A significant flaw discovered in the encryption technique used in the newest cellular telephones could leave consumers of the supposedly "secure" phones vulnerable to eavesdropping.
The flaw, discovered through fairly simple cryptanalysis of telephone transmissions, is being blamed on the closed-door design process of the entire system.
Counterpane Systems researchers John Kelsey and Bruce Schneier (author of Applied Cryptography) and UC Berkeley graduate student David Wagner said Thursday that the flaw affects numbers dialed on a cellular handset. Anyone with a digital scanner and a conventional personal computer should be able to duplicate their findings, which the researchers will soon publish in a paper entitled "Cryptanalysis of the Cellular Message Encryption Algorithm (CMEA)."
When a cellular user dials a number on their keypad (be it a telephone number, a PIN, or a credit-card number), it is encrypted with CMEA in an attempt to protect the privacy of the user. CMEA is a symmetric cipher that uses a 64-bit key. A 64-bit key is usually considered to be fairly secure. However, flaws in the CMEA algorithm allow an attacker to predict portions of the key, reducing the effective key length to 24 or 32 bits, significantly shorter than even the deliberately weakened key lengths the US government allows for export. Herein lies the problem. A savvy computer user can break a 32-bit key on a typical home computer in a relatively short period of time.
This is not a new problem. As early as 1992, other researchers, including crypto pioneer Whitfield Diffie, revealed major flaws in the system's voice privacy features. The researchers are blaming broad underlying problems in the design process for the introduction of these flaws.
When the cellular industry was designing the privacy-enhancing features of the new digital cellular network, it received pressure from the National Security Agency to cripple the encryption capability of that network. The industry responded with an attempt to balance the NSA's concern over national security with consumers' desire for privacy by letting the cellular standards arm of the Telecommunications Industry Association design the architecture. It seemed like a reasonable compromise at the time.
Unfortunately, the TIA created a poor algorithm, and thousands of digital cellular users are now using it. How much of this is due to direct government intervention is unclear, but David Banisar, attorney for the Electronic Privacy Information Center, is ready to place the blame squarely on the NSA. "This is another illustration of how US government efforts to control cryptography threaten the security and privacy of Americans."
Cellular telephones, particularly the earlier analog models, have never been considered to be especially secure. In January, House Speaker Newt Gingrich learned this lesson the hard way, when a conference call he participated in was intercepted and leaked to the press.
Like Gingrich's call, most of today's cellular traffic can still be easily intercepted with widely available radio scanners. The new digital system does offer a good deal of protection over the older analog system, especially from casual listeners, but it has now been made clear that a determined eavesdropper with the proper technical expertise and resources can intercept communications on the new system.
The losers in this whole debacle are the cellular users. With the old analog system, many users knew that someone could eavesdrop on their conversations. Now, they've been sold on the new, "secure" digital phones, and are using them with a false sense of security. When users believe their conversations are private, they could potentially say something they would not say if they believed a third party could intercept the call. It is precisely this scenario that makes poor encryption (which includes weak encryption) more dangerous than no encryption at all.