Israeli Scientists Crack GSM Mobile Call Security
Wed September 3, 2003 06:31 AM ET
By Albert Robinson

TEL AVIV (Reuters) - An Israeli scientist said on Wednesday his team had found a way to break into mobile phone calls made on the popular GSM network, allowing eavesdroppers to listen in on calls and even take on a caller's identity.

The GSM Association, representing vendors who sell the world's largest mobile system, which is used by more than 860 million consumers in 197 countries, confirmed the security hole but said it would be expensive and complicated to exploit.

Professor Eli Biham of the Technion Institute in Haifa said he was shocked when doctoral student Elad Barkan told him he had found a fundamental error in the GSM (Global System for Mobile communications) code.

I told him (Barkan) that it was impossible, Biham told Reuters. I said such a basic mistake would already have been noticed by someone else. But he was right, the mistake was there.

We can listen in to a call while it is still at the ringing stage and within a fraction of a second know everything about the user, Biham said. Then we can listen in to the call.

Using a special device it's possible to steal calls and impersonate callers in the middle of a call as it's happening, he said. GSM code writers made a mistake in giving high priority to call quality, correcting for noise and interference, and only then encrypting, Biham said.

HARD TO EXPLOIT

The GSM Association said the security holes in the GSM system stemmed from its development in the late 1980s when computing power was still limited, but that this particular gap could only be exploited with complex and expensive technology and that it would take a long time to target individual callers.

This (technique) goes further than previous academic papers, (but) it is nothing new or surprising to the GSM community. The GSM Association believes that the practical implications of the paper are limited, it said in a statement.

GSM, or Global System for Mobile Communications, accounts for 72 percent of the world's digital mobile phone market and 70 percent of the global wireless market, the GSM association said.

The GSM Association said an upgrade had been made available in July 2002 to patch the vulnerability in the A5/2 encryption algorithm.

The researchers claimed they also managed to overcome the new encryption system that was put in place as a response to previous attacks, Biham said.

They have sent a copy of their research to the GSM Association to help them correct the problem, and the method is being patented and will be used only by law enforcement agencies, he said.

Biham and the GSM Association said the problem would not affect third-generation (3G) phones since engineers had replaced the encryption, security mechanisms and protocols for 3G.

The GSM Association also said any attack would have to be an active one, requiring the attacker to transmit distinctive data over the air to masquerade as a GSM base station. An attacker would also have to physically stand between the caller and the base station to intercept the call.

Transmitting on an operator's radio frequencies is illegal in most countries.

In Israel, Partner Communications, the country's second-largest cellphone operator, uses the GSM system, and some customers of Cellcom, Israel's largest mobile phone operator, also use GSM.

A spokeswoman for Cellcom declined to comment, while a spokesperson for Partner was not immediately available. (Additional reporting by Lucas van Grinsven in Amsterdam)

Reuters