Interesting People mailing list archives

IP: a bit more on cellular weakness


From: Dave Farber <farber () cis upenn edu>
Date: Thu, 20 Mar 1997 18:12:48 -0500

Date: Thu, 20 Mar 1997 12:35:16 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Flaw in Cell-Phone Encryption Identified; Design Process Blamed


This is a press release <http://www.counterpane.com/cmea.html> from


* Bruce Schneier, Counterpane Systems, 612 823-1098  schneier () counterpane com
* David Wagner, University of California, Berkeley 510-643-9435 
    daw () cs berkeley edu
* Robert Sanders, University of California, Berkeley 510-643-6998
    rls () pio urel berkeley edu
* Lori Sinton, Jump Start Communications, 415-938-2234 lsinton () aol com


    Telecommunications Industry Association algorithm 
    for digital telephones fails under simple cryptanalysis


MINNEAPOLIS, MN. AND BERKELEY, CA., March 20, 1997 - Counterpane Systems and
UC Berkeley jointly announced today that researchers have discovered a flaw
in the privacy protection used in today's most advanced digital cellular
phones. This discovery points to serious problems in the closed-door process
used to develop these privacy measures. "This announcement is a setback to
the US cellular telephone industry," said Bruce Schneier of Counterpane
Systems, a Minneapolis, MN consulting firm specializing in cryptography. The
attack can be carried out in a few minutes on a conventional personal
computer.


Schneier and John Kelsey of Counterpane Systems, along with graduate student
David Wagner of the University of California at Berkeley, plan to publish
their analysis in a paper entitled "Cryptanalysis of the Cellular Message
Encryption Algorithm (CMEA)." Legislators are scheduled to hold hearings
today on Rep. Goodlatte's "SAFE" (Security And Freedom Through Encryption)
bill, HR695.


The problem affects numbers dialed on the key pad of a cellular handset,
including any telephone, PIN, or credit card numbers dialed. The system was
supposed to protect the privacy of those dialed digits, but the encryption
is weak enough that those digits are accessible to eavesdroppers with a
digital scanner.


The cryptographers blame the closed-door design process and excessive
pressure from U.S.  military interests for problems with the privacy
standard. The cellular industry attempted to balance national security with
consumer privacy concerns. In an attempt to eliminate recurring security
problems, the cellular standards arm of the Telecommunications Industry
Association (TIA) privately designed this new framework for protecting
cellular phones. The system uses encryption to prevent fraud, scramble voice
communications, and protect users' privacy. These new protections are being
deployed in today's digital cell phones, including CDMA, NAMPS, and TDMA.


Not a new problem


As early as 1992, others - including noted security expert Whitfield Diffie
- pointed out fatal flaws in the new standard's voice privacy feature. The
two flaws provide a crucial lesson for policy makers and consumers, the
researchers said. These weaknesses are symptomatic of broad underlying
problems in the design process, according to Wagner.


Many have criticized the National Security Agency (the U.S. military
intelligence agency in charge of electronically monitoring foreign powers)
for insinuating itself into the design process, pressuring designers to
cripple the security of the cellular encryption technique and hamstringing
emerging cellular security technology. "The result is weaker protection for
everybody," Kelsey said.


"This is another illustration of how U.S. government efforts to control
cryptography threaten the security and privacy of Americans," said David
Banisar, attorney for the Electronic Privacy Information Center in
Washington, D.C.


This is not the first report of security flaws in cellular telephony. Today,
most cellular phone calls can be intercepted by anyone in the area listening
to a scanner, as House Speaker Newt Gingrich learned this past January when
someone with a scanner recorded one of his cellular calls.  According to FCC
estimates, the cellular telephony industry lost more than $400 million to
fraud and security problems last year.


CMEA Technology


CMEA is a symmetric cipher, like the Digital Encryption Standard (DES). It
uses a 64-bit key, but weaknesses in the algorithm reduce the key to an
effective length of 24 or 32 bits, significantly shorter than even the weak
keys the U.S. government allows for export.


Greg Rose, program chair of the 1996 USENIX Security Symposium, put the
results in context: "This break does not weaken the digital cellular fraud
protections. And it's still true that digital cellular systems are much
harder to casually eavesdrop on than analog phones. But it's clear from this
break that a determined criminal with technical resources can intercept
these systems."


Counterpane Systems is a Minneapolis, MN-based consulting firm specializing
in cryptography and computer security. Bruce Schneier is president of
Counterpane and author of three books on cryptography and security. David
Wagner is a founding member of the ISAAC computer security research group at
UC Berkeley. In the Fall of 1995, the ISAAC group made headlines by
revealing a major flaw in Netscape's web browser. The authors also hasten to
thank Greg Rose for his advice.


    [This was also noted by "Tom Zmudzinski" <zmudzint () ncr disa mil>.
    Several others contributed John Markoff's article in *The New York
    Times* today.  As usual, my local source, *San Francisco Chronicle*,
    ran the NYT item without indicating its author.  PGN]

