The quiet week between Christmas and New Year's was unsettled, at least to a certain extent, by the news that Karsten Nohl, a German hacker, led a group that claims to have defeated the encryption algorithm that protects Global System for Mobile Communication (GSM) communications.
Take your pick of whether this is big, very big or huge news. Nohl, who made no secret of his plan to take on the security standard (there were reports of his aim to do so before the news of his success broke), was quoted in The New York Times as saying he has done so in order to "goad the world's wireless operators to use better security." Nohl, it should be noted, undertook a similar attack this year against the DECT wireless phone security standard.
The news doesn't qualify under any reasonable view as small, simply because the GSM standard is so widespread and any threat to its stability is serious business. The Times story says that GSM is used by about 3.5 billion of the world's 4.3 billion wireless connections, and by about 299 million devices in the United States.
It's always interesting to wonder whether folks who do things like this (Ralph Nader comes to mind) really are selfless gadflies inflicting short-term pain for the overall long-term public good, or narcissists driven by the desire to read about themselves in dry technical publications, The New York Times and everywhere in between. The reality is almost certainly a bit of both. It would be instructive to learn what communications Nohl had with GSM vendors and service providers both in the long term and when he was about to make his exploit known.
On a higher and more important level is consideration of what to do. For whatever rationale, the code is out of the bag, so to speak. Of course, the GSM community is minimizing what Nohl has done. Once the reporters go away, it is important that the security community soberly assess the damage and put any required workaround or patch in place.
One interpretation certainly is that if one person can do what Nohl did (or lead a collective effort to do so), he should be lauded for raising a yellow flag. The other is that there were ways he could have worked toward better GSM security without potentially compromising untold amounts of data. In short, it is too early to say whether Nohl should be thanked or investigated. But it is clear what he did must be taken seriously.