August 12, 2011, 4:46 PM — You already know cell-phone conversations aren't that secure, right? That everything you say could be overheard, even if only by the annoyed-looking people always standing around you in elevators or subways while you try to make yourself heard about the important details of your day (yes, all of them. What are you, into keeping secrets?)
A German wireless encryption expert lent a lot of weight to his argument that the GSM data protocol used on 80 percent of the world's phones is inherently insecure by demonstrating the way he and a research partner could intercept a digital cell-phone broadcast and decrypt it on the fly quickly enough to listen in to the conversation.
Karsten Nohl, chief scientist at Berlin-based Security Research Labs and former Ph.D. candidate at the University of Virginia, decrypted the algorithms and published them in 2009 as a way to demonstrate that both GSM and the General Packet Radio Service (GPRS) data network that runs on top of it are vulnerable to attack. In 2008 he also cracked the encryption algorithms for the RFID cards in credit cards, though he and his partners in the project didn't disclose all the details on how to accomplish that on their own.
"GSM cell phone calls use outdated encryption that can now be cracked with rainbow tables on a PC," according to a headline on the home page of Security Research Labs promoting Karsten's writeup of the project.
In the U.S., AT&T and T-Mobile use GSM networks. Sprint and Verizon use the competing CDMA, which Nohl didn't examine because it is owned by Qualcomm, rather than being open-source as is GSM.
"GSM Security Project creates tools to test and document vulnerabilities in GSM networks around the world so to ignite the discussion over whether GSM calls can and should be secured. The project is summarized in this BlackHat 2010 presentation," the project's own description reads.
Nohl wrote that, using his method, it's possible to intercept, record, decrypt and listen to conversations on GSM phones using open-source and/or free software and very basic hardware.