Wiretapping Made Easy
Andy Greenberg, 02.21.08, 12:53 AM ET
Silently tapping into a private cellphone conversation is no longer a high-tech trick reserved for spies and the FBI. Thanks to the work of two young cyber-security researchers, cellular snooping may soon be affordable enough for your next-door neighbor.
In a presentation Wednesday at the Black Hat security conference in Washington, D.C., David Hulton and Steve Muller demonstrated a new technique for cracking the encryption used to prevent eavesdropping on global system for mobile communications (GSM) cellular signals, the type of radio frequency coding used by major cellular service providers including AT&T, Cingular and T-Mobile. Combined with a radio receiver, the pair say their technique allows an eavesdropper to record a conversation on these networks from miles away and decode it in about half an hour with just $1,000 in computer storage and processing equipment.
Hulton, director of applications for the high-performance computing company Pico, and Muller, a researcher for mobile security firm CellCrypt, plan to make their decryption method free and public. In March, however, they say they'll start selling a faster version that can crack GSM encryption in just 30 seconds, charging between $200,000 and $500,000 for the premium version.
Who will be the customers for their innovative espionage technique? Hulton and Muller say they aren't sure yet. But they plan to offer the method to companies that will integrate it with radio technology, not sell it directly to the law enforcement and criminal customers who will undoubtedly be interested in putting it to use. "We're not creating the technology that does the interception," Muller says. "All this does is crunch data."
Hulton and Muller will likely make a tidy profit from the fruits of their research work, which they've personally patented. The companies they work for may profit less directly; Pico makes the high-performance processors necessary to do heavy-duty encryption work. CellCrypt makes software for encrypting mobile phone conversations, patching the security flaw that Hulton and Muller's research has uncovered.
As for the moral question of chipping away at the privacy of cellphone users around the world, Muller gives an answer common to security researchers: He and Hulton didn't invent the hackable technology; they just brought attention to its vulnerabilities.
In fact, Muller argues, GSM encryption was cracked--theoretically--in academic papers as early as 1998. "Active" radio interceptors, which impersonate cell towers and can eavesdrop on GSM phone conversations, have also been sold by companies like Comstrac and PGIS for years. (Active techniques, however, only allow eavesdropping from within about 600 feet and are easily detectable, Muller notes.) Undetectable, "passive" systems like the one that Muller and Hulton have created aren't new either, though previous technologies required about a million dollars worth of hardware and used a "brute force" tactic that tried 33 million times as many passwords to decrypt a cell signal.
All of that means, Hulton and Muller argue, that their cheaper technique is simply drawing needed attention to a problem that mobile carriers have long ignored--one that well-financed eavesdroppers may have been exploiting for years. "If governments or other people with millions of dollars can listen to your conversations right now, why shouldn't your next-door neighbor?" Muller says.
The new technique may serve as a wake-up call for mobile carriers, which have long been in denial about the vulnerabilities of GSM security, says Bruce Schneier, encryption guru and chief technology officer of BT Counterpane.
"This is a nice piece of work, but it isn't a surprise," he says. "We've been saying that this algorithm is weak for years. The mobile industry kept arguing that the attack was just theoretical. Well, now it's practical."
David Pringle, a spokesman for the GSMA trade association, which represents 700 GSM carriers around the world, said in a statement that the mobile industry is committed to maintaining the integrity of GSM services, and that the protection and privacy of customer communications is at the forefront of operators' concerns.
He also pointed out that decrypting GSM still requires special equipment and that GSM is more secure than a typical landline. The GSMA, he noted, has developed and is working on implementing a higher level of encryption; newer 3G cell carriers are also immune from the attack.
Although their exploit doesn't target the competing CDMA cellular technology used by carriers like Verizon and Sprint Nextel, Muller argues it's not necessarily less secure. GSM was only decrypted first because it's more popular worldwide: Few cellphone subscribers outside North America use CDMA carriers.
So how do Hulton and Muller ensure that their own phone conversations aren't intercepted? Muller responds to that question, posed by an audience member at Black Hat's gathering of hackers and security professionals, with a smile.
"We don't use phones," he says.