Original url: http://www.nytimes.com/2009/12/29/technology/29hack.html?_r=1
A German computer engineer said Monday that he had deciphered and published the secret code used to encrypt most of the worldâ€™s digital mobile phone calls, saying it was his attempt to expose weaknesses in the security of global wireless systems.
The action by the encryption expert, Karsten Nohl, aimed to question the effectiveness of the 21-year-old G.S.M. algorithm, a code developed in 1988 and still used to protect the privacy of 80 percent of mobile calls worldwide. (The abbreviation stands for global system for mobile communication.)
â€œThis shows that existing G.S.M. security is inadequate,â€ Mr. Nohl, 28, told about 600 people attending the Chaos Communication Congress, a four-day conference of computer hackers that runs through Wednesday in Berlin. â€œWe are trying to push operators to adopt better security measures for mobile phone calls.â€
The G.S.M. Association, the industry group based in London that devised the algorithm and represents wireless companies, called Mr. Nohlâ€™s efforts illegal and said they overstated the security threat to wireless calls.
â€œThis is theoretically possible but practically unlikely,â€ said Claire Cranton, an association spokeswoman. She said no one else had broken the code since its adoption. â€œWhat he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.â€
Some security experts disagreed. While the disclosure does not by itself threaten the security of voice data, one analyst said companies and governmental organizations should take the same steps to ensure the security of their wireless conversations as they do with antivirus software for computer files.
â€œOrganizations must now take this threat seriously and assume that within six months their organizations will be at risk unless they have adequate measures in place to secure their mobile phone calls,â€ said Stan Schatt, a vice president for health care and security at the technology market researcher ABI Research in New York.
Mr. Nohl, who has a doctorate in computer engineering from the University of Virginia, is a widely consulted encryption expert who waged a similar campaign this year that prodded the DECT Forum, a standards group based in Bern, to upgrade the security algorithm for 800 million cordless home phones.
Mr. Nohl has now set his sights on G.S.M., whose second-generation digital technology is still the most widely used wireless-communications standard in the world. About 3.5 billion of the worldâ€™s 4.3 billion wireless connections use G.S.M.; it is used by about 299 million consumers in North America.
In August, at a hackersâ€™ forum in Amsterdam, Mr. Nohl challenged other computer hackers to help him crack the G.S.M. code. He said about 24 people, some members of the Chaos Computer Club, which is based in Berlin, worked independently to generate the necessary volume of random combinations until they reproduced the G.S.M. algorithmâ€™s code book â€” a vast log of binary codes that could theoretically be used to decipher G.S.M. phone calls.
During an interview, Mr. Nohl said he took precautions to remain within legal boundaries, emphasizing that his efforts to crack the G.S.M. algorithm were purely academic, kept within the public domain, and that the information was not used to decipher a digital call.
â€œWe are not recommending people use this information to break the law,â€ Mr. Nohl said. â€œWhat we are doing is trying to goad the worldâ€™s wireless operators to use better security.â€
Mr. Nohl said the algorithmâ€™s code book was available on the Internet through services like BitTorrent, which some people use to download vast quantities of data like films and music. He declined to provide a Web link to the code book, for fear of the legal implications, but said its location had spread by word of mouth.
The G.S.M. algorithm, technically known as the A5/1 privacy algorithm, is a binary code â€” which is made exclusively of 0â€™s and 1â€™s â€” that has kept digital phone conversations private since the G.S.M. standard was adopted in 1988.