Become a fan of Slashdot on Facebook


Forgot your password?
Encryption Communications United States Your Rights Online

NSA Able To Crack A5/1 Cellphone Crypto 122

jones_supa writes "The most widely used cellphone encryption cipher A5/1 can be easily defeated by the National Security Agency, an internal document shows. This gives the agency the means to intercept most of the billions of calls and texts that travel over radiowaves every day, even when the agency would not have the encryption key. Encryption experts have long known the cipher to be weak and have urged providers to upgrade to newer systems. Consequently it is also suggested that other nations likely have the same cracking capability through their own intelligence services. The vulnerability outlined in the NSA document concerns encryption developed in the 1980s but still used widely by cellphones that rely on 2G GSM. It is unclear if the agency may also be able to decode newer forms of encryption, such as those covered under CDMA."
This discussion has been archived. No new comments can be posted.

NSA Able To Crack A5/1 Cellphone Crypto

Comments Filter:
  • by Anonymous Coward on Saturday December 14, 2013 @09:35AM (#45688621)

    I only speak in Navajo.

    • by Anonymous Coward

      I only speak in Navajo.

      I use a combination of speaking in Valley Girl talk with a Scottish accent.

      "Ack! Gack meh widda spoooon!"

    • VoIP + ZRTP (Score:5, Informative)

      by mrchaotica ( 681592 ) * on Saturday December 14, 2013 @12:31PM (#45689379)

      I haven't tried it out yet, but ZRTP [] apparently provides strong (PGP-based) encryption for VoIP. So why not just quit using cellphone "voice calls" entirely? There exist cellphone plans that provide enough data cheaply enough to make this work economically.

      • by Anonymous Coward

        It has nothing to do with PGP. But it uses strong encryption and the user has the option of verifying the session key by reading out a short authentication string that is displayed in the client - if it matches the authentication string displayed at the other end, you know that there is no man-in-the-middle attack going on. It is probably the best VoIP protocol there is in terms of security and user-friendlyness.

      • by Lennie ( 16154 )

        Or use WebRTC, it's encrypted by default with the other encrypted RTP protocol: SRTP.

        There is even a system where you can be sure who you are talking to and be sure there is no man-in-the-middle, with an RFC draft to tie it into oAuth or BrowserID protocols: [] []

        With BrowserID/Persona your privacy will also be preserved.

        Persona is the first implementation by Mozilla of the Mozilla developed protocol.

  • by Anonymous Coward on Saturday December 14, 2013 @09:37AM (#45688629)

    The NSA has maintained a policy that any encryption that was able to block their efforts was ILLEGAL in the USA. Do you actually expect anything to work? Bluntly do you expect to have your banking transactions secure when they can crack them. How about your phone call confirmations when they can record them and appear to be you. How about a hacker who walks into the NSA back-door in all of this. This makes the NSA the biggest terrorist and criminal agents in the world and the accomplace to the stunningly biggest crime situation in history where nobody is secure!

    • by gl4ss ( 559668 )

      sure, that's why you import your 3g networks.

    • by ne0n ( 884282 )
      True all that. And you have to wonder if anybody actually believes the line, "We only collected metadata!"

      Right... and they only looked at the nipples on all the porn they downloaded in between spying on Merkel and $FRENCHGUY too.
  • And this is news? (Score:5, Informative)

    by Anonymous Coward on Saturday December 14, 2013 @09:38AM (#45688633)

    Hardly rocket science these days, see e.g.

    • by Anonymous Coward

      The question isn't the fact that they've been able to break it, the question ultimately is how long have they been able to break it and if they have the processing power to break all of it, all the time.

      If they broke that encryption five years ago, that's a lot different from the NSA breaking it 25 years ago, or worse, it being insecure from the beginning due to the NSA knowing the vulnerability (or inserting it).

    • by Lennie ( 16154 )

      GSM has had problems for many years.

      But let's have a look at something a bit more modern.

      Did you know with LTE Advanced it's all IP-traffic ? Even speech is IP-traffic.

      Did you know the encryption they use is IPSEC ? LTE is 2 types of packets: data and control.

      Did you know IPSEC is optional ? The network operator decides what you get, when you roam and connect to an other operator you might actually get something else.

      So they got proper encryption (at least I hope they pick the right algorithms, we know IPSE

  • by Toe, The ( 545098 ) on Saturday December 14, 2013 @09:42AM (#45688655)

    Well then, just self-censor. Isn't that the road we're heading down?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Why should we self-censor, they shouldn't be listening in without probable cause. I don't care about differing opinions on that front.

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      It isn't a private speech. You have no reasonable expectation of privacy because it is now widely known that the government spies on our communications. Therefore, it is not reasonable to have an expectation of privacy.

      Man, the courts really screwed up when they called it an "expectation of privacy".

      • Re: (Score:3, Interesting)

        by davecb ( 6526 )

        Actually it's an expectation a randomly-selected private individual would have, in the absence of specific knowledge. The proverbial "person on the Clapham omnibus" would have the expectation that the government won't act illegally against him. The paranoid wearing the tinfoil hat in the next seat, who considers all governments illegal and intrusive, doesn't count in this case.

        It's also called "a reasonable expectation of privacy", where "reasonable[1]" doesn't include admittedly illegal mass collectio

        • It's worth noting at this point, that the paranoid among us (fortunately but not coincidentally including people writing cryptography systems), have assumed that the NSA (and others) could theoretically be doing at lot of the things that we now know they have done.
          Turns out the paranoiacs were right.
          • by davecb ( 6526 )
            Fortunately that doesn't affect the nominally reasonable person by extinguishing their right to privacy. Professional paranoids and whistle-blowers are valuable the the community, but if their existence could make it easy for the CSE to erase my right to privacy, It Would Be Bad (;-))
        • by Anonymous Coward on Saturday December 14, 2013 @11:27AM (#45689083)

          > [1. It's interesting to note you can't translate "reasonableness" into Latin or modern French. It seems to be something very English-language-specific. My college's motto, "Let Reasonableness Flourish", is in English because of that oddity, and it says interesting things about other countrys' jurisprudence.]

          After five years of Latin, I feel fairly confident in saying the following:

          rationabilis [] is Latin for "reasonable" or "rational".

          -itas [] is the Latin suffix for "-ness".

          Thus, it would be fair to say that "rationabilitas" is Latin for "reasonableness". So no, reasonableness is not an English-language specific concept. And no, it doesn't imply shit about anything.

          • by davecb ( 6526 )

            Alas, rationabilis was used in non-ecclesiastical latin in strictly the sense of "capable of reasoning", or rational, while we were trying to translate reasonableness in the senses of

            • Being within the bounds of common sense: arrive home at a reasonable hour.
            • Not excessive or extreme; fair: reasonable [farlex]

            If we'd used rationabilis, we would have a real risk of it translating back into English as "let spocky-ness flourish"

      • Hey, the DMCA makes it illegal to circumvent DRM no matter how ineffective it is. Surely, since the laws are entirely fair and symmetrical, the expectation of privacy remains when using encrypted communications no matter how ineffective that encryption is... right?

      • by celle ( 906675 )

        "It isn't a private speech. You have no reasonable expectation of privacy because it is now widely known that the government spies on our communications. Therefore, it is not reasonable to have an expectation of privacy."

              The fact that the government has to go out of it's way to do it says there is an 'expectation of privacy'. Where do you think all the money we pay in taxes goes to? It's sure isn't to help the public.

    • ^H^H^H^H^H^H^H^Hyes, it is.

    • Well then, just self-censor. Isn't that the road we're heading down?

      Fuck that.
      Our government is thoroughly corrupt and they'll have to kill me to stop me from saying so.

  • So what? (Score:5, Insightful)

    by Guppy06 ( 410832 ) on Saturday December 14, 2013 @09:49AM (#45688677)

    My mobile carrier is AT&T. The NSA doesn't need to break the encryption.

    • by brunes69 ( 86786 )

      It is indeed interesting because this means that the NSA or CIA or FBI can listen into your phone calls without a wiretap warrant just by grabbing the electrons flying through the air.

      • Re:So what? (Score:5, Informative)

        by tulcod ( 1056476 ) on Saturday December 14, 2013 @10:23AM (#45688825)

        FYI, in usual radio communication, what flies through the air are not electrons but photons. These photons are generated by wiggling a few electrons back and forth at the transmitter, and this in turn wiggles a few electrons back and forth on the receiving end.

      • without a wiretap warrant

        They already have a general warrant to search and seize all the calls that everybody makes. At least, NSA claims this and FISA backs them (and by extension, Chief Justice Roberts).

        • There is a difference between the business records containing the metadata and the actual verbal contents of the call. If all they have is the metadata, and they had permission to actually look at it from the court as opposed to simply storing it, they would know that you called Pizza Hut for 5 minutes at 9:30 PM on 01 December 2013. They wouldn't know anything about the content of the call which could be just about anything, such as:

          1. Cancel my standing order for tonight.
          2. Change my standing order fr

        • by celle ( 906675 )

          " At least, NSA claims this and FISA backs them (and by extension, Chief Justice Roberts)."

              Except FISA by its very definition is illegal in that it violates the principles defined in the constitution.

  • by Anonymous Coward

    I get the feeling they're just drowning themselves in data now. Back in the day, a lot of Turing's great work was for nothing because there wasn't enough staff to process the reams of decrypted traffic coming in, and that was just from the German navy. Yea they can do dumb-ass word-level matching automatically, but I guess most of the potentially useful semantic stuff goes straight down the drain.

    • The general consensus is that the data not actively needed at the time gets sent back to Utah for storage in case it turns out to be of interest later.
  • The hackers and crackers receiving a government check & benefits at the NSA, et al, are working the newest countermeasures out almost before a technology hits the public domain. That an older encryption method is compromised by the guys with the biggest budget is not too difficult to believe. Is it possible a submission about hopscotch rules and an NSA headline could get voted in?
  • So if the NSA can do it, I can do it too right? I be charged with illegal wiretapping?
  • Hysterics (Score:5, Interesting)

    by squiggleslash ( 241428 ) on Saturday December 14, 2013 @10:26AM (#45688845) Homepage Journal

    1. A5/1 is the "insecure, intended for export" cipher. Any US or European operator that uses it is not following recommendations.
    2. It was cracked in the early 1990s. It would be bizarre if the NSA didn't know how to read it. Like I said, it was never intended to be secure by its creators. As in - GCHQ, the NSA's UK ally, has ALWAYS known how to crack it.
    3. One problem with intercepting a GSM mobile call would be dealing with the fact that, as soon as you move away from the transmitting device, you're having to deal with interference from neighboring cells. Which is why any intelligence agency worth its salt isn't going to do that terribly often. What they'd do is install the tap on the operator's network.

    So, in short, this article is claiming the NSA "can do" something, but only in non-Western countries, that it's unlikely to need to do given the fact the alternatives are way easier, and that we know it "can do" anyway, and knew it in the mid-1990s, and probably figured it could do right from the beginning given the close relationship between the NSA and CCHQ. This is news... why?

  • And I remember doing this like 3 or 4 years ago with a rainbow table.It was called the $2000 attack by a website teaching how to do it back then.
  • by Sponge Bath ( 413667 ) on Saturday December 14, 2013 @10:27AM (#45688851)
    Loud and clear. All your phone calls are belong to us.
  • by ei4anb ( 625481 ) on Saturday December 14, 2013 @11:09AM (#45689007)
    It has been common knowledge for at least 14 years that governments could eavesdrop on A5/1 traffic []

    Many governments have warned industrialists not to discuss secrets when using a mobile phone near the country borders. Only the radio channels are encrypted in GSM, lawful interception happens on the wired network that interconnects the base stations so eavesdropping on A5/1 is mostly used when lawful interception is not an option, e.g. listening to the GSM traffic of other countries.

  • A few links to further information and some history on this topic []
  • 26th Chaos Communication Congress, 2009: []

    It is already well known that you can break A5/1 offline anytime you want, and at the 26th CCC there was the "GSM: SRSLY?" conference which outlined the 2 main problems of GSM and UMTS.
    GSM A5/1 can be broken (and the give plenty of details), but it is not used in UMTS. No worries, for UMTS you just need a fake station and you are set. No offline decoding though.

  • QED their nefarious character, not your or mine interest in mind.
  • NSA and its subcontractors are the biggest Ettus customers, they love USRP SRD platform.

  • by Anonymous Coward

    ...when they can rip a BD.

    That's totally un-breakable encryption.

Any sufficiently advanced technology is indistinguishable from a rigged demo.