(This post disappeared from the blog a couple of days ago. I don't know why. It's back now.)
A little over a week ago, I posted some comments on Karsten Nohl's public A5/1 attack and the GSMA's response. Reuters & MSNBC think that carrying what is essentially a GSMA press release should somehow pass for journalism. (Thanks, Foneswitch, for bringing this to my attention.) I thought that the links to ads for cellular service were a particularly ironic touch. I hope a real person actually thought to put them there. Irony aside, two things about this press release strike me.
First, the GSMA is admitting that there are simple things that carriers can do to make their networks more secure and that they just haven't bothered doing those things yet. If that's really the case, then Dr. Nohl's public announcements are already having their intended effect of forcing the GSMA to pay attention the security security practices of its members. I'd really love to hear the specifics of these improvements, though, since traces of transactions in most EU and US networks show that they are already just about as secure as their current equipment allows. There's not much left to do.
Second, many GSM networks in other parts of the world, outside the US and EU, are not encrypted at all, not even with A5/2. Many governments simply do not allow their publics to use encrypted cellular networks. This is an issue that is not addressed by Dr. Nohl's project, by the GSMA or by the various media outlets who are providing free publicity for the GSMA's damage control campaign. For nearly half of the world's GSM users, all this bickering and posturing over A5 cracking is irrelevant because they are not even allowed that level of security. Worse yet, most of them probably don't even know that. That's a much bigger story that doesn't get covered.
Given all the recent spin, I think we should probably stop listening to the GSMA and just find out for ourselves how these networks are configured. In that spirit, I would like to propose a new crowd-sourcing project on GSM security: a public catalog of the security and encryption policies of all of the world's public cellular networks. A good place to put this might be somewhere in Wikipedia, where it will be very hard to censor once published. If anyone is interested in organizing something like that, please let me know.