thelinuxlink.net

siddf wrote:Maybe. Maybe the mobile carriers will deploy the stronger 128 bit A5/3 algorithm.

I'm attending the CCC - http://events.ccc.de/congress/2009/wiki/Welcome conference and saw the talk.

Torrents are available here - http://rnmshot.dvrdns.org/ Look for GSM:SRSLY? under Day 1.

Also, howdy all. Love the show.

Q: Exactly how would someone use this technology to spy on mobile phone conversations?
Nohl: You record a call and then decrypt it. Recording requires some advanced radio equipment, which can be as cheap as the $1,500 suggested retail price [Universal Software Radio Peripheral] device. One direction of a call can potentially be intercepted from a kilometer away while catching both directions requires the eavesdropper to be in the vicinity of the victim. Decryption is then done using the code book the community produced.

Q: What should people do to protect themselves against this?
Nohl: In the short-term, there is not much users can do to protect themselves other than being aware of the threat and keeping their most confidential calls and text messages off the GSM network. To improve GSM security in the long run, customers should go to their operators and create demand for improvements.

Q: What are the practical implications of your work? In other words, does your research make it cheaper and easier to eavesdrop and if so, how much cheaper and how much faster to crack the encryption? (One expert had estimated that the code book would let someone crack the code in hours now instead of taking weeks.)
Nohl: Our results don't necessarily make decryption faster; current commercial interceptors decrypt within seconds, often faster than the time a user takes to answer the call. Our project makes the technical background of these systems more accessible and aims to inform about the fact that GSM intercept is widespread. As a side effect, interception might become cheaper, too.

Q: What exactly does someone need to eavesdrop? (In other words, the code book/tables, antennas, special software, and $30,000 worth of hardware?)
Nohl: The more you spend on hardware, the faster you can decrypt calls. Two USRP radios, a beefy gaming computer, and a handful of USB sticks can already decrypt many calls. For $30,000 you can build a sub-minute decryptor.