Cell phone crypto aims to baffle eavesdroppers

Ian G iang at systemics.com
Thu Jun 2 19:56:08 EDT 2005


Cell phone crypto aims to baffle eavesdroppers
By Munir Kotadia, ZDNet Australia

Published on ZDNet News: May 31, 2005, 4:10 PM PT

An Australian company last week launched a security tool for GSM mobile
 phones that encrypts transmissions to avoid eavesdroppers.

GSM, or Global System for Mobile Communications, is one of the most popular
 mobile phone standards and is built to provide a basic level of security.
 However, for more than five years the security has been "cracked," and
 commercial scanners that can emulate GSM base stations are becoming more
 common. That prompted Melbourne-based SecureGSM to launch its encryption
 tool at the CeBit exhibition in Sydney last week.

Roman Korolik, managing director of SecureGSM, said that because GSM security
 was cracked so long ago, there was a lot of information and equipment
 available that could be used for intercepting GSM calls.

"There are devices available for interception and decoding (GSM calls) in
 real time...Although they are, strictly speaking, illegal in most countries,
 you can buy them," said Korolik, who believes that these scanners are
 already being used to intercept sensitive calls. "You can imagine that in
 places like the stock exchange, where the traders are on their mobile
 phones...there could be a few scanners there."

As far back as 1999, the security used by GSM has been questioned. In a paper
 published by Lauri Pesonen from the Department of Computer Science and
 Engineering at Helsinki University of Technology, the GSM model was said to
 have been "broken on many levels."

"The GSM security model is broken on many levels and is thus vulnerable to
 numerous attacks targeted at different parts of an operator's network...If
 somebody wants to intercept a GSM call, he can do so. It cannot be assumed
 that the GSM security model provides any kind of security against a
 dedicated attacker," Pesonen wrote in the paper.

However, additional GSM security is unlikely to be used by the masses,
 according to Neil Campbell, national security manager of IT services company
 Dimension Data, who said companies are likely to have higher priorities.

"This is a security control like any other control--like a firewall or a
 policy. An organization needs to believe it is appropriate for their risks
 to implement this control. Obviously the military is one that you would
 expect to have a need for secure communications, but I wouldn't expect there
 to be too many organizations in this country that would think it necessary
 to encrypt their mobile phone conversations," said Campbell.

SecureGSM requires Windows Mobile Phone Edition
<http://news.zdnet.com/2100-1040_22-5697127.html?tag=nl> with an ARM or
 compatible processor running at 200MHz or better. It also requires 6Mb of
 RAM (random access memory) and 2MB of storage space.

The SecureGSM application uses 256-bit, triple cipher, layered encryption
 based on AES, Twofish and Serpent ciphers. According to SecureGSM, all of
 these algorithms are considered "unbreakable" and the triple layer ensures
 that "encrypted data is future proof." The product costs $188 (AU$249) for a
 single-user license, and each "secure" device requires a license.

Dimension Data's Campbell said that companies thinking about implementing
 such a solution will need to calculate how much they could lose if their
 communications were intercepted.

"Share traders may need it, but this is for an organization that communicates
 by mobile telephone and understands that the risk of interception is
 generally extremely low, but that risk is completely unacceptable," Campbell
 said.

Munir Kotadia of ZDNet Australia reported from Sydney

Copyright ©2005 CNET Networks, Inc. All Rights Reserved.
http://news.zdnet.com/2100-1009_22-5726814.html


-- 
Advances in Financial Cryptography:
   https://www.financialcryptography.com/mt/archives/000458.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


