By Jonathan Fildes
Technology reporter, BBC News
Encryption is used on mobiles to stop eavesdropping
A German computer scientist has published details of the secret code used to protect the conversations of more than 4bn mobile phone users.
Karsten Nohl, working with other experts, has spent the past five months cracking the algorithm used to encrypt calls using GSM technology.
GSM is the most popular standard for mobile networks around the world.
The work could allow anyone - including criminals - to eavesdrop on private phone conversations.
Mr Nohl told the Chaos Communication Congress in Berlin that the work showed that GSM security was "inadequate".
"We are trying to inform people about this widespread vulnerability," he told BBC News.
"We hope to create some additional pressure and demand from customers for better encryption."
The GSM Association (GSMA), which devised the algorithm and oversees development of the standard, said Mr Nohl's work would be "highly illegal" in the UK and many other countries.
"This isn't something that we take lightly at all," a spokeswoman said.
Mr Nohl told the BBC that he had consulted with lawyers before publication and believed the work was "legal".
GSM encryption was first introduced in 1987
Mr Nohl, working with a "few dozen" other people, claims to have published material that would crack the A5/1 algorithm, a 22-year-old code used by many carriers.
The code is designed to prevent phone calls from being intercepted by forcing mobile phones and base stations to rapidly change radio frequencies over a spectrum of 80 channels.
It is known to have a series of weaknesses with the first serious flaw exposed in 1994.
Mr Nohl, who describes himself as an "offensive security researcher", announced his intention to crack the code at the Hacking at Random (HAR) conference in The Netherlands in August this year.
"Any cryptographic function is a one way street," he told BBC News. "You should not be able to decrypt without the secret key".
To get around this problem, Mr Nohl, working with other members of the encryption community, used networks of computers to crunch through "every possible combination" of inputs and outputs for the encryption code. Mr Nohl said there were "trillions" of possibilities.
All of the outputs are now detailed in a vast table, which can be used to determine the encryption key used to secure the conversation or text message.
"It's like a telephone book - if someone tells you a name you can look up their number," he said.
Using the codebook, a "beefy gaming computer and $3,000 worth of radio equipment" would allow anyone to decrypt signals from the billions of GSM users around the world, he said.
Signals could be decrypted in "real time" with $30,000 worth of equipment, Mr Nohl added.
It has previously been possible to decrypt GSM signals to listen in on conversations, but the equipment cost "hundreds of thousands of dollars," experts said.
According to Ian Meakin, of mobile encryption firm Cellcrypt, only government agencies and "well funded" criminals had access to the necessary technology.
He described Mr Nohl's work as a "massive worry".
"It lowers the bar for people and organisations to crack GSM calls," he told BBC News.
"It inadvertently puts these tools and techniques in the hands of criminals."
However, the GSMA dismissed the worries, saying that "reports of an imminent GSM eavesdropping capability" were "common".
It said that there had been "a number" of academic papers outlining how A5/1 could be compromised but "none to date have led to a practical attack".
The association said that it had already outlined a proposal to upgrade A5/1 to a new standard known as A5/3 which was currently being "phased in".
"All in all, we consider this research, which appears to be motivated in part by commercial considerations, to be a long way from being a practical attack on GSM," the spokeswoman said.