[A51] New A5/1 attack patented

Karsten Nohl nohl at virginia.edu
Thu Dec 27 10:22:06 CET 2012

On Dec 27, 2012, at 5:00 , javier falbo wrote:

> Yes, from what i could read, we could use it to prevent the frequency hopping efect (or decode the stream and also change the frequency remote) and track the conversation even after hoping.
> A5/2 trick is old, that by forcing a 3G phone to move to GSM.
> Solution: Put on your phone do not authorize DUAL MODE, just fix it on 3G.
> I think what the article try to focus is on this "new" man in the middle attach, that with a normal PC you could take the key in 1 second.
> Which is maybe similar as the IMSI catchers or creating a fake cell.
> Nowadays i am working to implement this on any android device with a special python script and custom rom :)
> Android is open source.
> Regards.
> > Date: Thu, 27 Dec 2012 04:43:32 +0100
> > From: 246tnt at gmail.com
> > To: m.bevand at gmail.com
> > CC: a51 at lists.reflextor.com
> > Subject: Re: [A51] New A5/1 attack patented
> > 
> > > Elad Barkan and Eli Biham (them again) filed a patent which was made
> > > public 2 months ago. It appears to be a new attack against A5/1:
> > >
> > > http://www.google.com/patents/US8295477
> > 
> > I've just did a quick scan through it and didn't really see what's
> > "new" about it ...
> > 
> > The abstract seems to describe the very well known A5/2 attack and
> > it's optimization. They also describe in the invention the classic
> > downgrade attacks (sinceit all A5/x share the same Kc, you attack A5/2
> > or A5/1 using an imsi catcher and reuse the found Kc to decrypt
> > intercepted A5/3 data for eg).
> > 
> > Can you pin point exactly what "new" about it ?
> > 
> > AFAICT it's just the exact stuff they published 10 years ago ...

I'm with Sylvain in wondering what is new (and patentable) here.
Apart from the novelty question, the technical relevance seems to have dropped significantly over the past years:

* No phone with A5/2 support (the weakest cipher) should have been produced in years. The GSMA requires new phones to not support it anymore

* Cracking A5/1 (the somewhat better cipher) also takes only seconds on a good computer, allowing for the same kind of man-in-the-middle attack the patent describes, but against all GSM-capable phones

* Networks steadily move to A5/3 (the best available cipher) making it possible -- in theory -- to prevent MITM attacks. However, this would require the phone to notice that a network temporarily downgrades to A5/1 (or even A5/2) and notify the user. Anybody here know whether the type of encryption used is exposed to Android?



More information about the A51 mailing list