Hackers Could Easily Target GSM Phones

A German security expert this week said a vulnerability in a widely used wireless technology could allow hackers to gain access to cellphones remotely, causing them to send text messages or make phone calls.

Hackers could exploit the vulnerability in GSM network technology, which is used by billions of people and accounts for about 80 percent of the global mobile market, to turn phones into tools for their scams, said Karsten Nohl, head of Germany's Security Research Labs.

Similar attacks on a smaller scale have been done before, but a new attack based on the recent discovery could be much greater, exposing any cellphone using GSM technology.

“We can do it to hundreds of thousands of phones in a short timeframe,” Nohl told Reuters in advance of a presentation at a hacking convention in Berlin on Tuesday.

Attacks on corporate landline phone systems are common, often involving bogus premium-service phone lines that hackers set up in Europe, Africa and Asia. Hackers place calls to those numbers from the hacked business phone systems or mobile phones, then collect their money and move on before the activity is noticed. Phone owners and users usually do not realize there is a problem until they receive their bills. In some instances, their phone carriers end up paying at least part of the costs.

Nohl said he would not present the details of an attack at the conference, but said hackers would typically be able to replicate the code needed to carry out the attack within a few weeks.

Networks that use GSM technology are vulnerable in the way in which they handle commands, Nohl told AllThingsD. GSM networks are common throughout the world and are used in AT&T and T-Mobile handsets in the US.

Nohl studied 11 countries and was able to hack into both voice and text conversations using a seven-year-old Motorola phone along with widely available decryption software, according to a report from the NY Times.

Nohl said that most network commands are sent in the simplest computer code, which significantly increases their vulnerability. A range of options for randomizing the data can easily improve the security, but Nohl said that carriers have varied widely in how well they implement protection.

Each GSM command is exactly 23 bytes long. In most cases, Nohl said, that leaves room for carriers to send random data that makes messages harder to intercept. However, some messages use the full 23 bytes, requiring a more sophisticated workaround to make things secure.
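To make the padding point concrete, here is an added Python sketch (not from the article, Nohl's tool or any carrier's code) that pads a constructed sample payload to the article's 23-byte frame length with either a constant filler or random bytes, counts how many bytes an observer could predict in advance, and runs the kind of diversity check a measurement project might apply to captured frames; the filler value 0x2B and the sample payload bytes are assumptions.

```python
import secrets

FRAME_LEN = 23     # fixed signalling frame length in bytes, as stated in the article
FILL_BYTE = 0x2B   # ASSUMED constant filler value used here for illustration only

def pad_frame(payload: bytes, randomize: bool) -> bytes:
    """Pad a signalling payload to the fixed 23-byte frame length.

    With randomize=False the spare bytes are a constant filler, so anyone who
    knows the payload length also knows every filler byte before encryption
    (known plaintext). With randomize=True the spare bytes are fresh random
    data for every frame, which is the cheap hardening the article describes.
    """
    if len(payload) > FRAME_LEN:
        raise ValueError("payload does not fit in a 23-byte frame")
    spare = FRAME_LEN - len(payload)
    if randomize:
        return payload + secrets.token_bytes(spare)
    return payload + bytes([FILL_BYTE]) * spare

def predictable_bytes(payload_len: int, randomize: bool) -> int:
    """Bytes of a frame an observer can predict from the padding rule alone.

    A message that uses the full 23 bytes has no spare room, which is why the
    article notes such messages need a more sophisticated workaround.
    """
    spare = FRAME_LEN - payload_len
    return 0 if randomize else spare

def padding_looks_randomized(frames, payload_len: int) -> bool:
    """Measurement-style check over a set of frames with the same payload length.

    A carrier using constant filler produces identical padding regions in every
    frame; randomized padding produces differing regions. Returns False when
    there is no padding region at all (full-length frames).
    """
    regions = {f[payload_len:] for f in frames}
    return len(regions) > 1

if __name__ == "__main__":
    sample = b"\x06\x21\x00"   # constructed 3-byte sample payload, not a real message
    fixed = [pad_frame(sample, randomize=False) for _ in range(5)]
    rnd = [pad_frame(sample, randomize=True) for _ in range(5)]
    print("fixed filler: predictable bytes =", predictable_bytes(len(sample), False),
          "randomized?", padding_looks_randomized(fixed, len(sample)))
    print("random fill:  predictable bytes =", predictable_bytes(len(sample), True),
          "randomized?", padding_looks_randomized(rnd, len(sample)))
```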

It's also hard to guess which networks are best-protected without studying them.

“It's pretty unpredictable which network will be configured how,” said Nohl. While Vodafone did pretty well on its British network, its German subsidiary has a less secure network.

The vulnerability seems to be limited to the oldest 2G variant of the GSM networks, but since all GSM phones support the 2G network, that leaves all such phones vulnerable.

Although Nohl's research focused only on European and Asian countries, carriers elsewhere could be just as vulnerable unless they make better use of encryption than their European counterparts.

Nohl released a tool today for people to check the vulnerability in their area. He hopes volunteers will help fill in the gaps, showing how vulnerable or not various networks are.

A new ranking of which areas are most vulnerable is available at http://www.gsmmap.org. It lets consumers see how their operators are performing and lets anyone participate in measuring their carriers' security.

The review of 32 operators in 11 countries shows just how vulnerable the GSM standard really is. “None of the networks protects users very well,” said Nohl. Many telecom operators could easily improve their clients' security, in many cases by simply updating their software.

“This is a major vulnerability in most networks we tested, and the irony is that it costs very little, if nothing, to repair,” Nohl said. “Often it is just a question of inertia on the part of operators, or they have other priorities, such as building their networks.”

Philip Lieberman, the chief executive and president of Lieberman Software, a company in Los Angeles that sells identity management software to large businesses and the US government, told the New York Times that much of the digital technology that protects the privacy of cellphone calls had been developed in the 80s and 90s and is now ripe for attack.

He noted, however, that the kind of hacking being implemented by researchers such as Nohl demands a level of skill and sophistication that is beyond the abilities of most individuals.

“Your digital mobile calls are generally well protected from people like yourselves, who are not in the position to crack them,” Lieberman told NY Times in an interview. “However, the technology to do this type of surveillance, which was once possible only by government intelligence agencies, is rapidly becoming affordable to more and more people.”

The GSM Association, a London organization that represents operators, said it would await details of Nohl's study, adding that it welcomed research designed to improve GSM technology.

“GSM networks use a range of encryption and authentication technologies and other features to make it difficult for criminals to fraudulently access and/or eavesdrop on customer communications or to identify and locate customers,” the association said in a statement.

Nohl said he based the choice of countries for his study on where he and his team were able to travel. His Berlin firm advises businesses, European governments and mobile operators, he said, on how to build better digital communication defenses.

The potential for damage may increase with the rise of consumer banking and buying through their mobile devices, said Nohl. But generally, he noted, the digital security tools implemented by banks and online retailers are far superior to those used by mobile operators and should thwart most attacks.

In Asia, the Middle East and Latin America, the level of mobile security varies widely and can be much lower. Operators in India and China encrypt digital traffic poorly or not at all, either to save on the network's operating costs or to allow government censors unfettered access to communications, said Nohl.
