The doghouse: GSM Association

It turns my stomach to see how antiquated, defensive and counter-productive the GSM Association's response is to the recent cracking of GSM encryption, the A5/1 codebook (precomputed rainbow tables) presented by Karsten Nohl. From the news coverage:
Using the codebook, a "beefy gaming computer and $3,000 worth of radio equipment" would allow anyone to decrypt signals from the billions of GSM users around the world, he said.

Signals could be decrypted in "real time" with $30,000 worth of equipment, Mr Nohl added.
The GSMA's mindset looks stuck in 1995; it has completely missed the evolution in security attitudes that the software industry has gone through since. It runs the classic playbook: (1) shoot the messenger, (2) downplay the problem, (3) claim to be "working" on a solution:
The GSM Association (GSMA), which devised the algorithm and oversees development of the standard, said Mr Nohl's work would be "highly illegal" in the UK and many other countries.

[...]

[T]he GSMA dismissed the worries, saying that "reports of an imminent GSM eavesdropping capability" were "common".

It said that there had been "a number" of academic papers outlining how A5/1 could be compromised but "none to date have led to a practical attack".

The association said that it had already outlined a proposal to upgrade A5/1 to a new standard known as A5/3 which was currently being "phased in".

"All in all, we consider this research, which appears to be motivated in part by commercial considerations, to be a long way from being a practical attack on GSM," the spokeswoman said.
Security research should not be illegal anywhere, and the proper response to a vulnerability is to fix it. Immediately; not at some convenient time, far in the future. Note also that "phasing in" A5/3 protects a call only when both the handset and the network support it and the network actually selects it: the network chooses the cipher, so every A5/1-capable phone and base station left in the field remains exposed for as long as A5/1 is still accepted.

Comments

Dave said…
Note also their textbook application of Cellphone (In)Security Standard Excuse #1:

All in all, we consider this research, which appears to be motivated in part by commercial considerations [...]

Don't they ever get tired of this excuse? The "jealous competitors are out to make us look bad" line must be the dog-ate-my-homework of poor cellphone security; they've been using this one since (at least) the 1998 Lucky Green/David Wagner break.
denis bider said…
Also, as if their excuses aren't motivated by commercial considerations.
