Cellular Can Be Cracked

  • Richard Cole
  • Associated Press
  • March 21, 1997

A few minutes' work on a computer can break the codes that are supposed to protect new digital cellular phone technology from eavesdroppers, a team of researchers said Thursday. The cellular phone industry claimed the impact on users would be "virtually none," since engineers were working to strengthen the encryption and since a separate code that scrambles voices was not broken.

The Cellular Telecommunications Industry Association also denied that its codes could be broken so easily.

"It involves very sophisticated knowledge," an association statement said. "The announced attack requires multiple minutes--up to hours--of high speed computer processing to break the coded message."

But Bruce Schneier, one of the high-tech code breakers, called the implications serious for the new generation of digital phones.

He said they were able to break the code that protects transmissions between the cell phone and the central system--including dialed phone digits, credit card numbers, passwords and account numbers.

"We're talking about a few minutes on a computer--a high-end Pentium, not a work station, one you might have on your desk," he said. He also said the code that protects voices was broken years ago.

Schneier emphasized that they only cracked the codes used by the U.S. cellular phone system, not those of the system used in Europe. The U.S. cellular industry agreed to a weaker encryption system under pressure from the Clinton administration.

Schneier is president of Counterpane Systems in Minneapolis, a consulting firm that has worked on encryption for Intel, Microsoft, Netscape and other companies, he said.

Also part of the code-breaking team were John Kelsey of Counterpane in Missouri, and David Wagner, a University of California at Berkeley undergraduate who works with the same computer department security group that discovered a major Netscape flaw in 1995.
