Potential hacking and eavesdropping issues
Last modified on Monday, 19 May 2008 09:16
GSM technology, the most widely used mobile phone standard, is insecure. This claim comes from a security expert at the LayerOne Security Conference that took place over the weekend in Pasadena, California. GSM has become a world wide standard for cellular networks, although the uptake is somewhat smaller in the U.S.
The speaker, David Hulton, claims that GSM is so insecure it is feasible to track the location of mobile users, and with a bit of effort, to even listen in to mobile calls as they are taking place. Hulton claims he has cracked the encryption algorithm the mobile phones use, and stated, “GSM security should become more secure or at least people should know they shouldn’t be talking about (sensitive) things over GSM. Somebody could possibly be listening over the line.”
Hulton also claims that with a $900 investment, equipment can be purchased and free software used to create a false network device to track traffic across a mobile network. “You can see all the cell phones connected to the base station. You can’t see calls, but people associated with the calls. You can also do location tracking. If you know somebody is on the network you can see how close to the base station they are,” he said.
This is feasible because the subscriber identifier (the user identification number) is easily visible on traffic, even though identifiers are not supposed to be transmitted in plain text. Hutton indicated that while it might not be legal to view that data, it is still relatively easy to do.
Another conference speaker, David Bryan, Senior Security Consultant with security company Netspi, was also highly critical of Voice Over IP (VoIP) systems. He indicated that while VoIP saves corporations and consumers a lot of money, such systems typically have “little to no security.”
VoIP is based on open standards generally that do not encrypt traffic, leaving them a target for eavesdropping, intercepted calls, fake and bogus voice messages. Bryan demonstrated this by injecting an emergency broadcast message into an ongoing mobile phone conversation while he recorded the call with an automated tool.
He pointed out that Skype does have encryption and also uses proprietary technology so that outsiders cannot dissect the code. Vonage, however, offers no encryption and no security at all is currently in place, according to Bryan.