Cell Phone Security and Encryption

There were some high-profile incidents of cell phone hacking some years ago. For example, the former Speaker of the House in the US Congress, Newt Gingrich, was hacked when an older married couple used a simple radio scanner to listen in on his calls. But you do not hear about such hacking much anymore, even though the GSM cellular standard still has the known weakness in its encryption algorithm.

Hacking the Speaker's calls was made easier because American cell phone technology is a mix of technologies, and that market is different from the rest of the world. There are three cell phone standards there: CDMA, GSM, and iDEN. The USA is where cellular technology was invented, at AT&T Bell Laboratories (which also produced so many important inventions, like UNIX, C, C++, the laser, microwaves, and the transistor), so it makes sense that more than one standard would have been vying to become the dominant one.

The vast majority of the rest of the world adopted GSM only.

GSM Encryption Hacked
GSM encrypts phone calls so that they cannot be spied on with ordinary radio scanners. The GSM encryption algorithm was hacked way back in 2009, but it has not been changed much since, because doing so would require reprogramming phones, cell towers, and networks around the world. That would require much coordination between countries and carriers.


GSM uses the 64-bit A5/1 encryption algorithm. After it was hacked in 2009, hackers then went after KASUMI, the 128-bit A5/3 algorithm, and cracked that one as well.

Hacking Data and Voice
GSM is a radio transmission standard. It is designed to carry voice connections, text messages, and data. Data means IP network data, that is, internet traffic with an IP address. That traffic can be, and often is, encrypted on its own. This means that VPN and SSL traffic sent over the cellular network cannot be read by breaking GSM, because it carries its own encryption.

The hack works in stages: listening to call information, then obtaining general, city-wide location information, then narrowing that down to a specific location, and finally obtaining the phone number.

Hackers have demonstrated that they can modify the firmware on a regular cell phone and connect it by USB cable to a computer, streaming data that the phone would otherwise not listen to. That lets the hacker pick a phone number out of the air. Having done that, they send the phone malformed SMS text messages, causing it to reveal the encryption key. The key is found with a dictionary attack; in other words, the attacker looks through the bytes in the SMS response and matches parts of them against a collection of known keys. This works because the keys are not completely random. Worse, cellular carriers often reuse the encryption keys for the next batch of phone calls.

Researchers say that cellular companies could fix this with address randomization, which is what Microsoft did to keep hackers from loading DLLs from the known addresses where they are stored. And then they could quit reusing the same keys.
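Why reusing keys matters for a stream cipher such as A5/1, shown with an added Python example that is not code from this article: the keystream generator below is a constructed SHA-256 counter-mode stand-in, not A5/1 itself, and the key, frame numbers and call contents are sample values chosen for the demonstration.

```python
import hashlib


def keystream(key: bytes, frame: int, length: int) -> bytes:
    """Constructed stand-in for a stream cipher keystream (SHA-256 in
    counter mode). It is NOT A5/1; it only models the property that
    matters here: the same (key, frame) always yields the same bits."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + frame.to_bytes(4, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, frame: int, data: bytes) -> bytes:
    """Stream encryption is XOR with the keystream; decryption is the same call."""
    return xor_bytes(data, keystream(key, frame, len(data)))


def two_time_pad(c1: bytes, c2: bytes) -> bytes:
    """If both ciphertexts used the same keystream, the keystream cancels
    and this returns plaintext1 XOR plaintext2, with no key knowledge needed."""
    return xor_bytes(c1, c2)


def recover_other_call(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """One predictable call (a standard greeting, say) exposes the other one."""
    return xor_bytes(two_time_pad(c1, c2), known_p1)


# Constructed sample values, not real keys or real calls.
KEY = bytes.fromhex("0123456789abcdef")   # 64-bit, the size of an A5/1 key
CALL_A = b"meet at the usual place at 9"
CALL_B = b"transfer is approved, go now"


def reuse_scenario() -> bytes:
    """Carrier reuses the key and the cipher restarts at the same frame."""
    c1 = encrypt(KEY, 1, CALL_A)
    c2 = encrypt(KEY, 1, CALL_B)
    return recover_other_call(c1, c2, CALL_A)      # equals CALL_B


def fresh_key_scenario() -> bytes:
    """Fresh key per call: the same recovery step yields only noise."""
    c1 = encrypt(KEY, 1, CALL_A)
    c2 = encrypt(bytes.fromhex("fedcba9876543210"), 1, CALL_B)
    return recover_other_call(c1, c2, CALL_A)      # does not equal CALL_B
```

The fix the researchers describe is the second function: a fresh key for every call means the keystreams never cancel, so an eavesdropper who records two calls learns nothing from XORing them together.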

Law Enforcement
One tool that law enforcement and the spy agencies use to listen to phone calls is called Stingray, invented in 2013. What it does is pretend to be a cell tower in order to trick phones into communicating with it. That speeds up the hacker approach, which uses modified GSM phones and has drivers going around trying to locate a specific phone once its city is known.


Photo: Stingray cell phone spy device

But the problem with Stingray, say privacy advocates, is that it lets law enforcement spy on all the phone calls in an area. It is not supposed to work that way under the law. The police are supposed to obtain a court-ordered warrant to listen in on a specific number. But who is to say that the intelligence services are going to follow the law? Edward Snowden showed that the Americans even violated their own Patriot Act, which after 9/11 gave them increased surveillance powers.

A private citizen cannot use a Stingray, since it is illegal to transmit in the radio spectrum reserved for the cell phone companies. Of course, hacking cell phone calls with a modified GSM device is illegal too, but when you do that you do not broadcast over the airwaves that you are doing it.

How to Avoid Cellular Spying
So what do celebrities, diplomats, and politicians do to avoid eavesdropping if GSM can be hacked? Basically, they cannot. The best thing to do is to use WhatsApp to make phone calls. We explained how that encryption works in this article.