October 10, 2019 6pm ET: This story has been substantially updated to reflect revised findings from Blackberry and the standards body GSMA about reduced practical scope and scale of this vulnerability.

Most mobile calls around the world are made over the Global System for Mobile Communications standard; in the US, GSM underpins any call made over AT&T or T-Mobile networks. But at the DefCon security conference in Las Vegas on Saturday, researchers from BlackBerry are presenting an attack that can intercept some GSM calls on 2G networks as they're transmitted over the air and then decrypt them to listen back to what was said. What's more, this vulnerability has been around for decades.

Regular GSM calls aren't fully end-to-end encrypted for maximum protection, but they are encrypted at many steps along their path, so random people can't just tune into phone calls over the air like radio stations. The researchers found, though, that they can target the encryption algorithms used to protect calls and, in older implementations, listen in on basically anything.

"GSM is a well-documented and analyzed standard, but it’s an aging standard and it's had a pretty typical cybersecurity journey," says Campbell Murray, the global head of delivery for BlackBerry Cybersecurity. "The weaknesses we found are in any GSM implementation up to 5G. Regardless of which GSM implementation you’re using there is a flaw historically created and engineered that you’re exposing." Blackberry has since revised these findings to say that the vulnerabilities only exist in some 2G implementations.

The problem is in the encryption key exchange that establishes a secure connection between a phone and a nearby cell tower every time you initiate a call. This exchange gives both your device and the tower the keys to unlock the data that is about to be encrypted. In analyzing this interaction, the researchers realized that the way the GSM documentation is written, there are flaws in the error control mechanisms governing how the keys are encoded. This makes the keys vulnerable to a cracking attack.

As a result, a hacker could set up equipment to intercept call connections in a given area, capture the key exchanges between phones and cellular base stations, digitally record the calls in their unintelligible, encrypted form, crack the keys, and then use them to decrypt the calls. The findings analyze two of GSM's proprietary cryptographic algorithms that are widely used in call encryption—A5/1 and A5/3. The researchers found that they can crack the keys in most implementations of A5/1 within about an hour. For A5/3 the attack is theoretically possible, but it would take many years to actually crack the keys.

"We spent a lot of time looking at the standards and reading the implementations and reverse engineering what the key exchange process looks like," Murray says. "You can see how people believed that this was a good solution. It's a really good example of how the intention is there to create security, but the security engineering process behind that implementation failed."

The researchers emphasize that because GSM is such an old and thoroughly analyzed standard, there are already other known attacks against it that are easier to carry out in practice, like using malicious base stations, often called stingrays, to intercept calls or track a cell phone's location. Additional research into the A5 family of ciphers over the years has turned up other flaws as well. And there are ways to configure the key exchange encryption that would make it more difficult for attackers to crack the keys. But Murray adds that the theoretical risk always remains for implementations that don't contain mitigations.

The researchers say that they are in the early phases of discussing the work with the standards body GSMA.

The trade association said in a statement to WIRED: "Details have not been submitted to the GSMA under our coordinated vulnerability programme. When the technical details are known to the GSMA’s Fraud and Security Group we will be better placed to consider the implications and the necessary mitigation actions."

Though it may not be that surprising at this point that GSM has security issues, it's still the cellular protocol used by the vast majority of the world. And as long as it's around, real call privacy issues remain too.

More Great WIRED Stories