GSM mobile security was weakened after pressure from the UK

Security standards for 2G communications were deliberately downgraded, say engineers who worked on original project

A group of technologists who worked on protocols for mobile communication systems in the 1980s claim that encryption was deliberately weakened following pressure by the British secret services.

GSM (Global System for Mobile Communications), also known as 2G, was developed by the European Telecommunications Standards Institute (ETSI) in the 1980s to standardise communications protocols for mobile and cellular phones. Now four engineers who worked on the original project have told Norwegian newspaper Aftenposten that the A5/1 encryption standard built into GSM was deliberately weakened after pressure from the British government.

"They wanted a key length of 48-bit. We were very surprised. The West Germans protested because they wanted a stronger encryption to prevent spying from East Germany. The compromise was a key length of 64-bit - where the ten last bits were set to zero. The result was an effective key length of 54-bit," technologist Jan Arild Audestad told Aftenposten.

At the start of the project, a 128-bit key length had been proposed, on the premise that it would have been secure for 15 years, but, said Audestad, ETSI was forced to introduce a weaker standard.

Another leading member of the GSM team, Thomas Haug, said that he came under personal pressure to weaken security.

"I was told by a British delegate that the British secret services wanted to weaken the security so they could eavesdrop more easily," Haug said.

There may have been commercial and practical reasons too. Had GSM ended up with 128-bit encryption mobile phones would not have been able to be sold in then-communist Eastern Europe because of strict export controls.

It was not only the British that were interested in weakening the cryptographic standard. ETSI team member Michel Mouly told Aftenposten that other countries were involved, although he declined to say which, except to say that they were "not Western European."

The weak 54-bit A5/1 encryption remains in place 30 years later, and the ease with which it can be cracked is one of the reasons that the NSA found it easy to bug German chancellor Angela Merkel's mobile phone conversations, as revealed in documents leaked by Edward Snowden last year.

Following these revelations two leading German carriers Deutsche Telekom and AT&T announced that they are adopting A5/3 encryption for their 2G networks, a standard that requires 100,000 times more computing power to crack, according to Karsten Nohl, chief scientist at Security Research Labs in Berlin.