanding vulnerability and hopefully preventing more systems from adopting this."
This weakness in the encryption used on the phones, A5/1, has been known about for years. There are at least four commercial tools that allow for decrypting GSM communications that range in price from $100,000 to $250,000 depending on how fast you want the software to work, said Nohl, who previously has publicized weaknesses with wireless smart card chips used in transit systems.
It will take 80 high-performance computers about three months to do a brute force attack on A5/1 and create a large look-up table that will serve as the code book, said Nohl, who announced the project at the Hacking at Random conference in the Netherlands 10 days ago.
Very interesting piece, but I wonder if the intended result is likely. Will the carriers actually scramble to change things? I doubt it. Based on the limitations of the current technology mentioned in the article and price of the equipment, they'll say it's no more to be worried over than someone wire-tapping your home phone.
A5/3 (KASUMI) used for 3G communications is significantly stronger, and is supported by most of the modern "2G" towers as well.
In the radio engineering screens on the BlackBerry, you can switch cipher modes to KASUMI if you want your 2G calls and data transfers to be more secure over the air.
Just have everyone use bb messenger
This is the kind of thing that makes you wonder . . .
Agreed and at least the programmers recognized there is a moral decision of whether to release the data. I suspect someone will step in and attempt a legal sanction against them.
Originally Posted by thbassman
This is the reason why I do not use a GSM carrier. It was designed to be weak on security. When CDMA was first implemented it was the only form that could not be listened to using a scanner. Now GSM is opening the flood gates again. As I work with security at work, I realize that it does not matter what you use; there will always be ways to listen in or intercept your data. Just remember that if you do not encrypt your emails they are transmitted as plain text over the wire and can be read by anyone that has access to the systems, not to be an alarmist. Just an FYI.
The original CDMA2000 (also LFSR based) ciphers (CAVE/CMEA/ORYX) were weaker than A5/1 used on GSM networks. 3G GSM (which, by the way, is a W-CDMA transport) and newer CDMA2k networks use Kasumi (in a counter mode).
The hardware necessary to reassemble the spectrum spread communications of CDMA type transmissions is more complicated, but "2G" CDMA2k networks are otherwise no more secure than a GSM one.
Of course, if someone really wants to see the data you are sending, they'd just wiretap the tower itself, since communications over the cellular network (i.e. between base stations and the internet) itself are not encrypted.