January 01, 2010, 3:58 PM — A couple of days ago a friend sent email asking whether the news that GSM security has been broken was a serious problem for cell phone users. The story hasn't gotten much traction in the press (people seem to have taken the week off), but that doesn't mean there aren't some important points to be made through the event.
First, does this mean that any individual call is dramatically more likely to be intercepted and understood? No. It's one piece of a puzzle that must be put together to intercept a call, and though the other pieces aren't as obscure as the GSM association would like you to believe, someone would still have to go to considerable effort to pick one call out of the cell call mix and then decrypt it. From that perspective, as of today, this isn't a truly big deal.
From a longer-term perspective, though, it's a huge deal. Why? Because it's another blow to the notion that brute-force attacks on encryption aren't a feasible means of defeating a security scheme. We've read a great deal about the "singularity" -- that point in history when computers become as intelligent as humans. I don't know when (or if) that point will come, but I believe we're very close to the point at which enough compute power is accessible to make brute-force solutions available to pretty much anyone who wants one. That should be a very sobering realization for security professionals. Just how sobering is highlighted by the very predictable reactions of the cell phone industry to this latest incident.
The GSM society first trotted out the "this is illegal" argument, and followed that with "it's still too hard." In truth, the biggest problem is that the industry has held onto the 64-bit GSM security scheme for far too long. In the current era of advancing technology, 20 years is far too long to trust a single encryption algorithm.
What does this mean for enterprise mobile managers? Among other things, I think it means that, if you have a choice, you look at CDMA rather than GSM as your preferred network technology. It also means that, when a vendor trots out the argument that their security schema would take far too long to break with a brute-force attack, you dose the news heavily with salt before swallowing. Finally, if the security scheme in question has been protecting data longer than you've been in the industry, keep that salt shaker handy. Claims about the scheme's invulnerability should be considered on a day-to-day basis at best, and seen as highly unlikely at worst.