Q&A: Researcher Karsten Nohl on mobile eavesdropping

Researcher who tackled smart card security last year talks to CNET about how easy it is to listen in on GSM-based mobile phone calls now that the encryption has been cracked.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
5 min read

This week brought some bad news for mobile phone users. German security expert Karsten Nohl showed how easy it is to eavesdrop on GSM-based (Global System for Mobile Communications) cell phones, including those used by AT&T and T-Mobile customers in the U.S.

Nohl, who has a doctorate in computer engineering from the University of Virginia, made headlines last year publicizing weaknesses in wireless smart card chips used in transit systems around the globe.

Karsten Nohl Kingsley Liu

CNET interviewed Nohl via e-mail on Thursday about his latest work and what the implications are for the more than 3 billion GSM mobile phones worldwide, representing about 80 percent of the market, according to the GSM Alliance.

Q: You made quite a splash at the Chaos Communication Congress hacker conference in Berlin this week. What happened?
Nohl: We showed that GSM, the widely used cell phone standard, is insecure, and explained how your neighbor might already be listening in on your calls. After GSM's security was declared outdated several times before, we were the first to make tools available for people to verify its insecurities.

Q: In August you launched an open-source, distributed computing project designed to crack GSM encryption and compile it into a code book that can be used to eavesdrop on calls. Is this week's announcement related to that?
Nohl: Yes, at the conference a code book was released--a data set previously only available to well-funded organizations. This code book has been computed in just a few months thanks to many volunteers on the Internet.

Q: And this is to determine the key used to encrypt GSM communications, right?
Nohl: That's correct. The code book reveals the encryption key of a call.

Q: What is the problem with the GSM encryption technology exactly?
Nohl: GSM's A5/1 encryption function uses a 64-bit key that is too short to withstand the computing power available today. When the algorithm was designed 20 years ago when CPU [central processing unit] cycles and storage were much more expensive, it must have seemed a lot more secure. However, the A5/1 function should have been replaced years ago when researchers first discussed practical attacks.

Q: What does this mean for users of GSM phones? What is the real-world threat?
Nohl: Cell phone calls can be intercepted--not just since this week, but more cheaply every month. Sensitive information, say, from politicians, can be overheard from, say, foreign embassies. Others willing to cross the line into illegality and listen in on a call could be industry spies or even private snoops.

Q: Exactly how would someone use this technology to spy on mobile phone conversations?
Nohl: You record a call and then decrypt it. Recording requires some advanced radio equipment, which can be as cheap as the $1,500 suggested retail price [Universal Software Radio Peripheral] device. One direction of a call can potentially be intercepted from a kilometer away while catching both directions requires the eavesdropper to be in the vicinity of the victim. Decryption is then done using the code book the community produced.

Q: What should people do to protect themselves against this?
Nohl: In the short-term, there is not much users can do to protect themselves other than being aware of the threat and keeping their most confidential calls and text messages off the GSM network. To improve GSM security in the long run, customers should go to their operators and create demand for improvements.

Q: What are the practical implications of your work? In other words, does your research make it cheaper and easier to eavesdrop and if so, how much cheaper and how much faster to crack the encryption? (One expert had estimated that the code book would let someone crack the code in hours now instead of taking weeks.)
Nohl: Our results don't necessarily make decryption faster; current commercial interceptors decrypt within seconds, often faster than the time a user takes to answer the call. Our project makes the technical background of these systems more accessible and aims to inform about the fact that GSM intercept is widespread. As a side effect, interception might become cheaper, too.

Q: What exactly does someone need to eavesdrop? (In other words, the code book/tables, antennas, special software, and $30,000 worth of hardware?)
Nohl: The more you spend on hardware, the faster you can decrypt calls. Two USRP radios, a beefy gaming computer, and a handful of USB sticks can already decrypt many calls. For $30,000 you can build a sub-minute decryptor.

Q: I understand it is illegal to intercept mobile phone calls in the U.S. and many other countries. Is what you did legal?
Nohl: Intercepting the phone calls of others should be illegal everywhere, and we do not plan to do that. Our research instead exposes that nothing in GSM is keeping criminals away from doing illegal intercepts. Fortunately, such security research is still legal.

Q: What did you do to make sure you have good legal standing? Did you consult with the Electronic Frontier Foundation?
Nohl: The EFF indeed helped us understand the legal implications of researching GSM technology.

Q: Have you been in touch with the GSM Alliance or any other pertinent entities?
Nohl: We have not yet been able to start a discourse with the GSMA. Through the press, though, we hear that a GSMA meeting in February might decide to ramp up upgrade efforts toward A5/3, the better encryption function. That would be great!

Q: Why did you do this research and public disclosure?
Nohl: We aim to make users of GSM aware that the GSM cannot be fully trusted. After other researchers have called a hack [questioned the security] of GSM for many years, we thought it was time to go one step further and provide tools for customers to "try at home" how insecure GSM's current encryption function is.

Q: Can the tables be used against the A5/3, the successor to A5/1? What is the difference between the two crypto standards?
Nohl: Fortunately, we cannot crack A5/3. This newer encryption is used in 3G networks and is currently considered a security patch for GSM networks. So there is [hope].

Q: What should mobile phone operators or carriers do about this?
Nohl: Carriers should now do the security patch that is overdue 15 years by upgrading to a new encryption function. I suspect they will only do so if customer demand is significant. Hopefully the customers will make it clear to their provider that they want 21st century security for their phone calls.